Posted to users@cxf.apache.org by pep25abril <pe...@gmail.com> on 2013/05/28 17:29:45 UTC

WS Security in CXF 2.4 vs 2.3

Hi everyone,

I'm developing a WS with CXF v2.3 and WS-Security with Username & Password
policy, that I've checked that works properly with CXF v2.4 but not in v2.3.
Of course I've seen all docs placed on Apache CXF website in relation to
this topic, and the most interesting information I find is found on the
website
http://coheigea.blogspot.com.es/2011/02/wspasswordcallback-changes-in-wss4j-16.html,
explaining the changes applied in wss4j v1.5 to v1.6, that is the same as
the library changed in CXF v2.3 and v2.4. I'm not sure if because of these I
should change my configuration file in some way, depending on the version
used...

Specifically, I have the following files on my project:

beans.xml:
<?xml version="1.0" encoding="UTF-8"?>	
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:cxf="http://cxf.apache.org/core"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:sec="http://cxf.apache.org/configuration/security"
  xmlns:http="http://cxf.apache.org/transports/http/configuration"
  xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
  xmlns:jaxws="http://cxf.apache.org/jaxws"
  xsi:schemaLocation="
            http://cxf.apache.org/core
            http://cxf.apache.org/schemas/core.xsd 
            http://cxf.apache.org/configuration/security  		      
            http://cxf.apache.org/schemas/configuration/security.xsd
            http://cxf.apache.org/jaxws
            http://cxf.apache.org/schemas/jaxws.xsd
            http://cxf.apache.org/transports/http/configuration
            http://cxf.apache.org/schemas/configuration/http-conf.xsd
            http://cxf.apache.org/transports/http-jetty/configuration
            http://cxf.apache.org/schemas/configuration/http-jetty.xsd
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

    
    <import resource="classpath:META-INF/cxf/cxf.xml" />
    <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
    <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
	
	<cxf:bus>
        <cxf:features>
            <cxf:logging/>
        </cxf:features>
	</cxf:bus>
	
	<jaxws:endpoint id="server"
		endpointName="s:IfuncionessformswsPort"
		serviceName="s:Ifuncionessformsws"
		implementor="es.servef.comuns.webservices.funcionessforms.IfuncionessformswsPortTypeImpl"
		address="/IfuncionessformswsPort"
		depends-on="ClientAuthHttpsSettings"
		wsdlLocation="Ifuncionessformsws.wsdl"
		xmlns:s="http://funcionessforms.webservices.comuns.servef.es/">
		<jaxws:properties>
			<entry key="ws-security.callback-handler"
				value="es.servef.comuns.webservices.funcionessforms.ServerPasswordCallback"/>
		</jaxws:properties>
	</jaxws:endpoint>
	
	<httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
		<httpj:engine port="8443">
	        <httpj:tlsServerParameters>
	            <sec:clientAuthentication want="true"
	                required="true" />
	        </httpj:tlsServerParameters>
	 	</httpj:engine>        	
	</httpj:engine-factory>
	  		
</beans>

---

WSDL settings (only service and policy):

...
  <wsdl:service name="Ifuncionessformsws">
    <wsdl:port binding="tns:IfuncionessformswsSoapBinding"
               name="IfuncionessformswsPort">
      <soap:address
          location="https://localhost:8443/testWsCxfMavenFuncionsSformsPolitica/services/IfuncionessformswsPort"/>
      <wsp:PolicyReference URI="#listassformswspolicy"/>
    </wsdl:port>
  </wsdl:service>
	<wsp:Policy wsu:Id="listassformswspolicy">
		<wsp:ExactlyOne>
			<wsp:All>
				<sp:SupportingTokens>
					<wsp:Policy>
						<sp:UsernameToken
							sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
							<wsp:Policy>
								<sp:WssUsernameToken11/>
							</wsp:Policy>
						</sp:UsernameToken>
					</wsp:Policy>
				</sp:SupportingTokens>
			</wsp:All>
		</wsp:ExactlyOne>
	</wsp:Policy>  
...

---

server.java:

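import java.net.URL;

import org.apache.cxf.Bus;
import org.apache.cxf.bus.spring.SpringBusFactory;

public class IfuncionessformswsPortType_IfuncionessformswsPort_Server {

    protected IfuncionessformswsPortType_IfuncionessformswsPort_Server() throws Exception {
        System.out.println("Starting Server");

        // Build the CXF bus from the Spring configuration and make it the default bus
        SpringBusFactory bf = new SpringBusFactory();
        URL busFile = IfuncionessformswsPortType_IfuncionessformswsPort_Server.class
                .getResource("WEB-INF/beans.xml");
        Bus bus = bf.createBus(busFile.toString());
        bf.setDefaultBus(bus);
    }

    public static void main(String args[]) throws Exception {
        new IfuncionessformswsPortType_IfuncionessformswsPort_Server();
        System.out.println("Server ready...");

        // Keep the server up for five minutes, then exit
        Thread.sleep(5 * 60 * 1000);
        System.out.println("Server exiting");
        System.exit(0);
    }
}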

---

and ServerPasswordCallback:

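import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ServerPasswordCallback implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
        // Debug trace: prints the user name and the clear-text password held by the callback
        System.out.println("pc.getIdentifier() = " + pc.getIdentifier()
                + ", pc.getPassword() = " + pc.getPassword());

        // Accept only user "joe" with the expected password
        if ("joe".equals(pc.getIdentifier())) {
            if (!pc.getPassword().equals("joespassword")) {
                throw new IOException("wrong password");
            }
        } else {
            throw new UnsupportedCallbackException(callbacks[0], "check failed");
        }
    }
}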

Testing this, I have seen that System.out in ServerPasswordCallback appears
while using CXF v2.4 but not v2.3... Maybe it doesn't link the beans.xml
configuration file with the callback class for some reason? In a sample from
CXF distribution v2.3 (ws_security\ut_policy\src\demo\wssec\server), it's
done also in this way.

Any idea?

Thanks in advance,

Josep



--
View this message in context: http://cxf.547215.n5.nabble.com/WS-Security-in-CXF-2-4-vs-2-3-tp5728447.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: WS Security in CXF 2.4 vs 2.3

Posted by Colm O hEigeartaigh <co...@apache.org>.
Can you supply a test-case that reproduces the problem?

Colm.


On Tue, May 28, 2013 at 5:00 PM, Josep A. Perales <pe...@gmail.com> wrote:

> Thanks for the answer Colm, but I tested this using CXF 2.7 and it works
> perfectly, the same as v2.4. The problem of this, is the client requirement
> who in principle needs to use CXF 2.3 for client and server...



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: WS Security in CXF 2.4 vs 2.3

Posted by "Josep A. Perales" <pe...@gmail.com>.
Thanks for the answer Colm, but I tested this using CXF 2.7 and it works
perfectly, the same as v2.4. The problem of this, is the client requirement
who in principle needs to use CXF 2.3 for client and server...




Re: WS Security in CXF 2.4 vs 2.3

Posted by Colm O hEigeartaigh <co...@apache.org>.
Neither CXF 2.3 nor 2.4 are supported any more. Could you try instead with
one of the latest 2.6 or 2.7 releases?

https://cxf.apache.org/download.html

Colm.




