You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by Daniel Kulp <dk...@apache.org> on 2009/08/10 17:09:53 UTC
Re: Adding Elements to WS-Security Header .... WSS4JOutInterceptor, SAAJOutInterceptor
Does your custom element go INTO the security header or go before the security header?
If it's the latter, check the faq:
http://cxf.apache.org/faq.html#FAQ-HowcanIaddsoapheaderstotherequest%25252Fresponse%25253F
That can also work for the former case. If you add a header with the proper "security" name, the wss4j interceptor will use the existing security header (and
add stuff to it) instead of adding a second.
Dan
On Fri August 7 2009 3:42:19 pm R1ch wrote:
> CXF 2.2 and WSS4J 1.5.8
>
> Hello all,
> I have a working webservice configured with WSS4JOutInterceptor to insert a
> signed SAML token.
> Now I'm trying to insert an Element before the signature occurs so that my
> Element is also signed.
>
> I tried two different ways and both are not resulting in what I need.
> ==========================================================================
> 1) did something similar to
>
> public class myInterceptor extends WSS4JOutInterceptor {
> handleMessage(SoapMessage mc) {
> SOAPMessage soapMsg = myElement();
> mc.setContent(SOAPMessage.class, soapMsg);
> super.handleMessage(mc);
> }
> }
> this throws an exception, dont have it right now but can reproduce if some
> needs to see it.
> If I place the super.handleMessage(mc); before my code, (before the
> myElement()) there is no error
> but my element is not in the final soap message.
>
> Then I noticed that WSS4JOutInterceptor.handleMessage(SoapMessage mc) has
> if (mc.getContent(SOAPMessage.class) == null) {
> saajOut.handleMessage(mc);
> }
> So I thought that I can't add SOAPMessage content. so I came up with the
> next try
>
> ==========================================================================
> 2) I did something almost exactly to what WSS4JOutInterceptor has, i.e use
> an internal interceptor
> with phase.USER_PROTOCOL. The WSS4JOutInterceptorInternal is
> Phase.POST_PROTOCOL so i figured
> if mine was before the post it would work.
>
> public class myInterceptor extends WSS4JOutInterceptor {
>
> final class myInternal implements PhaseInterceptor<SoapMessage> {
> handleMessage(SoapMessage mc) {
> SOAPMessage soapMsg = myElement();
> mc.setContent(SOAPMessage.class, soapMsg);
> super.handleMessage(mc);
> }
> }
> }
>
> Well, my element is in the final SOAP message but it is not signed and my
> <BODY> was actually empty
> not what the webservice returns.
> ==========================================================================
>
> So I was going to try and my Element to the message as XMLStreamWriter
> content but I noticed that
> SAAJOutInterceptor.handleMessage(SoapMessage message) replaces that with
> W3CDOMStreamWriter
>
> 1. My first question is how do I get my element signed?
> 2. What is the correct way to add content, is it mc.setContent() or do I
> mc.getContent and add to that?
> 3. What is the pupose of the Message Content Formats?
> 4. When should I use SOAPMessage or XMLStreamWriter or any other format?
> 5. If I put my content in the message for example as java.io.OutputStream
> does it still get added to the final message?
>
> Thanks for your time.
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
Re: Adding Elements to WS-Security Header .... WSS4JOutInterceptor,
SAAJOutInterceptor
Posted by R1ch <ri...@gmail.com>.
So I have the following param to my service for testing
@WebParam(name="Security", header=true, mode=WebParam.Mode.OUT,
targetNamespace="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd")
Holder<String> myElement);
then I set the String in the Holder before the service returns.
i can see the Security element in the Header but the string in my holder is
not being sent. Is there something I'm missing?
On Mon, Aug 10, 2009 at 2:42 PM, Daniel Kulp <dk...@apache.org> wrote:
>
> On Mon August 10 2009 1:10:32 pm R1ch wrote:
> > Hi Dan and thanks for the respone. Resending I dont think i hit reply all
> > last time
> >
> > The custom element goes INTO the security header. The element is added in
> a
> > response, per the faq, i would be using a Holder.
> > But how do I specify that it should go in the security header?
> > What do you mean by "If you add a header with the proper "security" name"
> ?
