Comments on: Apache CXF Tutorial – WS-Security with Spring http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/ The software development weblog of Benjamin McCann. Fri, 03 Jul 2009 11:27:39 -0600 http://wordpress.org/?v=2.8 hourly 1 By: DeKapx http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-9219 DeKapx Mon, 27 Apr 2009 05:38:00 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-9219 Hi Ben, In addition to my previous comment, there is one scenario in our application. We have Metro based WS-Security enabled web service and its implementation is based on WS-Security using Symmetric Keys. I am trying to hit the service using Apache CXF client but its not working. Is there any compatibility issues with these technologies or is there any way out for this. DeKapx Hi Ben,

In addition to my previous comment, there is one scenario in our application. We have Metro based WS-Security enabled web service and its implementation is based on WS-Security using Symmetric Keys. I am trying to hit the service using Apache CXF client but its not working. Is there any compatibility issues with these technologies or is there any way out for this.

DeKapx

]]> By: DeKapx http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-9217 DeKapx Mon, 27 Apr 2009 05:24:04 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-9217 Hi Ben, This is really a very good tutorial. Sometimes back I explore WS-Security using Metro - WSIT. There 're multiple types of WS-Security can be created using Metro for example: 1. Message Security using Mutual Certificate 2. Message Security using Symmetric Keys. and few more. Is there any possibility to create such types of WS-Security using Apache CXF. Any information on this will be a great help. Thanks in advance. DeKapx Hi Ben,

This is really a very good tutorial. Sometimes back I explore WS-Security using Metro – WSIT. There ‘re multiple types of WS-Security can be created using Metro for example:
1. Message Security using Mutual Certificate
2. Message Security using Symmetric Keys.

and few more. Is there any possibility to create such types of WS-Security using Apache CXF. Any information on this will be a great help.

Thanks in advance.
DeKapx

]]> By: Dipesh http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-2881 Dipesh Thu, 04 Dec 2008 05:17:22 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-2881 Very good security tutorial, I was able to set it up quickly and test both swAuth and corporateAuth webservice endpoints. One thing which I did not realize and got confused is when 'passwordType' is 'PasswordText', responsibility to validate password lies with the CallbackHandler. I was trying to send wrong password from client and expecting the call to be rejected by WebService. But it was not happening. After some google found information on CXF wiki page http://cwiki.apache.org/CXF20DOC/ws-security.html This note is present under 'Username Token Authentication' section, "Note that for the special case of a plain-text password (or any other yet unknown password type), the password validation is delegated to the callback class". After reading this I modified ServerPasswordCallback.handle () method, so that the code looks something like: <pre><code> public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { WSPasswordCallback pc = (WSPasswordCallback) callbacks[0]; // Set the password on the callback. This will be compared to the // password which was sent from the client. // We can call pc.getIdentifer() right here to check the username // if we want each client to have it's own password. if (!pc.getPassword().equals(password)) { throw new SecurityException ("Password is invalid"); } }</code></pre> After this modification in ServerPasswordCallback, service started responding in correct way. Failed for wrong password and get valid response with correct password. Very good security tutorial, I was able to set it up quickly and test both swAuth and corporateAuth webservice endpoints.

One thing which I did not realize and got confused is when ‘passwordType’ is ‘PasswordText’, responsibility to validate password lies with the CallbackHandler.

I was trying to send wrong password from client and expecting the call to be rejected by WebService. But it was not happening.

After some google found information on CXF wiki page

http://cwiki.apache.org/CXF20DOC/ws-security.html

This note is present under ‘Username Token Authentication’ section, “Note that for the special case of a plain-text password (or any other yet unknown password type), the password validation is delegated to the callback class”.

