I’m using CXF 2.7.3.

The WSS4JInInterceptor is setting SECURITY_PROCESSED to Boolean.TRUE and the 
service is invoked when no SOAP Security header is provided.  Is this the 
expected behavior?  I would expect security processing to fail if no security 
header is provided.

My password callback function is never called and the service is invoked.  What 
am I missing?

Is this because the WSDL doesn’t mention any security policy (or any policy for 
that matter)?  What do I need to do in such a case?

Here’s my Spring config excerpt.

    <jaxws:endpoint id="eventNotificationEndpoint"
                    implementor="#eventNotificationEndpointImpl"
                    address="/eventNotification">
        <jaxws:properties>
            <entry key="schema-validation-enabled" value="true" />
            <!-- The following two properties are set because we are using such an
                 old version of ehcache. Delete these when we upgrade EhCache. -->
            <entry key="ws-security.nonce.cache.instance" value-ref="nonceMemoryReplayCache" />
            <entry key="ws-security.timestamp.cache.instance" value-ref="timestampMemoryReplayCache" />
        </jaxws:properties>
        <jaxws:inInterceptors>
            <ref bean="loggingInInterceptor" />
            <bean id="eventNotificationMeterSecurityEnabledCheckIncomingInterceptor"
                  class="com.ecologic.components.server.security.webservices.interceptors.SecurityEnabledCheckInInterceptor"
                  p:securityManager-ref="securityManager"
                  p:webServiceAuthStrategyDao-ref="wsDestinationDao"
                  p:endpointName="EventNotification"
                  p:endpointType="WS_SERVER_INT" />
            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <constructor-arg>
                    <map>
                        <entry key="action" value="UsernameToken Timestamp" />
                        <entry key="passwordType" value="PasswordDigest" />
                        <entry key="passwordCallbackRef">
                            <bean parent="securityServiceForWebserviceWithDigest"
                                  p:endpointName="EventNotification" />
                        </entry>
                    </map>
                </constructor-arg>
                <property name="ignoreActions" value="true" />
            </bean>
        </jaxws:inInterceptors>
        <jaxws:outInterceptors>
            <ref bean="loggingOutInterceptor" />
            <ref bean="securityEnabledCheckOutgoingInterceptor" />
        </jaxws:outInterceptors>
    </jaxws:endpoint>

Cheers,

Benji
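
An added example, not part of the original post and not CXF code: a Python check that scans a Spring config for WSS4JInInterceptor beans that configure required actions and also set ignoreActions to true, the combination in the config above. It assumes that in CXF 2.7.x ignoreActions=true makes the interceptor skip comparing the processed results against the configured actions, so a request with no Security header is not rejected by it; the function name audit and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

BEANS = "{http://www.springframework.org/schema/beans}"
WSS4J_IN = "org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"

# Constructed sample, reduced from the interceptor bean in the post.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="lax" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg><map>
      <entry key="action" value="UsernameToken Timestamp" />
      <entry key="passwordType" value="PasswordDigest" />
    </map></constructor-arg>
    <property name="ignoreActions" value="true" />
  </bean>
  <bean id="strict" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg><map>
      <entry key="action" value="UsernameToken Timestamp" />
    </map></constructor-arg>
  </bean>
</beans>"""


def audit(xml_text):
    """Return [(bean id, required actions)] for beans whose action check is off."""
    findings = []
    # iter() also reaches beans nested inside jaxws:inInterceptors and similar.
    for bean in ET.fromstring(xml_text).iter(BEANS + "bean"):
        if bean.get("class") != WSS4J_IN:
            continue
        actions = [e.get("value") or "" for e in bean.iter(BEANS + "entry")
                   if e.get("key") == "action"]
        # Assumption: ignoreActions=true disables the required-action comparison.
        ignore = any(p.get("name") == "ignoreActions"
                     and (p.get("value") or "").strip().lower() == "true"
                     for p in bean.findall(BEANS + "property"))
        if ignore and actions:
            findings.append((bean.get("id") or "(anonymous)", actions[0].split()))
    return findings


if __name__ == "__main__":
    for bean_id, actions in audit(SAMPLE):
        print(f"{bean_id}: ignoreActions=true, required actions {actions} not enforced")
```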