>
> Basically, if you add a header (see the faq) of a DOM element with the name
> {
> http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd}:Security<http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd%7D:Security>
> (or the ws-sec 1.0 namespace) that contains your element, then when it gets
> into the WSS4J interceptors, it will use that element instead of creating a
> new one. It will add it's content into that element.
>
> Dan
>
>
> >
> > On Mon, Aug 10, 2009 at 11:09 AM, Daniel Kulp <dk...@apache.org> wrote:
> > > Does your custom element go INTO the security header or go before the
> > > security header?
> > >
> > > If it's the latter, check the faq:
> > >
> > >
> http://cxf.apache.org/faq.html#FAQ-HowcanIaddsoapheaderstotherequest%2525
> > >2Fresponse%25253F
> > >
> > > That can also work for the former case. If you add a header with the
> > > proper "security" name, the wss4j interceptor will use the existing
> > > security header (and
> > > add stuff to it) instead of adding a second.
> > >
> > >
> > > Dan
> > >
> > > On Fri August 7 2009 3:42:19 pm R1ch wrote:
> > > > CXF 2.2 and WSS4J 1.5.8
> > > >
> > > > Hello all,
> > > > I have a working webservice configured with WSS4JOutInterceptor to
> > > > insert
> > >
> > > a
> > >
> > > > signed SAML token.
> > > > Now I'm trying to insert an Element before the signature occurs so
> that
> > >
> > > my
> > >
> > > > Element is also signed.
> > > >
> > > > I tried two different ways and both are not resulting in what I need.
> > >
> > >
> =========================================================================
> > >=
> > >
> > > > 1) did something similar to
> > > >
> > > > public class myInterceptor extends WSS4JOutInterceptor {
> > > > handleMessage(SoapMessage mc) {
> > > > SOAPMessage soapMsg = myElement();
> > > > mc.setContent(SOAPMessage.class, soapMsg);
> > > > super.handleMessage(mc);
> > > > }
> > > > }
> > > > this throws an exception, dont have it right now but can reproduce if
> > >
> > > some
> > >
> > > > needs to see it.
> > > > If I place the super.handleMessage(mc); before my code, (before the
> > > > myElement()) there is no error
> > > > but my element is not in the final soap message.
> > > >
> > > > Then I noticed that WSS4JOutInterceptor.handleMessage(SoapMessage mc)
> > > > has if (mc.getContent(SOAPMessage.class) == null) {
> > > > saajOut.handleMessage(mc);
> > > > }
> > > > So I thought that I can't add SOAPMessage content. so I came up with
> > > > the next try
> > >
> > >
> =========================================================================
> > >=
> > >
> > > > 2) I did something almost exactly to what WSS4JOutInterceptor has,
> i.e
> > >
> > > use
> > >
> > > > an internal interceptor
> > > > with phase.USER_PROTOCOL. The WSS4JOutInterceptorInternal is
> > > > Phase.POST_PROTOCOL so i figured
> > > > if mine was before the post it would work.
> > > >
> > > > public class myInterceptor extends WSS4JOutInterceptor {
> > > >
> > > > final class myInternal implements
> > > > PhaseInterceptor<SoapMessage>
> > >
> > > {
> > >
> > > > handleMessage(SoapMessage mc) {
> > > > SOAPMessage soapMsg = myElement();
> > > > mc.setContent(SOAPMessage.class,
> soapMsg);
> > > > super.handleMessage(mc);
> > > > }
> > > > }
> > > > }
> > > >
> > > > Well, my element is in the final SOAP message but it is not signed
> and
> > > > my <BODY> was actually empty
> > > > not what the webservice returns.
> > >
> > >
> =========================================================================
> > >=
> > >
> > > > So I was going to try and my Element to the message as
> XMLStreamWriter
> > > > content but I noticed that
> > > > SAAJOutInterceptor.handleMessage(SoapMessage message) replaces that
> > > > with W3CDOMStreamWriter
> > > >
> > > > 1. My first question is how do I get my element signed?
> > > > 2. What is the correct way to add content, is it mc.setContent() or
> do
> > > > I mc.getContent and add to that?
> > > > 3. What is the pupose of the Message Content Formats?
> > > > 4. When should I use SOAPMessage or XMLStreamWriter or any other
> > > > format? 5. If I put my content in the message for example as
> > > > java.io.OutputStream does it still get added to the final message?
> > > >
> > > > Thanks for your time.
