Comments on: CXF WS-Security using JSR 181 + Interceptor Annotations (XFire Migration)

By: Nilantha

Nilantha — Wed, 12 Mar 2008 15:14:01 +0000

Thanks for posting this,

I would like to add following…

for those who need to access Spring context in any part of the application including CallbackHanders, this would be helpful

http://www.mail-archive.com/axis-user@ws.apache.org/msg22148.html

please update if you come across any better way of doing that.

Thanks,
Nilantha

By: Sai C

Sai C — Tue, 11 Mar 2008 16:23:45 +0000

I am calling a .Net web service in Java (client)and used the JAXWsProxyFactoryBean by enabling the WSAddressFeature, however, my soap header does not contain a though it prints an element. Could somebody let me know how do I get wsa:action in soap header using CXF API.

Appreciate your help.

Regards,
Sai

By: yulinxp

yulinxp — Thu, 10 Jan 2008 15:45:37 +0000

It will handle PasswordDigest automatically.
For PasswordText, I have to do the comparison and throw exception.

public class ServerPasswordCallback implements CallbackHandler {
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

String strClientPwd = pc.getPassword();
int usage = pc.getUsage();

if(pc.getIdentifer().equals(”joe”)) {

String strServerPwd = “password”;

if(usage == WSPasswordCallback.USERNAME_TOKEN) { //PasswordDigest
pc.setPassword(strServerPwd);

}else if(usage == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) { //PasswordText
pc.setPassword(strServerPwd);

if(!strClientPwd.equalsIgnoreCase(strServerPwd)){ //DIY compare
throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
}
}
}
}
}

By: Arsenalist

Arsenalist — Mon, 07 Jan 2008 17:45:45 +0000

I see what you’re saying and maybe they’ve changed the implementation on the server side however ValidateUserTokenInterceptor was present in the XFire samples and its use was recommended by the committers. I think you also need to look at the source code for the WSS4J class UsernameTokenProcessor to learn more.

Have you tried the case where you specify an invalid username/password or a valid username but an invalid password? Do you still receive the SoapFault?

By: yulinxp

yulinxp — Mon, 07 Jan 2008 17:22:40 +0000

You mention:
Since WSS4J validates a UsernameToken only if it finds a security header we need to cover the case where no security header is specified.

In the following snippet from WSS4JInInterceptor.java
public void handleMessage(SoapMessage msg) throws Fault

if (wsResult == null) { // no security header found
if (doAction == WSConstants.NO_SECURITY) {
return;
} else {
LOG.warning(”Request does not contain required Security header”);
throw new SoapFault(new Message(”NO_SECURITY”, LOG), version.getSender());
}
}

If no security header found, a SoapFault is thrown. In my test, I set WS Security in server but not in client. And my client side does receive that SoapFault. So do we still need ValidateUserTokenInterceptor?

By: Nigel

Nigel — Sat, 10 Nov 2007 09:06:21 +0000

Client Bean

Thanks

By: Nigel

Nigel — Sat, 10 Nov 2007 09:04:18 +0000

Is there an example of a client which is a Spring application, ie

By: Matt Madhavan

Matt Madhavan — Thu, 25 Oct 2007 22:40:59 +0000

Hi,
I am doing java first development. And I obtain my client proxy from the client-beans.xml file.

How do I code my client now when I obtain my client proxy from using spring?

Thanks
Matt

By: Feng

Feng — Fri, 12 Oct 2007 17:03:28 +0000

I am also wondering what if the client is not Java based, say a .NET client, is there any example about integration ?

By: Feng

Feng — Wed, 10 Oct 2007 20:53:29 +0000

Shawn:
I have trouble compile
SportsService_Service service = new SportsService_Service();
May I ask for the wsdl and the command that you use to generate the SportsService_Service class ?
Thanks
Feng