Hi,

What's missing from your email is *how* the security token is supposed to be sent to the SOAP backend. Typically for WS-Security, security tokens are BASE-64 encoded and inserted into the security header of the request as a "BinarySecurityToken".

If this is the case then you can leverage the following interceptor in CXF:

https://github.com/apache/cxf/blob/master/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java

To see how to use it take a look at the following test:

https://github.com/apache/cxf/blob/master/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/BinarySecurityTokenTest.java

The interceptor is added for the test in Spring config here:

https://github.com/apache/cxf/blob/ebfb3a364c496f76c8b27aacc9bdd7b8aa804602/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/client.xml#L174

On the receiving side, the BinarySecurityTokenInterceptor just processes the token but doesn't validate it. You can implement your custom validation logic in a WSS4J "Validator" implementation, and reference it in the JAX-WS properties of the service endpoint via the "ws-security.bst.validator" configuration key.

Colm.

On Wed, Jul 11, 2018 at 4:11 PM, Burkard Stephan <[email protected]> wrote:

> Hi
>
> We have a SOAP based backend system that has its own proprietary security
> token. The token is quite simple, it is based on a shared secret.
>
> To integrate this backend, I have to add such tokens to messages sent to
> it and validate such tokens to receive calls from it. The creation and
> validation is not a problem. I already have code to create and validate the
> tokens.
>
> I also found "AbstractTokenInterceptor" as base class and
> "UsernameTokenInterceptor" as a "reference implementation" to handle tokens
> in an interceptor. But the Javadocs say almost nothing about the methods to
> implement.
>
> Therefore I studied the source code of them a bit. I assume I have to
> implement the method "addToken" to add such a token to a message sent to
> the backend. And "processToken" sounds like validate the token of an
> incoming message. But what is "assertTokens" for?
>
> And this is just the most basic question. In "UsernameTokenInterceptor"
> there is a lot of stuff I don't understand or at least don't know why it is
> done.
>
> Where can I get an understanding of *what needs to be done* (ws-security
> theory) and how to extend "AbstractTokenInterceptor" to do these things
> (CXF and interceptor know-how)? Are there any recommended books, tutorials
> or articles?
>
> Thanks a lot
> Stephan

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
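
Added example, not part of the original thread and not CXF or WSS4J project code: a WSS4J "Validator" of the kind the reply says to reference under "ws-security.bst.validator". The class name and the token layout (payload followed by an HMAC-SHA256 over it, keyed with the shared secret) are assumptions, since the thread does not describe the proprietary format; package names are those of WSS4J 2.1 and later.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;

/** Hypothetical validator. Assumed token layout: payload || HMAC-SHA256(secret, payload). */
public class SharedSecretBstValidator implements Validator {
    private static final int MAC_LEN = 32; // HMAC-SHA256 output size in bytes
    private final byte[] secret;

    // The shared secret is supplied by the caller; how it is stored is out of scope here.
    public SharedSecretBstValidator(byte[] secret) {
        this.secret = secret.clone();
    }

    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        BinarySecurity bst = credential == null ? null : credential.getBinarySecurityToken();
        byte[] raw = bst == null ? null : bst.getToken(); // token bytes, already BASE-64 decoded
        if (raw == null || raw.length <= MAC_LEN || !macMatches(raw)) {
            // Fail closed with a generic fault; do not reveal which check failed.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        return credential;
    }

    private boolean macMatches(byte[] raw) throws WSSecurityException {
        int split = raw.length - MAC_LEN;
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            mac.update(raw, 0, split);
            // Constant-time comparison of the expected and the presented MAC.
            return MessageDigest.isEqual(mac.doFinal(), Arrays.copyOfRange(raw, split, raw.length));
        } catch (GeneralSecurityException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
        }
    }
}
```

Because the interceptor itself does not validate the token, an endpoint without such a validator configured accepts whatever BinarySecurityToken it is sent.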
