I turned on debugging at the log4j root logger and saw this: 07:06:22,754 DEBUG UsernameTokenProcessor:49 - Found UsernameToken list element 07:06:22,754 DEBUG UsernameTokenValidator:78 - UsernameToken user Mike 07:06:22,754 DEBUG UsernameTokenValidator:79 - UsernameToken password type null 07:06:22,754 DEBUG TimestampProcessor:46 - Found Timestamp list element 07:06:22,754 DEBUG Timestamp:151 - Current time: 2013-01-11T12:06:22.754Z 07:06:22,754 DEBUG Timestamp:156 - Timestamp created: 2013-01-11T12:06:22.738Z 07:06:22,754 DEBUG Timestamp:162 - Timestamp expires: 2013-01-11T12:11:22.738Z 07:06:22,785 DEBUG Timestamp:342 - Validation of Timestamp: Everything is ok Jan 11, 2013 7:06:22 AM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor checkActions WARNING: Security processing failed (actions mismatch) Jan 11, 2013 7:06:22 AM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage WARNING: org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header
I then tried these changes: 1. Changed the client to send a dummy password in plain text. 2. Put the dummy password into the CXF service's interceptor configuration. 3. Added a CallbackHandler to the service's WSS4JInInterceptor that set the dummy password on the WSPasswordCallback. That passed through the security checks just fine. Do you have any suggestions on how to make UsernameToken validation pass without any password tag? Thanks, Mike On Fri, Jan 11, 2013 at 5:34 AM, Colm O hEigeartaigh <[email protected]>wrote: > Hi Mike, > > Turn logging to "DEBUG" and see what the reason for the > "WSSecurityException" was. > > Colm. > > On Thu, Jan 10, 2013 at 9:14 PM, Mike Thomsen <[email protected] > >wrote: > > > I'm still fairly new to CXF and Java web services, so please bear with > me. > > The service I am calling expects a WS-Security header like this: > > > > <SOAP-ENV:Header> > > <wsse:Security xmlns:wsse=" > > > > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd > > " > > soapenv:mustUnderstand="1"> > > <wsu:Timestamp xmlns:wsu=" > > > > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > > " > > wsu:Id="Timestamp-29345020"> > > <wsu:Created>2008-11-24T19:17:43.880Z</wsu:Created> > > <wsu:Expires>2008-11-24T19:22:43.880Z</wsu:Expires> > > </wsu:Timestamp> > > <wsse:UsernameToken xmlns:wsu=" > > > > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > > " > > wsu:Id="UsernameToken-18724539"> > > <wsse:Username>Mike</wsse:Username> > > </wsse:UsernameToken> > > </wsse:Security> > > </SOAP-ENV:Header> > > > > (No password) > > > > This is how I have it configured in my beans.xml file: > > > > <jaxws:endpoint id="managementService" > > implementor="com.mycompany.ManagementService" > address="/ManagementService"> > > <jaxws:inInterceptors> > > <bean > > class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> > > <constructor-arg> > > <map> > > <entry key="action" value="UsernameToken > > Timestamp"/> > > <entry key="passwordType" value="PasswordNone"/> > > </map> > > </constructor-arg> > > </bean> > > </jaxws:inInterceptors> > > </jaxws:endpoint> > > > > When I run the client I get this exception: > > > > org.apache.ws.security.WSSecurityException: An error was discovered > > processing the <wsse:Security> header > > > > I know the client (Spring-WS, not CXF) is sending WS-Security headers > based > > on the debugging output from it. > > > > Any help would be appreciated. > > > > Thanks, > > > > Mike > > > > > > -- > Colm O hEigeartaigh > > Talend Community Coder > http://coders.talend.com >
