You'll have to write a custom interceptor in that case - you could use the BinarySecurityTokenInterceptor as a guide.

Colm.

On Thu, Jul 12, 2018 at 3:55 PM, Burkard Stephan <[email protected]> wrote:

> Hi Colm
>
> Sorry for the missing parts. The Token is unfortunately not base-64
> encoded, but a URL encoded string and embedded into the Soap header as
> follows:
>
> <urn:SoapLoginInformation xmlns:urn="[namespace]">
>     <Token>[Token]</Token>
> </urn:SoapLoginInformation>
>
> Does "BinarySecurityToken" nevertheless work as a base for this type of
> token or is there something else in CXF I could use?
>
> Thanks
> Stephan
>
> -----Original Message-----
> From: Colm O hEigeartaigh <[email protected]>
> Sent: Thursday, July 12, 2018 13:54
> To: [email protected]
> Subject: Re: How to implement a CXF interceptor for a proprietary token
>
> Hi,
>
> What's missing from your email is *how* the security token is supposed to
> be sent to the SOAP backend. Typically for WS-Security, security tokens are
> BASE-64 encoded and inserted into the security header of the request as a
> "BinarySecurityToken".
>
> If this is the case then you can leverage the following interceptor in CXF:
>
> https://github.com/apache/cxf/blob/master/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java
>
> To see how to use it take a look at the following test:
>
> https://github.com/apache/cxf/blob/master/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/BinarySecurityTokenTest.java
>
> The interceptor is added for the test in Spring config here:
>
> https://github.com/apache/cxf/blob/ebfb3a364c496f76c8b27aacc9bdd7b8aa804602/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/client.xml#L174
>
> On the receiving side, the BinarySecurityTokenInterceptor just processes
> the token but doesn't validate it. You can implement your custom validation
> logic in a WSS4J "Validator" implementation, and reference it in the JAX-WS
> properties of the service endpoint via the "ws-security.bst.validator"
> configuration key.
>
> Colm.
>
> On Wed, Jul 11, 2018 at 4:11 PM, Burkard Stephan <[email protected]>
> wrote:
>
> > Hi
> >
> > We have a SOAP based backend system that has its own proprietary
> > security token. The token is quite simple, it is based on a shared
> > secret.
> >
> > To integrate this backend, I have to add such tokens to messages sent
> > to it and validate such tokens to receive calls from it. The creation
> > and validation is not a problem. I already have code to create and
> > validate the tokens.
> >
> > I also found "AbstractTokenInterceptor" as base class and
> > "UsernameTokenInterceptor" as a "reference implementation" to handle
> > tokens in an interceptor. But the Javadocs say almost nothing about
> > the methods to implement.
> >
> > Therefore I studied the source code of them a bit. I assume I have to
> > implement the method "addToken" to add such a token to a message sent
> > to the backend. And "processToken" sounds like validate the token of
> > an incoming message. But what is "assertTokens" for?
> >
> > And this is just the most basic question. In "UsernameTokenInterceptor"
> > there is a lot of stuff I don't understand or at least don't know why
> > it is done.
> >
> > Where can I get an understanding of *what needs to be done*
> > (ws-security theory) and how to extend "AbstractTokenInterceptor" to
> > do these things (CXF and interceptor know-how)? Are there any
> > recommended books, tutorials or articles?
> >
> > Thanks a lot
> > Stephan
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
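
The custom interceptor suggested at the top of this thread could take the following shape for the SoapLoginInformation header shown in the quoted message. This is an added example, not code from the thread or from the CXF project. The class name, the placeholder namespace (the thread elides the real one), the `Supplier`/`Predicate` hooks into the existing token code, and the treatment of `<Token>` as an unqualified element are assumptions.

```java
import java.util.function.Predicate;
import java.util.function.Supplier;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapHeader;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.headers.Header;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.phase.Phase;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public final class SoapLoginInformationInterceptors {
    // Placeholder: the thread elides the real namespace as "[namespace]".
    static final String NS = "urn:example:placeholder";
    static final QName HEADER = new QName(NS, "SoapLoginInformation", "urn");

    /** Outbound: adds the header to each message sent to the backend. */
    public static final class Out extends AbstractSoapInterceptor {
        private final Supplier<String> tokenSource; // hypothetical hook into existing token-creation code
        public Out(Supplier<String> tokenSource) { super(Phase.PRE_PROTOCOL); this.tokenSource = tokenSource; }
        @Override public void handleMessage(SoapMessage msg) {
            Element login = DOMUtils.createDocument().createElementNS(NS, "urn:SoapLoginInformation");
            // Assumption: <Token> is unqualified, as it appears in the thread's sample.
            Element token = login.getOwnerDocument().createElementNS(null, "Token");
            token.setTextContent(tokenSource.get()); // assumed already URL-encoded by the token code
            login.appendChild(token);
            msg.getHeaders().add(new SoapHeader(HEADER, login));
        }
    }

    /** Inbound: rejects any message whose header is missing, malformed or invalid. */
    public static final class In extends AbstractSoapInterceptor {
        private final Predicate<String> validator; // hypothetical hook into existing validation code
        public In(Predicate<String> validator) { super(Phase.PRE_PROTOCOL); this.validator = validator; }
        @Override public void handleMessage(SoapMessage msg) {
            Header header = msg.getHeader(HEADER);
            Node token = header != null && header.getObject() instanceof Element
                ? ((Element) header.getObject()).getElementsByTagNameNS(null, "Token").item(0) : null;
            // Fail closed with one generic fault so callers cannot tell which check failed.
            if (token == null || !validator.test(token.getTextContent())) {
                throw new SoapFault("Authentication failed", msg.getVersion().getSender());
            }
        }
    }
}
```

Register `Out` through `getOutInterceptors().add(...)` on the client and `In` through `getInInterceptors().add(...)` on the service endpoint; the validator behind `In` should compare secret-derived values in constant time.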
