If you use a password digest type, then Nonce and Created are included automatically. If you wish to add Nonce + Created Elements in the UsernameToken for "PasswordText", then add the following to your WSS4JOutInterceptor and it should work:

    <entry key="addUTElements" value="Nonce Created"/>

It's not supported to have a pluggable way of setting Nonces + Created values...why do you even want to? If you want to do this then you'll need to create your own version of WSS4J's UsernameTokenAction + plug that in instead.

Colm.

On Thu, Mar 21, 2013 at 2:23 PM, wolverine2710 <[email protected]> wrote:

> I'm using Spring 3.2.0.Release, CXF 2.7.3 and Java JDK1.6.0_24. I'm using
> Wsse-security UsernameToken. This is working. Now a new requirement
> surfaced. The WS is going to implement 'replay attack prevention'. I've read
> the 'OASIS Web Services Security: Username Token Profile V1.0' document.
> What I need to implement is <wsse:Nonce> and <wsu:Created>. According to the
> OASIS if you implement one or both you must include them in
> <wsse:PasswordDigest>
>
> I will show the relevant part of my Spring config file and below that I will
> ask my questions.
>
> <jaxws:client id="ppiClient" serviceClass="com.xxx.payment.Payment"
>     address="${prepaidin.uri}">
>   <jaxws:outInterceptors>
>     <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>       <constructor-arg>
>         <map>
>           <entry key="action" value="UsernameToken"/>
>           <entry key="user" value="${prepaidin.username}"/>
>           <entry key="passwordType" value="PasswordText"/>
>           <entry key="passwordCallbackRef" value-ref="myPasswordCallback"/>
>         </map>
>       </constructor-arg>
>     </bean>
>   </jaxws:outInterceptors>
> </jaxws:client>
>
> <bean id="myPasswordCallback"
>     class="net.xxx.backend.ClientPasswordCallback"/>
> <http-conf:conduit name="*.http-conduit">
>   <http-conf:client
>       ConnectionTimeout="${prepaidin.ConnectionTimeout}"
>       ReceiveTimeout="${prepaidin.ReceiveTimeout}"
>       Connection="close" />
> </http-conf:conduit>
>
> <bean id="abstractLoggingInterceptor" abstract="true">
>   <property name="prettyLogging" value="true" />
> </bean>
> <bean id="loggingInInterceptor"
>     class="org.apache.cxf.interceptor.LoggingInInterceptor"
>     parent="abstractLoggingInterceptor" />
> <bean id="loggingOutInterceptor"
>     class="org.apache.cxf.interceptor.LoggingOutInterceptor"
>     parent="abstractLoggingInterceptor" />
>
> <cxf:bus>
>   <cxf:inInterceptors>
>     <ref bean="loggingInInterceptor" />
>   </cxf:inInterceptors>
>   <cxf:outInterceptors>
>     <ref bean="loggingOutInterceptor" />
>   </cxf:outInterceptors>
>   <cxf:outFaultInterceptors>
>     <ref bean="loggingOutInterceptor" />
>   </cxf:outFaultInterceptors>
>   <cxf:inFaultInterceptors>
>     <ref bean="loggingInInterceptor" />
>   </cxf:inFaultInterceptors>
> </cxf:bus>
>
> I have searched the Net a LOT (approx 2 days) including the CXF website, but I
> can NOT find what I'm looking for...
>
> Questions:
>
> 1) All examples I have use a passwordCallbackRef in combination with
> PasswordText. Isn't it possible to have something like <entry key="password"
> value="this_is_my_secret password" ??
>
> 2) How can I, in the above setup, implement <wsse:Nonce>? As the nonce has to be
> in a specific format I need a callback method for it (value-ref=......). I
> also need to be able to reuse this nonce in a <wsse:PasswordDigest> tag
> (see below)
>
> 3) How do I create a wsu:Created which I can use in combination with
> <wsse:PasswordDigest> (see below)? When I extend the action part to <entry
> key="action" value="UsernameToken"/> I see that in the soaprequest a
> <wsu:Timestamp> tag is generated with in it a <wsu:Created> and
> <wsu:Expires>. But I need to reuse that wsu:created tag in the
> <wsse:PasswordDigest> tag.
>
> 4) <wsse:PasswordDigest>. The OASIS specs say Password_Digest = Base
> (SHA-1(nonce + created + password). How can I configure this in the spring
> config file? A callback is needed because I need to reuse the nonce, created
> and password. Can a PasswordText tag be used in combination with
> PasswordDigest or are they mutually exclusive?
>
> 5) Does anyone know of a good book which describes ws-security in
> combination with Spring and CXF?
>
> Any solution or hints/urls/references is very much appreciated. Because like
> I said I'm totally stuck with this...
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/WS-security-UsernameToken-How-to-set-wssse-Nonce-and-wsse-PasswordDigest-with-Spring-and-CXF-tp5724932.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
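
The digest and replay check this thread is about, as an added example that is not part of the original messages and is not CXF or WSS4J code: the client derives the digest from a fresh nonce, the Created timestamp and the password, and the receiving service rejects stale timestamps, wrong digests and reused nonces. The five-minute window, the in-memory stores, the dict-shaped token and all function and class names are assumptions made for illustration.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # assumed freshness window; the thread names none
FMT = "%Y-%m-%dT%H:%M:%SZ"     # UTC timestamp layout used for wsu:Created here

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), nonce as decoded bytes."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def make_token(user, password, now=None):
    """Client side: a fresh random nonce and timestamp for every request."""
    created = (now or datetime.now(timezone.utc)).strftime(FMT)
    nonce = os.urandom(16)
    return {"Username": user, "Created": created,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "PasswordDigest": password_digest(nonce, created, password)}

class ReplayGuard:
    """Server side: check freshness, then the digest, then nonce reuse."""
    def __init__(self, passwords):
        self.passwords = passwords  # constructed user -> password store
        self.seen = {}              # (user, nonce bytes) -> Created time

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        # Nonces older than the window need no cache slot: they fail as stale.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= WINDOW}
        try:
            user, created_s = token["Username"], token["Created"]
            created = datetime.strptime(created_s, FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
            sent = token["PasswordDigest"].encode("utf-8")
        except (KeyError, ValueError, TypeError, AttributeError):
            return "malformed"
        if abs(now - created) > WINDOW:
            return "stale"
        password = self.passwords.get(user)
        if password is None:
            return "bad-digest"
        expected = password_digest(nonce, created_s, password).encode("ascii")
        if not hmac.compare_digest(expected, sent):
            return "bad-digest"
        # Key on decoded bytes so a re-encoded copy of a nonce still matches.
        if (user, nonce) in self.seen:
            return "replay"
        self.seen[(user, nonce)] = created
        return "ok"
```

The nonce cache only has to remember entries for as long as the timestamp window, which is why Nonce and Created are used together.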
