Hi Benji,

It is not throwing an exception because you have defined the following property:

<property name="ignoreActions" value="true" />

That is telling the WSS4JInInterceptor not to bother matching configured Actions against what was actually processed. This property is not really intended to be used under normal circumstances. The PolicyBasedWSS4JInInterceptor sets it to true as it does its own verification of what security actions were performed.

Colm.

On Wed, Mar 27, 2013 at 7:14 PM, Shults, Benji <[email protected]> wrote:

> I’m using CXF 2.7.3.
>
> The WSS4JInInterceptor is setting SECURITY_PROCESSED to Boolean.TRUE and
> the service is invoked when no SOAP Security header is provided. Is this
> the expected behavior? I would expect security processing to fail if no
> security header is provided.
>
> My password callback function is never called and the service is invoked.
> What am I missing?
>
> Is this because the WSDL doesn’t mention any security policy (or any
> policy for that matter)? What do I need to do in such a case?
>
> Here’s my spring config excerpt.
>
> <jaxws:endpoint id="eventNotificationEndpoint"
>     implementor="#eventNotificationEndpointImpl" address="/eventNotification">
>   <jaxws:properties>
>     <entry key="schema-validation-enabled" value="true" />
>     <!-- The following two properties are set because we are using such an
>          old version of ehcache. Delete these when we upgrade EhCache. -->
>     <entry key="ws-security.nonce.cache.instance" value-ref="nonceMemoryReplayCache" />
>     <entry key="ws-security.timestamp.cache.instance" value-ref="timestampMemoryReplayCache" />
>   </jaxws:properties>
>   <jaxws:inInterceptors>
>     <ref bean="loggingInInterceptor" />
>     <bean id="eventNotificationMeterSecurityEnabledCheckIncomingInterceptor"
>         class="com.ecologic.components.server.security.webservices.interceptors.SecurityEnabledCheckInInterceptor"
>         p:securityManager-ref="securityManager"
>         p:webServiceAuthStrategyDao-ref="wsDestinationDao"
>         p:endpointName="EventNotification"
>         p:endpointType="WS_SERVER_INT" />
>     <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>       <constructor-arg>
>         <map>
>           <entry key="action" value="UsernameToken Timestamp" />
>           <entry key="passwordType" value="PasswordDigest" />
>           <entry key="passwordCallbackRef">
>             <bean parent="securityServiceForWebserviceWithDigest"
>                 p:endpointName="EventNotification" />
>           </entry>
>         </map>
>       </constructor-arg>
>       <property name="ignoreActions" value="true" />
>     </bean>
>   </jaxws:inInterceptors>
>   <jaxws:outInterceptors>
>     <ref bean="loggingOutInterceptor" />
>     <ref bean="securityEnabledCheckOutgoingInterceptor" />
>   </jaxws:outInterceptors>
> </jaxws:endpoint>
>
> Cheers,
>
> Benji

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
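
An added example, not part of the original thread and not CXF code: a small Python check that scans a Spring configuration for WSS4JInInterceptor beans with ignoreActions set to true, the setting the reply above identifies. The sample configuration, its endpoint ids and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"
WSS4J_IN = "org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"

# Constructed sample: one endpoint repeats the setting from the thread, one omits it.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:jaxws="http://cxf.apache.org/jaxws">
  <jaxws:endpoint id="weakEndpoint" address="/weak"><jaxws:inInterceptors>
    <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
      <constructor-arg><map><entry key="action" value="UsernameToken Timestamp"/></map></constructor-arg>
      <property name="ignoreActions" value="true"/>
    </bean>
  </jaxws:inInterceptors></jaxws:endpoint>
  <jaxws:endpoint id="strictEndpoint" address="/strict"><jaxws:inInterceptors>
    <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
      <constructor-arg><map><entry key="action" value="UsernameToken Timestamp"/></map></constructor-arg>
    </bean>
  </jaxws:inInterceptors></jaxws:endpoint>
</beans>"""

def find_ignore_actions(spring_xml):
    """Return (nearest enclosing id, configured action string) for every
    WSS4JInInterceptor bean that sets ignoreActions to true."""
    root = ET.fromstring(spring_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for bean in root.iter(f"{{{BEANS}}}bean"):
        # Exact class only: PolicyBasedWSS4JInInterceptor sets the flag itself.
        if bean.get("class") != WSS4J_IN:
            continue
        # The flag can be a p: attribute or a <property> child element.
        value = bean.get(f"{{{P_NS}}}ignoreActions")
        for prop in bean.findall(f"{{{BEANS}}}property"):
            if prop.get("name") == "ignoreActions":
                value = prop.get("value") or prop.findtext(f"{{{BEANS}}}value")
        if (value or "").strip().lower() != "true":
            continue
        actions = next((e.get("value") for e in bean.iter(f"{{{BEANS}}}entry")
                        if e.get("key") == "action"), None)
        owner = bean
        while owner is not None and not owner.get("id"):
            owner = parents.get(owner)  # walk up to the endpoint or bean id
        findings.append((owner.get("id") if owner is not None else "<anonymous>", actions))
    return findings

if __name__ == "__main__":
    for owner, actions in find_ignore_actions(SAMPLE):
        print(f"{owner}: ignoreActions=true, actions {actions!r} are not matched")
```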
