Hi,

You must keep WSS4JInInterceptor, as this interceptor is used to extract the username/password from the ws-security UsernameToken header. But you needn't keep the passwordCallbackHandler, as the container-level JAAS will do the auth. So what you need to do is add a jaxws endpoint property to disable the callback handler. Since CXF 2.4, it should be ws-security.validate.token=false (seems you already figured it out, :-)).
For the cxf bc consumer, you can specify properties like this: add an attribute properties="#properties" to the cxf bc consumer endpoint, and here are the properties:
    <util:map id="properties">
        <entry key="ws-security.validate.token" value="false"/>
    </util:map>

This way you don't need the callback handler at all, and the authentication could be delegated to the container JAAS.

To be more clear, the src/main/resources/META-INF/spring/beans.xml from your testcase should be

<?xml version="1.0" encoding="UTF-8"?>
<beans
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:cxfbc="http://servicemix.apache.org/cxfbc/1.0"
       xmlns:isl="http://aura.cz/isl"
       xmlns:pocty-techniky="http://www.aura.cz/xrg/isl/g/v_1.0.0.0"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="
                http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                http://servicemix.apache.org/cxfbc/1.0 http://servicemix.apache.org/cxfbc/1.0/servicemix-cxf-bc.xsd
                http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">



    <cxfbc:consumer
        service="pocty-techniky:AGWebService"
        endpoint="AGWebServiceSoap"
        locationURI="http://localhost:8194/pocty/"
        wsdl="classpath:wsdl/isl_g.wsdl"
        targetService="isl:pocty"
        targetEndpoint="xquery"
        schemaValidationEnabled="true"
        jaasDomain="karaf"
        properties="#properties">
        <cxfbc:inInterceptors>
            <bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
            <ref bean="UserName_RequestIn" />
        </cxfbc:inInterceptors>
    </cxfbc:consumer>

    <util:map id="properties">
        <entry key="ws-security.validate.token" value="false"/>
    </util:map>

    <bean
        class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
        id="UserName_RequestIn">
        <constructor-arg>
            <map>
                <entry
                    key="action"
                    value="UsernameToken" />
                <entry
                    key="passwordType"
                    value="PasswordText" />
            </map>
        </constructor-arg>
    </bean>

    <bean class="org.apache.servicemix.common.osgi.EndpointExporter" />

</beans>

Hope this helps.

Freeman

On 2011-9-14, at 3:37 PM, Radomir Kadlec wrote:

Hi Freeman,
thank you, it seems much better now with the cxfbc:consumer and JAAS
authentication.
The user will be authenticated.

*BUT how not to use the passwordCallbackHandler?*
Which interceptors should be used now or how to better configure the
WSS4JInInterceptor?
When I use the WSS4JInInterceptor, I must still manually return valid
password in the passwordCallbackHandler.
And when I remove the WSS4JInInterceptor from the cxfbc:consumer, no
authentication is performed.

I tried to use the *"ws-security.validate.token"* and
*"ws-security.ut.no-callbacks"* parameters in cxfbc:consumer and in
WSS4JInInterceptor too, but the *passwordCallbackHandler will always be
called.*

Is the user authenticated twice now?
When I change the password in my passwordCallbackHandler, the authentication
fails.
And when I remove the jaas realm "servicemix-domain" from jaasRealm.xml, it
fails too (no realm servicemix-domain found).

Thanks,
Radomir

--
View this message in context: 
http://servicemix.396122.n5.nabble.com/JAAS-configuration-ClassNotFoundException-UsernameTokenProcessor-tp4794258p4801883.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.

---------------------------------------------
Freeman Fang

FuseSource
Email:[email protected]
Web: fusesource.com
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
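
An added example, not part of the original messages or of ServiceMix/CXF: a small Python check that reads a beans.xml like the one above and reports, per cxfbc:consumer, whether the three pieces the reply describes are all in place (WSS4JInInterceptor kept, ws-security.validate.token=false in the referenced map, jaasDomain present). Flagging a missing jaasDomain attribute is this example's own review policy and an assumption, not documented component behaviour; the SAMPLE document is constructed from the thread's config.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans",
      "cxfbc": "http://servicemix.apache.org/cxfbc/1.0",
      "util": "http://www.springframework.org/schema/util"}
WSS4J_IN = "org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"

# Constructed sample: the thread's beans.xml trimmed to what the check reads.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:cxfbc="http://servicemix.apache.org/cxfbc/1.0"
    xmlns:util="http://www.springframework.org/schema/util">
  <cxfbc:consumer endpoint="AGWebServiceSoap" jaasDomain="karaf" properties="#properties">
    <cxfbc:inInterceptors><ref bean="UserName_RequestIn"/></cxfbc:inInterceptors>
  </cxfbc:consumer>
  <util:map id="properties">
    <entry key="ws-security.validate.token" value="false"/>
  </util:map>
  <bean id="UserName_RequestIn" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"/>
</beans>"""

def audit_consumers(xml_text):
    """Return {endpoint name: [findings]} for every cxfbc:consumer."""
    root = ET.fromstring(xml_text)
    beans = {b.get("id"): b for b in root.findall("b:bean", NS) if b.get("id")}
    maps = {m.get("id"): m for m in root.findall("util:map", NS)}
    report = {}
    for c in root.findall("cxfbc:consumer", NS):
        # Resolve inline <bean> and <ref bean="..."> interceptors to class names.
        classes = []
        for el in c.findall("cxfbc:inInterceptors/*", NS):
            if el.tag.endswith("}ref"):
                el = beans.get(el.get("bean"))
            if el is not None:
                classes.append(el.get("class"))
        findings = []
        if WSS4J_IN not in classes:
            findings.append("WSS4JInInterceptor missing: the UsernameToken is never extracted")
        # Resolve properties="#id" to the util:map it names.
        props = maps.get((c.get("properties") or "").lstrip("#"))
        entries = {} if props is None else {
            e.get("key"): e.get("value") for e in props.findall("b:entry", NS)}
        if entries.get("ws-security.validate.token") != "false":
            findings.append("ws-security.validate.token is not false: WSS4J validates the token through the callback handler")
        elif not c.get("jaasDomain"):  # assumed policy: require the realm to be explicit
            findings.append("token validation is off but jaasDomain is not set explicitly")
        report[c.get("endpoint")] = findings
    return report

if __name__ == "__main__":
    print(audit_consumers(SAMPLE))
```
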








