Archive for the 'Glassfish' Category
400 Bad Request when using Glassfish REST API

When you try to automate your Glassfish administration duties with its REST API using POST or DELETE methods, and all you get is HTTP response 400 and zero content, you forgot to read this:

REST requests that add, update, or delete objects must specify the X-Requested-By header with the value GlassFish REST HTML interface.

It is intended to prevent CSRF attacks as noted in Jason's Lee post.

Enabling SOAP message signing for EJB webservice client in Glassfish

Let's start writing posts again!

Today's solution is for following scenario: An EJB uses a web service client, and needs to sign its request with a trusted certificate. We are running Glassfish 3.1.1. Its documentation is pretty straighforward about specifying default client provider, which will cause all webservice calls to be signed. But we cannot do that, because other web service we're calling cannot handle digitally signed SOAP messages. Documentation only mentions web service endpoint configuration .

Here's what to do

Add following to your glassfish-ejb-jar.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-ejb-jar PUBLIC "-// GlassFish Application Server 3.1 EJB 3.1//EN"
                <!-- you might need explicit @WebService(name="service") on that field,
                     even if the field is named service -->
                    <!-- This is the vital part - specify port of web service -->
                        auth-layer="SOAP" provider-id="ClientProvider"/>

Then, configure your client e. g. via admin gui at path Configurations > server-config > Security > Message Security > SOAP > Tab Providers > Client Provider.