
CXF client send nonce and timestamp

We need to access a service with username/password protection and message
protection, against an Oracle server. After some tests we realised that it
did not protect against replay attacks. Configuring the server to require
timestamp and nonce resulted in an error.

To simplify things I then configured the service without message protection.
I can call the service successfully by setting:

Map<String, Object> props = client.getRequestContext();

props.put(SecurityConstants.CALLBACK_HANDLER,
        new Invoker_CXFNameCallbackHandler("password"));
props.put(SecurityConstants.USERNAME, "user");

This adds:
<wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    soap:mustUnderstand="true">
  <wsse:UsernameToken
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="UsernameToken-bcfd47d6-33cd-477f-8847-0cf21f2b0006">
    <wsse:Username>user</wsse:Username>
    <wsse:Password
        Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>

However I tried adding the nonce and timestamp:

props.put(ConfigurationConstants.ADD_USERNAMETOKEN_NONCE, "true");
props.put(ConfigurationConstants.ADD_USERNAMETOKEN_CREATED, "true");

This made no difference - the nonce and timestamp are still not set. I also
tried Boolean values instead of the String "true" and "false".

I have also tried removing the above code and setting:

Map<String, Object> iprops = new HashMap<String, Object>();
iprops.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
iprops.put(WSHandlerConstants.USER, "user");
iprops.put(WSHandlerConstants.PW_CALLBACK_REF,
        new Invoker_CXFNameCallbackHandler("password"));
iprops.put(WSHandlerConstants.ADD_USERNAMETOKEN_CREATED, "true");
iprops.put(WSHandlerConstants.ADD_USERNAMETOKEN_NONCE, "true");
iprops.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);

//client.getEndpoint().getInInterceptors().clear();
client.getEndpoint().getInInterceptors().add(new WSS4JInInterceptor(iprops));
//client.getEndpoint().getOutInterceptors().clear();
client.getEndpoint().getOutInterceptors().add(new WSS4JOutInterceptor());

This gives an error:

Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: No username available
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:159)
    at com.sun.proxy.$Proxy33.whoAmI(Unknown Source)
    at uk.co.ybs.ep10test.Invoker.main(Invoker.java:132)
Caused by: org.apache.cxf.ws.policy.PolicyException: No username available
    at org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor.policyNotAsserted(AbstractTokenInterceptor.java:277)
    at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.addUsernameToken(UsernameTokenInterceptor.java:395)
    at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.addToken(UsernameTokenInterceptor.java:340)

I think I need to find how to pass the ADD_USERNAMETOKEN_NONCE and
ADD_USERNAMETOKEN_CREATED to the underlying wss4j. How do I do this?

Thanks
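
Added example, not part of the original post and not CXF or WSS4J code: a sketch of the receiver-side check that the Nonce and Created elements asked about above make possible. The ReplayGuard class, the five-minute window and the sample tokens are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"wsse": WSSE, "wsu": WSU}

class ReplayGuard:
    """Hypothetical receiver check: token needs Nonce and Created, fresh and unseen."""
    def __init__(self, max_age=timedelta(minutes=5)):  # window size is an assumption
        self.max_age = max_age
        self.seen = {}  # nonce bytes -> Created time; pruned once past the window

    def check(self, security_xml, now):
        root = ET.fromstring(security_xml)
        nonce = root.findtext("wsse:UsernameToken/wsse:Nonce", namespaces=NS)
        created = root.findtext("wsse:UsernameToken/wsu:Created", namespaces=NS)
        if not nonce or not created:
            return "reject: Nonce or Created missing"
        try:
            raw = base64.b64decode(nonce.strip(), validate=True)
            ts = datetime.fromisoformat(created.strip().replace("Z", "+00:00"))
        except ValueError:
            return "reject: malformed Nonce or Created"
        if ts.tzinfo is None or abs(now - ts) > self.max_age:
            return "reject: Created outside freshness window"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        if raw in self.seen:
            return "reject: nonce replayed"
        self.seen[raw] = ts
        return "accept"

def security_header(nonce_b64=None, created=None):
    """Constructed sample: the post's PasswordText token, optionally with Nonce/Created."""
    extra = f"<wsse:Nonce>{nonce_b64}</wsse:Nonce>" if nonce_b64 else ""
    extra += f"<wsu:Created>{created}</wsu:Created>" if created else ""
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            "<wsse:Username>user</wsse:Username><wsse:Password>password</wsse:Password>"
            f"{extra}</wsse:UsernameToken></wsse:Security>")

def demo():
    now = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)  # constructed clock
    guard = ReplayGuard()
    fresh = security_header(base64.b64encode(b"constructed-nonce").decode(), "2024-01-01T12:00:00Z")
    return [guard.check(security_header(), now), guard.check(fresh, now),
            guard.check(fresh, now), guard.check(fresh, now + timedelta(minutes=10))]

if __name__ == "__main__":
    print(demo())
```

Run against a captured request header, the first verdict also shows whether the client actually emitted the two elements.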
