Ok I have an answer for you. The problem is that you are using the
WS-SecurityPolicy 1.1 namespace
("http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"). This version of the
spec does not define "HashPassword" at all:

http://specs.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.pdf

The solution is to use the newer WS-SecurityPolicy 1.2 namespace instead,
which works fine - "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702".
See here for an example (line 215):

http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl?view=markup

Colm.

On Fri, Aug 23, 2013 at 12:16 PM, Sam <[email protected]> wrote:

> Version 2.7.6. The latest I believe.
>
> Thanks
> Sam
>
> On 23/08/2013 9:09 p.m., Colm O hEigeartaigh wrote:
>
>> What version of CXF are you using?
>>
>> Colm.
>>
>> On Thu, Aug 22, 2013 at 10:15 PM, Sam <[email protected]> wrote:
>>
>>> Client config below
>>>
>>> cxf.xml
>>>
>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>     xmlns:jaxws="http://cxf.apache.org/jaxws"
>>>     xsi:schemaLocation="http://www.springframework.org/schema/beans
>>>         http://www.springframework.org/schema/beans/spring-beans.xsd
>>>         http://cxf.apache.org/jaxws
>>>         http://cxf.apache.org/schemas/jaxws.xsd">
>>>
>>>     <jaxws:client
>>>         name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>>>         createdFromAPI="true">
>>>         <!-- Uncomment if using WS-SecPolicy method -->
>>>         <jaxws:properties>
>>>             <entry key="ws-security.username" value="joe"/>
>>>             <entry key="ws-security.callback-handler"
>>>                 value-ref="myPasswordCallback"/>
>>>         </jaxws:properties>
>>>     </jaxws:client>
>>>
>>>     <bean id="myPasswordCallback"
>>>         class="client.ClientPasswordCallback"/>
>>>
>>> </beans>
>>>
>>> ClientPasswordCallback
>>>
>>> public class ClientPasswordCallback implements CallbackHandler {
>>>
>>>     public void handle(Callback[] callbacks) throws IOException,
>>>             UnsupportedCallbackException {
>>>         WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
>>>
>>>         if ("joe".equals(pc.getIdentifier())) {
>>>             pc.setPassword("joespassword");
>>>         } // else {...} - can add more users, access DB, etc.
>>>     }
>>> }
>>>
>>> Everything works, just that password of request is in clear text and no
>>> error response.
>>>
>>> In case you ask Server config, here it is:
>>>
>>> cxf-servlet.xml
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>     xmlns:jaxws="http://cxf.apache.org/jaxws"
>>>     xsi:schemaLocation="http://www.springframework.org/schema/beans
>>>         http://www.springframework.org/schema/beans/spring-beans.xsd
>>>         http://cxf.apache.org/jaxws
>>>         http://cxf.apache.org/schemas/jaxws.xsd">
>>>
>>>     <jaxws:endpoint id="doubleit"
>>>         implementor="service.DoubleItPortTypeImpl"
>>>         address="/doubleit"
>>>         wsdlLocation="WEB-INF/wsdl/DoubleIt.wsdl">
>>>
>>>         <!-- Uncomment only if using WS-SecurityPolicy -->
>>>         <jaxws:properties>
>>>             <entry key="ws-security.callback-handler"
>>>                 value-ref="myPasswordCallback"/>
>>>         </jaxws:properties>
>>>
>>>     </jaxws:endpoint>
>>>
>>>     <bean id="myPasswordCallback"
>>>         class="service.ServerPasswordCallback" />
>>> </beans>
>>>
>>> ServerPasswordCallback
>>>
>>> public class ServerPasswordCallback implements CallbackHandler {
>>>
>>>     public void handle(Callback[] callbacks) throws IOException,
>>>             UnsupportedCallbackException {
>>>         WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
>>>
>>>         if ("joe".equals(pc.getIdentifier())) {
>>>             pc.setPassword("joespassword");
>>>         }
>>>     }
>>> }
>>>
>>> Thanks
>>> Sam
>>>
>>> On 23/08/2013 12:47 a.m., Colm O hEigeartaigh wrote:
>>>
>>>> What does your client configuration look like?
>>>>
>>>> Colm.
>>>>
>>>> On Thu, Aug 22, 2013 at 12:34 PM, Sam <[email protected]> wrote:
>>>>
>>>>> Hi Colm,
>>>>>
>>>>> The policy is
>>>>>
>>>>> <wsp:Policy wsu:Id="DoubleItBindingPolicy">
>>>>>   <wsp:ExactlyOne>
>>>>>     <wsp:All>
>>>>>       <sp:SupportingTokens
>>>>>           xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>>         <wsp:Policy>
>>>>>           <sp:UsernameToken
>>>>>               sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>>>>             <wsp:Policy>
>>>>>               <sp:HashPassword/>
>>>>>               <sp:WssUsernameToken11/>
>>>>>             </wsp:Policy>
>>>>>           </sp:UsernameToken>
>>>>>         </wsp:Policy>
>>>>>       </sp:SupportingTokens>
>>>>>     </wsp:All>
>>>>>   </wsp:ExactlyOne>
>>>>> </wsp:Policy>
>>>>>
>>>>> I am not getting any error message and the password in request is still
>>>>> in clear text when I run the sample code from Glen's site. Response still
>>>>> returns OK.
>>>>> I was expecting CXF to take care of hashing password automatically but
>>>>> it still works without returning error message.
>>>>>
>>>>> It's like <sp:HashPassword/> is optional. Maybe I am missing something.
>>>>>
>>>>> Thanks
>>>>> Sam
>>>>>
>>>>> On 22/08/2013 11:08 p.m., Colm O hEigeartaigh wrote:
>>>>>
>>>>>> Yes it is possible. What policy are you using + what is the error you
>>>>>> are getting?
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Thu, Aug 22, 2013 at 11:53 AM, Sam <[email protected]> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I read in
>>>>>>> http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.wlp.express.doc%2Fae%2Fcwlp_wssec_templates_scenario1.html,
>>>>>>> which shows the use of ws-policy for UsernameToken with password
>>>>>>> digest (HashPassword) over SSL.
>>>>>>>
>>>>>>> My question is, is it possible to use ws-policy for UsernameToken
>>>>>>> with password digest without SSL in CXF?
>>>>>>>
>>>>>>> I am asking as I have been tweaking the WSDL for the usernametoken
>>>>>>> tutorial from
>>>>>>> http://www.jroller.com/gmazza/entry/cxf_usernametoken_profile,
>>>>>>> to run without SSL successfully, now I am trying to make it support
>>>>>>> password digest without SSL, and without luck.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Sam

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
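
An added example, not part of the original thread and not CXF code: a small audit script that flags the condition diagnosed above, a UsernameToken policy that asks for HashPassword under the WS-SecurityPolicy 1.1 namespace, where the assertion is not defined and the password goes out unhashed without any error. The two sample policies are constructed for the example (modelled on the one quoted in the thread), and the status labels are this script's own.

```python
import xml.etree.ElementTree as ET

SP11 = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"       # WS-SecurityPolicy 1.1
SP12 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # WS-SecurityPolicy 1.2

def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def audit_username_tokens(xml_text):
    """Return (namespace, status) for each UsernameToken assertion in a WSDL/policy."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        ns, local = split_tag(el.tag)
        if local != "UsernameToken" or ns not in (SP11, SP12):
            continue
        # Nested assertions that live in the same policy namespace as the token.
        nested = {split_tag(c.tag)[1] for c in el.iter()
                  if c is not el and split_tag(c.tag)[0] == ns}
        if "HashPassword" not in nested:
            status = "NO_HASH_REQUESTED"
        elif ns == SP11:
            status = "HASH_IGNORED"   # 1.1 does not define HashPassword
        else:
            status = "HASH_REQUESTED"
        findings.append((ns, status))
    return findings

# Constructed sample policy; {ns} is filled with the 1.1 or 1.2 namespace.
TEMPLATE = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne><wsp:All>
    <sp:SupportingTokens xmlns:sp="{ns}">
      <wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="{ns}/IncludeToken/AlwaysToRecipient">
          <wsp:Policy><sp:HashPassword/><sp:WssUsernameToken11/></wsp:Policy>
        </sp:UsernameToken>
      </wsp:Policy>
    </sp:SupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""
POLICY_11 = TEMPLATE.format(ns=SP11)
POLICY_12 = TEMPLATE.format(ns=SP12)

if __name__ == "__main__":
    for name, doc in (("1.1 policy", POLICY_11), ("1.2 policy", POLICY_12)):
        print(name, audit_username_tokens(doc))
```

Run it over the WSDL or policy files in a build; any HASH_IGNORED finding means the namespace needs to be moved to 1.2 as described in the reply above.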
