Security header wsse:Security is missing in Response

> Hello CXF Devs,
>
> I am trying to access the secured (usernameToken) webservice deployed on
> tomcat by the java client. I intercepted the exchanged messages via tcpmon,
> which are following:
>
> Request:
> ----------
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wsse:Security
> xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="UsernameToken-1"><wsse:Username>ws-client</wsse:Username><wsse:Password
> Type="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><ns2:processOrder
> xmlns:ns2="http://order.demo/"><arg0
> /></ns2:processOrder></soap:Body></soap:Envelope>
>
>
> Response:
> -------------
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:processOrderResponse
> xmlns:ns2="http://order.demo/
> "><return>ORD1234</return></ns2:processOrderResponse></soap:Body></soap:Envelope>
>
>
> Unlike the Request, response does not have the security header. I want to
> know why **security header** (wsse:Security) is missing in the response. Am
> I missing something in the configurations?
>
> Can you please suggest what should I do to solve this problem?
>
> Here are the client and service side configurations:
>
> client-beans.xml
> ---------------------
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns:jaxws="http://cxf.apache.org/jaxws"
>     xsi:schemaLocation="
> http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
> http://cxf.apache.org/jaxws http://cxf.apache.org/schema/jaxws.xsd">
>
>     <bean id="client" class="demo.order.OrderProcess"
>       factory-bean="clientFactory" factory-method="create"/>
>
>    <bean id="logIn" class="org.apache.cxf.interceptor.LoggingInInterceptor"
> />
>   <bean id="logOut" class="org.apache.cxf.interceptor.LoggingOutInterceptor"
> />
>   <bean id="saajOut"
> class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
>   <bean id="wss4jOut"
> class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>     <constructor-arg>
>       <map>
>         <entry key="action" value="UsernameToken" />
>         <entry key="user" value="ws-client" />
>         <entry key="passwordType" value="PasswordText" />
>         <entry key="passwordCallbackClass"
> value="demo.order.client.ClientPasswordCallback" />
>       </map>
>     </constructor-arg>
>   </bean>
>
>     <bean id="clientFactory"
> class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
>       <property name="serviceClass" value="demo.order.OrderProcess"/>
>       <property name="address" value="
> http://localhost:8080/neworderapp/OrderProcess"/>
>       <property name="inInterceptors">
>       <list>
>         <ref bean="logIn" />
>       </list>
>     </property>
>     <property name="outInterceptors">
>       <list>
>         <ref bean="logOut" />
>         <ref bean="saajOut" />
>         <ref bean="wss4jOut" />
>       </list>
>     </property>
>     </bean>
>
> </beans>
>
>
>
> beans.xml
> -------------
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns:jaxws="http://cxf.apache.org/jaxws"
>     xsi:schemaLocation="
> http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans.xsd
> http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
>
>     <import resource="classpath:META-INF/cxf/cxf.xml" />
>     <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
>     <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
>
>     <jaxws:endpoint
>       id="orderProcess"
>       implementor="demo.order.OrderProcessImpl"
>       address="/OrderProcess">
>       <jaxws:inInterceptors>
>       <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
>       <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>         <constructor-arg>
>           <map>
>             <entry key="action" value="UsernameToken" />
>             <entry key="passwordType" value="PasswordText" />
>             <entry key="passwordCallbackClass"
> value="demo.order.ServerPasswordCallback" />
>           </map>
>         </constructor-arg>
>       </bean>
>     </jaxws:inInterceptors>
>    </jaxws:endpoint>
> </beans>
>
>  

> rahul.soa wrote:
>
>> Hello CXF Devs,
>>
>> I am trying to access the secured (usernameToken) webservice deployed on
>> tomcat by the java client. I intercepted the exchanged messages via
>> tcpmon,
>> which are following:
>>
>> Request:
>> ----------
>>
>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/
>> "><soap:Header><wsse:Security
>> xmlns:wsse="
>>
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>> "
>> soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsse="
>>
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>> "
>> xmlns:wsu="
>>
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>> "
>>
>> wsu:Id="UsernameToken-1"><wsse:Username>ws-client</wsse:Username><wsse:Password
>> Type="
>>
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText
>> ">password</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><ns2:processOrder
>> xmlns:ns2="http://order.demo/"><arg0
>> /></ns2:processOrder></soap:Body></soap:Envelope>
>>
>>
>> Response:
>> -------------
>>
>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/
>> "><soap:Body><ns2:processOrderResponse
>> xmlns:ns2="http://order.demo/
>>
>> "><return>ORD1234</return></ns2:processOrderResponse></soap:Body></soap:Envelope>
>>
>>
>> Unlike the Request, response does not have the security header. I want to
>> know why **security header** (wsse:Security) is missing in the response.
