I have a webservice deployed under Tomcat 6, and it works perfectly. Now I want to authenticate any client, but keep the WSDL publicly accessible via a URL like http://localhost:8080/services/MyService?wsdl
I have tried to solve the problem this way (web.xml of the webapp), but it doesn't work:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>WSDL access - to anybody</web-resource-name>
        <url-pattern>/services/MyService?wsdl</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Some authentification required</web-resource-name>
        <url-pattern>/services/MyService</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>somebody</role-name></auth-constraint>
</security-constraint>
The only solution I see for now is to create an additional servlet and give it rights to access WSDLs. The servlet will pass the required WSDL to the client, no matter whether it is authenticated or not. The WSDL URL will not be obvious in this case, so I don't like the solution. Any other advice, please?
WSDL is an XML-based language for describing a web service. It describes the messages, operations, and network transport information used by the service. These web services usually use SOAP, but may use other protocols.
WSDL, or Web Service Description Language, is an XML-based definition language. It's used for describing the functionality of a SOAP-based web service. WSDL files are central to testing SOAP-based services. SoapUI uses WSDL files to generate test requests, assertions and mock services.
SOA Web services are defined in the SOAService.wsdl file. WSDL (Web Services Description Language) documents are XML-based language files that describe Web services definitions and methods. A Java sample shows you how to use the SOA Web service.
I had a similar problem and I've found the solution. Web service methods are invoked via POST, while the WSDL is fetched via GET. So the solution is to restrict only POST access.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Some authentification required</web-resource-name>
        <url-pattern>/services/MyService</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>somebody</role-name></auth-constraint>
</security-constraint>
I'm using WebSphere 7 with JAXWS, but the web.xml configuration is the same for all containers and appservers.
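A small model of how a servlet container evaluates the two descriptors above, as an added example that is not part of the original posts. It assumes the webapp is deployed at the root context and handles exact url-patterns only; `requires_auth` and the descriptor fragments are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed fragments mirroring the two descriptors on this page (no XML namespace).
QUESTION = """<web-app>
 <security-constraint><web-resource-collection>
   <url-pattern>/services/MyService?wsdl</url-pattern></web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint></security-constraint>
 <security-constraint><web-resource-collection>
   <url-pattern>/services/MyService</url-pattern></web-resource-collection>
  <auth-constraint><role-name>somebody</role-name></auth-constraint></security-constraint>
</web-app>"""

ANSWER = """<web-app>
 <security-constraint><web-resource-collection>
   <url-pattern>/services/MyService</url-pattern>
   <http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>somebody</role-name></auth-constraint></security-constraint>
</web-app>"""

def requires_auth(web_xml, method, url):
    """True if a matching constraint demands authentication for this request.

    Simplified model: exact url-patterns only (no /x/* or *.ext matching).
    """
    path = urlsplit(url).path  # url-pattern is compared to the path; "?wsdl" is dropped
    matched = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
            methods = [m.text.strip() for m in wrc.iter("http-method")]
            # No <http-method> elements means the collection covers every method.
            if path in patterns and (not methods or method in methods):
                matched.append(sc.find("auth-constraint"))
    # No matching constraint, or one without <auth-constraint>, leaves the request open.
    return bool(matched) and all(ac is not None for ac in matched)

if __name__ == "__main__":
    url = "http://localhost:8080/services/MyService"
    for name, xml in (("question", QUESTION), ("answer", ANSWER)):
        for method, target in (("GET", url + "?wsdl"), ("POST", url), ("PUT", url)):
            state = "auth required" if requires_auth(xml, method, target) else "open"
            print(f"{name:8} {method:4} {target:48} {state}")
```

The output shows why the first descriptor still challenges the WSDL request (the query string never takes part in pattern matching), and that the POST-only descriptor leaves every other method on that URL, such as PUT, outside the constraint.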