« Return to Thread: Security header wsse:Security is missing in Response
Re: Security header wsse:Security is missing in Response
by dkulp
::
Rate this Message:
On Wed July 8 2009 5:29:16 pm rahul.soa wrote:
> Thanks Mayank for the response. So that means Client should have
> WSS4JOutInterceptor configured to send the secured SOAP Request and should
> also be configured with WSS4JInInterceptor to receive the secured Response
> from Server. And contrary applies to Server.
That's right.
This is partially why using the WS-SecurityPolicy stuff makes it a bit easier.
You don't need to mess with interceptors as the Policy framework handles that.
You just need to add a little configuration to the endpoint or client (via
standard JAX-WS context property mechanisms) and the policy framework does the
rest.
Dan
> Best Regards,
> Rahul
>
>
> So that means
>
> On Wed, Jul 8, 2009 at 7:51 PM, Mayank Mishra <mayankm01@...> wrote:
> > rahul.soa wrote:
> >> Hello CXF Devs,
> >>
> >> I am trying to access the secured (usernameToken) webservice deployed on
> >> tomcat by the java client. I intercepted the exchanged messages via
> >> tcpmon,
> >> which are following:
> >>
> >> Request:
> >> ----------
> >>
> >> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/
> >> "><soap:Header><wsse:Security
> >> xmlns:wsse="
> >>
> >> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
> >>t-1.0.xsd "
> >> soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsse="
> >>
> >> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
> >>t-1.0.xsd "
> >> xmlns:wsu="
> >>
> >> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utili
> >>ty-1.0.xsd "
> >>
> >> wsu:Id="UsernameToken-1"><wsse:Username>ws-client</wsse:Username><wsse:P
> >>assword Type="
> >>
> >> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-p
> >>rofile-1.0#PasswordText
> >> ">password</wsse:Password></wsse:UsernameToken></wsse:Security></soap:He
> >>ader><soap:Body><ns2:processOrder xmlns:ns2="http://order.demo/"><arg0
> >> /></ns2:processOrder></soap:Body></soap:Envelope>
> >>
> >>
> >> Response:
> >> -------------
> >>
> >> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/
> >> "><soap:Body><ns2:processOrderResponse
> >> xmlns:ns2="http://order.demo/
> >>
> >> "><return>ORD1234</return></ns2:processOrderResponse></soap:Body></soap:
> >>Envelope>
> >>
> >>
> >> Unlike the Request, response does not have the security header. I want
> >> to know why **security header** (wsse:Security) is missing in the
> >> response. Am
> >> I missing something in the configurations?
> >>
> >> Can you please suggest what should I do to solve this problem?
> >>
> >> Here are the client and service side configurations:
> >>
> >> client-beans.xml
> >> ---------------------
> >>
> >> <beans xmlns="http://www.springframework.org/schema/beans"
> >> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >> xmlns:jaxws="http://cxf.apache.org/jaxws"
> >> xsi:schemaLocation="
> >> http://www.springframework.org/schema/beans
> >> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
> >> http://cxf.apache.org/jaxws http://cxf.apache.org/schema/jaxws.xsd">
> >>
> >> <bean id="client" class="demo.order.OrderProcess"
> >> factory-bean="clientFactory" factory-method="create"/>
> >>
> >> <bean id="logIn"
> >> class="org.apache.cxf.interceptor.LoggingInInterceptor" />
> >> <bean id="logOut"
> >> class="org.apache.cxf.interceptor.LoggingOutInterceptor"
> >> />
> >> <bean id="saajOut"
> >> class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
> >> <bean id="wss4jOut"
> >> class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
> >> <constructor-arg>
> >> <map>
> >> <entry key="action" value="UsernameToken" />
> >> <entry key="user" value="ws-client" />
> >> <entry key="passwordType" value="PasswordText" />
> >> <entry key="passwordCallbackClass"
> >> value="demo.order.client.ClientPasswordCallback" />
> >> </map>
> >> </constructor-arg>
> >> </bean>
> >>
> >> <bean id="clientFactory"
> >> class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
> >> <property name="serviceClass" value="demo.order.OrderProcess"/>
> >> <property name="address" value="
> >> http://localhost:8080/neworderapp/OrderProcess"/>
