Hi Colm,
I have tested with CXF 3.0.1 as well and the results are the same. The SOAP request and 
password callback code are included below.
Yes, I have enabled the logging, which does not log the outbound message on the 
client side when WSS4JStaxOutInterceptor is used. However, the inbound message 
is getting logged.

SOAP Request:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        soap:mustUnderstand="1">
      <wsse:UsernameToken
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="G0174fea5-ef7f-435e-8d5f-36a3143ffaa4">
        <wsse:Username>theUserName</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">thePassword</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <TwowayStructStringRequest xmlns="http://test.com/struct/xsd">
      <PerfStructStringArrayVal>
        <Item>
          <StringVal>String</StringVal>
          <DoubleVal>18446744073709551616</DoubleVal>
          <FloatVal>4294967296</FloatVal>
          <CharVal>a</CharVal>
          <LongVal>4294967296</LongVal>
          <ShortVal>65536</ShortVal>
        </Item>
      </PerfStructStringArrayVal>
    </TwowayStructStringRequest>
  </soap:Body>
</soap:Envelope>

Password Callback Code (this code works with WS-SecurityPolicy as well as WSS4J 
old interceptors):

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.wss4j.common.ext.WSPasswordCallback;

public class ServerPasswordCallback implements CallbackHandler {

    private Map<String, String> passwords = new HashMap<String, String>();

    public ServerPasswordCallback() {
        passwords.put("theUserName", "thePassword");
        passwords.put("abcd", "dcba");
    }

    /**
     * Here, we attempt to get the password from the private
     * alias/passwords map.
     */
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

            // Look up the stored password for the user name carried by the token.
            String pass = passwords.get(pc.getIdentifier());
            if (pass == null) {
                throw new SecurityException("The UsernameToken '" + pc.getIdentifier() + "' can not be authenticated.");
            }
            else if (pass != null) {
                pc.setPassword(pass);
                return;
            }
        }
        //
        // Password not found
        //
        throw new IOException();
    }

    /**
     * Add an alias/password pair to the callback mechanism.
     */
    public void setAliasPassword(String alias, String password) {
        passwords.put(alias, password);
    }
}

Client configuration with WSS4JStaxOutInterceptor:

<jaxws:client name="..." createdFromAPI="true">
  <jaxws:outInterceptors>
    <bean class="org.apache.cxf.ws.security.wss4j.WSS4JStaxOutInterceptor">
      <constructor-arg>
        <map>
          <entry key="action" value="UsernameToken"/>
          <entry key="user" value="theUserName"/>
          <entry key="passwordType" value="PasswordText"/>
          <entry key="passwordCallbackRef" value-ref="clientCallback"/>
        </map>
      </constructor-arg>
    </bean>
  </jaxws:outInterceptors>
</jaxws:client>

<bean id="clientCallback" class="com.att.cio.rpcperf.client.ClientPasswordCallback"/>

<cxf:bus>
  <cxf:features>
    <cxf:logging/>
  </cxf:features>
</cxf:bus>

Thanks,
Venkat

> Date: Thu, 21 Aug 2014 16:33:03 +0100
> Subject: Re: WSS4JStax interceptor issues in Apache CXF 3.0.0
> From: [email protected]
> To: [email protected]
> 
> Hi,
> 
> > 1)      The client with WSS4JStaxOutInterceptor (WSS4J-2.0.0) is not
> > working. It is throwing the exception.
> 
> It was a bug in WSS4J 2.0.0 (SOAP schemas were not included), fixed in
> WSS4J 2.0.1.
> 
> > 2)      I replaced the WSS4J 2.0.0 jar’s with WSS4J 2.0.1 jar and the
> > client side works fine. However with 2.0.0 and 2.0.1 the server side code
> > was not getting the User Name in password callback handler when
> > WSS4JStaxInInterceptor used, basically “getIdentifier” method returns an
> > empty string. Everything works fine with old WSS4J interceptors as well as
> > WS-SecurityPolicy.
> 
> This seems odd. Could you paste in what the UsernameToken from the message
> looks like, what the CallbackHandler implementation looks like?
> 
> > 3)      WSS4JStaxOutInterceptor does not log the outbound message when
> > the logging enabled.
> 
> Do you mean that if you enable the CXF logging interceptors, it doesn't log
> the message? WSS4JStaxOutInterceptor itself doesn't log the message.
> 
> Colm.
> 
> On Wed, Aug 20, 2014 at 7:22 PM, NALLA, VENKAT <[email protected]> wrote:
> 
> >  Hi Colm,
> >
> >
> >
> > I am using Apache CXF version 3.0.0 and testing JAX-WS services with
> > WS-Security UsernameToken profile with plain password, and running in to
> > following issues. Appreciate if you could help in resolving these issues.
> >
> >
> >
> > 1)      The client with WSS4JStaxOutInterceptor (WSS4J-2.0.0) is not
> > working. It is throwing the exception.
> >
> > a.       Exception using Oracle JDK 7 on Windows 7 desktop in the
> > attached file “OracleJDK7WSS4J-2.0.0-ClientException on Win7.txt”
> >
> > b.      Exception using IBM JDK 7 on AIX in the attached file
> > “IBMJDK7-WSS4j-2.0.0ClientException on AIX.txt”
> >
> >
> >
> > 2)      I replaced the WSS4J 2.0.0 jar’s with WSS4J 2.0.1 jar and the
> > client side works fine. However with 2.0.0 and 2.0.1 the server side code
> > was not getting the User Name in password callback handler when
> > WSS4JStaxInInterceptor used, basically “getIdentifier” method returns an
> > empty string. Everything works fine with old WSS4J interceptors as well as
> > WS-SecurityPolicy.
> >
> > 3)      WSS4JStaxOutInterceptor does not log the outbound message when
> > the logging enabled.
> >
> >
> >
> > The server configuration:
> >
> >   <jaxws:endpoint name="…" createdFromAPI="true">
> >     <jaxws:inInterceptors>
> >       <bean class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
> >         <constructor-arg>
> >           <map>
> >             <entry key="action" value="UsernameToken"/>
> >             <entry key="passwordType" value="PasswordText"/>
> >             <entry key="passwordCallbackClass" value="...ServerPasswordCallback"/>
> >           </map>
> >         </constructor-arg>
> >       </bean>
> >     </jaxws:inInterceptors>
> >   </jaxws:endpoint>
> >
> >
> >
> > Thanks,
> >
> > Venkat
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
> >
                                          
