How to restrict access to everything but wsdl?

Question

I have a webservice deployed under Tomcat 6, it works perfectly. Now I want to authentificate any client, but keep the wsdl in public access via URL like http://localhost:8080/services/MyService?wsdl

I have tried to solve the problem this way (web.xml of webapp), but it doesn't work:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>WSDL access - to anybody</web-resource-name>
        <url-pattern>/services/MyService?wsdl</url-pattern>
    </web-resource-collection>

    <auth-constraint><role-name>*</role-name></auth-constraint>      
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Some authentification required</web-resource-name>
        <url-pattern>/services/MyService</url-pattern>
    </web-resource-collection>

    <auth-constraint><role-name>somebody</role-name></auth-constraint>          
</security-constraint>

The only solution I see for now is to create additional servlet and give one rights to access WSDLs. The servlet will pass required wsdl to client, no matter is it authentificated or not. WSDL URL will be not obvius in this case, so I don't like the solution. Any other advices, please?

Nothing changes. Manual states that first matching pattern will be used, so order is correct. — no id, Sep 06 '11 at 04:53

score 8 · Accepted Answer · answered Jun 04 '13 at 06:53

I had similar problem and I've found the solution. WebServices methods are invoked via POST, while the WSDL is fetched via GET. So the solutions is to restrict only POST access.

security-constraint>
    <web-resource-collection>
        <web-resource-name>Some authentification required</web-resource-name>
        <url-pattern>/services/MyService</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>somebody</role-name></auth-constraint>          
</security-constraint>

I'm using WebSphere 7 with JAXWS, but the web.xml configuration is the same for all containers and appservers.

This post can also be useful: http://stackoverflow.com/questions/8069640/whitelist-security-constraint-in-web-xml — Danubian Sailor, Jun 04 '13 at 06:55

score 2 · Answer 2 · answered Sep 06 '11 at 04:55

2

You are trying to have transport level security.. If you try to secure your individual services with ws-security - you can keep the wsdl open while the service being secured...

answered Sep 06 '11 at 04:55

Prabath Siriwardena

5,891
1
27
34

2

No its not opposite. He wants to keep the wsdl open and secure all other services. – Prabath Siriwardena Sep 06 '11 at 05:16
This is not opposite. That is how you secure the service but still keep the wsdl open. – Pavithra Gunasekara Sep 06 '11 at 05:19
I have changed the question. Probably it is more clear for now. The ws-security is seems to be the future for my project, yet don't have time to deal with one for now. – no id Sep 06 '11 at 06:13

score 0 · Answer 3 · answered Jan 27 '16 at 23:15

I have an app setup this way. I have a login page that will authenticate the user with a userID and password. Only when a valid user logs in, will they have access to data and pages. Any connection to the WSDL will not be affected as it will be handled by the WSDL function calls.

How to restrict access to everything but wsdl?

3 Answers3