>> Am
>> I missing something in the configurations?
>>
>> Can you please suggest what should I do to solve this problem?
>>
>> Here are the client and service side configurations:
>>
>> client-beans.xml
>> ---------------------
>>
>> <beans xmlns="http://www.springframework.org/schema/beans"
>>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>    xmlns:jaxws="http://cxf.apache.org/jaxws"
>>    xsi:schemaLocation="
>> http://www.springframework.org/schema/beans
>> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>> http://cxf.apache.org/jaxws http://cxf.apache.org/schema/jaxws.xsd">
>>
>>    <bean id="client" class="demo.order.OrderProcess"
>>      factory-bean="clientFactory" factory-method="create"/>
>>
>>   <bean id="logIn" class="org.apache.cxf.interceptor.LoggingInInterceptor"
>> />
>>  <bean id="logOut"
>> class="org.apache.cxf.interceptor.LoggingOutInterceptor"
>> />
>>  <bean id="saajOut"
>> class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
>>  <bean id="wss4jOut"
>> class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>>    <constructor-arg>
>>      <map>
>>        <entry key="action" value="UsernameToken" />
>>        <entry key="user" value="ws-client" />
>>        <entry key="passwordType" value="PasswordText" />
>>        <entry key="passwordCallbackClass"
>> value="demo.order.client.ClientPasswordCallback" />
>>      </map>
>>    </constructor-arg>
>>  </bean>
>>
>>    <bean id="clientFactory"
>> class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
>>      <property name="serviceClass" value="demo.order.OrderProcess"/>
>>      <property name="address" value="
>> http://localhost:8080/neworderapp/OrderProcess"/>
>>      <property name="inInterceptors">
>>      <list>
>>        <ref bean="logIn" />
>>      </list>
>>    </property>
>>    <property name="outInterceptors">
>>      <list>
>>        <ref bean="logOut" />
>>        <ref bean="saajOut" />
>>        <ref bean="wss4jOut" />
>>      </list>
>>    </property>
>>    </bean>
>>
>> </beans>
>>
>>
>>
>> beans.xml
>> -------------
>>
>> <beans xmlns="http://www.springframework.org/schema/beans"
>>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>    xmlns:jaxws="http://cxf.apache.org/jaxws"
>>    xsi:schemaLocation="
>> http://www.springframework.org/schema/beans
>> http://www.springframework.org/schema/beans/spring-beans.xsd
>> http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
>>
>>    <import resource="classpath:META-INF/cxf/cxf.xml" />
>>    <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
>>    <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
>>
>>    <jaxws:endpoint
>>      id="orderProcess"
>>      implementor="demo.order.OrderProcessImpl"
>>      address="/OrderProcess">
>>      <jaxws:inInterceptors>
>>      <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
>>      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>>        <constructor-arg>
>>          <map>
>>            <entry key="action" value="UsernameToken" />
>>            <entry key="passwordType" value="PasswordText" />
>>            <entry key="passwordCallbackClass"
>> value="demo.order.ServerPasswordCallback" />
>>          </map>
>>        </constructor-arg>
>>      </bean>
>>    </jaxws:inInterceptors>
>>   </jaxws:endpoint>
>> </beans>
>>
>>
>>
>
> I am unable to see ServerOut-ClientIn WSS4J Interceptor configuration. For
> each way you require to configure.
>
> With Regards,
> Mayank
>
>  Many Thanks in advance.
