Hi,

We have a SOAP-based backend system that has its own proprietary security token. The token is quite simple; it is based on a shared secret.

To integrate this backend, I have to add such tokens to messages sent to it and validate such tokens to receive calls from it. The creation and validation is not a problem. I already have code to create and validate the tokens.

I also found "AbstractTokenInterceptor" as base class and "UsernameTokenInterceptor" as a "reference implementation" to handle tokens in an interceptor. But the Javadocs say almost nothing about the methods to implement. Therefore I studied the source code of them a bit.

I assume I have to implement the method "addToken" to add such a token to a message sent to the backend. And "processToken" sounds like validate the token of an incoming message. But what is "assertTokens" for? And this is just the most basic question. In "UsernameTokenInterceptor" there is a lot of stuff I don't understand or at least don't know why it is done.

Where can I get an understanding of *what needs to be done* (ws-security theory) and how to extend "AbstractTokenInterceptor" to do these things (CXF and interceptor know-how)? Are there any recommended books, tutorials or articles?

Thanks a lot
Stephan
