[ https://issues.apache.org/jira/browse/CXF-6036?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14163233#comment-14163233 ]
Colm O hEigeartaigh commented on CXF-6036:
------------------------------------------

Could you create a test-case for the issue?

Colm.

> Multiple UsernameToken
> ----------------------
>
>                 Key: CXF-6036
>                 URL: https://issues.apache.org/jira/browse/CXF-6036
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-WS Runtime
>    Affects Versions: 2.7.11
>            Reporter: Xiaoshu Wang
>
> Hi, I encountered a strange (bad as well) behavior using Apache CXF. Here is
> the code that creates the client.
>
> @Override
> public SearchRetrieveBasePerson getSearchClient() {
>     SearchRetrieveBasePerson searchClient = getSearchService()
>             .getSearchRetrieveBasePersonPort();
>     // 'client' is not declared anywhere in the posted snippet
>     HTTPConduit http = (HTTPConduit) client.getConduit();
>     HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
>     httpClientPolicy.setConnectionTimeout(1 * 90 * 1000);
>     httpClientPolicy.setAllowChunking(false);
>     httpClientPolicy.setReceiveTimeout(3 * 60 * 1000);
>     http.setClient(httpClientPolicy);
>     BindingProvider bp = (BindingProvider) searchClient;
>     bp.getRequestContext().put("thread.local.request.context", "true");
>     bp.getRequestContext().put("use.async.http.conduit", Boolean.FALSE);
>     // Credentials for the WS-Security UsernameToken
>     bp.getRequestContext().put("ws-security.username", getUsername());
>     bp.getRequestContext().put("ws-security.password", getPassword());
>     // Custom audit SOAP header sent with every request
>     List headers = new ArrayList();
>     Header auditingHeader;
>     try {
>         auditingHeader = new Header(new QName(
>                 "http://its.unc.edu/uncaudit", "UNCAuditHeader"),
>                 getAuditHeader(), new JAXBDataBinding(UNCAuditHeader.class));
>         headers.add(auditingHeader);
>         bp.getRequestContext().put(Header.HEADER_LIST, headers);
>     } catch (JAXBException e) {
>         throw new RuntimeException(new PersonSvcClientException(
>                 "Unable to create UNCAuditHeader", e));
>     }
>     bp.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
>             getSearchSoapAddress());
>     return searchClient;
> }
>
> Note: the getSearchService() returns a singleton of CXF generated
> WebServiceClient.
>
> If I cached the returned client and used it for the subsequent requests, i.e.,
> using it as a singleton, each request added an additional UsernameToken to
> the request. Here is the SOAP request on the 4th request. As you can see,
> there are four UsernameToken added to the Security header. I wonder if this
> is a bug or if I have done something improperly?
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>     <OrgAuditHeader xmlns="http://my.org/audit">
>       <clientIP>0.0.0.0</clientIP>
>       <requestedByUser>foo</requestedByUser>
>       <requestedBySystem>BAR</requestedBySystem>
>     </OrgAuditHeader>
>     <wsse:Security soap:mustUnderstand="1"
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>       <wsse:UsernameToken
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="UsernameToken-331E565D0DAEB3B94B14126847092141">
>         <wsse:Username>SomeUserName</wsse:Username>
>         <wsse:Password
>             Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">SomePassword</wsse:Password>
>       </wsse:UsernameToken>
>       <wsse:UsernameToken
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="UsernameToken-331E565D0DAEB3B94B14126847116982">
>         <wsse:Username>SomeUserName</wsse:Username>
>         <wsse:Password
>             Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">SomePassword</wsse:Password>
>       </wsse:UsernameToken>
>       <wsse:UsernameToken
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="UsernameToken-331E565D0DAEB3B94B14126847116983">
>         <wsse:Username>SomeUserName</wsse:Username>
>         <wsse:Password
>             Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">SomePassword</wsse:Password>
>       </wsse:UsernameToken>
>       <wsse:UsernameToken
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="UsernameToken-331E565D0DAEB3B94B14126847116984">
>         <wsse:Username>SomeUserName</wsse:Username>
>         <wsse:Password
>             Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">SomePassword</wsse:Password>
>       </wsse:UsernameToken>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>     <searchRetrieveBasePersonProcessRequest
>         xmlns="http://my.org/common/Person/searchRetrieveBasePerson"
>         xmlns:ns2="http://my.org/common/Person/core/1.6"
>         xmlns:ns3="http://my.org/common/Person/fault" xmlns:ns4="http://my.org/audit">
>       <PID>1234567</PID>
>     </searchRetrieveBasePersonProcessRequest>
>   </soap:Body>
> </soap:Envelope>