Hi Dan, Thanks for your reply.
Forgot to mention that I'm building and running on CXF 2.2.4. Are you saying, that I can not have generated WSDL to include WSPolicy or you are saying that if I configure it CXF will do it automagically? What about this note on WS-SecurityPolicy? Note: at this point, WS-SecurityPolicy support is ONLY available for "WSDL first" scenarios. The WS-SecurityPolicy fragments can only be pulled from WSDL. In the future, we plan to enable various code first scenarios as well, but at this time, only WSDL first is available. http://cxf.apache.org/docs/ws-securitypolicy.html I already tried to specify policy as follows: <wsp:Policy wsu:Id="UsernameToken" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";> <wsp:ExactlyOne> <wsp:All> <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";> <wsp:Policy> <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"; /> </wsp:Policy> </sp:SupportingTokens> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> <jaxws:endpoint implementor="#helloWorldServiceBean" address="/v1/soap/HelloWorld"> <jaxws:features> <p:policies> <wsp:PolicyReference URI="#UsernameToken" xmlns:wsp="http://www.w3.org/2006/07/ws-policy"; /> </p:policies> </jaxws:features> </jaxws:endpoint> java2ws produced the same WSDL as before - no traces of policy. dkulp wrote: > > On Tue October 20 2009 11:28:59 am vickatvuuch wrote: >> Hi All, >> >> I'm trying to put together a java first CXF server with WS-Security. >> I have the WSS4JInInterceptor with password callback handling my requests >> with clear text pass for now. >> Could somebody point me into a right direction regarding two issues I'm >> trying to figure out: >> 1. WSDL header generation, in particular how to add WS-Security header to >> a >> generated WSDL, any examples? > > Well, in general, you don't. I've never actually seen that done. > > For the most part, what you would do it define a WS-SecurityPolicy policy > that > defined the security constraints and then the various security policy > runtimes > would interpret that into the required security header. In your case, > the > summary would be a TransportBinding/HttpsToken with a UsernameToken > SupportingToken. > > In XML that would be added to the wsdl, it would look like: > > > <wsp:Policy wsu:Id="ut_policy" > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"; > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401- > wss-wssecurity-utility-1.0.xsd"> > <sp:TransportBinding > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> > <wsp:Policy> > <sp:TransportToken> > <wsp:Policy> > <sp:HttpsToken/> > </wsp:Policy> > </sp:TransportToken> > <sp:Layout> > <wsp:Policy> > <sp:Strict/> > </wsp:Policy> > </sp:Layout> > <sp:AlgorithmSuite> > <wsp:Policy> > <sp:Basic128/> > </wsp:Policy> > </sp:AlgorithmSuite> > </wsp:Policy> > </sp:TransportBinding> > <sp:SupportingTokens > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";> > <wsp:Policy> > <sp:UsernameToken > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"; > sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always";> > <wsp:Policy> > <sp:WssUsernameToken11/> > </wsp:Policy> > </sp:UsernameToken> > </wsp:Policy> > </sp:SupportingTokens> > </wsp:Policy> > > and then add > <wsp:PolicyReference > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"; > URI="#ut_policy"/> > > to the wsdl:service/wsdl:port for your service. > > Of course, once you do that with CXF, the SecurityPolicy implementation > will > probably kick in and process it and you would need on unconfigure the > WSS4J > interceptors and reconfigure things using the SecurityPolicy constants. > See: > > http://cxf.apache.org/docs/ws-securitypolicy.html > > for information. Oliver Wulff is kind of working on a SecurityPolicy > based > UsernameToken example: > http://www.nabble.com/WS-SecurityPolicy,-UsernamePassword-example- > to25958182.html > >> 2. Another question I have is how to handle sessions using CXF, can't >> find >> a good example on that.. Basic idea is to have a Auth port to >> authenticate >> a session/token using WS-Security, have server return that session/token >> and make client use that for subsequent calls into all other ports. > > Yea. That's definitely one way to do it. You would normally define some > sort > of session object in schema and then reference that schema from the other > services and define soap:headers in those WSDL's for the sessions. > > Dan > > >> >> Thanks, >> -Vitaly >> >> Here is SOAP request with WS-Security which WSS4JInInterceptor is >> handling. >> >> <soapenv:Envelope >> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; >> xmlns:spr="http://spring.demo/";> >> soap:mustUnderstand="1"> >> <soapenv:Header> >> <wsse:Security >> >> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecur >> ity-secext-1.0.xsd" >> >> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecuri >> ty-utility-1.0.xsd" soapenv:mustUnderstand="true"> >> <wsse:UsernameToken wsu:Id="UsernameToken-799830164"> >> <wsse:Username>username</wsse:Username> >> <wsse:Password >> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-toke >> n-profile-1.0#PasswordText">password</wsse:Password> >> </wsse:UsernameToken> >> </wsse:Security> >> </soapenv:Header> >> >> <soapenv:Body> >> <spr:getDude> >> <!--Optional:--> >> <arg0>1</arg0> >> <!--Optional:--> >> <arg1>2</arg1> >> </spr:getDude> >> </soapenv:Body> >> </soapenv:Envelope> >> >> My project is attached. >> http://www.nabble.com/file/p25977266/CXFHelloServer.jar >> CXFHelloServer.jar >> > > -- > Daniel Kulp > [email protected] > http://www.dankulp.com/blog > > -- View this message in context: http://www.nabble.com/java-first-how-to-add-WS-Security-header-to-WSDL-tp25977266p25978891.html Sent from the cxf-user mailing list archive at Nabble.com.