>>
>> Best Regards,
>> Rahul
>>
>>
>>
>
>

> Best Regards,
> Rahul
>
>
> So that means
>
> On Wed, Jul 8, 2009 at 7:51 PM, Mayank Mishra <mayankm01@...> wrote:
> > rahul.soa wrote:
> >> Hello CXF Devs,
> >>
> >> I am trying to access the secured (usernameToken) webservice deployed on
> >> tomcat by the java client. I intercepted the exchanged messages via
> >> tcpmon,
> >> which are following:
> >>
> >> Request:
> >> ----------
> >>
> >> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/
> >> "><soap:Header><wsse:Security
> >> xmlns:wsse="
> >>
> >> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
> >>t-1.0.xsd "
> >> soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsse="
> >>
> >> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
> >>t-1.0.xsd "
> >> xmlns:wsu="
> >>
> >> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utili
> >>ty-1.0.xsd "
> >>
> >> wsu:Id="UsernameToken-1"><wsse:Username>ws-client</wsse:Username><wsse:P
> >>assword Type="
> >>
> >> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-p
> >>rofile-1.0#PasswordText
> >> ">password</wsse:Password></wsse:UsernameToken></wsse:Security></soap:He
> >>ader><soap:Body><ns2:processOrder xmlns:ns2="http://order.demo/"><arg0
> >> /></ns2:processOrder></soap:Body></soap:Envelope>
> >>
> >>
> >> Response:
> >> -------------
> >>
> >> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/
> >> "><soap:Body><ns2:processOrderResponse
> >> xmlns:ns2="http://order.demo/
> >>
> >> "><return>ORD1234</return></ns2:processOrderResponse></soap:Body></soap:
> >>Envelope>
> >>
> >>
> >> Unlike the Request, response does not have the security header. I want
> >> to know why **security header** (wsse:Security) is missing in the
> >> response. Am
> >> I missing something in the configurations?
> >>
> >> Can you please suggest what should I do to solve this problem?
> >>
> >> Here are the client and service side configurations:
> >>
> >> client-beans.xml
> >> ---------------------
> >>
> >> <beans xmlns="http://www.springframework.org/schema/beans"
> >>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >>    xmlns:jaxws="http://cxf.apache.org/jaxws"
> >>    xsi:schemaLocation="
> >> http://www.springframework.org/schema/beans
> >> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
> >> http://cxf.apache.org/jaxws http://cxf.apache.org/schema/jaxws.xsd">
> >>
> >>    <bean id="client" class="demo.order.OrderProcess"
> >>      factory-bean="clientFactory" factory-method="create"/>
> >>
> >>   <bean id="logIn"
> >> class="org.apache.cxf.interceptor.LoggingInInterceptor" />
> >>  <bean id="logOut"
> >> class="org.apache.cxf.interceptor.LoggingOutInterceptor"
> >> />
> >>  <bean id="saajOut"
> >> class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
> >>  <bean id="wss4jOut"
> >> class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
> >>    <constructor-arg>
> >>      <map>
> >>        <entry key="action" value="UsernameToken" />
> >>        <entry key="user" value="ws-client" />
> >>        <entry key="passwordType" value="PasswordText" />
> >>        <entry key="passwordCallbackClass"
> >> value="demo.order.client.ClientPasswordCallback" />
> >>      </map>
> >>    </constructor-arg>
> >>  </bean>
> >>
> >>    <bean id="clientFactory"
> >> class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
> >>      <property name="serviceClass" value="demo.order.OrderProcess"/>
> >>      <property name="address" value="
> >> http://localhost:8080/neworderapp/OrderProcess"/>
> >>      <property name="inInterceptors">
> >>      <list>
> >>        <ref bean="logIn" />
> >>      </list>
> >>    </property>
> >>    <property name="outInterceptors">
> >>      <list>
> >>        <ref bean="logOut" />
> >>        <ref bean="saajOut" />
> >>        <ref bean="wss4jOut" />
> >>      </list>
> >>    </property>
> >>    </bean>
> >>
> >> </beans>
> >>
> >>
> >>
> >> beans.xml
> >> -------------
> >>
> >> <beans xmlns="http://www.springframework.org/schema/beans"
> >>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >>    xmlns:jaxws="http://cxf.apache.org/jaxws"
> >>    xsi:schemaLocation="
> >> http://www.springframework.org/schema/beans
> >> http://www.springframework.org/schema/beans/spring-beans.xsd
> >> http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
> >>
> >>    <import resource="classpath:META-INF/cxf/cxf.xml" />
> >>    <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
> >>    <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
> >>
> >>    <jaxws:endpoint
> >>      id="orderProcess"
> >>      implementor="demo.order.OrderProcessImpl"
> >>      address="/OrderProcess">
> >>      <jaxws:inInterceptors>
> >>      <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
> >>      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> >>        <constructor-arg>
> >>          <map>
> >>            <entry key="action" value="UsernameToken" />
> >>            <entry key="passwordType" value="PasswordText" />
> >>            <entry key="passwordCallbackClass"
> >> value="demo.order.ServerPasswordCallback" />
> >>          </map>
> >>        </constructor-arg>
> >>      </bean>
> >>    </jaxws:inInterceptors>
> >>   </jaxws:endpoint>
> >> </beans>
> >
> > I am unable to see ServerOut-ClientIn WSS4J Interceptor configuration.
