> Should I use 0x01 (i.e. USERNAME_TOKEN) or am I supposed to register my own.
> Looking at the source code it doesn't really look possible to use a custom
> value here (take a look at WSSecurityUtil.decodeAction). If I have to
> replace something, it might as well be "UsernameToken"/0x01, I guess.
You can use a custom value. WSSecurityUtil.decodeAction contains the
following code:
    int parsedAction = Integer.parseInt(single[i]);
    if (wssConfig.getAction(parsedAction) == null) {
        throw new WSSecurityException(
            "Unknown action defined: " + single[i]
        );
    }
    actions.add(new Integer(parsedAction));
Colm.
On Thu, Mar 15, 2012 at 5:53 PM, David Mansfield <[email protected]> wrote:
> On 03/15/2012 11:07 AM, Colm O hEigeartaigh wrote:
>>
>> Hi David,
>>
>>> I have also looked at the "custom actions" but I don't understand what
>>> the statement "integer representing the WSS4J action identifier" means,
>>> nor what indeed a WSS4J action is, or how to make one.
>>
>> You could take a look at the following unit test "testCustomAction":
>>
>>
>> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptorTest.java?view=markup
>>
>> You need to implement your own Action implementation to insert the
>> token in the security header:
>>
>>
>> http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/Action.java?view=markup
>>
>> Then you need to tell WSS4J to use this Action implementation
>> corresponding to a given integer. From the test:
>>
>> CountingUsernameTokenAction action = new CountingUsernameTokenAction();
>> Map<Object, Object> customActions = new HashMap<Object, Object>(1);
>> customActions.put(WSConstants.UT, action);
>>
>> ...
>> msg.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
>> msg.put(WSS4JOutInterceptor.WSS4J_ACTION_MAP, customActions);
>
> Ok. Getting there. Still a few questions:
>
> So these two lines set the "action" equal to "UsernameToken" (which
> translates elsewhere to 0x01), then supply a custom action map using a
> custom Action implementation for 0x01.
>
> Should I use 0x01 (i.e. USERNAME_TOKEN) or am I supposed to register my own.
> Looking at the source code it doesn't really look possible to use a custom
> value here (take a look at WSSecurityUtil.decodeAction). If I have to
> replace something, it might as well be "UsernameToken"/0x01, I guess.
>
> The other big problem is that all of these manipulations occur (in the test
> case you linked) on the "SoapMessage". It seems like the docs example
> works by configuring some "properties" map of the WSS4JOutInterceptor. So
> if I can translate what you said, I get:
>
> <bean id="sessionTokenAction"
>       class="com.example.subclass.of.action.MySessionTokenAction" />
>
> <bean id="sessionTokenInterceptor"
>       class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>   <constructor-arg>
>     <map>
>       <!-- Redefines the action for UsernameToken to use a custom impl. and
>            turns on the action -->
>       <entry key="action" value="UsernameToken" /> <!-- turn on the UsernameToken i.e. 0x01 -->
>       <entry key="wss4j.action.map">
>         <map key-type="java.lang.Integer" value-type="java.lang.Object">
>           <entry key="0x01" value-ref="sessionTokenAction"/>
>         </map>
>       </entry>
>     </map>
>   </constructor-arg>
> </bean>
>
> <bean id="greeterServiceFactory"
>       class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
>   ...
>   <property name="outInterceptors">
>     <list>
>       <ref bean="sessionTokenInterceptor" />
>     </list>
>   </property>
> </bean>
>
>
> And then services retrieved from spring will have the custom mapping
> applied.
>
>> The integer you associate with the action needs to be added via
>> WSHandlerConstants.ACTION. The example above is a tad confusing, as it
>> overrides the UsernameTokenAction rather than specifying a new action.
>>
>> Colm.
>>
>> On Thu, Mar 15, 2012 at 2:43 PM, David Mansfield<[email protected]>
>> wrote:
>>>
>>> Hi. This is my first post!
>>>
>>> I am working with a web service that has employed a "custom" security
>>> solution roughly based on STS. After I receive a "token" from their STS
>>> (using their custom library) I have to embed the opaque token in a custom
>>> header inside the wsse:Security soap header. Roughly like:
>>>
>>> <wsse:Security>
>>> <SecurityToken>
>>> <TokenValue>4321fade4321fade</TokenValue>
>>> </SecurityToken>
>>> </wsse:Security>
>>>
>>> (along with timestamping).
>>>
>>> The SecurityToken element is associated with their namespace.
>>>
>>> The session token will be common for _all_ requests using the service,
>>> but it will change over time as a session has a TTL (i.e. once a day the
>>> session token will need to be updated).
>>>
>>> I have looked at the WSS4JOutInterceptor but it seems to only be able to
>>> handle "standard" things like UsernameToken.
>>>
>>> I have also looked at the "custom actions" but I don't understand what
>>> the statement "integer representing the WSS4J action identifier" means,
>>> nor what indeed a WSS4J action is, or how to make one.
>>>
>>> Can someone point me in the right direction?
>>>
>>> Thanks,
>>> David Mansfield
>>> Cobite, INC.
>>>
>>>
>>
>>
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
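
Added example, not part of the original thread and not CXF or WSS4J project code: a custom Action registered under its own integer id instead of overriding UsernameToken/0x01, so the `decodeAction` check quoted above finds it. It assumes the WSS4J 1.6 `Action` interface linked in the thread; the class name, the id 12345 and the namespace `urn:example:session-token` are hypothetical placeholders.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.action.Action;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandler;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SessionTokenExample {
    // Hypothetical id: any integer not already used by a built-in WSS4J action.
    static final int SESSION_TOKEN_ACTION = 12345;
    // Placeholder namespace; the real one is defined by the service provider.
    static final String TOKEN_NS = "urn:example:session-token";

    /** Hypothetical Action that appends the opaque session token to wsse:Security. */
    static class SessionTokenAction implements Action {
        // The token is a bearer credential: keep it out of logs and exception text.
        private volatile String token;

        SessionTokenAction(String token) { this.token = token; }

        // Called when the session TTL expires and a fresh token has been obtained.
        void setToken(String token) { this.token = token; }

        public void execute(WSHandler handler, int actionToDo, Document doc,
                            RequestData reqData) throws WSSecurityException {
            Element header = reqData.getSecHeader().getSecurityHeader();
            Element securityToken = doc.createElementNS(TOKEN_NS, "SecurityToken");
            Element value = doc.createElementNS(TOKEN_NS, "TokenValue");
            value.setTextContent(token);
            securityToken.appendChild(value);
            header.appendChild(securityToken);
        }
    }

    static WSS4JOutInterceptor buildInterceptor(SessionTokenAction action) {
        Map<Integer, Object> customActions = new HashMap<Integer, Object>();
        customActions.put(SESSION_TOKEN_ACTION, action);

        Map<String, Object> props = new HashMap<String, Object>();
        // decodeAction parses this string with Integer.parseInt and rejects ids
        // that have no Action registered, so the map entry above must match it.
        props.put(WSHandlerConstants.ACTION, Integer.toString(SESSION_TOKEN_ACTION));
        props.put(WSS4JOutInterceptor.WSS4J_ACTION_MAP, customActions);
        return new WSS4JOutInterceptor(props);
    }
}
```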