> > >
> > > --
> > > Daniel Kulp
> > > dkulp@apache.org
> > > http://www.dankulp.com/blog
>
> --
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
>
Re: Adding Elements to WS-Security Header .... WSS4JOutInterceptor, SAAJOutInterceptor
Posted by Daniel Kulp <dk...@apache.org>.
On Mon August 10 2009 1:10:32 pm R1ch wrote:
> Hi Dan and thanks for the respone. Resending I dont think i hit reply all
> last time
>
> The custom element goes INTO the security header. The element is added in a
> response, per the faq, i would be using a Holder.
> But how do I specify that it should go in the security header?
> What do you mean by "If you add a header with the proper "security" name" ?
Basically, if you add a header (see the faq) of a DOM element with the name
{http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd}:Security
(or the ws-sec 1.0 namespace) that contains your element, then when it gets
into the WSS4J interceptors, it will use that element instead of creating a
new one. It will add it's content into that element.
Dan
>
> On Mon, Aug 10, 2009 at 11:09 AM, Daniel Kulp <dk...@apache.org> wrote:
> > Does your custom element go INTO the security header or go before the
> > security header?
> >
> > If it's the latter, check the faq:
> >
> > http://cxf.apache.org/faq.html#FAQ-HowcanIaddsoapheaderstotherequest%2525
> >2Fresponse%25253F
> >
> > That can also work for the former case. If you add a header with the
> > proper "security" name, the wss4j interceptor will use the existing
> > security header (and
> > add stuff to it) instead of adding a second.
> >
> >
> > Dan
> >
> > On Fri August 7 2009 3:42:19 pm R1ch wrote:
> > > CXF 2.2 and WSS4J 1.5.8
> > >
> > > Hello all,
> > > I have a working webservice configured with WSS4JOutInterceptor to
> > > insert
> >
> > a
> >
> > > signed SAML token.
> > > Now I'm trying to insert an Element before the signature occurs so that
> >
> > my
> >
> > > Element is also signed.
> > >
> > > I tried two different ways and both are not resulting in what I need.
> >
> > =========================================================================
> >=
> >
> > > 1) did something similar to
> > >
> > > public class myInterceptor extends WSS4JOutInterceptor {
> > > handleMessage(SoapMessage mc) {
> > > SOAPMessage soapMsg = myElement();
> > > mc.setContent(SOAPMessage.class, soapMsg);
> > > super.handleMessage(mc);
> > > }
> > > }
> > > this throws an exception, dont have it right now but can reproduce if
> >
> > some
> >
> > > needs to see it.
> > > If I place the super.handleMessage(mc); before my code, (before the
> > > myElement()) there is no error
> > > but my element is not in the final soap message.
> > >
> > > Then I noticed that WSS4JOutInterceptor.handleMessage(SoapMessage mc)
> > > has if (mc.getContent(SOAPMessage.class) == null) {
> > > saajOut.handleMessage(mc);
> > > }
> > > So I thought that I can't add SOAPMessage content. so I came up with
> > > the next try
> >
> > =========================================================================
> >=
> >
> > > 2) I did something almost exactly to what WSS4JOutInterceptor has, i.e
> >
> > use
> >
> > > an internal interceptor
> > > with phase.USER_PROTOCOL. The WSS4JOutInterceptorInternal is
> > > Phase.POST_PROTOCOL so i figured
> > > if mine was before the post it would work.
> > >
> > > public class myInterceptor extends WSS4JOutInterceptor {
> > >
> > > final class myInternal implements
> > > PhaseInterceptor<SoapMessage>
> >
> > {
> >
> > > handleMessage(SoapMessage mc) {
> > > SOAPMessage soapMsg = myElement();
> > > mc.setContent(SOAPMessage.class, soapMsg);
> > > super.handleMessage(mc);
> > > }
> > > }
> > > }
> > >
> > > Well, my element is in the final SOAP message but it is not signed and
> > > my <BODY> was actually empty
> > > not what the webservice returns.
> >
> > =========================================================================
> >=
> >
> > > So I was going to try and my Element to the message as XMLStreamWriter
> > > content but I noticed that
> > > SAAJOutInterceptor.handleMessage(SoapMessage message) replaces that
> > > with W3CDOMStreamWriter
> > >
> > > 1. My first question is how do I get my element signed?
