It won't--with the traditional WSS4J interceptor approach, client-side,
you hardcode it to send the username and password via those
interceptors, and since you hardcoded it, the client will do so every
time. Service-side, if you properly configured the WSS4J interceptors,
it will throw an error if the client doesn't send this information
(obviously test beforehand with clients that don't send UT info to make
sure your service is securely configured). If you're using WSS4J
service-side, you'll need to use some out-of-band method (phone call,
email, Tweet, message taped to a pigeon, newspaper or TV advertisement)
to tell your clients they need to send SOAP headers with UT information.
Alternatively, you can use the WS-SecurityPolicy approach in which you
add policy statements requiring UT security, and if the SOAP client's
framework supports WS-SecurityPolicy (Metro and CXF both do), it will
automatically handle the usernameToken security on their side. But how
they handle UT security on their side is really immaterial, whether
their SOAP framework can automatically read the WS-SecPol and send UT
that way, or if they choose to hardcode the SOAP Header with the UT
stuff and ignore the WSDL Policy statements--it doesn't matter, what's
important is that your web service provider returns an error if it
doesn't get the UT stuff.
The blog entry covers both types -- WSS4J interceptor approach and
WS-SecPol approach.
Glen
On 07/09/2011 04:30 PM, liav.ezer wrote:
Hi, thank you for the quick reply.
I'm using wss4j interceptors to enforce username token via ws security.
My question basically is to understand the concept.
If my client want to invoke the service, I need to supply him with the wsdl file. Then
he will generate a client& should be able to invoke the service. But according to
your article, this approach (wss4j interceptors) doesn't reflect the need for username
nor password to invoke the service. So how will the client know the needs& apply a
proper request to the service?
Thanks.
Liav
ב-9 ביול 2011, בשעה 23:11, "Glen Mazza-3 [via
CXF]"<[email protected]> כתב/ה:
At least in my mail client I'm not seeing any configuration, just
whitespaces, in your question below. If you're using UsernameToken,
that information will be added by CXF in the soap:header. See:
http://www.jroller.com/gmazza/entry/cxf_usernametoken_profile for more
detail.
If you using basic auth with SSL, that's normally enforced by the
web.xml in the WAR hosting your web service provider, although I think
at least part of that can be additionally declared in policy statements
as well.
Glen
On 07/08/2011 05:04 PM, liav.ezer wrote:
Hello,
I've wrote a CXF based service& added ws security (wss4j 1.5.1) through
Spring xml.
This is the end point configuration:
This is part of the client configuration:
The service is working with the security policy (username-password).
My question is regarding the wsdl file.
I don't understand how the service wsdl doesn't enforce the ws security
policy.
How does the service client will be able to know where& how to add the user
name password.
Thanks.
--
View this message in context:
http://cxf.547215.n5.nabble.com/CXF-web-service-with-sw-security-Why-the-wsdl-doesn-t-demand-the-username-pwd-tp4566648p4566648.html
Sent from the cxf-user mailing list archive at Nabble.com.
--
Glen Mazza
Application Integration Division
Talend (http://www.talend.com/ai)
blog: http://www.jroller.com/gmazza
If you reply to this email, your message will be added to the discussion below:
http://cxf.547215.n5.nabble.com/CXF-web-service-with-ws-security-Why-the-wsdl-doesn-t-demand-the-username-pwd-tp4566648p4568867.html
To unsubscribe from CXF web service with ws security - Why the wsdl doesn't
demand the username/pwd?, click here.
--
View this message in context:
http://cxf.547215.n5.nabble.com/CXF-web-service-with-ws-security-Why-the-wsdl-doesn-t-demand-the-username-pwd-tp4566648p4568888.html
Sent from the cxf-user mailing list archive at Nabble.com.
--
Glen Mazza
Application Integration Division
Talend (http://www.talend.com/ai)
blog: http://www.jroller.com/gmazza
