Thanks for the answers Dan.From the following post I see that using the UsernameToken header and encryption together with wss4j/cxf has issues. Are they resolved now. If yes will there be two password callbacks ,one for the keystore password and the other for the password in the usernametoken.
http://markmail.org/message/3567ypt7qiihn4gi This post on X509 encryptiong usingCXF is interesting but does not use UserNameTokens http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the Can you please point me to some CXF samples which use the x509 cert encryption or other wss4j-encryption methods which encrypt only the Soap Headers(usernametoken) . Thanks and regards, Bharath -----Original Message----- From: Daniel Kulp [mailto:[email protected]] Sent: Tuesday, June 02, 2009 3:57 PM To: [email protected] Cc: bharath thippireddy Subject: Re: Securing User Name Token using CXF? On Tue June 2 2009 3:06:52 pm bharath thippireddy wrote: > We are implementing User Name Token Profile for login on each web service > call to our application. Can you please answer the following questions. > > > > 1)We use the cxf-servlet.xml file to configure our endpoints. Is there a > way to enable wss4j and username token profile callback functionality at a > global(BUS) level instead of adding the line below to each endpoint. Yea. The "<cxf:bus>" element can be used to add the interceptors to the Bus itself. That will apply to all the endpoint on the bus. > 2) What is best recommended approach to secure the username and password on > each call? Is it HTTPS or are there other ways to do it which are also > interoperable? HTTPs would be the best performing. The other option is to fully use WS- Security and use an X509 cert to encrypt the UsernameToken header in the message. -- Daniel Kulp [email protected] http://www.dankulp.com/blog
