Apache CXF - credentials not being sent from WSS4JOutInterceptor?

java web-services cxf ws-security
bwsmith picture bwsmith · May 6, 2011 · Viewed 16.7k times · Source

I am trying to connect to a web service using WS-Security UsernameToken spec 1.0, using apache cxf 2.4.0.

I've copied the code below from the CXF docs, but am getting: org.apache.cxf.ws.policy.PolicyException: No username available

    MyService_Service ss = new MyService_Service(wsdlURL, SERVICE_NAME);
    MyService port = ss.getBasicHttpBindingMyService ();  


    Client client = ClientProxy.getClient(port);
    Endpoint cxfEndpoint = client.getEndpoint();

    Map<String,Object> outProps = new HashMap<String,Object>();
    outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
    outProps.put(WSHandlerConstants.USER, "USERNAME");
    outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, 
    ClientPasswordHandler.class.getName());

    WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
    cxfEndpoint.getOutInterceptors().add(wssOut);

I've also implemented a ClientPasswordHandler class, again from the docs, but it seems like the username is never sent (according to the error). Here is the password handler:

public class ClientPasswordHandler implements CallbackHandler {
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
    pc.setPassword("Password");     
    }
}

Is there any way to see if the WSS4Jinterceptor is being applied, and the UsernameToken is sent?

Answer

Daniel Kulp picture Daniel Kulp · May 6, 2011

Are you getting the PolicyException on the client side? If so, that likely means the WSDL you are using has a WS-SecucurityPolicy fragment in it that describes the UsernameToken policy that it wants and is expecting. If that's the case, then you shouldn't configure the WSS4JOutInterceptor at all. The WS-Policy runtime will handle it and you just need to provide some properties that it may need.

The docs for the SecurityPolicy stuff are at: http://cxf.apache.org/docs/ws-securitypolicy.html

You likely just need to use:


Map ctx = ((BindingProvider)port).getRequestContext();
ctx.put("ws-security.username", "USERNAME");
ctx.put("ws-security.password", "Password");

Related questions

How do you use TLS/SSL Http Authentication with a CXF client to a web service?

I'm trying to access a web service secured by a certificate. The security is setup on IIS and the web service is behind it. I don't think WS-SECURITY will do this type of authentication. Is there any way to pass …

Read More
How can I add namespace declarations in a SOAPEnvelope

In my soap application, I'm using apache cxf. Here's my code which will submit data to the server. import org.apache.cxf.Bus; import org.apache.cxf.BusFactory; import org.apache.cxf.bus.spring.SpringBusFactory; import org.apache.cxf.endpoint.…

Read More
Read response body in JAX-RS client from a post request

Having some sort of proxy between a mobile app and a web-service, we are puzzled by the response when issuing a post request. We receive response with status 200: OK. But we can not find/extract the JSON response body. Client …

Read More