Posted to users@cxf.apache.org by vickatvuuch <vl...@gmail.com> on 2009/10/20 17:28:59 UTC

java first how-to add WS-Security header to WSDL

Hi All,

I'm trying to put together a java first CXF server with WS-Security.
I have the WSS4JInInterceptor with password callback handling my requests
with clear text pass for now.
Could somebody point me in the right direction regarding two issues I'm
trying to figure out:
1. WSDL header generation, in particular how to add a WS-Security header to a
generated WSDL, any examples?
2. Another question I have is how to handle sessions using CXF; I can't find a
good example on that. The basic idea is to have an Auth port to authenticate a
session/token using WS-Security, have the server return that session/token and
make the client use that for subsequent calls into all other ports.

Thanks,
-Vitaly

Here is the SOAP request with WS-Security which the WSS4JInInterceptor is handling.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:spr="http://spring.demo/">
  <soapenv:Header>
    <wsse:Security
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      soapenv:mustUnderstand="true">
      <wsse:UsernameToken wsu:Id="UsernameToken-799830164">
        <wsse:Username>username</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>

   <soapenv:Body>
      <spr:getDude>
         <!--Optional:-->
         <arg0>1</arg0>
         <!--Optional:-->
         <arg1>2</arg1>
      </spr:getDude>
   </soapenv:Body>
</soapenv:Envelope>

My project is attached.
http://www.nabble.com/file/p25977266/CXFHelloServer.jar CXFHelloServer.jar 
-- 
View this message in context: http://www.nabble.com/java-first-how-to-add-WS-Security-header-to-WSDL-tp25977266p25977266.html
Sent from the cxf-user mailing list archive at Nabble.com.


Re: java first how-to add WS-Security header to WSDL

Posted by vickatvuuch <vl...@gmail.com>.
Thanks Guys.

It seems to me that I need to come up with a custom solution for both of my
problems.
1. To support an Auth port that gives back a token for further reuse, I'm
thinking about making my own Session/token management mechanism based on a
custom Header interceptor, which I would plug in right after
ReadHeadersInterceptor in the read phase.

The question here is where to plug it in if I want all SOAP requests to get
intercepted in one place.
I will have lots of endpoints, and while I'm currently testing it under a
single jaxws endpoint, what I really need is an interceptor shared by all
SOAP endpoints.
I tried to attach it to cxf:bus, but that didn't work, and it's probably not
the correct spot, as the bus gets it all, including REST and, who knows,
maybe JMS later.

2. Adding a custom WSDL header is still open. Also, for #1 above, it will
require a SessionID token to be output in the reply header. I'm looking into
output phase interceptors; can you tell me where you would intercept it such
that I could add something like
<soapenv:Header><Auth><SessionID>LongTokenHere</SessionID></Auth></soapenv:Header>?

Thanks a bunch,
-Vitaly








Re: java first how-to add WS-Security header to WSDL

Posted by Daniel Kulp <dk...@apache.org>.
Ah.  Java first.    Right.   That complicates things quite a bit.  

This will become significantly easier with CXF 2.3 as we've added annotations 
that can be used to attach policies to the java class/methods and such that 
would appear in the WSDL.    But that's 2.3, not 2.2.4. 

For 2.2.3, we did apply a patch that supposedly allows it:
https://issues.apache.org/jira/browse/CXF-2281
but we didn't really get a test case for it so I'm not 100% sure how to 
configure it.

Looking at the code, it LOOKS like it's only configured via the external 
policy attachment spec stuff.   You thus have a file like:

<attachments xmlns:wsp="http://www.w3.org/ns/ws-policy">
    <wsp:PolicyAttachment>
        <wsp:AppliesTo>
            <wsa:EndpointReferenceType xmlns:wsa="http://www.w3.org/2005/08/addressing">
                <wsa:Address>http://x.y.z/GreeterPort</wsa:Address>
            </wsa:EndpointReferenceType>
        </wsp:AppliesTo>
        <wsp:Policy>
           ............
        </wsp:Policy>
    </wsp:PolicyAttachment>    
</attachments>


and then in your spring config, just add:

<p:externalAttachment id="external"
        location="classpath:/blah/blah/attachments.xml"/>

or similar.   Definitely not ideal and it would be good to simplify this quite 
a bit somehow.    (Of course, with 2.3, the annotations simplify it quite a 
bit.)

Dan




On Tue October 20 2009 1:06:01 pm vickatvuuch wrote:
> Hi Dan,
> 
> Thanks for your reply.
> 
> Forgot to mention that I'm building and running on CXF 2.2.4.
> 
> Are you saying, that I can not have generated WSDL to include WSPolicy or
> you are saying that if I configure it CXF will do it automagically? What
> about this note on WS-SecurityPolicy?
> 
> Note: at this point, WS-SecurityPolicy support is ONLY available for "WSDL
> first" scenarios. The WS-SecurityPolicy fragments can only be pulled from
> WSDL. In the future, we plan to enable various code first scenarios as
>  well, but at this time, only WSDL first is available.
> 
> http://cxf.apache.org/docs/ws-securitypolicy.html
> 
> I already tried to specify policy as follows:
> 
>  <wsp:Policy wsu:Id="UsernameToken"
>    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>      <wsp:ExactlyOne>
>      <wsp:All>
>      <sp:SupportingTokens
>        xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>        <wsp:Policy>
>           <sp:UsernameToken
>             sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient" />
>        </wsp:Policy>
>      </sp:SupportingTokens>
>      </wsp:All>
>      </wsp:ExactlyOne>
>   </wsp:Policy>
> 
>   <jaxws:endpoint implementor="#helloWorldServiceBean"
>     address="/v1/soap/HelloWorld">
>     <jaxws:features>
>       <p:policies>
>            <wsp:PolicyReference URI="#UsernameToken"
>              xmlns:wsp="http://www.w3.org/2006/07/ws-policy" />
>       </p:policies>
> 
>     </jaxws:features>
> 
>   </jaxws:endpoint>
> 
> java2ws produced the same WSDL as before - no traces of policy.
> 
> dkulp wrote:
> > On Tue October 20 2009 11:28:59 am vickatvuuch wrote:
> >> Hi All,
> >>
> >> I'm trying to put together a java first CXF server with WS-Security.
> >> I have the WSS4JInInterceptor with password callback handling my
> >> requests with clear text pass for now.
> >> Could somebody point me in the right direction regarding two issues I'm
> >> trying to figure out:
> >> 1. WSDL header generation, in particular how to add a WS-Security header
> >> to a generated WSDL, any examples?
> >
> > Well, in general, you don't.   I've never actually seen that done.
> >
> > For the most part, what you would do is define a WS-SecurityPolicy policy
> > that defines the security constraints and then the various security policy
> > runtimes would interpret that into the required security header.   In your
> > case, the summary would be a TransportBinding/HttpsToken with a
> > UsernameToken SupportingToken.
> >
> > In XML that would be added to the wsdl, it would look like:
> >
> >
> >     <wsp:Policy wsu:Id="ut_policy"
> >         xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> >         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >         <sp:TransportBinding
> >             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >             <wsp:Policy>
> >                 <sp:TransportToken>
> >                     <wsp:Policy>
> >                         <sp:HttpsToken/>
> >                     </wsp:Policy>
> >                 </sp:TransportToken>
> >                 <sp:Layout>
> >                     <wsp:Policy>
> >                         <sp:Strict/>
> >                     </wsp:Policy>
> >                 </sp:Layout>
> >                 <sp:AlgorithmSuite>
> >                     <wsp:Policy>
> >                         <sp:Basic128/>
> >                     </wsp:Policy>
> >                 </sp:AlgorithmSuite>
> >             </wsp:Policy>
> >         </sp:TransportBinding>
> >         <sp:SupportingTokens
> >             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >             <wsp:Policy>
> >                 <sp:UsernameToken
> >                     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> >                     sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
> >                     <wsp:Policy>
> >                         <sp:WssUsernameToken11/>
> >                     </wsp:Policy>
> >                 </sp:UsernameToken>
> >             </wsp:Policy>
> >         </sp:SupportingTokens>
> >     </wsp:Policy>
> >
> > and then add
> > <wsp:PolicyReference
> > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > URI="#ut_policy"/>
> >
> > to the wsdl:service/wsdl:port  for your service.
> >
> > Of course, once you do that with CXF, the SecurityPolicy implementation
> > will probably kick in and process it and you would need to unconfigure the
> > WSS4J interceptors and reconfigure things using the SecurityPolicy
> > constants.   See:
> >
> > http://cxf.apache.org/docs/ws-securitypolicy.html
> >
> > for information.    Oliver Wulff is kind of working on a SecurityPolicy
> > based UsernameToken example:
> > http://www.nabble.com/WS-SecurityPolicy,-UsernamePassword-example-to25958182.html
> >
> >> 2. Another question I have is how to handle sessions using CXF; I can't
> >> find a good example on that. The basic idea is to have an Auth port to
> >> authenticate a session/token using WS-Security, have the server return
> >> that session/token and make the client use that for subsequent calls into
> >> all other ports.
> >
> > Yea.  That's definitely one way to do it.  You would normally define some
> > sort of session object in schema and then reference that schema from the
> > other services and define soap:headers in those WSDLs for the sessions.
> >
> > Dan
> >
> >> Thanks,
> >> -Vitaly
> >>
> >> Here is the SOAP request with WS-Security which the WSS4JInInterceptor is
> >> handling.
> >>
> >> <soapenv:Envelope
> >>   xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> >>   xmlns:spr="http://spring.demo/">
> >>   <soapenv:Header>
> >>     <wsse:Security
> >>       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >>       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >>       soapenv:mustUnderstand="true">
> >>       <wsse:UsernameToken wsu:Id="UsernameToken-799830164">
> >>         <wsse:Username>username</wsse:Username>
> >>         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
> >>       </wsse:UsernameToken>
> >>     </wsse:Security>
> >>   </soapenv:Header>
> >>
> >>    <soapenv:Body>
> >>       <spr:getDude>
> >>          <!--Optional:-->
> >>          <arg0>1</arg0>
> >>          <!--Optional:-->
> >>          <arg1>2</arg1>
> >>       </spr:getDude>
> >>    </soapenv:Body>
> >> </soapenv:Envelope>
> >>
> >> My project is attached.
> >> http://www.nabble.com/file/p25977266/CXFHelloServer.jar
> >> CXFHelloServer.jar
> 

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
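
The symptom reported in this thread ("java2ws produced the same WSDL as before - no traces of policy") and the wsdl:port attachment Dan describes can be checked mechanically. The script below is an added example, not code from the thread or from CXF; it inspects only wsdl:port elements, and the sample WSDL, its port names and the finding labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace URIs that appear in the policy fragments quoted in this thread.
WSP_NS = {
    "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "http://www.w3.org/2006/07/ws-policy",
    "http://www.w3.org/ns/ws-policy",
}
SP_NS = {
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
}
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSU_ID = "{%s}Id" % WSU_NS


def _is(elem, namespaces, local):
    """True if elem is <local> in any of the given namespaces."""
    tag = elem.tag
    if not isinstance(tag, str) or not tag.startswith("{"):
        return False
    ns, name = tag[1:].split("}", 1)
    return ns in namespaces and name == local


def _classify(policies):
    """Label the effective policy of one port."""
    elems = [e for p in policies for e in p.iter()]
    has_ut = any(_is(e, SP_NS, "UsernameToken") for e in elems)
    has_https = any(_is(e, SP_NS, "HttpsToken") for e in elems)
    if not has_ut:
        return "policy-without-username-token"
    # A PasswordText UsernameToken is only protected by the transport,
    # so the policy should also require an HttpsToken.
    return ("username-token-over-https" if has_https
            else "username-token-without-https")


def audit_wsdl(wsdl_text):
    """Return {port name: finding} for every wsdl:port in the document."""
    root = ET.fromstring(wsdl_text)
    # Index every wsp:Policy that carries a wsu:Id so references resolve.
    by_id = {e.get(WSU_ID): e for e in root.iter()
             if _is(e, WSP_NS, "Policy") and e.get(WSU_ID)}
    report = {}
    for port in root.iter("{%s}port" % WSDL_NS):
        attached = [c for c in port if _is(c, WSP_NS, "Policy")]
        refs = [c.get("URI", "") for c in port
                if _is(c, WSP_NS, "PolicyReference")]
        # Only same-document references ("#id") can be resolved here.
        unresolved = [u for u in refs
                      if not u.startswith("#") or u[1:] not in by_id]
        attached += [by_id[u[1:]] for u in refs if u not in unresolved]
        if unresolved:
            finding = "unresolved-reference"
        elif not attached:
            finding = "no-policy"  # what the thread saw from java2ws
        else:
            finding = _classify(attached)
        report[port.get("name")] = finding
    return report


# Constructed sample: a minimal WSDL skeleton with four ports.
SAMPLE_WSDL = """\
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:Policy wsu:Id="ut_policy">
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
    </wsp:Policy></sp:TransportBinding>
    <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
  </wsp:Policy>
  <wsp:Policy wsu:Id="UsernameToken">
    <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
  </wsp:Policy>
  <wsdl:service name="HelloWorldService">
    <wsdl:port name="SecuredPort"><wsp:PolicyReference URI="#ut_policy"/></wsdl:port>
    <wsdl:port name="TokenOnlyPort"><wsp:PolicyReference URI="#UsernameToken"/></wsdl:port>
    <wsdl:port name="DanglingPort"><wsp:PolicyReference URI="#missing"/></wsdl:port>
    <wsdl:port name="GeneratedPort"/>
  </wsdl:service>
</wsdl:definitions>
"""

if __name__ == "__main__":
    for name, finding in audit_wsdl(SAMPLE_WSDL).items():
        print("%-14s %s" % (name, finding))
```
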

Re: AW: java first how-to add WS-Security header to WSDL

Posted by vickatvuuch <vl...@gmail.com>.
Oliver,

It looks like nabble removed your attachment.


Oliver Wulff-2 wrote:
> 
> Hi Vitaly
>  
> I've attached the sample I put together to test this. I've used one of the
> demos from CXF. I made an update in pom (attached) to use the most recent
> snapshot version (2.2.5-SNAPSHOT).
>  
> Some fixes were required:
> https://issues.apache.org/jira/browse/CXF-2479
> https://issues.apache.org/jira/browse/CXF-2480
>  
> HTH
>  
> Thanks
> Oliver
> 
> <!--
>   Licensed to the Apache Software Foundation (ASF) under one
>   or more contributor license agreements. See the NOTICE file
>   distributed with this work for additional information
>   regarding copyright ownership. The ASF licenses this file
>   to you under the Apache License, Version 2.0 (the
>   "License"); you may not use this file except in compliance
>   with the License. You may obtain a copy of the License at
>  
>   http://www.apache.org/licenses/LICENSE-2.0
>  
>   Unless required by applicable law or agreed to in writing,
>   software distributed under the License is distributed on an
>   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>   KIND, either express or implied. See the License for the
>   specific language governing permissions and limitations
>   under the License.
> -->
> <project xmlns="http://maven.apache.org/POM/4.0.0"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
> http://maven.apache.org/maven-v4_0_0.xsd">
>     <modelVersion>4.0.0</modelVersion>
>     <groupId>org.apache.cxf.samples</groupId>
>     <artifactId>wsdl_first_https</artifactId>
>     <version>1.0</version>
>     <name>WSDL first demo using HTTPS</name>
>     <properties>
>         <cxf.version>2.2.5-SNAPSHOT</cxf.version>
>     </properties>
>     <build>
>         <sourceDirectory>src</sourceDirectory>
>         <plugins>
>             <plugin>
>                 <artifactId>maven-compiler-plugin</artifactId>
>                 <configuration>
>                     <source>1.5</source> 
>                     <target>1.5</target>
>                 </configuration>
>             </plugin>
>             <plugin>
>                 <groupId>org.apache.cxf</groupId>
>                 <artifactId>cxf-codegen-plugin</artifactId>
>                 <version>LATEST</version>
>                 <executions>
>                     <execution>
>                         <id>generate-sources</id>
>                         <phase>generate-sources</phase>
>                         <configuration>
>                             <wsdlOptions>
>                                 <wsdlOption>
>                                     <wsdl>${basedir}/wsdl/hello_world.wsdl</wsdl>
>                                 </wsdlOption>
>                             </wsdlOptions>
>                         </configuration>
>                         <goals>
>                             <goal>wsdl2java</goal>
>                         </goals>
>                     </execution>
>                </executions>
>            </plugin>
>            <plugin>
>                 <artifactId>maven-antrun-plugin</artifactId>
>                 <executions>
>                     <execution>
>                         <id>copyxmlfiles</id>
>                         <phase>generate-sources</phase>
>                         <goals>
>                             <goal>run</goal>
>                         </goals>
>                         <configuration>
>                             <tasks>
>                                 <copy file="${basedir}/src/demo/hw_https/server/CherryServer.xml"
>                                       todir="${basedir}/target/classes/demo/hw_https/server"/>
>                                 <copy file="${basedir}/src/demo/hw_https/client/WibbleClient.xml"
>                                       todir="${basedir}/target/classes/demo/hw_https/client"/>
>                                 <copy file="${basedir}/src/demo/hw_https/client/InsecureClient.xml"
>                                       todir="${basedir}/target/classes/demo/hw_https/client"/>
>                                 <copy todir="${basedir}/target/classes/certs">
>                                     <fileset dir="${basedir}/certs"/>
>                                 </copy>
>                             </tasks>
>                         </configuration>
>                     </execution>
>                 </executions>
>             </plugin>
>        </plugins>
>     </build>   
>     <profiles>
>         <profile>
>             <id>server</id>
>             <build>
>                 <defaultGoal>test</defaultGoal>
>                 <plugins>
>                     <plugin>
>                         <groupId>org.codehaus.mojo</groupId>
>                         <artifactId>exec-maven-plugin</artifactId>
>                         <executions>
>                             <execution>
>                                 <phase>test</phase>
>                                 <goals>
>                                     <goal>exec</goal>
>                                 </goals>
>                                 <configuration>
>                                     <executable>java</executable>
>                                     <arguments>
>                                         <argument>-classpath</argument>
>                                         <classpath/>
>                                         <argument>demo.hw_https.server.Server</argument>
>                                     </arguments>
>                                 </configuration>
>                             </execution>
>                         </executions>
>                     </plugin>
>                 </plugins>
>             </build>
>         </profile>
>         <profile>
>             <id>insecure.client</id>
>             <build>
>                 <defaultGoal>test</defaultGoal>
>                 <plugins>
>                     <plugin>
>                         <groupId>org.codehaus.mojo</groupId>
>                         <artifactId>exec-maven-plugin</artifactId>
>                         <executions>
>                             <execution>
>                                 <phase>test</phase>
>                                 <goals>
>                                     <goal>java</goal>
>                                 </goals>
>                                 <configuration>
>                                     <mainClass>demo.hw_https.client.Client</mainClass>
>                                     <arguments>
>                                         <argument>${basedir}/wsdl/hello_world.wsdl</argument>
>                                         <argument>insecure</argument>
>                                    </arguments>
>                                </configuration>
>                            </execution>
>                        </executions>
>                    </plugin>
>                </plugins>
>            </build>
>         </profile>
>         <profile>
>             <id>secure.client</id>
>             <build>
>                 <defaultGoal>test</defaultGoal>
>                 <plugins>
>                     <plugin>
>                         <groupId>org.codehaus.mojo</groupId>
>                         <artifactId>exec-maven-plugin</artifactId>
>                         <executions>
>                             <execution>
>                                 <phase>test</phase>
>                                 <goals>
>                                     <goal>java</goal>
>                                 </goals>
>                                 <configuration>
>                                     <mainClass>demo.hw_https.client.Client</mainClass>
>                                     <arguments>
>                                         <argument>${basedir}/wsdl/hello_world.wsdl</argument>
>                                         <argument>secure</argument>
>                                    </arguments>
>                                </configuration>
>                            </execution>
>                        </executions>
>                    </plugin>
>                </plugins>
>            </build>
>         </profile>
>     </profiles>
>     <repositories>
>         <repository>
>             <id>apache-snapshots</id>
>             <name>Apache Snapshot Repository</name>
>             <url>http://people.apache.org/repo/m2-snapshot-repository/</url>
>             <snapshots>
>                 <enabled>true</enabled>
>             </snapshots>
>         </repository>
>         <repository>
>             <id>apache-incubating</id>
>             <name>Apache Incubating Repository</name>
>             <url>http://people.apache.org/repo/m2-incubating-repository/</url>
>         </repository>
>         <repository>
>             <id>apache-snapshots2</id>
>             <name>Apache Snapshot Repository</name>
>             <url>http://repository.apache.org/content/groups/snapshots-group/</url>
>         </repository>
>         <!-- for jaxb-impl -->
>         <repository>
>             <id>java.net</id>
>             <url>http://download.java.net/maven/1/</url>
>             <layout>legacy</layout>
>         </repository>
>     </repositories>
>     <pluginRepositories>
>         <pluginRepository>
>             <id>apache-plugin-snapshots</id>
>             <name>Apache Maven Plugin Snapshots</name>
>             <url>http://people.apache.org/repo/m2-snapshot-repository</url>
>             <releases>
>                 <enabled>false</enabled>
>             </releases>
>             <snapshots>
>                 <enabled>true</enabled>
>             </snapshots>
>         </pluginRepository>
>         <pluginRepository>
>             <id>apache-plugin-incubating</id>
>             <name>Apache Plugin Incubating Repository</name>
>             <url>http://people.apache.org/repo/m2-incubating-repository/</url>
>         </pluginRepository>
>     </pluginRepositories>
>     <dependencies>
>         <dependency>
>             <groupId>org.apache.cxf</groupId>
>             <artifactId>cxf-rt-frontend-jaxws</artifactId>
>             <version>${cxf.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>org.apache.cxf</groupId>
>             <artifactId>cxf-rt-transports-http</artifactId>
>             <version>${cxf.version}</version>
>         </dependency>
>         <dependency>
>              <groupId>org.apache.cxf</groupId>
>              <artifactId>cxf-rt-transports-http-jetty</artifactId>
>              <version>${cxf.version}</version>
>        </dependency>
>        
>        <dependency>
>             <groupId>org.apache.cxf</groupId>
>             <artifactId>cxf-rt-ws-security</artifactId>
>             <version>${cxf.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>org.apache.cxf</groupId>
>             <artifactId>cxf-rt-ws-policy</artifactId>
>             <version>${cxf.version}</version>
>         </dependency>
>    </dependencies>
> </project>
> 
> 

-- 
View this message in context: http://www.nabble.com/java-first-how-to-add-WS-Security-header-to-WSDL-tp25977266p25979600.html
Sent from the cxf-user mailing list archive at Nabble.com.


AW: java first how-to add WS-Security header to WSDL

Posted by Oliver Wulff <ow...@progress.com>.
Hi Vitaly
 
I've attached the sample I put together to test this. I've used one of the demos from CXF. I made an update in pom (attached) to use the most recent snapshot version (2.2.5-SNAPSHOT).
 
Some fixes were required:
https://issues.apache.org/jira/browse/CXF-2479
https://issues.apache.org/jira/browse/CXF-2480
 
HTH
 
Thanks
Oliver

________________________________

From: vickatvuuch [mailto:vlisovsky@gmail.com]
Sent: Tue 20.10.2009 19:06
To: users@cxf.apache.org
Subject: Re: java first how-to add WS-Security header to WSDL




Hi Dan,

Thanks for your reply.

Forgot to mention that I'm building and running on CXF 2.2.4.

Are you saying, that I can not have generated WSDL to include WSPolicy or
you are saying that if I configure it CXF will do it automagically? What
about this note on WS-SecurityPolicy?

Note: at this point, WS-SecurityPolicy support is ONLY available for "WSDL
first" scenarios. The WS-SecurityPolicy fragments can only be pulled from
WSDL. In the future, we plan to enable various code first scenarios as well,
but at this time, only WSDL first is available.

http://cxf.apache.org/docs/ws-securitypolicy.html

I already tried to specify policy as follows:

 <wsp:Policy wsu:Id="UsernameToken"
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
     <wsp:ExactlyOne>
     <wsp:All>
     <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
       <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
       </wsp:Policy>
     </sp:SupportingTokens>
     </wsp:All>
     </wsp:ExactlyOne>
  </wsp:Policy>

  <jaxws:endpoint implementor="#helloWorldServiceBean"
    address="/v1/soap/HelloWorld">
    <jaxws:features>
      <p:policies>
           <wsp:PolicyReference URI="#UsernameToken"
             xmlns:wsp="http://www.w3.org/2006/07/ws-policy" />
      </p:policies>
     
    </jaxws:features>

  </jaxws:endpoint>

java2ws produced the same WSDL as before - no traces of policy.


dkulp wrote:
>
> On Tue October 20 2009 11:28:59 am vickatvuuch wrote:
>> Hi All,
>>
>> I'm trying to put together a java first CXF server with WS-Security.
>> I have the WSS4JInInterceptor with password callback handling my requests
>> with clear text pass for now.
>> Could somebody point me into a right direction regarding two issues I'm
>> trying to figure out:
>> 1. WSDL header generation, in particular how to add WS-Security header to a
>> generated WSDL, any examples?
>
> Well, in general, you don't.   I've never actually seen that done.  
>
> For the most part, what you would do is define a WS-SecurityPolicy policy that
> defined the security constraints and then the various security policy runtimes
> would interpret that into the required security header.   In your case, the
> summary would be a TransportBinding/HttpsToken with a UsernameToken
> SupportingToken.
>
> In XML that would be added to the wsdl, it would look like:
>
>
>     <wsp:Policy wsu:Id="ut_policy"
>         xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>         <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <wsp:Policy>
>                 <sp:TransportToken>
>                     <wsp:Policy>
>                         <sp:HttpsToken/>
>                     </wsp:Policy>
>                 </sp:TransportToken>
>                 <sp:Layout>
>                     <wsp:Policy>
>                         <sp:Strict/>
>                     </wsp:Policy>
>                 </sp:Layout>
>                 <sp:AlgorithmSuite>
>                     <wsp:Policy>
>                         <sp:Basic128/>
>                     </wsp:Policy>
>                 </sp:AlgorithmSuite>
>             </wsp:Policy>
>         </sp:TransportBinding>
>         <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <wsp:Policy>
>                 <sp:UsernameToken xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
>                     sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>                     <wsp:Policy>
>                         <sp:WssUsernameToken11/>
>                     </wsp:Policy>
>                 </sp:UsernameToken>
>             </wsp:Policy>
>         </sp:SupportingTokens>
>     </wsp:Policy>
>
> and then add
> <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>     URI="#ut_policy"/>
>
> to the wsdl:service/wsdl:port  for your service.
>
> Of course, once you do that with CXF, the SecurityPolicy implementation will
> probably kick in and process it and you would need to unconfigure the WSS4J
> interceptors and reconfigure things using the SecurityPolicy constants. See:
>
> http://cxf.apache.org/docs/ws-securitypolicy.html
>
> for information.    Oliver Wulff is kind of working on a SecurityPolicy based
> UsernameToken example:
> http://www.nabble.com/WS-SecurityPolicy,-UsernamePassword-example-to25958182.html
>
>> 2. Another question I have is how to handle sessions using CXF, can't find
>>  a good example on that.. Basic idea is to have a Auth port to authenticate
>>  a session/token using WS-Security, have server return that session/token
>>  and make client use that for subsequent calls into all other ports.
>
> Yea.  That's definitely one way to do it.  You would normally define some sort
> of session object in schema and then reference that schema from the other
> services and define soap:headers in those WSDL's for the sessions.
>
> Dan
>
>
>>
>> Thanks,
>> -Vitaly
>>
>> Here is SOAP request with WS-Security which WSS4JInInterceptor is handling.
>>
>> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>>   xmlns:spr="http://spring.demo/">
>>   soap:mustUnderstand="1">
>>   <soapenv:Header>
>>     <wsse:Security
>>       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>       soapenv:mustUnderstand="true">
>>       <wsse:UsernameToken wsu:Id="UsernameToken-799830164">
>>         <wsse:Username>username</wsse:Username>
>>         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
>>       </wsse:UsernameToken>
>>     </wsse:Security>
>>   </soapenv:Header>
>>
>>    <soapenv:Body>
>>       <spr:getDude>
>>          <!--Optional:-->
>>          <arg0>1</arg0>
>>          <!--Optional:-->
>>          <arg1>2</arg1>
>>       </spr:getDude>
>>    </soapenv:Body>
>> </soapenv:Envelope>
>>
>> My project is attached.
>> http://www.nabble.com/file/p25977266/CXFHelloServer.jar CXFHelloServer.jar
>>
>
> --
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
>
>

--
View this message in context: http://www.nabble.com/java-first-how-to-add-WS-Security-header-to-WSDL-tp25977266p25978891.html
Sent from the cxf-user mailing list archive at Nabble.com.




Re: java first how-to add WS-Security header to WSDL

Posted by vickatvuuch <vl...@gmail.com>.
Hi Dan,

Thanks for your reply.

Forgot to mention that I'm building and running on CXF 2.2.4.

Are you saying, that I can not have generated WSDL to include WSPolicy or
you are saying that if I configure it CXF will do it automagically? What
about this note on WS-SecurityPolicy?

Note: at this point, WS-SecurityPolicy support is ONLY available for "WSDL
first" scenarios. The WS-SecurityPolicy fragments can only be pulled from
WSDL. In the future, we plan to enable various code first scenarios as well,
but at this time, only WSDL first is available.

http://cxf.apache.org/docs/ws-securitypolicy.html

I already tried to specify policy as follows:

 <wsp:Policy wsu:Id="UsernameToken"
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
     <wsp:ExactlyOne>
     <wsp:All>
     <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
       <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
       </wsp:Policy>
     </sp:SupportingTokens>
     </wsp:All>
     </wsp:ExactlyOne>
  </wsp:Policy>

  <jaxws:endpoint implementor="#helloWorldServiceBean"
    address="/v1/soap/HelloWorld">
    <jaxws:features>
      <p:policies>
           <wsp:PolicyReference URI="#UsernameToken"
             xmlns:wsp="http://www.w3.org/2006/07/ws-policy" />
      </p:policies>
      
    </jaxws:features> 

  </jaxws:endpoint>

java2ws produced the same WSDL as before - no traces of policy.


dkulp wrote:
> 
> On Tue October 20 2009 11:28:59 am vickatvuuch wrote:
>> Hi All,
>> 
>> I'm trying to put together a java first CXF server with WS-Security.
>> I have the WSS4JInInterceptor with password callback handling my requests
>> with clear text pass for now.
>> Could somebody point me into a right direction regarding two issues I'm
>> trying to figure out:
>> 1. WSDL header generation, in particular how to add WS-Security header to a
>> generated WSDL, any examples?
> 
> Well, in general, you don't.   I've never actually seen that done.   
> 
> For the most part, what you would do is define a WS-SecurityPolicy policy that
> defined the security constraints and then the various security policy runtimes
> would interpret that into the required security header.   In your case, the
> summary would be a TransportBinding/HttpsToken with a UsernameToken
> SupportingToken.
>
> In XML that would be added to the wsdl, it would look like:
> 
> 
>     <wsp:Policy wsu:Id="ut_policy"
>         xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>         <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <wsp:Policy>
>                 <sp:TransportToken>
>                     <wsp:Policy>
>                         <sp:HttpsToken/>
>                     </wsp:Policy>
>                 </sp:TransportToken>
>                 <sp:Layout>
>                     <wsp:Policy>
>                         <sp:Strict/>
>                     </wsp:Policy>
>                 </sp:Layout>
>                 <sp:AlgorithmSuite>
>                     <wsp:Policy>
>                         <sp:Basic128/>
>                     </wsp:Policy>
>                 </sp:AlgorithmSuite>
>             </wsp:Policy>
>         </sp:TransportBinding>
>         <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <wsp:Policy>
>                 <sp:UsernameToken xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
>                     sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>                     <wsp:Policy>
>                         <sp:WssUsernameToken11/>
>                     </wsp:Policy>
>                 </sp:UsernameToken>
>             </wsp:Policy>
>         </sp:SupportingTokens>
>     </wsp:Policy>
>
> and then add
> <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>     URI="#ut_policy"/>
> 
> to the wsdl:service/wsdl:port  for your service.
> 
> Of course, once you do that with CXF, the SecurityPolicy implementation will
> probably kick in and process it and you would need to unconfigure the WSS4J
> interceptors and reconfigure things using the SecurityPolicy constants. See:
>
> http://cxf.apache.org/docs/ws-securitypolicy.html
>
> for information.    Oliver Wulff is kind of working on a SecurityPolicy based
> UsernameToken example:
> http://www.nabble.com/WS-SecurityPolicy,-UsernamePassword-example-to25958182.html
> 
>> 2. Another question I have is how to handle sessions using CXF, can't find
>>  a good example on that.. Basic idea is to have a Auth port to authenticate
>>  a session/token using WS-Security, have server return that session/token
>>  and make client use that for subsequent calls into all other ports.
>
> Yea.  That's definitely one way to do it.  You would normally define some sort
> of session object in schema and then reference that schema from the other
> services and define soap:headers in those WSDL's for the sessions.
> 
> Dan
> 
> 
>> 
>> Thanks,
>> -Vitaly
>> 
>> Here is SOAP request with WS-Security which WSS4JInInterceptor is handling.
>>
>> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>>   xmlns:spr="http://spring.demo/">
>>   soap:mustUnderstand="1">
>>   <soapenv:Header>
>>     <wsse:Security
>>       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>       soapenv:mustUnderstand="true">
>>       <wsse:UsernameToken wsu:Id="UsernameToken-799830164">
>>         <wsse:Username>username</wsse:Username>
>>         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
>>       </wsse:UsernameToken>
>>     </wsse:Security>
>>   </soapenv:Header>
>> 
>>    <soapenv:Body>
>>       <spr:getDude>
>>          <!--Optional:-->
>>          <arg0>1</arg0>
>>          <!--Optional:-->
>>          <arg1>2</arg1>
>>       </spr:getDude>
>>    </soapenv:Body>
>> </soapenv:Envelope>
>> 
>> My project is attached.
>> http://www.nabble.com/file/p25977266/CXFHelloServer.jar CXFHelloServer.jar
>> 
> 
> -- 
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
> 
> 

-- 
View this message in context: http://www.nabble.com/java-first-how-to-add-WS-Security-header-to-WSDL-tp25977266p25978891.html
Sent from the cxf-user mailing list archive at Nabble.com.
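
The two policies in the message above differ in what they require of the transport: the one tried in the Spring configuration asks only for a UsernameToken, while the one quoted from Dan's reply also binds it to HTTPS, which matters while the password travels as PasswordText. The check below is an added example, not code from the thread or from CXF; it embeds abridged copies of both policies (the `xmlns:wsp` on the second is an assumption, since the post does not show that declaration) and its function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy namespaces seen in the thread (2005/07 and 200702).
SP_NS = {"http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
         "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"}

# Abridged copy of the policy from Dan's reply (TransportBinding + UsernameToken).
HTTPS_POLICY = """
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <sp:TransportBinding><wsp:Policy>
    <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:TransportBinding>
  <sp:SupportingTokens><wsp:Policy>
    <sp:UsernameToken><wsp:Policy><sp:WssUsernameToken11/></wsp:Policy></sp:UsernameToken>
  </wsp:Policy></sp:SupportingTokens>
</wsp:Policy>"""

# Abridged copy of the policy tried in the Spring config. The xmlns:wsp value
# is an assumption (copied from the PolicyReference shown in the post).
TOKEN_ONLY_POLICY = """
<wsp:Policy xmlns:wsp="http://www.w3.org/2006/07/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne><wsp:All>
    <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""


def split_tag(tag):
    """Split an ElementTree tag '{namespace}local' into (namespace, local)."""
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local


def sp_paths(elem, trail=()):
    """Yield the chain of sp: assertion names down to each assertion,
    ignoring the wsp:Policy / ExactlyOne / All wrappers in between."""
    ns, local = split_tag(elem.tag)
    if ns in SP_NS:
        trail += (local,)
        yield trail
    for child in elem:
        yield from sp_paths(child, trail)


def alternatives(policy):
    """Each wsp:All under a top-level wsp:ExactlyOne is one alternative; a
    compact policy without ExactlyOne is a single alternative. Nested
    ExactlyOne elements are not expanded here."""
    alts = [a for c in policy if split_tag(c.tag)[1] == "ExactlyOne" for a in c]
    return alts or [policy]


def audit_policy(policy_xml):
    """Return the 1-based numbers of the alternatives that ask for a
    UsernameToken without also requiring TransportBinding/HttpsToken."""
    weak = []
    for number, alt in enumerate(alternatives(ET.fromstring(policy_xml)), 1):
        paths = set(sp_paths(alt))
        wants_token = any(p[-1] == "UsernameToken" for p in paths)
        needs_tls = ("TransportBinding", "TransportToken", "HttpsToken") in paths
        if wants_token and not needs_tls:
            weak.append(number)
    return weak


if __name__ == "__main__":
    for name, xml in (("https", HTTPS_POLICY), ("token-only", TOKEN_ONLY_POLICY)):
        print(name, "alternatives lacking an HTTPS requirement:", audit_policy(xml))
```

A client may satisfy any one alternative, so a policy is reported as soon as a single alternative accepts the token without the HTTPS requirement.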