Security in WS is pretty broad topic(e.g. one way of securing web service is setting it on SSL) - I'm also not an expert but I've got a bit of experience with it. There is someting "WS-Security" and it is a standard established by OASIS(wiki will tell you more about it). On the other hand, you can design security on your own. Considering your question:
When a client invokes a WS method, how do the user credentials get passed along with the method request?
Usually this kind of data is passed in header part of soap message - exact way in which you attach username and password depends on client technology you're using(Jbossws, Axis2 etc.)
I have not seen that specified in WSDLs so is that some SOAP magic between the client/server?
I'm not sure what kind of magic you've got in mind - if you're using WS-Security standard then WS-Policy contains info about it(WS-Policy - another standard - is a document that contains additional settings for certain web service - it can be attached to wsdl or referenced by it)
The credentials would have to be sent with each ensuing WS method call as well, correct?
It can be solved like that but I've seen situations where client was receiving token after first call and later only token was attached to soap(it was valid for one session)
Hope that helps
The token passing may be the "magic" I'm thinking about. Do you happen to know if that is taken care of under the hood, once configured? In other words, if we configure the service/methods to use a token, is there any suppoting code that would need to be developed by the client and/or server or is this taken care of in the WS layer that sits on top of the code.
Thanks (and sorry for proving that "no good deed goes unpunished"!)
I have never used it directly(ws-security) however jboss seems to be supporting most of the oasis standards. I guess that after configuration of ws-security(authentication, authorization, token etc. - in jboss there are special files for that, both on server and client side) client is just passing user credentials in the beggining, after that security is handled by the server/client(it fills soap message with right header parts).
Thanks for the scoop folks!
So if i had multiple web services deployed to a single JBoss AS then could a user use any of the web methods of any of those web services with a single logon. In other words, does JBoss maintain "security sessions" accross web services. Is this the purpose of Security Domains?