> > For each way you require to configure.
> >
> > With Regards,
> > Mayank
> >
> >  Many Thanks in advance.
> >
> >> Best Regards,
> >> Rahul

> On Wed July 8 2009 5:29:16 pm rahul.soa wrote:
>  
>> Thanks Mayank for the response. So that means Client should have
>> WSS4JOutInterceptor configured to send the secured SOAP Request and should
>> also be configured with WSS4JInInterceptor to receive the secured Response
>> from Server. And contrary applies to Server.
>>    
>
> That's right.
>
> This is partially why using the WS-SecurityPolicy stuff makes it a bit easier.  
> You don't need to mess with interceptors as the Policy framework handles that.  
> You just need to add a little configuration to the endpoint or client (via
> standard JAX-WS context property mechanisms) and the policy framework does the
> rest.
>
> Dan
>
>  

>  
>> Best Regards,
>> Rahul
>>
>>
>> So that means
>>
>> On Wed, Jul 8, 2009 at 7:51 PM, Mayank Mishra <mayankm01@...> wrote:
>>    
>>> rahul.soa wrote:
>>>      
>>>> Hello CXF Devs,
>>>>
>>>> I am trying to access the secured (usernameToken) webservice deployed on
>>>> tomcat by the java client. I intercepted the exchanged messages via
>>>> tcpmon,
>>>> which are following:
>>>>
>>>> Request:
>>>> ----------
>>>>
>>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/
>>>> "><soap:Header><wsse:Security
>>>> xmlns:wsse="
>>>>
>>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
>>>> t-1.0.xsd "
>>>> soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsse="
>>>>
>>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
>>>> t-1.0.xsd "
>>>> xmlns:wsu="
>>>>
>>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utili
>>>> ty-1.0.xsd "
>>>>
>>>> wsu:Id="UsernameToken-1"><wsse:Username>ws-client</wsse:Username><wsse:P
>>>> assword Type="
>>>>
>>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-p
>>>> rofile-1.0#PasswordText
>>>> ">password</wsse:Password></wsse:UsernameToken></wsse:Security></soap:He
>>>> ader><soap:Body><ns2:processOrder xmlns:ns2="http://order.demo/"><arg0
>>>> /></ns2:processOrder></soap:Body></soap:Envelope>
>>>>
>>>>
>>>> Response:
>>>> -------------
>>>>
>>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/
>>>> "><soap:Body><ns2:processOrderResponse
>>>> xmlns:ns2="http://order.demo/
>>>>
>>>> "><return>ORD1234</return></ns2:processOrderResponse></soap:Body></soap:
>>>> Envelope>
>>>>
>>>>
>>>> Unlike the Request, response does not have the security header. I want
>>>> to know why **security header** (wsse:Security) is missing in the
>>>> response. Am
>>>> I missing something in the configurations?
>>>>
>>>> Can you please suggest what should I do to solve this problem?
