Xiaoshu Wang created CXF-6036:
---------------------------------

             Summary: Multiple UsernameToken
                 Key: CXF-6036
                 URL: https://issues.apache.org/jira/browse/CXF-6036
             Project: CXF
          Issue Type: Bug
          Components: JAX-WS Runtime
    Affects Versions: 2.7.11
            Reporter: Xiaoshu Wang

Hi,

I encountered a strange (bad as well) behavior using Apache CXF. Here is the code that creates the client.

    @Override
    public SearchRetrieveBasePerson getSearchClient() {
        SearchRetrieveBasePerson searchClient = getSearchService()
                .getSearchRetrieveBasePersonPort();

        // HTTP transport settings ('client' is not declared in the snippet as posted)
        HTTPConduit http = (HTTPConduit) client.getConduit();
        HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
        httpClientPolicy.setConnectionTimeout(1 * 90 * 1000);
        httpClientPolicy.setAllowChunking(false);
        httpClientPolicy.setReceiveTimeout(3 * 60 * 1000);
        http.setClient(httpClientPolicy);

        // Per-thread request context and WS-Security credentials
        BindingProvider bp = (BindingProvider) searchClient;
        bp.getRequestContext().put("thread.local.request.context", "true");
        bp.getRequestContext().put("use.async.http.conduit", Boolean.FALSE);
        bp.getRequestContext().put("ws-security.username", getUsername());
        bp.getRequestContext().put("ws-security.password", getPassword());

        // Custom SOAP header carrying the audit information
        List<Header> headers = new ArrayList<Header>();
        Header auditingHeader;
        try {
            auditingHeader = new Header(new QName(
                    "http://its.unc.edu/uncaudit", "UNCAuditHeader"),
                    getAuditHeader(), new JAXBDataBinding(UNCAuditHeader.class));
            headers.add(auditingHeader);
            bp.getRequestContext().put(Header.HEADER_LIST, headers);
        } catch (JAXBException e) {
            throw new RuntimeException(new PersonSvcClientException(
                    "Unable to create UNCAuditHeader", e));
        }

        bp.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
                getSearchSoapAddress());
        return searchClient;
    }

Note: getSearchService() returns a singleton of the CXF-generated WebServiceClient.

If I cache the returned client and use it for subsequent requests, i.e., use it as a singleton, each request adds an additional UsernameToken to the request. Here is the SOAP request on the 4th request. As you can see, there are four UsernameToken elements added to the Security header. I wonder if this is a bug or if I have done something improperly?

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Header>
        <OrgAuditHeader xmlns="http://my.org/audit">
          <clientIP>0.0.0.0</clientIP>
          <requestedByUser>foo</requestedByUser>
          <requestedBySystem>BAR</requestedBySystem>
        </OrgAuditHeader>
        <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-331E565D0DAEB3B94B14126847092141">
            <wsse:Username>SomeUserName</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">SomePassword</wsse:Password>
          </wsse:UsernameToken>
          <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-331E565D0DAEB3B94B14126847116982">
            <wsse:Username>SomeUserName</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">SomePassword</wsse:Password>
          </wsse:UsernameToken>
          <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-331E565D0DAEB3B94B14126847116983">
            <wsse:Username>SomeUserName</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">SomePassword</wsse:Password>
          </wsse:UsernameToken>
          <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-331E565D0DAEB3B94B14126847116984">
            <wsse:Username>SomeUserName</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">SomePassword</wsse:Password>
          </wsse:UsernameToken>
        </wsse:Security>
      </soap:Header>
      <soap:Body>
        <searchRetrieveBasePersonProcessRequest xmlns="http://my.org/common/Person/searchRetrieveBasePerson" xmlns:ns2="http://my.org/common/Person/core/1.6" xmlns:ns3="http://my.org/common/Person/fault" xmlns:ns4="http://my.org/audit">
          <PID>1234567</PID>
        </searchRetrieveBasePersonProcessRequest>
      </soap:Body>
    </soap:Envelope>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)