Comments on: Apache CXF Tutorial – WS-Security with Spring http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/ The software development weblog of Benjamin McCann. Sun, 21 Mar 2010 13:30:26 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Bart Ottenkamp http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-20528 Bart Ottenkamp Tue, 09 Feb 2010 11:30:54 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-20528 Hi Ben.. great writing and I got almost everything working... One thing though: if I set uo de thes ecurity like you explain, I get while calling the service: com.company.auth.service.ServerPasswordCallback cannot be cast to java.lang.String And I don't see what's happening... Do you have a clue? Hi Ben..

great writing and I got almost everything working…
One thing though: if I set uo de thes ecurity like you explain, I get while calling the service:

com.company.auth.service.ServerPasswordCallback cannot be cast to java.lang.String

And I don’t see what’s happening…
Do you have a clue?

]]> By: Stalin Mohapatra http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-20331 Stalin Mohapatra Fri, 05 Feb 2010 06:47:59 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-20331 Hi Ben... This tutorial was of immense help. I did learn a few new things. Keep up the good work and help beginners like us. Hi Ben…

This tutorial was of immense help. I did learn a few new things. Keep up the good work and help beginners like us.

]]> By: jerome bulanadi http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-16954 jerome bulanadi Thu, 12 Nov 2009 21:30:49 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-16954 Hi Ben, Thanks a lot for the previous tutorial, and this security tutorial. It got me up and running CXF on Tomcat in no time. Hi Dipesh, Thanks too, for your handling of wrong client password. It saved me a lot of time searching over CXF documentation. You dudes rock! Hi Ben,

Thanks a lot for the previous tutorial, and this security tutorial. It got me up and running CXF on Tomcat in no time.

Hi Dipesh,

Thanks too, for your handling of wrong client password. It saved me a lot of time searching over CXF documentation.

You dudes rock!

]]> By: Ben http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-16567 Ben Mon, 02 Nov 2009 16:36:40 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-16567 Hi David, I'm sorry, but I don't have the code for this tutorial still. Hi David, I’m sorry, but I don’t have the code for this tutorial still.

]]> By: david http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-16495 david Sun, 01 Nov 2009 01:44:11 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-16495 Hi Ben, Is it possible to have the completed project in a zip file. I could not run the client with my limited spring background. Also when I use the web services explorer, no matter what password I provide, I get the service executed. Hi Ben,
Is it possible to have the completed project in a zip file. I could not run the client with my limited spring background.
Also when I use the web services explorer, no matter what password I provide, I get the service executed.

]]> By: Ben http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-14786 Ben Tue, 22 Sep 2009 17:46:27 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-14786 Hi Manoj, cxf-extension-soap.xml and cxf-servlet.xml come from the jar files. You do not need to create them yourself Hi Manoj,
cxf-extension-soap.xml and cxf-servlet.xml come from the jar files. You do not need to create them yourself

]]> By: Manoj http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-14771 Manoj Tue, 22 Sep 2009 08:38:55 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-14771 Hi Ben, Can you tell me where from this "cxf-extension-soap.xml" and 'cxf-servlet.xml" have come as you have not mentioned any where about these files. What should i write in these files? Manoj Hi Ben,

Can you tell me where from this “cxf-extension-soap.xml” and ‘cxf-servlet.xml” have come as you have not mentioned any where about these files.

What should i write in these files?

Manoj

]]> By: DeKapx http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-9219 DeKapx Mon, 27 Apr 2009 05:38:00 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-9219 Hi Ben, In addition to my previous comment, there is one scenario in our application. We have Metro based WS-Security enabled web service and its implementation is based on WS-Security using Symmetric Keys. I am trying to hit the service using Apache CXF client but its not working. Is there any compatibility issues with these technologies or is there any way out for this. DeKapx Hi Ben,

In addition to my previous comment, there is one scenario in our application. We have Metro based WS-Security enabled web service and its implementation is based on WS-Security using Symmetric Keys. I am trying to hit the service using Apache CXF client but its not working. Is there any compatibility issues with these technologies or is there any way out for this.

DeKapx

]]> By: DeKapx http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-9217 DeKapx Mon, 27 Apr 2009 05:24:04 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-9217 Hi Ben, This is really a very good tutorial. Sometimes back I explore WS-Security using Metro - WSIT. There 're multiple types of WS-Security can be created using Metro for example: 1. Message Security using Mutual Certificate 2. Message Security using Symmetric Keys. and few more. Is there any possibility to create such types of WS-Security using Apache CXF. Any information on this will be a great help. Thanks in advance. DeKapx Hi Ben,

This is really a very good tutorial. Sometimes back I explore WS-Security using Metro – WSIT. There ‘re multiple types of WS-Security can be created using Metro for example:
1. Message Security using Mutual Certificate
2. Message Security using Symmetric Keys.

and few more. Is there any possibility to create such types of WS-Security using Apache CXF. Any information on this will be a great help.

Thanks in advance.
DeKapx

]]> By: Dipesh http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-2881 Dipesh Thu, 04 Dec 2008 05:17:22 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-2881 Very good security tutorial, I was able to set it up quickly and test both swAuth and corporateAuth webservice endpoints. One thing which I did not realize and got confused is when 'passwordType' is 'PasswordText', responsibility to validate password lies with the CallbackHandler. I was trying to send wrong password from client and expecting the call to be rejected by WebService. But it was not happening. After some google found information on CXF wiki page http://cwiki.apache.org/CXF20DOC/ws-security.html This note is present under 'Username Token Authentication' section, "Note that for the special case of a plain-text password (or any other yet unknown password type), the password validation is delegated to the callback class". After reading this I modified ServerPasswordCallback.handle () method, so that the code looks something like: <pre><code> public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { WSPasswordCallback pc = (WSPasswordCallback) callbacks[0]; // Set the password on the callback. This will be compared to the // password which was sent from the client. // We can call pc.getIdentifer() right here to check the username // if we want each client to have it's own password. if (!pc.getPassword().equals(password)) { throw new SecurityException ("Password is invalid"); } }</code></pre> After this modification in ServerPasswordCallback, service started responding in correct way. Failed for wrong password and get valid response with correct password. Very good security tutorial, I was able to set it up quickly and test both swAuth and corporateAuth webservice endpoints.

One thing which I did not realize and got confused is when ‘passwordType’ is ‘PasswordText’, responsibility to validate password lies with the CallbackHandler.

I was trying to send wrong password from client and expecting the call to be rejected by WebService. But it was not happening.

After some google found information on CXF wiki page

http://cwiki.apache.org/CXF20DOC/ws-security.html

This note is present under ‘Username Token Authentication’ section, “Note that for the special case of a plain-text password (or any other yet unknown password type), the password validation is delegated to the callback class”.

After reading this I modified ServerPasswordCallback.handle () method, so that the code looks something like: 

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
        // Set the password on the callback. This will be compared to the
        //     password which was sent from the client.
        // We can call pc.getIdentifer() right here to check the username
        //     if we want each client to have it's own password.

        if (!pc.getPassword().equals(password)) {
			throw new SecurityException ("Password is invalid");
		}
    }

After this modification in ServerPasswordCallback, service started responding in correct way. Failed for wrong password and get valid response with correct password.

]]>