> >> <property name="inInterceptors">
> >> <list>
> >> <ref bean="logIn" />
> >> </list>
> >> </property>
> >> <property name="outInterceptors">
> >> <list>
> >> <ref bean="logOut" />
> >> <ref bean="saajOut" />
> >> <ref bean="wss4jOut" />
> >> </list>
> >> </property>
> >> </bean>
> >>
> >> </beans>
> >>
> >>
> >>
> >> beans.xml
> >> -------------
> >>
> >> <beans xmlns="http://www.springframework.org/schema/beans"
> >> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >> xmlns:jaxws="http://cxf.apache.org/jaxws"
> >> xsi:schemaLocation="
> >> http://www.springframework.org/schema/beans
> >> http://www.springframework.org/schema/beans/spring-beans.xsd
> >> http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
> >>
> >> <import resource="classpath:META-INF/cxf/cxf.xml" />
> >> <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
> >> <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
> >>
> >> <jaxws:endpoint
> >> id="orderProcess"
> >> implementor="demo.order.OrderProcessImpl"
> >> address="/OrderProcess">
> >> <jaxws:inInterceptors>
> >> <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
> >> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> >> <constructor-arg>
> >> <map>
> >> <entry key="action" value="UsernameToken" />
> >> <entry key="passwordType" value="PasswordText" />
> >> <entry key="passwordCallbackClass"
> >> value="demo.order.ServerPasswordCallback" />
> >> </map>
> >> </constructor-arg>
> >> </bean>
> >> </jaxws:inInterceptors>
> >> </jaxws:endpoint>
> >> </beans>
> >
> > I am unable to see ServerOut-ClientIn WSS4J Interceptor configuration.
> > For each way you require to configure.
> >
> > With Regards,
> > Mayank
> >
> > Many Thanks in advance.
> >
> >> Best Regards,
> >> Rahul
--
Daniel Kulp
dkulp@...
http://www.dankulp.com/blog
> Thanks Mayank for the response. So that means Client should have
> WSS4JOutInterceptor configured to send the secured SOAP Request and should
> also be configured with WSS4JInInterceptor to receive the secured Response
> from Server. And contrary applies to Server.
That's right.
This is partially why using the WS-SecurityPolicy stuff makes it a bit easier.
You don't need to mess with interceptors as the Policy framework handles that.
You just need to add a little configuration to the endpoint or client (via
standard JAX-WS context property mechanisms) and the policy framework does the
rest.
Dan
> Best Regards,
> Rahul
>
>
> So that means
>
> On Wed, Jul 8, 2009 at 7:51 PM, Mayank Mishra <mayankm01@...> wrote:
> > rahul.soa wrote:
> >> Hello CXF Devs,
> >>
> >> I am trying to access the secured (usernameToken) webservice deployed on
> >> tomcat by the java client. I intercepted the exchanged messages via
> >> tcpmon,
> >> which are following:
> >>
> >> Request:
> >> ----------
> >>
> >> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/
> >> "><soap:Header><wsse:Security
> >> xmlns:wsse="
> >>
> >> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
> >>t-1.0.xsd "
> >> soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsse="
> >>
> >> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
> >>t-1.0.xsd "
> >> xmlns:wsu="
> >>
> >> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utili
> >>ty-1.0.xsd "
> >>
> >> wsu:Id="UsernameToken-1"><wsse:Username>ws-client</wsse:Username><wsse:P
> >>assword Type="
> >>
> >> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-p
> >>rofile-1.0#PasswordText
> >> ">password</wsse:Password></wsse:UsernameToken></wsse:Security></soap:He
> >>ader><soap:Body><ns2:processOrder xmlns:ns2="http://order.demo/"><arg0
> >> /></ns2:processOrder></soap:Body></soap:Envelope>
> >>
> >>
> >> Response:
> >> -------------
> >>
> >> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/
> >> "><soap:Body><ns2:processOrderResponse
> >> xmlns:ns2="http://order.demo/
> >>
> >> "><return>ORD1234</return></ns2:processOrderResponse></soap:Body></soap:
> >>Envelope>
> >>
> >>
> >> Unlike the Request, response does not have the security header. I want
> >> to know why **security header** (wsse:Security) is missing in the
> >> response. Am
> >> I missing something in the configurations?
