This discussion is archived
6 Replies Latest reply: Apr 1, 2010 7:55 AM by u8slawo RSS

How to disable http for JAX-WS

u8slawo Newbie
Currently Being Moderated
Hi everybody,
I am facing the problem that I want only https (In the form of one-way-ssl) to be enabled for a web service. In other words, I want to disable the http part.
For JAX-RPC there used to be the WLHttpsTransport annotation or ant element but they are not available for JAX-WS.
I know I could restrict the http access by providing a policy file but this is not exactly what I want.
I don't want the service to report back to the client that some security constraint restricts the access to http. I want the server to report that this ressource is simply not available.
Do you know of a way to do this?
Cheers
Slawo.
  • 1. Re: How to disable http for JAX-WS
    739896 Guru
    Currently Being Moderated
    Hi,

    You can add the following entry inside your *"web.xml"* ...

    <security-constraint>
    <web-resource-collection>
    <web-resource-name>app or resource name</web-resource-name>
    <url-pattern>/*</url-pattern> <!-- define all url
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <font color=maroon>
    <user-data-constraint>
    *<transport-guarantee>CONFIDENTIAL</transport-guarantee>*
    </user-data-constraint>
    </font>
    </security-constraint>
    ----------------

    Above will force any Http request to be automatically be converted into HTTPS.


    .
    .
    Thanks
    Jay SenSharma
    http://jaysensharma.wordpress.com (WebLogic Wonders Are here)
  • 2. Re: How to disable http for JAX-WS
    u8slawo Newbie
    Currently Being Moderated
    Thanks Jay SenSharma,
    this is exactly what I have been looking for.

    But one additional question arises:
    What if I don't have a web.xml file because I have the @Session annotation and use the web service as a bean inside an EJB context only?

    Cheers
    Slawo
  • 3. Re: How to disable http for JAX-WS
    sandeep_singh Pro
    Currently Being Moderated
    In that case use the below annotation:

    import weblogic.jws.security.UserDataConstraint;

    @WebService(name="SecurityHttpsPortType",
    serviceName="SecurityHttpsService",
    targetNamespace="http://example.org")

    @UserDataConstraint(
    transport=UserDataConstraint.Transport.CONFIDENTIAL)

    public class SecurityHttpsImpl {
    }

    Thanks,
    Sandeep
  • 4. Re: How to disable http for JAX-WS
    759546 Newbie
    Currently Being Moderated
    Hi Sandeep,
    I think this annotation is only allowed for JAX-RPC (See the title of this discussion topic.):

    [jwsc] (...)/SlawosWSBean.java 24:8
    [jwsc] [ERROR] - The annotation weblogic.jws.security.UserDataConstraint is not allowed on (...).SlawosWSBean because it is a JAX-WS type web service.
    [jwsc] (...)/SlawosWSBean.java 24:8
    [jwsc] [ERROR] - Only HTTP ports are supported for JAX-WS.
    [jwsc] (...)/SlawosWSBean.java 24:8
    [jwsc] [ERROR] - The annotation weblogic.jws.security.UserDataConstraint is not allowed on (...).SlawosWSBean because it is a JAX-WS type web service.

    So it won't work for me.
    Cheers
    Slawo.
  • 5. Re: How to disable http for JAX-WS
    sandeep_singh Pro
    Currently Being Moderated
    In that case you will have to use the policy files to enable the transport layer security for JAX-WS:
    sample policy for securing JAX-WS over SSL provided by weblogic is : Wssp1.2-2007-Https.xml

    These polices can be applied to the web methods using @Policies and @policy annotations.

    thanks,
    Sandeep
  • 6. Re: How to disable http for JAX-WS
    u8slawo Newbie
    Currently Being Moderated
    ... which I already knew as I have written in my first opening posting.
    But anyway, thanks for your answer.
    Slawo.

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points