XyLus wrote:
Hi All

I have client and server that use MTOM to send message with attachment. (it
works fine I can see <xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include"
href="$reference"/> in message and attachment bytes afterwards in Outbound
log)

I am wondering if it is possible to combine MTOM and WS-Security X.509
Certificate Token Profile signing?


I checked out WS-Security and MTOM tutorials available on CXF page and now I
have client code as follows:


        UploadService ss = new UploadService(wsdlURL, SERVICE_NAME);
        UploadServicePortType port = ss.getUploadServicePort();

        //WS-Security via API
        Map<String,Object> outProps = new HashMap<String,Object>();
        outProps.put(WSHandlerConstants.ACTION, "Signature");
        outProps.put(WSHandlerConstants.USER, "myAlias");
        outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
                ClientPasswordCallback.class.getName());
        outProps.put(WSHandlerConstants.SIG_PROP_FILE, "client_sign.properties");

        org.apache.cxf.endpoint.Client client =
                org.apache.cxf.frontend.ClientProxy.getClient(port);
        org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();

        WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
        cxfEndpoint.getOutInterceptors().add(wssOut);
        cxfEndpoint.getOutInterceptors().add(new SAAJOutInterceptor()); // 2.0.x only; not needed in 2.1+
        //WS-Security via API END

        Binding binding = ((BindingProvider)port).getBinding();
        ((SOAPBinding)binding).setMTOMEnabled(true);


I've made matching changes on server side and everything works fine.
However there is no <xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include"
href="$reference"/>
in client Inbound anymore. Instead of reference in message there is
attachment data coded with base64 :/


Please confirm whether my client configuration is not correct or combining
MTOM and WS-Security at the same time is not possible.

Hi Maciej,

Combination of MTOM and WS-Security must work. They are not mutually exclusive. AFAIK, securing MTOM attachment is not supported currently. Also, I am unable to locate any SignatureParts in security properties supplied to WSS4JInterceptor. Are you expecting any default behavior, or are they just left out for brevity? Anyway, I haven't tried this combination before but will surely update you soon by trying myself.

With Regards,
Mayank
Any help would be appreciated,
Maciej
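
The symptom described in this thread (an xop:Include reference replaced by inline base64 once signing is enabled) can be checked mechanically on a captured message instead of by reading the log. The following is an added example, not code from the original posts or from CXF; the function name, the length heuristic and both sample captures are constructed for illustration.

```python
import base64, binascii, email
import xml.etree.ElementTree as ET
from urllib.parse import unquote

XOP_INCLUDE = "{http://www.w3.org/2004/08/xop/include}Include"

def classify_payload(content_type, body, min_len=64):
    """Report whether binary data in a captured SOAP message is XOP-referenced or inlined."""
    msg = email.message_from_bytes(b"Content-Type: " + content_type.encode() + b"\n\n" + body)
    parts = msg.get_payload() if msg.is_multipart() else [msg]
    # Content-IDs of the attachment parts that follow the root XML part
    cids = {p["Content-ID"].strip("<> ") for p in parts[1:] if p["Content-ID"]}
    # Captures from untrusted peers should go through a hardened XML parser instead.
    envelope = ET.fromstring(parts[0].get_payload(decode=True))
    # Only the Body is inspected: a signed message's Header legitimately carries
    # base64 (signature value, digests, certificate token).
    soap_body = next(el for el in envelope if el.tag.endswith("}Body"))
    refs = [unquote(el.get("href", ""))[len("cid:"):] for el in soap_body.iter(XOP_INCLUDE)]
    inline = []
    for el in soap_body.iter():
        text = "".join((el.text or "").split())
        if len(el) == 0 and len(text) >= min_len:  # heuristic: long leaf text
            try:
                base64.b64decode(text, validate=True)
                inline.append(el.tag)
            except binascii.Error:
                pass
    return {"xop_refs": refs,
            "unresolved": [r for r in refs if r not in cids],
            "inline_base64": inline}

# Constructed sample captures (not taken from the thread's logs)
ENVELOPE = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><upload><data>%s</data></upload></soap:Body></soap:Envelope>')
XOP = '<xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="cid:att1@example.org"/>'
MTOM_TYPE = 'multipart/related; type="application/xop+xml"; boundary="uuid:b1"'
MTOM_BODY = ("--uuid:b1\nContent-Type: application/xop+xml; charset=UTF-8\n"
             "Content-ID: <root@example.org>\n\n" + ENVELOPE % XOP +
             "\n--uuid:b1\nContent-Type: application/octet-stream\n"
             "Content-ID: <att1@example.org>\n\nraw attachment bytes\n--uuid:b1--\n").encode()
INLINE_BODY = (ENVELOPE % base64.b64encode(b"raw attachment bytes" * 4).decode()).encode()

if __name__ == "__main__":
    print("MTOM capture:  ", classify_payload(MTOM_TYPE, MTOM_BODY))
    print("inline capture:", classify_payload("text/xml; charset=UTF-8", INLINE_BODY))
```

A non-empty `unresolved` list means the envelope references a Content-ID that no attachment part carries, which is worth flagging separately from the inline case.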
