Hi Colm

Sorry for the missing parts. The token is unfortunately not Base64-encoded, 
but a URL-encoded string, embedded in the SOAP header as follows: 

<urn:SoapLoginInformation xmlns:urn="[namespace]">
        <Token>[Token]</Token>
</urn:SoapLoginInformation>

Does "BinarySecurityToken" nevertheless work as a base for this type of token 
or is there something else in CXF I could use?

Thanks
Stephan
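For the header layout Stephan describes, one way to pull the token out on the service side is a plain SOAP interceptor rather than a WS-Security token interceptor, since the header is not a `wsse:Security` element at all. The following is an added example and is not code from this thread or from Apache CXF; the namespace URI, the `TokenValidator` interface (a stand-in for the create/validate code Stephan says he already has) and the property key used to expose the result are assumptions.

```java
// Added example (not from the thread or from Apache CXF): a server-side CXF
// interceptor that reads the proprietary header
//   <urn:SoapLoginInformation xmlns:urn="..."><Token>...</Token></urn:SoapLoginInformation>
// URL-decodes the token and hands it to existing validation code.
// ASSUMPTIONS: the namespace URI, the TokenValidator interface and the
// "example.validated.token" key are this example's, not the thread's.
// Requires Java 10+ for URLDecoder.decode(String, Charset).
package example; // hypothetical package

import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Set;
import javax.xml.namespace.QName;

import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.headers.Header;
import org.apache.cxf.phase.Phase;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class SoapLoginTokenInInterceptor extends AbstractSoapInterceptor {

    /** Stand-in (hypothetical) for the token validation code already written. */
    public interface TokenValidator {
        boolean isValid(String decodedToken);
    }

    // Placeholder namespace; the thread only shows "[namespace]".
    static final String NS = "urn:example:placeholder-namespace";
    static final QName HEADER = new QName(NS, "SoapLoginInformation");

    private final TokenValidator validator;

    public SoapLoginTokenInInterceptor(TokenValidator validator) {
        // PRE_PROTOCOL runs after CXF has parsed the SOAP headers into DOM.
        super(Phase.PRE_PROTOCOL);
        this.validator = validator;
    }

    @Override
    public Set<QName> getUnderstoodHeaders() {
        // Declare the header as understood so mustUnderstand="1" on it does not fault.
        return Collections.singleton(HEADER);
    }

    @Override
    public void handleMessage(SoapMessage message) {
        Header header = message.getHeader(HEADER);
        if (header == null || !(header.getObject() instanceof Element)) {
            throw fault(message, "Authentication failed");
        }
        String rawToken = childText((Element) header.getObject(), "Token");
        if (rawToken == null || rawToken.isEmpty()) {
            throw fault(message, "Authentication failed");
        }
        String token = URLDecoder.decode(rawToken, StandardCharsets.UTF_8);
        if (!validator.isValid(token)) {
            // One generic reason for every failure: don't tell callers which check tripped.
            throw fault(message, "Authentication failed");
        }
        // Make the validated token available to later interceptors or the service.
        message.put("example.validated.token", token);
    }

    /** Text of the first child element with the given local name, or null. */
    static String childText(Element parent, String localName) {
        NodeList children = parent.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node n = children.item(i);
            if (n.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            String name = n.getLocalName() != null ? n.getLocalName() : n.getNodeName();
            if (localName.equals(name)) {
                return n.getTextContent().trim();
            }
        }
        return null;
    }

    private static SoapFault fault(SoapMessage message, String reason) {
        // Sender fault code: the request, not the server, is at fault.
        return new SoapFault(reason, message.getVersion().getSender());
    }
}
```

Register it as an in-interceptor on the endpoint (`endpoint.getInInterceptors().add(new SoapLoginTokenInInterceptor(myValidator))`, or the equivalent `jaxws:inInterceptors` entry in Spring). The outbound direction is the mirror image: an `AbstractSoapInterceptor` in `Phase.WRITE` that builds the same DOM element and adds it with `message.getHeaders().add(new Header(HEADER, element))`.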

-----Original Message-----
From: Colm O hEigeartaigh <[email protected]> 
Sent: Thursday, 12 July 2018 13:54
To: [email protected]
Subject: Re: How to implement a CXF interceptor for a proprietary token

Hi,

What's missing from your email is *how* the security token is supposed to be 
sent to the SOAP backend. Typically for WS-Security, security tokens are
BASE-64 encoded and inserted into the security header of the request as a 
"BinarySecurityToken".

If this is the case then you can leverage the following interceptor in CXF:

https://github.com/apache/cxf/blob/master/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java

To see how to use it take a look at the following test:

https://github.com/apache/cxf/blob/master/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/BinarySecurityTokenTest.java

The interceptor is added for the test in Spring config here:

https://github.com/apache/cxf/blob/ebfb3a364c496f76c8b27aacc9bdd7b8aa804602/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/client.xml#L174

On the receiving side, the BinarySecurityTokenInterceptor just processes the 
token but doesn't validate it. You can implement your custom validation logic 
in a WSS4J "Validator" implementation, and reference it in the JAX-WS 
properties of the service endpoint via the "ws-security.bst.validator"
configuration key.

Colm.

On Wed, Jul 11, 2018 at 4:11 PM, Burkard Stephan <[email protected]> wrote:

> Hi
>
> We have a SOAP based backend system that has its own proprietary 
> security token. The token is quite simple, it is based on a shared secret.
>
> To integrate this backend, I have to add such tokens to messages sent 
> to it and validate such tokens to receive calls from it. The creation 
> and validation is not a problem. I already have code to create and 
> validate the tokens.
>
> I also found "AbstractTokenInterceptor" as base class and 
> "UsernameTokenInterceptor" as a "reference implementation" to handle 
> tokens in an interceptor. But the Javadocs say almost nothing about 
> the methods to implement.
>
> Therefore I studied the source code of them a bit. I assume I have to 
> implement the method "addToken" to add such a token to a message sent 
> to the backend. And "processToken" sounds like it validates the token of 
> an incoming message. But what is "assertTokens" for?
>
> And this is just the most basic question. In "UsernameTokenInterceptor"
> there is a lot of stuff I don't understand or at least don't know why 
> it is done.
>
> Where can I get an understanding of *what needs to be done* 
> (ws-security theory) and how to extend "AbstractTokenInterceptor" to do 
> these things (CXF and interceptor know-how)? Are there any recommended 
> books, tutorials or articles?
>
> Thanks a lot
> Stephan
>
>
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
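Colm's point that `BinarySecurityTokenInterceptor` only processes the token, leaving validation to a WSS4J `Validator` referenced through `ws-security.bst.validator`, can be shown with a small validator for a shared-secret token. This is an added example, not code from the thread, from Apache CXF or from WSS4J; the token format (`user|expiry|hmac`) and the HMAC-SHA256 scheme are constructed here because the thread never states what the proprietary token actually looks like.

```java
// Added example (not from the thread, Apache CXF or WSS4J): a WSS4J Validator
// that checks a shared-secret token carried as a BinarySecurityToken. It is
// registered on the endpoint under the "ws-security.bst.validator" property.
// ASSUMPTIONS (constructed for this example): token text is
//   user|expiryEpochSeconds|hexHmacSha256(secret, "user|expiryEpochSeconds")
package example; // hypothetical package

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;

public class SharedSecretBstValidator implements Validator {

    private final byte[] sharedSecret;

    public SharedSecretBstValidator(byte[] sharedSecret) {
        this.sharedSecret = sharedSecret.clone();
    }

    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        BinarySecurity bst = credential.getBinarySecurityToken();
        if (bst == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        // WSS4J has already Base64-decoded the element text; getToken() is the raw bytes.
        String token = new String(bst.getToken(), StandardCharsets.UTF_8);
        if (!isValid(token, Instant.now().getEpochSecond())) {
            // Same error for every cause so the fault does not reveal which check failed.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        return credential; // returning the credential signals success to WSS4J
    }

    /** Checks structure, expiry and HMAC; the HMAC compare is constant-time. */
    boolean isValid(String token, long nowEpochSeconds) {
        String[] parts = token.split("\\|", -1);
        if (parts.length != 3) {
            return false;
        }
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return false;
        }
        if (expiry < nowEpochSeconds) {
            return false; // expired tokens are rejected before any MAC work
        }
        byte[] expected = hmac(parts[0] + "|" + parts[1]);
        byte[] presented = hexToBytes(parts[2]);
        // MessageDigest.isEqual is constant-time; Arrays.equals/String.equals are not.
        return presented != null && MessageDigest.isEqual(expected, presented);
    }

    /** Mints a token in the constructed format (the client-side counterpart). */
    String mint(String user, long expiryEpochSeconds) {
        String body = user + "|" + expiryEpochSeconds;
        return body + "|" + bytesToHex(hmac(body));
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(sharedSecret, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0 || !hex.matches("[0-9a-fA-F]*")) {
            return null; // malformed hex is treated as a failed MAC, not an exception
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

On the service side the validator is referenced from the JAX-WS endpoint properties under the key Colm names, for example `<entry key="ws-security.bst.validator"><bean class="example.SharedSecretBstValidator">...</bean></entry>` in Spring, alongside the `BinarySecurityTokenInterceptor` that parses the `wsse:BinarySecurityToken` element. The constant-time comparison and the single generic failure code are the two details a practitioner most often gets wrong when wiring home-grown tokens into this hook.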
