You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2012/05/05 18:48:36 UTC

svn commit: r815904 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-security.html

Author: buildbot
Date: Sat May  5 16:48:35 2012
New Revision: 815904

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/ws-security.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/ws-security.html
==============================================================================
--- websites/production/cxf/content/docs/ws-security.html (original)
+++ websites/production/cxf/content/docs/ws-security.html Sat May  5 16:48:35 2012
@@ -480,6 +480,10 @@ outProps.put(WSHandlerConstants.ACTION, 
 
 <p><a shape="rect" class="external-link" href="http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/" rel="nofollow">Here is an example</a> of WS-Security implemented using annotations for interceptors (uses UsernameToken).</p>
 
+<h3><a shape="rect" name="WS-Security-WSSecurityUsernameTokenandCustomAuthentication"></a>WS-Security UsernameToken and Custom Authentication</h3>
+
+<p>If needed, one may want to configure a jaxws:endpoint with a "ws-security.validate.token" property set to false and register a custom org.apache.cxf.interceptor.security.AbstractUsernameTokenInInterceptor implementation for using a WSS4J UsernameToken wrapped in a CXF specific UsernameToken for the custom authentication and Subject creation. The JAASLoginInterceptor will also recognize a CXF UsernameToken and thus can be used instead of the custom org.apache.cxf.interceptor.security.AbstractUsernameTokenInterceptor.  (Prior to CXF 2.4.0, use "ws-security.ut.no-callbacks" instead of "ws-security.validate.token" with the value of true instead of false to  postpone the validation of the token.)</p>
+
 <h2><a shape="rect" name="WS-Security-UsingX.509Certificates"></a>Using X.509 Certificates</h2>
 
 <p>The X.509 Certificate Token Profile (<a shape="rect" class="external-link" href="http://www.oasis-open.org/committees/download.php/16785/wss-v1.1-spec-os-x509TokenProfile.pdf" rel="nofollow">pdf</a>) provides another option for implementing WS-Security.  For the Signature and Encryption actions, you'll need to create a public &amp; private key for the entities involved.  You can generate a self-signed key pair for your development environment via the following steps.  Keep in mind these will not be signed by an external authority like Verisign, so are inappropriate for production use.</p>