Access control in JBoss
Describes how to setup the access control in JBoss
If you are running JBoss the procedure is similar to Tomcat but with some small differences.
First open the /jboss/server/{$server.name}/conf/login-config.xml file. {$server.name} is the server configuration your web services are running on (in the standard installation it is called 'default').
Add at the bottom of the file (but inside the policy element) the following lines:
<application-policy name="web-services">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties">props/web-service-users.properties</module-option>
            <module-option name="rolesProperties">props/web-service-roles.properties</module-option>
        </login-module>
    </authentication>
</application-policy>
Three values in this block are the interesting ones. The name attribute of application-policy defines the name of the application policy we are defining. The usersProperties module option gives the location (relative to the conf directory) of the user properties file, in which we will define the users and their passwords. The rolesProperties module option gives the location of the role properties file, in which we will define the roles and which users belong to which role.
The authorization model is not user based but role based. Roles let you group users: one user can play several roles and, as with groups, a role can be played by several users.
Now we need to create the two files we have just referenced. Go into the props folder (inside the conf directory), create the web-service-users.properties file and add the user as follows:
Hans=test
(for this example we use our dummy user Hans). The first part is the user name and the second his/her password. You can create as many users as you like, but remember that you group users into roles, so you only need several users if they shall have different passwords.
Now create the file web-service-roles.properties and add the roles as follows:
Hans=web-service-user
(our example role is web-service-user and currently only Hans belongs to this role).
For more information about the syntax of the files you can open one of the existing users and roles properties files inside the props folder. If a user belongs to several roles, the roles are separated by commas like:
Hans=web-service-user,foo,bar
After creating the users and roles we need to define the restriction.
Open /jboss/server/{$server.name}/deploy/{$axis}/WEB-INF/web.xml and add the following lines at the bottom of the file (but inside the web-app element):
<security-constraint>
    <web-resource-collection>
        <web-resource-name>All the web services</web-resource-name>
        <description>Protects all web services</description>
        <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>web-service-user</role-name>
    </auth-constraint>
    <!-- user-data-constraint belongs inside the security-constraint it applies to -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Axis Restriction Areas</realm-name>
</login-config>
<security-role>
    <role-name>web-service-user</role-name>
</security-role>
The format is the same as described in the Tomcat section (see there for the definition of the elements). We set a resource (/services/*) which is protected and only accessible for the role web-service-user. The optional description element allows you to add comments to this constraint.
The authentication is HTTP Basic Authentication (as digest is not supported by Axis currently); because we are using SSL for the transfer, sending the credentials this way is acceptable. You can define the restriction more explicitly to restrict access to single web services.
So you can have multiple security-constraint elements in the web.xml file and each security-constraint element has at least one web-resource-collection element and multiple auth-constraint elements.
The user-data-constraint element forces the user to use SSL; it is nested inside the security-constraint whose resources it protects, so every security-constraint that needs SSL carries its own.
In the end we need to add/edit the /jboss/server/{$server.name}/deploy/{$axis}/WEB-INF/jboss-web.xml file and add the following:
<jboss-web>
    <security-domain>java:/jaas/web-services</security-domain>
</jboss-web>
If you already have the jboss-web.xml file, just add the new security-domain element inside the existing jboss-web element. If you don't have that file yet, create it and add all the lines shown above.
Please note that the last part of the security-domain value (web-services) has to match exactly the application-policy name you defined in login-config.xml before.
Restart your JBoss and try the authentication by entering the path to the restricted resource in your web browser. The browser will prompt you for a username and a password. If you enter a valid username/password as you just created you should get access to the resource.
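Most of what goes wrong with this procedure is silent: a security-domain that does not match the application-policy name, a role granted in web.xml that no user in the roles file holds, or a user-data-constraint that ended up outside its security-constraint so BASIC credentials travel over plain HTTP. The following Python script is an added example, not part of JBoss, Axis or the original page; it parses constructed copies of the four files from the text (the file contents, the policy name web-services and the user Hans are taken from the page, the checks and problem codes are my own) and reports those mismatches before you restart the server. It also flags that UsersRolesLoginModule compares cleartext passwords unless the hashAlgorithm module option is set.

```python
"""Consistency check for the JBoss/Axis access-control files described above.

Hypothetical helper, not part of JBoss or Axis: parses login-config.xml, the two
.properties files, web.xml and jboss-web.xml and reports the mismatches that
break the setup silently.
"""
import re
import xml.etree.ElementTree as ET

# --- Constructed sample contents mirroring the files in the text --------------
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="web-services">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">props/web-service-users.properties</module-option>
        <module-option name="rolesProperties">props/web-service-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""
USERS_PROPERTIES = "# constructed sample users file\nHans=test\n"
ROLES_PROPERTIES = "Hans=web-service-user,foo\n"
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All the web services</web-resource-name>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>web-service-user</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Axis Restriction Areas</realm-name></login-config>
  <security-role><role-name>web-service-user</role-name></security-role>
</web-app>"""
# Same file with two mistakes this helper is meant to catch: the user-data-constraint
# sits at web-app level, and the granted role 'admin' is neither declared nor held.
BROKEN_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All the web services</web-resource-name>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Axis Restriction Areas</realm-name></login-config>
  <security-role><role-name>web-service-user</role-name></security-role>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/web-services</security-domain></jboss-web>"


def parse_properties(text):
    """Parse key=value lines of a Java .properties file; comments and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries


def check_access_control(login_config_xml, users_props, roles_props, web_xml, jboss_web_xml):
    """Return a list of (code, message) problems; an empty list means the files agree."""
    problems = []
    # 1. jboss-web.xml must point at an application-policy that exists in login-config.xml.
    policies = {p.get("name"): p for p in ET.fromstring(login_config_xml).iter("application-policy")}
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain") or ""
    match = re.fullmatch(r"java:/jaas/(.+)", domain)
    policy = policies.get(match.group(1)) if match else None
    if policy is None:
        problems.append(("policy-mismatch", f"security-domain '{domain}' matches no application-policy"))
    elif not any(o.get("name") == "hashAlgorithm" for o in policy.iter("module-option")):
        problems.append(("cleartext-passwords", "no hashAlgorithm module-option: users file holds cleartext passwords"))
    # 2. Every user listed with roles needs a password entry; collect the roles anyone holds.
    users = parse_properties(users_props)
    held = set()
    for user, roles in parse_properties(roles_props).items():
        if user not in users:
            problems.append(("unknown-user", f"roles file names '{user}', who has no password entry"))
        held.update(r.strip() for r in roles.split(",") if r.strip())
    # 3. web.xml: granted roles must be declared and held; BASIC needs CONFIDENTIAL transport.
    web_app = ET.fromstring(web_xml)
    declared = {rn.text.strip() for sr in web_app.findall("security-role") for rn in sr.findall("role-name")}
    basic = web_app.findtext("login-config/auth-method", "").strip().upper() == "BASIC"
    for sc in web_app.findall("security-constraint"):
        for rn in sc.findall("auth-constraint/role-name"):
            role = rn.text.strip()
            if role != "*" and role not in declared:
                problems.append(("undeclared-role", f"role '{role}' is granted but not declared in security-role"))
            if role != "*" and role not in held:
                problems.append(("unheld-role", f"role '{role}' is granted but assigned to no user"))
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "").strip().upper()
        if basic and guarantee != "CONFIDENTIAL":
            patterns = ", ".join(p.text.strip() for p in sc.findall("web-resource-collection/url-pattern"))
            problems.append(("no-ssl", f"BASIC credentials for {patterns} may travel over cleartext HTTP"))
    if web_app.find("user-data-constraint") is not None:
        problems.append(("misplaced-constraint", "user-data-constraint must be nested inside a security-constraint"))
    return problems


if __name__ == "__main__":
    for label, web in (("web.xml", WEB_XML), ("broken web.xml", BROKEN_WEB_XML)):
        for code, msg in check_access_control(LOGIN_CONFIG_XML, USERS_PROPERTIES, ROLES_PROPERTIES, web, JBOSS_WEB_XML):
            print(f"{label}: [{code}] {msg}")
```

Run against the page's own configuration the only finding is cleartext-passwords, which is the state the text leaves you in; the broken variant additionally reports the misplaced user-data-constraint, the resulting no-ssl exposure and the granted-but-unknown role. To check a real installation, read the five files from the paths given in the text and pass their contents in place of the constructed strings.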
This section is based on the JBoss documentation: Part 1 - Part 2