>>>>
>>>> Here are the client and service side configurations:
>>>>
>>>> client-beans.xml
>>>> ---------------------
>>>>
>>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>    xmlns:jaxws="http://cxf.apache.org/jaxws"
>>>>    xsi:schemaLocation="
>>>> http://www.springframework.org/schema/beans
>>>> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>>>> http://cxf.apache.org/jaxws http://cxf.apache.org/schema/jaxws.xsd">
>>>>
>>>>    <bean id="client" class="demo.order.OrderProcess"
>>>>      factory-bean="clientFactory" factory-method="create"/>
>>>>
>>>>   <bean id="logIn"
>>>> class="org.apache.cxf.interceptor.LoggingInInterceptor" />
>>>>  <bean id="logOut"
>>>> class="org.apache.cxf.interceptor.LoggingOutInterceptor"
>>>> />
>>>>  <bean id="saajOut"
>>>> class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
>>>>  <bean id="wss4jOut"
>>>> class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>>>>    <constructor-arg>
>>>>      <map>
>>>>        <entry key="action" value="UsernameToken" />
>>>>        <entry key="user" value="ws-client" />
>>>>        <entry key="passwordType" value="PasswordText" />
>>>>        <entry key="passwordCallbackClass"
>>>> value="demo.order.client.ClientPasswordCallback" />
>>>>      </map>
>>>>    </constructor-arg>
>>>>  </bean>
>>>>
>>>>    <bean id="clientFactory"
>>>> class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
>>>>      <property name="serviceClass" value="demo.order.OrderProcess"/>
>>>>      <property name="address" value="
>>>> http://localhost:8080/neworderapp/OrderProcess"/>
>>>>      <property name="inInterceptors">
>>>>      <list>
>>>>        <ref bean="logIn" />
>>>>      </list>
>>>>    </property>
>>>>    <property name="outInterceptors">
>>>>      <list>
>>>>        <ref bean="logOut" />
>>>>        <ref bean="saajOut" />
>>>>        <ref bean="wss4jOut" />
>>>>      </list>
>>>>    </property>
>>>>    </bean>
>>>>
>>>> </beans>
>>>>
>>>>
>>>>
>>>> beans.xml
>>>> -------------
>>>>
>>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>    xmlns:jaxws="http://cxf.apache.org/jaxws"
>>>>    xsi:schemaLocation="
>>>> http://www.springframework.org/schema/beans
>>>> http://www.springframework.org/schema/beans/spring-beans.xsd
>>>> http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
>>>>
>>>>    <import resource="classpath:META-INF/cxf/cxf.xml" />
>>>>    <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
>>>>    <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
>>>>
>>>>    <jaxws:endpoint
>>>>      id="orderProcess"
>>>>      implementor="demo.order.OrderProcessImpl"
>>>>      address="/OrderProcess">
>>>>      <jaxws:inInterceptors>
>>>>      <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
>>>>      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>>>>        <constructor-arg>
>>>>          <map>
>>>>            <entry key="action" value="UsernameToken" />
>>>>            <entry key="passwordType" value="PasswordText" />
>>>>            <entry key="passwordCallbackClass"
>>>> value="demo.order.ServerPasswordCallback" />
>>>>          </map>
>>>>        </constructor-arg>
>>>>      </bean>
>>>>    </jaxws:inInterceptors>
>>>>   </jaxws:endpoint>
>>>> </beans>
>>>>        
>>> I am unable to see ServerOut-ClientIn WSS4J Interceptor configuration.
>>> For each way you require to configure.
>>>
>>> With Regards,
>>> Mayank
>>>
>>>  Many Thanks in advance.
>>>
>>>      
>>>> Best Regards,
>>>> Rahul
>>>>        
>
>  

> On Wed July 8 2009 5:29:16 pm rahul.soa wrote:
>  
>> Thanks Mayank for the response. So that means Client should have
>> WSS4JOutInterceptor configured to send the secured SOAP Request and should
>> also be configured with WSS4JInInterceptor to receive the secured Response
>> from Server. And contrary applies to Server.
>>    
>
> That's right.
>
> This is partially why using the WS-SecurityPolicy stuff makes it a bit easier.  
> You don't need to mess with interceptors as the Policy framework handles that.  
> You just need to add a little configuration to the endpoint or client (via
> standard JAX-WS context property mechanisms) and the policy framework does the
> rest.
