Xiaoshu Wang created CXF-6036:
---------------------------------

             Summary: Multiple UsernameToken
                 Key: CXF-6036
                 URL: https://issues.apache.org/jira/browse/CXF-6036
             Project: CXF
          Issue Type: Bug
          Components: JAX-WS Runtime
    Affects Versions: 2.7.11
            Reporter: Xiaoshu Wang


Hi, I encountered a strange (bad as well) behavior using Apache CXF. Here is 
the code that creates the client.

        @Override
        public SearchRetrieveBasePerson getSearchClient() {
                SearchRetrieveBasePerson searchClient = getSearchService()
                        .getSearchRetrieveBasePersonPort();

                // 'client' is declared elsewhere; its declaration is not part
                // of the posted snippet.
                HTTPConduit http = (HTTPConduit) client.getConduit();

                // HTTP transport settings: 90 s connect, 3 min receive, no chunking.
                HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
                httpClientPolicy.setConnectionTimeout(1 * 90 * 1000);
                httpClientPolicy.setAllowChunking(false);
                httpClientPolicy.setReceiveTimeout(3 * 60 * 1000);

                http.setClient(httpClientPolicy);
                BindingProvider bp = (BindingProvider) searchClient;
                bp.getRequestContext().put("thread.local.request.context", "true");
                bp.getRequestContext().put("use.async.http.conduit", Boolean.FALSE);
                // WS-Security credentials used for the UsernameToken.
                bp.getRequestContext().put("ws-security.username", getUsername());
                bp.getRequestContext().put("ws-security.password", getPassword());

                // Custom audit SOAP header sent with each request.
                List<Header> headers = new ArrayList<Header>();
                Header auditingHeader;
                try {
                        auditingHeader = new Header(
                                new QName("http://its.unc.edu/uncaudit", "UNCAuditHeader"),
                                getAuditHeader(),
                                new JAXBDataBinding(UNCAuditHeader.class));
                        headers.add(auditingHeader);
                        bp.getRequestContext().put(Header.HEADER_LIST, headers);
                } catch (JAXBException e) {
                        throw new RuntimeException(new PersonSvcClientException(
                                "Unable to create UNCAuditHeader", e));
                }
                bp.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
                        getSearchSoapAddress());
                return searchClient;
        }

Note: getSearchService() returns a singleton of the CXF-generated 
WebServiceClient.

If I cache the returned client and use it for subsequent requests, i.e., 
use it as a singleton, each request adds an additional UsernameToken to the 
request. Here is the SOAP request on the 4th request. As you can see, there are 
four UsernameTokens added to the Security header. I wonder if this is a bug or 
if I have done something improperly?

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
        <soap:Header>
                <OrgAuditHeader xmlns="http://my.org/audit">
                        <clientIP>0.0.0.0</clientIP>
                        <requestedByUser>foo</requestedByUser>
                        <requestedBySystem>BAR</requestedBySystem>
                </OrgAuditHeader>
                <wsse:Security soap:mustUnderstand="1"
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                        <wsse:UsernameToken
                                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                wsu:Id="UsernameToken-331E565D0DAEB3B94B14126847092141">
                                <wsse:Username>SomeUserName</wsse:Username>
                                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">SomePassword</wsse:Password>
                        </wsse:UsernameToken>
                        <wsse:UsernameToken
                                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                wsu:Id="UsernameToken-331E565D0DAEB3B94B14126847116982">
                                <wsse:Username>SomeUserName</wsse:Username>
                                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">SomePassword</wsse:Password>
                        </wsse:UsernameToken>
                        <wsse:UsernameToken
                                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                wsu:Id="UsernameToken-331E565D0DAEB3B94B14126847116983">
                                <wsse:Username>SomeUserName</wsse:Username>
                                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">SomePassword</wsse:Password>
                        </wsse:UsernameToken>
                        <wsse:UsernameToken
                                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                wsu:Id="UsernameToken-331E565D0DAEB3B94B14126847116984">
                                <wsse:Username>SomeUserName</wsse:Username>
                                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">SomePassword</wsse:Password>
                        </wsse:UsernameToken>
                </wsse:Security>
        </soap:Header>
        <soap:Body>
                <searchRetrieveBasePersonProcessRequest
                        xmlns="http://my.org/common/Person/searchRetrieveBasePerson"
                        xmlns:ns2="http://my.org/common/Person/core/1.6"
                        xmlns:ns3="http://my.org/common/Person/fault"
                        xmlns:ns4="http://my.org/audit">
                        <PID>1234567</PID>
                </searchRetrieveBasePersonProcessRequest>
        </soap:Body>
</soap:Envelope>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
