On 21 April 2015 at 11:41, Colm O hEigeartaigh <[email protected]> wrote:
> Is the call actually over https or not? The policy that is applicable says
> that it must be, and the check is failing. What is the endpoint URL?
The service is running on http (in the case of my unit test).
I have now found out the reason for my problems; I was actually just
about to post a reply to my own question.
The problem was the wsdl file that is part of the service library and
which I am using here:
    URL wsdlLocation = XXX_Service.class.getClassLoader().getResource("XXX.wsdl");
In this wsdl there is, among others, this code:
    <sp:TransportToken>
        <wsp:Policy>
            <sp:HttpsToken RequireClientCertificate="false"/>
        </wsp:Policy>
    </sp:TransportToken>
This is why my client's configuration would always try to enforce
https. I can circumvent this with this code:
    // Policy whose TransportBinding is empty, i.e. it carries no
    // TransportToken/HttpsToken assertion.
    String emptyWspPolicyXml = "<wsp:Policy wsu:Id=\"TransportToken\"\n"
        + "\txmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"\n"
        + "\txmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\"\n"
        + "\txmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n"
        + "\t\t<wsp:ExactlyOne>\n"
        + "\t\t\t<wsp:All>\n"
        + "\t\t\t\t<sp:TransportBinding xmlns:sp=\"http://schemas.xmlsoap.org/ws/2005/07/securitypolicy\">\n"
        + "\t\t\t\t\t<wsp:Policy>\n"
        + "\t\t\t\t\t</wsp:Policy>"
        + "\t\t\t\t</sp:TransportBinding>\n"
        + "\t\t\t</wsp:All>\n"
        + "\t\t</wsp:ExactlyOne>\n"
        + "</wsp:Policy>\n";

    // Parse the policy with the bus's PolicyBuilder and set it as the
    // per-request override of the policy taken from the wsdl.
    PolicyBuilder builder =
        client.getBus().getExtension(org.apache.cxf.ws.policy.PolicyBuilder.class);
    Policy wsSecurityPolicy = builder.getPolicy(
        new ByteArrayInputStream(emptyWspPolicyXml.getBytes(StandardCharsets.UTF_8)));
    client.getRequestContext().put(PolicyConstants.POLICY_OVERRIDE, wsSecurityPolicy);
My next step will be to replace that string constant with some more or
less configurable mechanism, probably allowing the user to provide
their own input stream to a configuration XML. Not terribly nice, but
will do.
One question remains however:
In the spring-based approach, a very simple configuration is used:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:jaxws="http://cxf.apache.org/jaxws"
           xmlns:jaxrs="http://cxf.apache.org/jaxrs"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:cxf="http://cxf.apache.org/core"
           xmlns:context="http://www.springframework.org/schema/context"
           xmlns:cache="http://www.springframework.org/schema/cache"
           xmlns:aop="http://www.springframework.org/schema/aop"
           xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
           xmlns:http="http://cxf.apache.org/transports/http/configuration"
           xmlns:conf-sec="http://cxf.apache.org/configuration/security"
           xmlns:sec="http://cxf.apache.org/configuration/security"
           xmlns:soap="http://cxf.apache.org/bindings/soap"
           xsi:schemaLocation="
               http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
               http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
               http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
               http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd
               http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
               http://www.springframework.org/schema/cache http://www.springframework.org/schema/cache/spring-cache.xsd
               http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
               http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
               http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
               http://cxf.apache.org/bindings/soap http://cxf.apache.org/schemas/configuration/soap.xsd
               http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
           ">
        <jaxws:client id="xxx"
                      serviceClass="com.yyy.xxx.XXX"
                      address="http://localhost:8080/XXX/soap">
            <jaxws:features>
                <wsa:addressing xmlns:wsa="http://cxf.apache.org/ws/addressing"/>
            </jaxws:features>
            <jaxws:binding>
                <soap:soapBinding version="1.2"/>
            </jaxws:binding>
        </jaxws:client>
    [...]
The existing spring-based test would do something like this:
    ApplicationContext context =
        new ClassPathXmlApplicationContext(new String[] { "client.xml" });
    // getBean(String) returns Object, so cast to the service interface
    port = (XXX) context.getBean("xxx");
As I found out in the debugger, through this approach I don't get the
defaults from the library's wsdl file (well, obviously it's never
referenced here), so that I don't get its defaults into my
configuration. Just out of interest, how come I can create a
client using spring that ignores the service library's wsdl, while
when using the Java API I am forced to use it (at least I never found
an alternative way to set it up)?
Cheers,
Martin
--
---------- [email protected] --/-- [email protected] ----
------------- / http://herbert.the-little-red-haired-girl.org / -------------
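
Added example, not part of the original message and not CXF code: a JDK-only check that reports whether a WSDL or policy document carries an sp:HttpsToken assertion and whether a given endpoint address satisfies it, which makes the mismatch described above visible before a policy override is considered. The class and method names are hypothetical, and the sample assumes the WSDL uses the 200702 WS-SecurityPolicy namespace (the message does not show its namespace declarations).

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class HttpsTokenCheck {
    // The two WS-SecurityPolicy namespaces that appear in the message above.
    static final String[] SP_NAMESPACES = {
        "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
        "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    };

    /** True if the document contains an sp:HttpsToken assertion. */
    static boolean requiresHttps(InputStream wsdl) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Parse defensively: no DTDs, secure-processing limits on.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(wsdl);
        for (String ns : SP_NAMESPACES) {
            if (doc.getElementsByTagNameNS(ns, "HttpsToken").getLength() > 0) {
                return true;
            }
        }
        return false;
    }

    /** True if the endpoint scheme is compatible with the policy. */
    static boolean endpointSatisfiesPolicy(URI endpoint, boolean httpsRequired) {
        return !httpsRequired || "https".equalsIgnoreCase(endpoint.getScheme());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the TransportToken fragment quoted above,
        // with namespace declarations added (assumed, see lead-in).
        String policy = "<sp:TransportToken"
            + " xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\""
            + " xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">"
            + "<wsp:Policy><sp:HttpsToken RequireClientCertificate=\"false\"/></wsp:Policy>"
            + "</sp:TransportToken>";
        boolean required = requiresHttps(
            new ByteArrayInputStream(policy.getBytes(StandardCharsets.UTF_8)));
        URI endpoint = URI.create("http://localhost:8080/XXX/soap");
        System.out.println("HttpsToken present: " + required);
        System.out.println("endpoint satisfies policy: "
            + endpointSatisfiesPolicy(endpoint, required));
    }
}
```

Run against the real XXX.wsdl in a test set-up, a check like this can gate the policy override so that it is only applied when the address is a plain-http test endpoint.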