>
> Dan
>
>  

>  
>> Best Regards,
>> Rahul
>>
>>
>> So that means
>>
>> On Wed, Jul 8, 2009 at 7:51 PM, Mayank Mishra <mayankm01@...> wrote:
>>    
>>> rahul.soa wrote:
>>>      
>>>> Hello CXF Devs,
>>>>
>>>> I am trying to access the secured (usernameToken) webservice deployed on
>>>> tomcat by the java client. I intercepted the exchanged messages via
>>>> tcpmon,
>>>> which are following:
>>>>
>>>> Request:
>>>> ----------
>>>>
>>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/
>>>> "><soap:Header><wsse:Security
>>>> xmlns:wsse="
>>>>
>>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
>>>> t-1.0.xsd "
>>>> soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsse="
>>>>
>>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
>>>> t-1.0.xsd "
>>>> xmlns:wsu="
>>>>
>>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utili
>>>> ty-1.0.xsd "
>>>>
>>>> wsu:Id="UsernameToken-1"><wsse:Username>ws-client</wsse:Username><wsse:P
>>>> assword Type="
>>>>
>>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-p
>>>> rofile-1.0#PasswordText
>>>> ">password</wsse:Password></wsse:UsernameToken></wsse:Security></soap:He
>>>> ader><soap:Body><ns2:processOrder xmlns:ns2="http://order.demo/"><arg0
>>>> /></ns2:processOrder></soap:Body></soap:Envelope>
>>>>
>>>>
>>>> Response:
>>>> -------------
>>>>
>>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/
>>>> "><soap:Body><ns2:processOrderResponse
>>>> xmlns:ns2="http://order.demo/
>>>>
>>>> "><return>ORD1234</return></ns2:processOrderResponse></soap:Body></soap:
>>>> Envelope>
>>>>
>>>>
>>>> Unlike the Request, response does not have the security header. I want
>>>> to know why **security header** (wsse:Security) is missing in the
>>>> response. Am
>>>> I missing something in the configurations?
>>>>
>>>> Can you please suggest what should I do to solve this problem?
>>>>
>>>> Here are the client and service side configurations:
>>>>
>>>> client-beans.xml
>>>> ---------------------
>>>>
>>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>    xmlns:jaxws="http://cxf.apache.org/jaxws"
>>>>    xsi:schemaLocation="
>>>> http://www.springframework.org/schema/beans
>>>> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>>>> http://cxf.apache.org/jaxws http://cxf.apache.org/schema/jaxws.xsd">
>>>>
>>>>    <bean id="client" class="demo.order.OrderProcess"
>>>>      factory-bean="clientFactory" factory-method="create"/>
>>>>
>>>>   <bean id="logIn"
>>>> class="org.apache.cxf.interceptor.LoggingInInterceptor" />
>>>>  <bean id="logOut"
>>>> class="org.apache.cxf.interceptor.LoggingOutInterceptor"
>>>> />
>>>>  <bean id="saajOut"
>>>> class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
>>>>  <bean id="wss4jOut"
>>>> class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>>>>    <constructor-arg>
>>>>      <map>
>>>>        <entry key="action" value="UsernameToken" />
>>>>        <entry key="user" value="ws-client" />
>>>>        <entry key="passwordType" value="PasswordText" />
>>>>        <entry key="passwordCallbackClass"
>>>> value="demo.order.client.ClientPasswordCallback" />
>>>>      </map>
>>>>    </constructor-arg>
>>>>  </bean>
>>>>
>>>>    <bean id="clientFactory"
>>>> class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
>>>>      <property name="serviceClass" value="demo.order.OrderProcess"/>
>>>>      <property name="address" value="
>>>> http://localhost:8080/neworderapp/OrderProcess"/>
>>>>      <property name="inInterceptors">
>>>>      <list>
>>>>        <ref bean="logIn" />
>>>>      </list>
>>>>    </property>
>>>>    <property name="outInterceptors">
>>>>      <list>
>>>>        <ref bean="logOut" />
>>>>        <ref bean="saajOut" />
>>>>        <ref bean="wss4jOut" />
>>>>      </list>
>>>>    </property>
>>>>    </bean>
>>>>
>>>> </beans>
>>>>
>>>>
>>>>
>>>> beans.xml
>>>> -------------
>>>>
>>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>    xmlns:jaxws="http://cxf.apache.org/jaxws"
>>>>    xsi:schemaLocation="
>>>> http://www.springframework.org/schema/beans
>>>> http://www.springframework.org/schema/beans/spring-beans.xsd
>>>> http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
>>>>
>>>>    <import resource="classpath:META-INF/cxf/cxf.xml" />
>>>>    <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
>>>>    <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
>>>>
>>>>    <jaxws:endpoint
>>>>      id="orderProcess"
>>>>      implementor="demo.order.OrderProcessImpl"
>>>>      address="/OrderProcess">
>>>>      <jaxws:inInterceptors>
>>>>      <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
>>>>      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>>>>        <constructor-arg>
>>>>          <map>
>>>>            <entry key="action" value="UsernameToken" />
>>>>            <entry key="passwordType" value="PasswordText" />
>>>>            <entry key="passwordCallbackClass"
>>>> value="demo.order.ServerPasswordCallback" />
>>>>          </map>
>>>>        </constructor-arg>
>>>>      </bean>
>>>>    </jaxws:inInterceptors>
>>>>   </jaxws:endpoint>
>>>> </beans>
>>>>        
>>> I am unable to see ServerOut-ClientIn WSS4J Interceptor configuration.
