WS-SecurityPolicy seems to be ignored on client side

Thu, 24 Oct 2013 03:32:04 -0700 

Hi, 

I have a CXF web service with a security policy defined in the WSDL (based
on one of the examples I think), it works almost fine when called from
SoapUI. I say almost because it returns security info in the response which
I believe it shouldn't do, based on what the spec says about
AlwaysToRecipient, but that's a different problem. 

        <wsp:Policy wsu:Id="UsernameTokenPolicy">
                                <sp:UsernameToken
                                
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
                                        <wsp:Policy>
                                        <sp:WssUsernameToken11/>
                                        </wsp:Policy>                           
        
                                </sp:UsernameToken>
        </wsp:Policy>

The problem I am seeing is security headers are not added by the client when
relying on the policy in the WSDL. Neither of the following configurations
work:

     <jaxws:client id="client"
       
serviceClass="org.apache.camel.example.reportincident.ReportIncidentEndpoint"
        address="http://fnd2012:9087/report";>
        <jaxws:properties>
            <entry key="ws-security.username" value="User" />
            <entry key="ws-security.password" value="Pass" />
        </jaxws:properties>
    </jaxws:client>

        <jaxws:client id="client"
        
serviceClass="org.apache.camel.example.reportincident.ReportIncidentEndpoint"
                address="http://fnd2012:9087/report";>
                <jaxws:properties>
                        <entry key="ws-security.username" value="User" />
                        <entry key="ws-security.callback-handler"
value-ref="myPasswordCallback"/>
                </jaxws:properties>
        </jaxws:client>

However it works if I configure a WSS4JOutInterceptor as follows:

    <jaxws:client id="client"
       
serviceClass="org.apache.camel.example.reportincident.ReportIncidentEndpoint"
        address="http://fnd2012:9087/report";>
        <jaxws:outInterceptors>
            <bean
class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
                <constructor-arg>
                    <map>
                        <entry key="action" value="UsernameToken"/>
                        <entry key="user" value="User"/>
                        <entry key="passwordType" value="PasswordText"/>
                        <entry key="passwordCallbackRef"
value-ref="myPasswordCallback"/>
                    </map>
                </constructor-arg>
            </bean>
        </jaxws:outInterceptors>
    </jaxws:client>

Any ideas where I am going wrong? 

TIA

Mark





--
View this message in context: 
http://cxf.547215.n5.nabble.com/WS-SecurityPolicy-seems-to-be-ignored-on-client-side-tp5735502.html
Sent from the cxf-user mailing list archive at Nabble.com.

Reply via email to