How to Secure the EJB3.0 Stateless Session Bean Web Services

Question

I exposing EJB3.0 stateless session bean as web service using JAX-WS annotations and right now I'm using JBOSS5.1.0 GA as application server and JBOSSWS is generating the WSDL for me when I deploy the EAR.

Now I want to secure the web services by providing authentication and encryption-decryption on the SOAP messages. How do I can achieve that, Is there any annotations available for both in JAX-WS (or) can I achieve by doing any configuration at EJB level. I do not want to do secure web services with respect to JBOSS, because I want to deploy the same EAR in different application as well.

So please help me to build the generic EJB3.0 web services bean with the security implementation ., Thanks a lot in advance

Answer 1

Concerning SOAP WebServices, you can a lot of posts in this forum related to your question. In particular in User authenticate in SOAP I've mentioned that there several ways to authenticate the client.

Supposing that you want to authenticate the client by X.509 certificate. Then:

• For JBossWS refer WS-SecurityOptions – X509 Certificate Token
• For Metro/JAX-WS services refer Using JAX-WS-Based Web Services with SSL
• For Apache CXF refer WS-Security
• For Spring Security refer Spring Security With X.509 Certificate