how to add security header in jax-ws request

java spring cxf jax-ws cxf-client
Rostislav V picture Rostislav V · May 31, 2016 · Viewed 8.3k times · Source

I'm creating a jax-ws client with apache cxf. I'm struggling with spring cotext configuration. All I need is to add this header to my soap request:

<soapenv:Header>
  <wsse:Security  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
     <wsse:UsernameToken wsu:Id="usernametoken">
        <wsse:Username>login</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>        
     </wsse:UsernameToken>
  </wsse:Security>

I have three parameters: usernametoken, password, login.

    <jaxws:client id="***" name="***"
              endpointName="***"
              serviceName="***"
              address="***"
              serviceClass="***"
              username="***"
              password="***"
              xmlns:tns="***">
</jaxws:client>

the code above works and sends soap message, but without security header! Could you give me some ideas how to add that header?

Answer

pedrofb picture pedrofb · Jun 1, 2016

Use this configuration

<jaxws:client   etc...>
      <jaxws:outInterceptors>     
       <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
          <constructor-arg>
              <map>
                  <entry key="action" value="UsernameToken"/>
                  <entry key="user" value="login"/>
                  <entry key="passwordType" value="PasswordText"/>
                  <entry key="passwordCallbackRef" value-ref="myPasswordCallback"/>
               </map>
           </constructor-arg>
        </bean>
      </jaxws:outInterceptors>
   </jaxws:client>

   <bean id="myPasswordCallback" class="client.ClientPasswordCallback"/>

And this class to manage the password

public class ClientPasswordCallback implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException, 
            UnsupportedCallbackException {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

        if ("login".equals(pc.getIdentifier())) {
            pc.setPassword("thepassword");
        } // else {...} - can add more users, access DB, etc.
    }
}

If you prefer Java code, also is possible

Client client = ClientProxy.getClient(port);
Endpoint cxfEndpoint = client.getEndpoint();
Map<String,Object> outProps = new HashMap<String,Object>();
outProps.put("action", "UsernameToken");
outProps.put("user", "login");
outProps.put("passwordType","PasswordText");
ClientPasswordCallback c = new ClientPasswordCallback();
outProps.put("passwordCallbackRef",c);

WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
cxfEndpoint.getOutInterceptors().add(wssOut);

Related questions

Concatenate string in spring xml configuration

I need to concatenate the string value of a spring bean, to an existing string, and then set it as an attribute of another bean: <bean id="inet" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"> <property name="…

Read More
How to deal with invalid characters in a WS output when using CXF?

I'm using Spring, CXF and Hibernate to build a WebService that perform search queries on a foreign database that I have read-only access. The problem is that some entries in the database have strange characters (0x2) in text fields, and …

Read More
How to inject ServletContext for JUnit tests with Spring?

I want to unit test a RESTful interface written with Apache CXF. I use a ServletContext to load some resources, so I have: @Context private ServletContext servletContext; If I deploy this on Glassfish, the ServletContext is injected and it works …

Read More