>>> For each way you require to configure.
>>>
>>> With Regards,
>>> Mayank
>>>
>>>  Many Thanks in advance.
>>>
>>>      
>>>> Best Regards,
>>>> Rahul
>>>>        
>
>  

> Daniel Kulp wrote:
>
>> On Wed July 8 2009 5:29:16 pm rahul.soa wrote:
>>
>>
>>> Thanks Mayank for the response. So that means Client should have
>>> WSS4JOutInterceptor configured to send the secured SOAP Request and
>>> should
>>> also be configured with WSS4JInInterceptor to receive the secured
>>> Response
>>> from Server. And contrary applies to Server.
>>>
>>>
>>
>> That's right.
>>
>> This is partially why using the WS-SecurityPolicy stuff makes it a bit
>> easier.   You don't need to mess with interceptors as the Policy framework
>> handles that.   You just need to add a little configuration to the endpoint
>> or client (via standard JAX-WS context property mechanisms) and the policy
>> framework does the rest.
>>
>> Dan
>>
>>
>>
> True. You can provide the WS-SecurityPolicy for input and output elements
> (if you want to configure them differently), or operation level/binding
> level (they applies to all input and output messages for all operations
> inside Binding).
> You can write an external policy file or can embed the policy element
> inside using the PolicyReference element of WS-Policy. It's quite neat and
> compatible with all WS Engines (of course a few assertions for configuring
>  keystore, callbacks etc which are not there is WS-SecurityPolicy
> specification.
>
> With Regards,
> Mayank
>
>
>>
>>> Best Regards,
>>> Rahul
>>>
>>>
>>> So that means
>>>
>>> On Wed, Jul 8, 2009 at 7:51 PM, Mayank Mishra <mayankm01@...>
>>> wrote:
>>>
>>>
>>>> rahul.soa wrote:
>>>>
>>>>
>>>>> Hello CXF Devs,
>>>>>
>>>>> I am trying to access the secured (usernameToken) webservice deployed
>>>>> on
>>>>> tomcat by the java client. I intercepted the exchanged messages via
>>>>> tcpmon,
>>>>> which are following:
>>>>>
>>>>> Request:
>>>>> ----------
>>>>>
>>>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/
>>>>> "><soap:Header><wsse:Security
>>>>> xmlns:wsse="
>>>>>
>>>>>
>>>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
>>>>> t-1.0.xsd "
>>>>> soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsse="
>>>>>
>>>>>
>>>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
>>>>> t-1.0.xsd "
>>>>> xmlns:wsu="
>>>>>
>>>>>
>>>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utili
>>>>> ty-1.0.xsd "
>>>>>
>>>>>
>>>>> wsu:Id="UsernameToken-1"><wsse:Username>ws-client</wsse:Username><wsse:P
>>>>> assword Type="
>>>>>
>>>>>
>>>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-p
>>>>> rofile-1.0#PasswordText
>>>>>
>>>>> ">password</wsse:Password></wsse:UsernameToken></wsse:Security></soap:He
>>>>> ader><soap:Body><ns2:processOrder xmlns:ns2="http://order.demo/"><arg0
>>>>> /></ns2:processOrder></soap:Body></soap:Envelope>
>>>>>
>>>>>
>>>>> Response:
>>>>> -------------
>>>>>
>>>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/
>>>>> "><soap:Body><ns2:processOrderResponse
>>>>> xmlns:ns2="http://order.demo/
>>>>>
>>>>>
>>>>> "><return>ORD1234</return></ns2:processOrderResponse></soap:Body></soap:
>>>>> Envelope>
>>>>>
>>>>>
>>>>> Unlike the Request, response does not have the security header. I want
>>>>> to know why **security header** (wsse:Security) is missing in the
>>>>> response. Am
>>>>> I missing something in the configurations?
