When we protect a Web service using HTTP Basic authentication we protect all access to that Webservice endpoint URL even to the generated WSDL.
When exposing a POJO based webservices using a Web project the usual work around is to set the http-method to only protect POST requests. So the GET to the wsdl will not be protected.
However when exposing an EJB based Webservice we can not configure that, so the wsdl is always protected for POST or GET requests.
It would be nice if we could change that...
here is a example of the EJB WS security deployment plan:
<ejb:enterprise-beans>
<ejb:session>
<ejb:ejb-name>Test</ejb:ejb-name>
<ejb:web-service-security>
<ejb:security-realm-name>
WSTest
</ejb:security-realm-name>
<ejb:transport-guarantee>NONE</ejb:transport-guarantee>
<ejb:auth-method>BASIC</ejb:auth-method>
</ejb:web-service-security>
</ejb:session>
</ejb:enterprise-beans>
No place for defining the HTTP method.
New Feature
Resolved
Minor
Protecting EJB based Web services but excluding wsdl from the protection
<ejb:enterprise-beans> <ejb:session> <ejb:ejb-name>Test</ejb:ejb-name> <ejb:web-service-security> <ejb:security-realm-name>WSTest</ejb:security-realm-name> <ejb:transport-guarantee>NONE</ejb:transport-guarantee> <ejb:auth-method>BASIC</ejb:auth-method> <http-method>POST</http-method> <http-method>PUT</http-method> </ejb:web-service-security> </ejb:session> </ejb:enterprise-beans>