> >>
> >> Can you please suggest what should I do to solve this problem?
> >>
> >> Here are the client and service side configurations:
> >>
> >> client-beans.xml
> >> ---------------------
> >>
> >> <beans xmlns="http://www.springframework.org/schema/beans"
> >> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >> xmlns:jaxws="http://cxf.apache.org/jaxws"
> >> xsi:schemaLocation="
> >> http://www.springframework.org/schema/beans
> >> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
> >> http://cxf.apache.org/jaxws http://cxf.apache.org/schema/jaxws.xsd">
> >>
> >> <bean id="client" class="demo.order.OrderProcess"
> >> factory-bean="clientFactory" factory-method="create"/>
> >>
> >> <bean id="logIn"
> >> class="org.apache.cxf.interceptor.LoggingInInterceptor" />
> >> <bean id="logOut"
> >> class="org.apache.cxf.interceptor.LoggingOutInterceptor"
> >> />
> >> <bean id="saajOut"
> >> class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
> >> <bean id="wss4jOut"
> >> class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
> >> <constructor-arg>
> >> <map>
> >> <entry key="action" value="UsernameToken" />
> >> <entry key="user" value="ws-client" />
> >> <entry key="passwordType" value="PasswordText" />
> >> <entry key="passwordCallbackClass"
> >> value="demo.order.client.ClientPasswordCallback" />
> >> </map>
> >> </constructor-arg>
> >> </bean>
> >>
> >> <bean id="clientFactory"
> >> class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
> >> <property name="serviceClass" value="demo.order.OrderProcess"/>
> >> <property name="address" value="
> >> http://localhost:8080/neworderapp/OrderProcess"/>
> >> <property name="inInterceptors">
> >> <list>
> >> <ref bean="logIn" />
> >> </list>
> >> </property>
> >> <property name="outInterceptors">
> >> <list>
> >> <ref bean="logOut" />
> >> <ref bean="saajOut" />
> >> <ref bean="wss4jOut" />
> >> </list>
> >> </property>
> >> </bean>
> >>
> >> </beans>
> >>
> >>
> >>
> >> beans.xml
> >> -------------
> >>
> >> <beans xmlns="http://www.springframework.org/schema/beans"
> >> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >> xmlns:jaxws="http://cxf.apache.org/jaxws"
> >> xsi:schemaLocation="
> >> http://www.springframework.org/schema/beans
> >> http://www.springframework.org/schema/beans/spring-beans.xsd
> >> http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
> >>
> >> <import resource="classpath:META-INF/cxf/cxf.xml" />
> >> <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
> >> <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
> >>
> >> <jaxws:endpoint
> >> id="orderProcess"
> >> implementor="demo.order.OrderProcessImpl"
> >> address="/OrderProcess">
> >> <jaxws:inInterceptors>
> >> <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
> >> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> >> <constructor-arg>
> >> <map>
> >> <entry key="action" value="UsernameToken" />
> >> <entry key="passwordType" value="PasswordText" />
> >> <entry key="passwordCallbackClass"
> >> value="demo.order.ServerPasswordCallback" />
> >> </map>
> >> </constructor-arg>
> >> </bean>
> >> </jaxws:inInterceptors>
> >> </jaxws:endpoint>
> >> </beans>
> >
> > I am unable to see ServerOut-ClientIn WSS4J Interceptor configuration.
> > For each way you require to configure.
> >
> > With Regards,
> > Mayank
> >
> > Many Thanks in advance.
> >
> >> Best Regards,
> >> Rahul
--
Daniel Kulp
dkulp@...
http://www.dankulp.com/blog
« Return to Thread: Security header wsse:Security is missing in Response
| Free embeddable forum powered by Nabble | Forum Help |
