Hi Mayank,

Thanks for the details. To give you a few more details on the 2nd question below.

1) Once we enable the ws-security and start using the actions like below.
 
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="UsernameToken Encrypt"/>
            <!-- remaining entries not shown -->
        </map>
    </constructor-arg>
</bean>


And if the client doesn't send a user name token and uses some other login
mechanism, say cookies, we see the

org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:200)

How can we make the options optional?

2) You have mentioned that CXF has the nonce support if we use password digest.
But the cxf documentation says that cxf doesn't have the implementation for
nonce. Can you point me to some docs which show how it works on the server
side? I think that cxf does have the client side support, but not the server
side caching/processing nonces.

http://cwiki.apache.org/CXF20DOC/ws-security.html

Thanks and regards,
Bharath


-----Original Message-----
From: Mayank Mishra [mailto:[email protected]] 
Sent: Wednesday, June 17, 2009 2:46 PM
To: [email protected]
Subject: Re: Few Open issues using UserName Token Profile

bharath thippireddy wrote:
> 1) How do we configure the interceptors at a bus level in cxf-servlet.xml
> along with the endpoint declarations?
>
>
Configuring the CXF Bus can be found at [1]
> 2) Once the ws-security (user name token profile/encryption) is enabled on each
> endpoint using the declarative method in cxf-servlet.xml, we see the following
> exception if the client sends a request without user token soap header. Since
> we will be having other methods to authenticate, how can we make these headers
> optional? Is commenting the ws-security interceptor declaration in the
> cxf-servlet.xml the only way?
>
>
If I am able to understand this point, you want to allow some client
requests which don't have user name tokens. If this is the requirement,
you can make use of WS-Policy to specify an optional behavior of
WS-SecurityPolicy.
Or, in case you want to process the authentication yourself, you can
write the custom authentication mechanism in a CallbackHandler.
Or, in case you are sending your own custom user name token in the
header, you can write your own Interceptor to handle the DOM
presented by SAAJ.
> Jun 16, 2009 1:43:28 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
> WARNING: Request does not contain required Security header
> Jun 16, 2009 1:43:28 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
> WARNING:
> org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:200)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>         at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:89)
>         at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:99)
>         at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:337)
>         at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:182)
>         at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:163)
>         at org.apache.cxf.transport.servlet.AbstractCXFServlet.doPost(AbstractCXFServlet.java:141)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>
> 3) Does cxf support having custom tokens under the username token header? I
> do see the methods available on the client and server callback classes but I
> do not see the custom element getting added to the UT header.
>
>         Document doc = docBuilder.newDocument();
>         Element customToken = doc.createElement("customToken");
>         dbId.setTextContent("1");
>         pc.setCustomToken(customToken);
>
>
>
I never came across custom tokens under username token in the UsernameToken
specification (both 1.0 and 1.1) by OASIS. To the best of my information,
there's nothing like that. Will be a surprise to me too :)

With Regards,
Mayank

[1]. http://cwiki.apache.org/CXF20DOC/bus-configuration.html
> thanks and regards,
> Bharath
>
>
>
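
On question 2 above (server-side caching and processing of nonces for password digest), the following is an added example, not part of the thread and not CXF or WSS4J code: a stand-alone Java class that recomputes the OASIS UsernameToken digest, rejects a stale Created value, and refuses a nonce it has already seen. The class name, the five-minute window and the sample values are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration (hypothetical class): digest check plus nonce replay cache.
public class NonceReplayCheck {
    // Assumed freshness window; a token outside it is rejected without a cache lookup.
    private static final Duration TTL = Duration.ofMinutes(5);
    // Base64 nonce -> instant after which the token is stale anyway and the entry can go.
    private final Map<String, Instant> seen = new ConcurrentHashMap<>();

    // PasswordDigest = Base64(SHA-1(nonce + created + password)), per the OASIS profile.
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // True only for a fresh, correctly digested token whose nonce has not been used.
    // Malformed Base64 or timestamps throw; a caller treats that as a rejection.
    boolean accept(String nonceB64, String created, String sentDigest,
                   String storedPassword, Instant now) throws Exception {
        Instant createdAt = Instant.parse(created);
        if (Duration.between(createdAt, now).abs().compareTo(TTL) > 0) return false;
        byte[] expected = digest(Base64.getDecoder().decode(nonceB64), created, storedPassword)
                .getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, sentDigest.getBytes(StandardCharsets.UTF_8))) return false;
        seen.values().removeIf(expiry -> expiry.isBefore(now)); // forget expired nonces
        return seen.putIfAbsent(nonceB64, createdAt.plus(TTL)) == null; // atomic: a replay loses
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the thread.
        byte[] nonce = "constructed-nonce-0001".getBytes(StandardCharsets.UTF_8);
        String nonceB64 = Base64.getEncoder().encodeToString(nonce);
        Instant now = Instant.parse("2009-06-17T09:16:00Z");
        String created = "2009-06-17T09:15:30Z";
        String sent = digest(nonce, created, "s3cret");
        NonceReplayCheck server = new NonceReplayCheck();
        System.out.println("first:  " + server.accept(nonceB64, created, sent, "s3cret", now));
        System.out.println("replay: " + server.accept(nonceB64, created, sent, "s3cret", now));
        // Later than the window: the Created check rejects even though the cache entry is gone.
        System.out.println("stale:  " + server.accept(nonceB64, created, sent, "s3cret", now.plus(TTL).plus(TTL)));
    }
}
```

The cache only has to remember a nonce for as long as the Created check would still accept the token, which keeps its size bounded.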