>>>>>
>>>>> Can you please suggest what should I do to solve this problem?
>>>>>
>>>>> Here are the client and service side configurations:
>>>>>
>>>>> client-beans.xml
>>>>> ---------------------
>>>>>
>>>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>>   xmlns:jaxws="http://cxf.apache.org/jaxws"
>>>>>   xsi:schemaLocation="
>>>>> http://www.springframework.org/schema/beans
>>>>> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>>>>> http://cxf.apache.org/jaxws http://cxf.apache.org/schema/jaxws.xsd">
>>>>>
>>>>>   <bean id="client" class="demo.order.OrderProcess"
>>>>>     factory-bean="clientFactory" factory-method="create"/>
>>>>>
>>>>>  <bean id="logIn"
>>>>> class="org.apache.cxf.interceptor.LoggingInInterceptor" />
>>>>>  <bean id="logOut"
>>>>> class="org.apache.cxf.interceptor.LoggingOutInterceptor"
>>>>> />
>>>>>  <bean id="saajOut"
>>>>> class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
>>>>>  <bean id="wss4jOut"
>>>>> class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>>>>>   <constructor-arg>
>>>>>     <map>
>>>>>       <entry key="action" value="UsernameToken" />
>>>>>       <entry key="user" value="ws-client" />
>>>>>       <entry key="passwordType" value="PasswordText" />
>>>>>       <entry key="passwordCallbackClass"
>>>>> value="demo.order.client.ClientPasswordCallback" />
>>>>>     </map>
>>>>>   </constructor-arg>
>>>>>  </bean>
>>>>>
>>>>>   <bean id="clientFactory"
>>>>> class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
>>>>>     <property name="serviceClass" value="demo.order.OrderProcess"/>
>>>>>     <property name="address" value="
>>>>> http://localhost:8080/neworderapp/OrderProcess"/>
>>>>>     <property name="inInterceptors">
>>>>>     <list>
>>>>>       <ref bean="logIn" />
>>>>>     </list>
>>>>>   </property>
>>>>>   <property name="outInterceptors">
>>>>>     <list>
>>>>>       <ref bean="logOut" />
>>>>>       <ref bean="saajOut" />
>>>>>       <ref bean="wss4jOut" />
>>>>>     </list>
>>>>>   </property>
>>>>>   </bean>
>>>>>
>>>>> </beans>
>>>>>
>>>>>
>>>>>
>>>>> beans.xml
>>>>> -------------
>>>>>
>>>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>>   xmlns:jaxws="http://cxf.apache.org/jaxws"
>>>>>   xsi:schemaLocation="
>>>>> http://www.springframework.org/schema/beans
>>>>> http://www.springframework.org/schema/beans/spring-beans.xsd
>>>>> http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
>>>>>
>>>>>   <import resource="classpath:META-INF/cxf/cxf.xml" />
>>>>>   <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
>>>>>   <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
>>>>>
>>>>>   <jaxws:endpoint
>>>>>     id="orderProcess"
>>>>>     implementor="demo.order.OrderProcessImpl"
>>>>>     address="/OrderProcess">
>>>>>     <jaxws:inInterceptors>
>>>>>     <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
>>>>>     <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>>>>>       <constructor-arg>
>>>>>         <map>
>>>>>           <entry key="action" value="UsernameToken" />
>>>>>           <entry key="passwordType" value="PasswordText" />
>>>>>           <entry key="passwordCallbackClass"
>>>>> value="demo.order.ServerPasswordCallback" />
>>>>>         </map>
>>>>>       </constructor-arg>
>>>>>     </bean>
>>>>>   </jaxws:inInterceptors>
>>>>>  </jaxws:endpoint>
>>>>> </beans>
>>>>>
>>>>>
>>>> I am unable to see ServerOut-ClientIn WSS4J Interceptor configuration.
>>>> For each way you require to configure.
>>>>
>>>> With Regards,
>>>> Mayank
>>>>
>>>>  Many Thanks in advance.
>>>>
>>>>
>>>>
>>>>> Best Regards,
>>>>> Rahul
>>>>>
>>>>>
>>>>
>>
>>
>
>