> > > 2. What is the correct way to add content, is it mc.setContent() or do
> > > I mc.getContent and add to that?
> > > 3. What is the pupose of the Message Content Formats?
> > > 4. When should I use SOAPMessage or XMLStreamWriter or any other
> > > format? 5. If I put my content in the message for example as
> > > java.io.OutputStream does it still get added to the final message?
> > >
> > > Thanks for your time.
> >
> > --
> > Daniel Kulp
> > dkulp@apache.org
> > http://www.dankulp.com/blog
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
Re: Adding Elements to WS-Security Header .... WSS4JOutInterceptor,
SAAJOutInterceptor
Posted by R1ch <ri...@gmail.com>.
Hi Dan and thanks for the respone. Resending I dont think i hit reply all
last time
The custom element goes INTO the security header. The element is added in a
response, per the faq, i would be using a Holder.
But how do I specify that it should go in the security header?
What do you mean by "If you add a header with the proper "security" name" ?
On Mon, Aug 10, 2009 at 11:09 AM, Daniel Kulp <dk...@apache.org> wrote:
>
> Does your custom element go INTO the security header or go before the
> security header?
>
> If it's the latter, check the faq:
>
> http://cxf.apache.org/faq.html#FAQ-HowcanIaddsoapheaderstotherequest%25252Fresponse%25253F
>
> That can also work for the former case. If you add a header with the
> proper "security" name, the wss4j interceptor will use the existing security
> header (and
> add stuff to it) instead of adding a second.
>
>
> Dan
>
>
>
> On Fri August 7 2009 3:42:19 pm R1ch wrote:
> > CXF 2.2 and WSS4J 1.5.8
> >
> > Hello all,
> > I have a working webservice configured with WSS4JOutInterceptor to insert
> a
> > signed SAML token.
> > Now I'm trying to insert an Element before the signature occurs so that
> my
> > Element is also signed.
> >
> > I tried two different ways and both are not resulting in what I need.
> >
> ==========================================================================
> > 1) did something similar to
> >
> > public class myInterceptor extends WSS4JOutInterceptor {
> > handleMessage(SoapMessage mc) {
> > SOAPMessage soapMsg = myElement();
> > mc.setContent(SOAPMessage.class, soapMsg);
> > super.handleMessage(mc);
> > }
> > }
> > this throws an exception, dont have it right now but can reproduce if
> some
> > needs to see it.
> > If I place the super.handleMessage(mc); before my code, (before the
> > myElement()) there is no error
> > but my element is not in the final soap message.
> >
> > Then I noticed that WSS4JOutInterceptor.handleMessage(SoapMessage mc) has
> > if (mc.getContent(SOAPMessage.class) == null) {
> > saajOut.handleMessage(mc);
> > }
> > So I thought that I can't add SOAPMessage content. so I came up with the
> > next try
> >
> >
> ==========================================================================
> > 2) I did something almost exactly to what WSS4JOutInterceptor has, i.e
> use
> > an internal interceptor
> > with phase.USER_PROTOCOL. The WSS4JOutInterceptorInternal is
> > Phase.POST_PROTOCOL so i figured
> > if mine was before the post it would work.
> >
> > public class myInterceptor extends WSS4JOutInterceptor {
> >
> > final class myInternal implements PhaseInterceptor<SoapMessage>
> {
> > handleMessage(SoapMessage mc) {
> > SOAPMessage soapMsg = myElement();
> > mc.setContent(SOAPMessage.class, soapMsg);
> > super.handleMessage(mc);
> > }
> > }
> > }
> >
> > Well, my element is in the final SOAP message but it is not signed and my
> > <BODY> was actually empty
> > not what the webservice returns.
> >
> ==========================================================================
> >
> > So I was going to try and my Element to the message as XMLStreamWriter
> > content but I noticed that
> > SAAJOutInterceptor.handleMessage(SoapMessage message) replaces that with
> > W3CDOMStreamWriter
> >
> > 1. My first question is how do I get my element signed?
> > 2. What is the correct way to add content, is it mc.setContent() or do I
> > mc.getContent and add to that?
> > 3. What is the pupose of the Message Content Formats?
> > 4. When should I use SOAPMessage or XMLStreamWriter or any other format?
> > 5. If I put my content in the message for example as java.io.OutputStream
> > does it still get added to the final message?
> >
> > Thanks for your time.
>
> --
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
>