• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Liutauras Vilda
  • Jeanne Boyarsky
  • Devaka Cooray
  • Paul Clapham
  • Tim Cooke
  • Knute Snortum
  • Bear Bibeault
Saloon Keepers:
  • Ron McLeod
  • Tim Moores
  • Stephan van Hulst
  • Piet Souris
  • Ganesh Patekar
  • Frits Walraven
  • Carey Brown
  • Tim Holloway

security-constraint to exclude wsdl

Posts: 2
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I have a web application built using JAX-WS. I want to secure the application at the tomcat level but I would like to leave the WSDL unsecured because my clients need to be able to get it before calling the services. Is it possible to exclude only the wsdl URL from the security-constraint in web.xml? I tried the following but it doesn't work:

I believe the problem is that the <url-pattern> element does not allow URL parameters (i.e. such as "?wsdl"). If I remove the "?.wsdl" at the end of the URL (e.g. <url-pattern>/services/ACLService</url-pattern>) I can access the service (e.g. /services/ACLService) and the asscociated wsdl but that's not what I want: the service itself should be secured!

I'm afraid that what I'm trying to do is not possible. Can anyone confirm this?


Posts: 20842
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You are correct that parameters are not valid in pattern URLs.

While I am a big proponent of using the JEE container security system, I'm not sure that it's a good fit for web services. One of the problems is that a web services client might not be equipped to handle the login process presented by the container. In particular, I don't know that it's a good fit for RESTful services.

I probably would up the transport guarantee to get SSL/TLS transport, though.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!