Hi everyone, I'm developing a WS with CXF v2.3 and WS-Security with Username & Password policy, that I've checked that works properly with CXF v2.4 but not in v2.3. Of course I've seen all docs placed on Apache CXF website in relation to this topic, and the most interesting information I find is found on the website http://coheigea.blogspot.com.es/2011/02/wspasswordcallback-changes-in-wss4j-16.html , explaining the changes applied in wss4j v1.5 to v1.6, that is the same as the library changed in CXF v2.3 and v2.4. I'm not sure if because of these I should change my configuration file in some way, depending on the version used...
Specifically, I have the following files on my project: beans.xml: <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans"; xmlns:cxf="http://cxf.apache.org/core"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:sec="http://cxf.apache.org/configuration/security"; xmlns:http="http://cxf.apache.org/transports/http/configuration"; xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"; xmlns:jaxws="http://cxf.apache.org/jaxws"; xsi:schemaLocation=" http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd";> <import resource="classpath:META-INF/cxf/cxf.xml" /> <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" /> <import resource="classpath:META-INF/cxf/cxf-servlet.xml" /> <cxf:bus> <cxf:features> <cxf:logging/> </cxf:features> </cxf:bus> <jaxws:endpoint id="server" endpointName="s:IfuncionessformswsPort" serviceName="s:Ifuncionessformsws" implementor="es.servef.comuns.webservices.funcionessforms.IfuncionessformswsPortTypeImpl" address="/IfuncionessformswsPort" depends-on="ClientAuthHttpsSettings" wsdlLocation="Ifuncionessformsws.wsdl" xmlns:s="http://funcionessforms.webservices.comuns.servef.es/";> <jaxws:properties> <entry key="ws-security.callback-handler" value="es.servef.comuns.webservices.funcionessforms.ServerPasswordCallback"/> </jaxws:properties> </jaxws:endpoint> <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf"> <httpj:engine port="8443"> <httpj:tlsServerParameters> <sec:clientAuthentication want="true" required="true" /> </httpj:tlsServerParameters> </httpj:engine> </httpj:engine-factory> </beans> --- WSDL settings (only service and policy): ... <wsdl:service name="Ifuncionessformsws"> <wsdl:port binding="tns:IfuncionessformswsSoapBinding" name="IfuncionessformswsPort"> <soap:address location="https://localhost:8443/testWsCxfMavenFuncionsSformsPolitica/services/IfuncionessformswsPort"/> <wsp:PolicyReference URI="#listassformswspolicy"/> </wsdl:port> </wsdl:service> <wsp:Policy wsu:Id="listassformswspolicy"> <wsp:ExactlyOne> <wsp:All> <sp:SupportingTokens> <wsp:Policy> <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";> <wsp:Policy> <sp:WssUsernameToken11/> </wsp:Policy> </sp:UsernameToken> </wsp:Policy> </sp:SupportingTokens> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> ... --- server.java: protected IfuncionessformswsPortType_IfuncionessformswsPort_Server() throws Exception { System.out.println("Starting Server"); SpringBusFactory bf = new SpringBusFactory(); URL busFile = IfuncionessformswsPortType_IfuncionessformswsPort_Server.class.getResource("WEB-INF/beans.xml"); Bus bus = bf.createBus(busFile.toString()); bf.setDefaultBus(bus); } public static void main(String args[]) throws Exception { new IfuncionessformswsPortType_IfuncionessformswsPort_Server(); System.out.println("Server ready..."); Thread.sleep(5 * 60 * 1000); System.out.println("Server exiting"); System.exit(0); } --- and ServerPasswordCallback: public class ServerPasswordCallback implements CallbackHandler { public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { WSPasswordCallback pc = (WSPasswordCallback) callbacks[0]; System.out.println("pc.getIdentifier() = " + pc.getIdentifier() + ", pc.getPassword() = " + pc.getPassword()); if ("joe".equals(pc.getIdentifier())) { if (!pc.getPassword().equals("joespassword")) { throw new IOException("wrong password"); } } else { throw new UnsupportedCallbackException(callbacks[0], "check failed"); } } } Testing this, I have seen that system.out in serverpasswordcallback appears while using CXF v2.4 but not v2.3... Maybe it doesn't link the beans.xml configuration file with the callback class for some reason? In a sample from CXF distribution v2.3 (ws_security\ut_policy\src\demo\wssec\server), it's done also in this way. Any idea? Thanks in advance, Josep -- View this message in context: http://cxf.547215.n5.nabble.com/WS-Security-in-CXF-2-4-vs-2-3-tp5728447.html Sent from the cxf-user mailing list archive at Nabble.com.
