I'm using Spring 3.2.0.Release, CXF 2.7.3 and Java JDK1.6.0_24. I'm using
Wsse-security UsernameToken. This is working. Now a new requirement
surfaced. The WS is going to implement 'replay attack prevention'. I've read
the 'OASIS Web Services Security: Username Token Profile V1.0' document.
What I need to implement is <wsse:Nonce> and <wsu:Created>. According to
OASIS, if you implement one or both you must include them in
<wsse:PasswordDigest>.
I will show the relevant part of my Spring config file and below that I will
ask my questions.
<jaxws:client id="ppiClient" serviceClass="com.xxx.payment.Payment"
              address="${prepaidin.uri}">
  <jaxws:outInterceptors>
    <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
      <constructor-arg>
        <map>
          <entry key="action" value="UsernameToken"/>
          <entry key="user" value="${prepaidin.username}"/>
          <entry key="passwordType" value="PasswordText"/>
          <entry key="passwordCallbackRef" value-ref="myPasswordCallback"/>
        </map>
      </constructor-arg>
    </bean>
  </jaxws:outInterceptors>
</jaxws:client>

<bean id="myPasswordCallback" class="net.xxx.backend.ClientPasswordCallback"/>

<http-conf:conduit name="*.http-conduit">
  <http-conf:client ConnectionTimeout="${prepaidin.ConnectionTimeout}"
                    ReceiveTimeout="${prepaidin.ReceiveTimeout}"
                    Connection="close"/>
</http-conf:conduit>

<bean id="abstractLoggingInterceptor" abstract="true">
  <property name="prettyLogging" value="true"/>
</bean>
<bean id="loggingInInterceptor"
      class="org.apache.cxf.interceptor.LoggingInInterceptor"
      parent="abstractLoggingInterceptor"/>
<bean id="loggingOutInterceptor"
      class="org.apache.cxf.interceptor.LoggingOutInterceptor"
      parent="abstractLoggingInterceptor"/>

<cxf:bus>
  <cxf:inInterceptors>
    <ref bean="loggingInInterceptor"/>
  </cxf:inInterceptors>
  <cxf:outInterceptors>
    <ref bean="loggingOutInterceptor"/>
  </cxf:outInterceptors>
  <cxf:outFaultInterceptors>
    <ref bean="loggingOutInterceptor"/>
  </cxf:outFaultInterceptors>
  <cxf:inFaultInterceptors>
    <ref bean="loggingInInterceptor"/>
  </cxf:inFaultInterceptors>
</cxf:bus>
I have searched the Net a LOT (approx. 2 days) including the CXF website, but I
can NOT find what I'm looking for...
Questions:
1) All the examples I have use a passwordCallbackRef in combination with
PasswordText. Isn't it possible to have something like <entry key="password"
value="this_is_my_secret password"/>?
2) How can I, in the above setup, implement <wsse:Nonce>? As the nonce has to
be in a specific format I need a callback method for it (value-ref=......). I
also need to be able to reuse this nonce in a <wsse:PasswordDigest> tag
(see below).
3) How do I create a wsu:Created which I can use in combination with
<wsse:PasswordDigest> (see below)? When I extend the action part to <entry
key="action" value="UsernameToken"/> I see that in the SOAP request a
<wsu:Timestamp> tag is generated with a <wsu:Created> and <wsu:Expires>
in it. But I need to reuse that wsu:Created tag in the
<wsse:PasswordDigest> tag.
4) <wsse:PasswordDigest>. The OASIS spec says Password_Digest =
Base64(SHA-1(nonce + created + password)). How can I configure this in the
Spring config file? A callback is needed because I need to reuse the nonce,
created and password. Can a PasswordText tag be used in combination with
PasswordDigest or are they mutually exclusive?
5) Does anyone know of a good book which describes ws-security in
combination with Spring and CXF?
Any solution or hints/urls/references are very much appreciated, because like
I said I'm totally stuck with this...
--
View this message in context:
http://cxf.547215.n5.nabble.com/WS-security-UsernameToken-How-to-set-wssse-Nonce-and-wsse-PasswordDigest-with-Spring-and-CXF-tp5724932.html
Sent from the cxf-user mailing list archive at Nabble.com.
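An added example, not from the original post and not CXF or WSS4J code, written in Python rather than Java so the logic is visible without the framework: it carries out the Password_Digest formula from question 4 on the sender side and shows the receiver-side checks (Created freshness window plus a nonce cache) that make the digest actually resist replay. The user names, passwords, field names and result strings are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

CREATED_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # xsd:dateTime in UTC, the shape <wsu:Created> takes

def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)); the nonce
    goes in as raw (base64-decoded) bytes, Created and password as UTF-8."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_token(user: str, password: str, created: str = None) -> dict:
    """Sender side: the fields a <wsse:UsernameToken> carries (constructed values)."""
    if created is None:  # now, in UTC, trimmed to milliseconds
        created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    nonce = base64.b64encode(os.urandom(16)).decode("ascii")  # fresh per message
    return {"Username": user, "Nonce": nonce, "Created": created,
            "PasswordDigest": password_digest(nonce, created, password)}

class UsernameTokenVerifier:
    """Receiver side: the digest alone does not stop replay; the window and the nonce cache do."""

    def __init__(self, passwords: dict, ttl_seconds: int = 300):
        self.passwords = passwords  # username -> clear-text password (digest needs the clear text)
        self.ttl = timedelta(seconds=ttl_seconds)
        self.seen = {}              # nonce -> Created, only for nonces still inside the window

    def verify(self, token: dict, now: datetime = None) -> str:
        now = now or datetime.now(timezone.utc)
        try:
            created = datetime.strptime(token["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return "bad-created"
        if abs(now - created) > self.ttl:
            return "stale"          # outside the window: reject and do not cache the nonce
        password = self.passwords.get(token["Username"], "")
        try:
            expected = password_digest(token["Nonce"], token["Created"], password)
        except ValueError:          # nonce is not valid base64
            return "bad-digest"
        if not password or not hmac.compare_digest(expected.encode(), token["PasswordDigest"].encode()):
            return "bad-digest"
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.ttl}  # expire old nonces
        if token["Nonce"] in self.seen:
            return "replay"         # same nonce inside the window: a re-sent message
        self.seen[token["Nonce"]] = created
        return "ok"
```

The cache only needs to hold nonces for the length of the window, which is why the freshness check comes first: anything older is rejected without ever entering the cache.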