Hi Adam,

To verify a UsernameToken you don't even need to write your own interceptor.
CXF provides some ways to configure it:
1) Using WS-Policy (recommended). See samples/ws_security/ut_policy from the CXF 
distribution for details.
2) Configure jaxws:properties in the CXF client and endpoint. See 
http://www.jroller.com/gmazza/entry/cxf_usernametoken_profile for details.
3) Directly configure WSS4J interceptors.

To your questions:
> 1. How does this interceptor work?  Does that mean all the messages coming
> in to my webservice server now will go through the interceptor class I specify
> from the ininterceptor annotation?

Yes, that is the basic idea of interceptors. An incoming message will go through 
the configured in-interceptor (http://cxf.apache.org/docs/interceptors.html).

> 
> 2. Below is the interceptor implementation I copied from one of the earlier
> posts.  All the interceptors are added to the message.getInterceptorChain().
> Is that the same as adding the interceptors to the endpoint?  If not,
> what's the difference?

Actually it is the same. Interceptors configured for the endpoint will appear in 
the service interceptor chain. Directly adding interceptors to the chain is normally 
used in dynamic scenarios.

> 
> 3. Could anyone help me understand how to use WSS4JInInterceptor class?
> In the example below, it's constructed with a hashmap.  Will the
> WSS4JInInterceptor instance then automatically validate the username and
> password?

WSS4JInInterceptor is the entry point for WSS4J security mechanisms, including 
UsernameToken and SAML authentication, XML signature and encryption, etc.

> 
> 4. I have currently commented out the SAAJInInterceptor and
> userTokenInterceptor.  What's the point of having SAAJInInterceptor here?

SAAJInInterceptor is responsible for unmarshalling the stream-based message to the SAAJ 
model. Currently it is required for the WSS4J interceptors, as WSS4J 1.6.X 
works with DOM messages.

> 
> 5. I know userTokenInterceptor is the custom interceptor, but in my
> implementation of it, I don't have a way to add the logic from the message in
> its handleMessage() method.  Could someone tell me what the normal use
> case for the custom interceptor is and how it is usually implemented?

http://cxf.apache.org/docs/interceptors.html


Regards,
Andrei.

> -----Original Message-----
> From: adamcchang [mailto:[email protected]]
> Sent: Friday, 25 January 2013 20:35
> To: [email protected]
> Subject: Interceptors for WS security
> 
> I have created a web service server (code first method) by using the
> @WebService(endpointInterface = "edu.uci.oit.dwh.webservices.DWHServer", serviceName = "DWHServer")
> annotation.  I am trying to add a security level
> on top of this.  After reading through some posts, I have added the following
> annotation
> @InInterceptors(interceptors={"edu.uci.oit.dwh.webservices.WSSecurityInterceptor"})
> However I have some questions and hope someone here with better
> knowledge could help me out.
> 
> 1. How does this interceptor work?  Does that mean all the messages coming
> in to my webservice server now will go through the interceptor class I specify
> from the ininterceptor annotation?
> 
> 2. Below is the interceptor implementation I copied from one of the earlier
> posts.  All the interceptors are added to the message.getInterceptorChain().
> Is that the same as adding the interceptors to the endpoint?  If not,
> what's the difference?
> 
> 3. Could anyone help me understand how to use WSS4JInInterceptor class?
> In the example below, it's constructed with a hashmap.  Will the
> WSS4JInInterceptor instance then automatically validate the username and
> password?
> 
> 4. I have currently commented out the SAAJInInterceptor and
> userTokenInterceptor.  What's the point of having SAAJInInterceptor here?
> 
> 5. I know userTokenInterceptor is the custom interceptor, but in my
> implementation of it, I don't have a way to add the logic from the message in
> its handleMessage() method.  Could someone tell me what the normal use
> case for the custom interceptor is and how it is usually implemented?
> 
> 
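> import java.util.HashMap;
> import java.util.Map;
> import org.apache.cxf.interceptor.Fault;
> import org.apache.cxf.message.Message;
> import org.apache.cxf.phase.AbstractPhaseInterceptor;
> import org.apache.cxf.phase.Phase;
> import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
> import org.apache.ws.security.handler.WSHandlerConstants;
> 
> public class WSSecurityInterceptor extends AbstractPhaseInterceptor<Message> {
> 
>     public WSSecurityInterceptor() {
>         super(Phase.PRE_PROTOCOL);
>     }
>     public WSSecurityInterceptor(String s) {
>         super(Phase.PRE_PROTOCOL);
>     }
> 
>     public void handleMessage(Message message) throws Fault {
>         // WSS4J configuration: require a UsernameToken and name the password callback class
>         Map<String, Object> props = new HashMap<String, Object>();
>         props.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
>         props.put(WSHandlerConstants.PW_CALLBACK_CLASS, ServerPasswordHandler.class.getName());
>         WSS4JInInterceptor wss4jInInterceptor = new WSS4JInInterceptor(props);
>         System.out.println("props:" + props);
>         ValidateUserTokenInterceptor userTokenInterceptor =
>                 new ValidateUserTokenInterceptor(Phase.POST_PROTOCOL);
>         // Interceptors are added to the chain of the message currently being processed
>         message.getInterceptorChain().add(wss4jInInterceptor);
>         //message.getInterceptorChain().add(new SAAJInInterceptor());
>         //message.getInterceptorChain().add(userTokenInterceptor);
>     }
> }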
> 
> Sorry, I know I am kind of not asking specific questions, but that is because I am not
> too clear on the whole picture.  I really appreciate anyone who could help
> me out.  Thanks in advance.
> 
> ~Adam
> 
> 
> 
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Interceptors-for-WS-security-
> tp5722285.html
> Sent from the cxf-user mailing list archive at Nabble.com.
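
The third option from the reply (WSS4J interceptors configured directly on the endpoint instead of being added from inside handleMessage()), as an added example that is not part of the original thread or of the CXF samples. It assumes CXF 2.x with WSS4J 1.6.x; SecuredEndpointPublisher, its publish() helper and the users map are hypothetical, and this ServerPasswordHandler is an illustrative implementation of the class named in the question.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

// Hypothetical helper class: wires UsernameToken validation before the endpoint goes live.
public class SecuredEndpointPublisher {

    /** Supplies the expected password; WSS4J 1.6.x compares it with the token itself. */
    static class ServerPasswordHandler implements CallbackHandler {
        private final Map<String, String> users; // assumption: stands in for a real credential store
        ServerPasswordHandler(Map<String, String> users) { this.users = users; }

        @Override
        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                String expected = users.get(pc.getIdentifier());
                // Unknown user: leave the password unset so WSS4J fails the authentication.
                if (expected != null) {
                    pc.setPassword(expected);
                }
            }
        }
    }

    // Interceptors are attached before publish(), so no request can reach the
    // service without passing the UsernameToken check required by ACTION.
    public static EndpointImpl publish(String address, Object serviceImpl,
                                       Map<String, String> users) {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        props.put(WSHandlerConstants.PW_CALLBACK_REF, new ServerPasswordHandler(users));
        EndpointImpl endpoint = new EndpointImpl(serviceImpl);
        endpoint.getInInterceptors().add(new SAAJInInterceptor()); // DOM view for WSS4J 1.6.x
        endpoint.getInInterceptors().add(new WSS4JInInterceptor(props));
        endpoint.publish(address);
        return endpoint;
    }
}
```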
