Client config below
cxf.xml
<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:jaxws="http://cxf.apache.org/jaxws";
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd";>
<jaxws:client
name="{http://www.example.org/contract/DoubleIt}DoubleItPort";
createdFromAPI="true">
<!-- Uncomment if using WS-SecPolicy method -->
<jaxws:properties>
<entry key="ws-security.username" value="joe"/>
<entry key="ws-security.callback-handler"
value-ref="myPasswordCallback"/>
</jaxws:properties>
</jaxws:client>
<bean id="myPasswordCallback"
class="client.ClientPasswordCallback"/>
</beans>
ClientPasswordCallback
public class ClientPasswordCallback implements CallbackHandler {
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
if ("joe".equals(pc.getIdentifier())) {
pc.setPassword("joespassword");
} // else {...} - can add more users, access DB, etc.
}
}
Everything works, just that password of request is in clear text and no
error response.
In case you ask Server config, here it is:
cxf-servlet.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:jaxws="http://cxf.apache.org/jaxws";
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd";>
<jaxws:endpoint id="doubleit"
implementor="service.DoubleItPortTypeImpl"
address="/doubleit"
wsdlLocation="WEB-INF/wsdl/DoubleIt.wsdl">
<!-- Uncomment only if using WS-SecurityPolicy -->
<jaxws:properties>
<entry key="ws-security.callback-handler"
value-ref="myPasswordCallback"/>
</jaxws:properties>
</jaxws:endpoint>
<bean id="myPasswordCallback"
class="service.ServerPasswordCallback" />
</beans>
ServerPasswordCallback
public class ServerPasswordCallback implements CallbackHandler {
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
if ("joe".equals(pc.getIdentifier())) {
pc.setPassword("joespassword");
}
}
}
Thanks
Sam
On 23/08/2013 12:47 a.m., Colm O hEigeartaigh wrote:
What does your client configuration look like?
Colm.
On Thu, Aug 22, 2013 at 12:34 PM, Sam <[email protected]> wrote:
Hi Colm,
The policy is
<wsp:Policy wsu:Id="DoubleItBindingPolicy"**>
<wsp:ExactlyOne>
<wsp:All>
<sp:SupportingTokens
xmlns:sp="http://schemas.**xmlsoap.org/ws/2005/07/**securitypolicy<http://schemas.xmlsoap.org/ws/2005/07/securitypolicy>
">
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://**schemas.xmlsoap.org/ws/2005/**
07/securitypolicy/**IncludeToken/AlwaysToRecipient<http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient>
**">
<wsp:Policy>
<sp:HashPassword/>
<sp:WssUsernameToken11/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
I am not getting any error message and the password in request is still in
clear text when I run the sample code from Glen's site. Response still
returns OK.
I was expecting CXF to take care of hashing password automatically but it
still works without returning error message.
It's like <sp:HashPassword/> is optional. Maybe I am missing something.
Thanks
Sam
On 22/08/2013 11:08 p.m., Colm O hEigeartaigh wrote:
Yes it is possible. What policy are you using + what is the error you are
getting?
Colm.
On Thu, Aug 22, 2013 at 11:53 AM, Sam <[email protected]> wrote:
Hi all,
I read in
http://pic.dhe.ibm.com/****infocenter/wasinfo/v8r5/index.****<http://pic.dhe.ibm.com/**infocenter/wasinfo/v8r5/index.**>
jsp?topic=%2Fcom.ibm.****websphere.wlp.express.doc%**
2Fae%2Fcwlp_wssec_templates_****scenario1.html<http://pic.dhe.**
ibm.com/infocenter/wasinfo/**v8r5/index.jsp?topic=%2Fcom.**
ibm.websphere.wlp.express.doc%**2Fae%2Fcwlp_wssec_templates_**
scenario1.html<http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.wlp.express.doc%2Fae%2Fcwlp_wssec_templates_scenario1.html>
,
which shows
the use of ws-policy for UsernameToken with password digest
(HashPassword)
over SSL.
My question is, is it possible to use ws-policy for UsernameToken with
password digest without SSL in CXF?
I am asking as I have been tweaking the WSDL for the usernametoke
tutorial
from http://www.jroller.com/gmazza/****entry/cxf_usernametoken_****
profile<http://www.jroller.com/gmazza/**entry/cxf_usernametoken_**profile>
<http://www.jroller.**com/gmazza/entry/cxf_**usernametoken_profile<http://www.jroller.com/gmazza/entry/cxf_usernametoken_profile>
,
to run without SSL successfully, now
I am trying to make it support password digest without SSL , and without
luck.
Thanks
Sam