After reading this I modified ServerPasswordCallback.handle () method, so that the code looks something like: 

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
        // Set the password on the callback. This will be compared to the
        //     password which was sent from the client.
        // We can call pc.getIdentifer() right here to check the username
        //     if we want each client to have it's own password.

        if (!pc.getPassword().equals(password)) {
			throw new SecurityException ("Password is invalid");
		}
    }

After this modification in ServerPasswordCallback, service started responding in correct way. Failed for wrong password and get valid response with correct password.

]]> By: Dave http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-2630 Dave Thu, 27 Nov 2008 18:39:41 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-2630 Hi Ben, Thank you for your help! Following your examples definitely cleared up a lot of my questions. Hi Ben,

Thank you for your help! Following your examples definitely cleared up a lot of my questions.

]]> By: Ben http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-2608 Ben Thu, 27 Nov 2008 00:15:57 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-2608 Hey Dave, I agree CXF is really tricky. I think it took me a week or two to get a sample app up and running. You should read the other CXF tutorial on this site first. It will show you how to create a client to access your service. Definitely do that and create an unprotected service first. Then come back to this writeup and add in the security portions. -Ben Hey Dave,
I agree CXF is really tricky. I think it took me a week or two to get a sample app up and running.
You should read the other CXF tutorial on this site first. It will show you how to create a client to access your service. Definitely do that and create an unprotected service first. Then come back to this writeup and add in the security portions.

-Ben

]]> By: Dave http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-2607 Dave Thu, 27 Nov 2008 00:04:01 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-2607 This is an excellent article! It's what I've been looking for for hours. I've followed everything but don't see how to actually make use of the protected service... Am I supposed to be visiting the address for the protected service (/corporateAuth) or something else? I'm somewhat familiar with CXF, but am really having trouble understanding how to implement WS-Security. Thank you for your time! This is an excellent article! It’s what I’ve been looking for for hours. I’ve followed everything but don’t see how to actually make use of the protected service… Am I supposed to be visiting the address for the protected service (/corporateAuth) or something else?

I’m somewhat familiar with CXF, but am really having trouble understanding how to implement WS-Security. Thank you for your time!

]]> By: Manisha http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-752 Manisha Mon, 15 Sep 2008 20:14:20 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-752 It's really a great tutorial, I could make it work on my local. Here I am trying to understand the client part, which uses org.apache.ws.security.WSPasswordCallback in ClientPasswordCallback() class. Would really appreciate if you could let me know one thing, if my client is .Net - what changes shall I make ? It’s really a great tutorial, I could make it work on my local. Here I am trying to understand the client part, which uses org.apache.ws.security.WSPasswordCallback in ClientPasswordCallback() class. Would really appreciate if you could let me know one thing, if my client is .Net – what changes shall I make ?

]]> By: Blair http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-647 Blair Fri, 29 Aug 2008 17:29:50 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-647 Hello, This is a great tutorial. Does anyone know if a tutorial like this one exists for a JAXRS (RESTful) service. In my service I pass simple XML back and forth. I try using what is shown here in this tutorial and get a bunch of SOAP errors. Thanks. Hello,

This is a great tutorial. Does anyone know if a tutorial like this one exists for a JAXRS (RESTful) service. In my service I pass simple XML back and forth. I try using what is shown here in this tutorial and get a bunch of SOAP errors.

Thanks.

]]> By: Av http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-603 Av Thu, 21 Aug 2008 22:13:53 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-603 Nice tutorial. Do you know if there is a preferred method of authorizing a web service using cxf? I mean, after authentication, one needs to ensure that the specified user is actually authorized to execute the web service method in question. Does cxf offer any support for this, do you know? Thanks. Nice tutorial.
Do you know if there is a preferred method of authorizing a web service using cxf? I mean, after authentication, one needs to ensure that the specified user is actually authorized to execute the web service method in question. Does cxf offer any support for this, do you know?

Thanks.

]]> By: Ben http://www.benmccann.com/dev-blog/apache-cxf-tutorial-ws-security-with-spring/comment-page-1/#comment-507 Ben Mon, 04 Aug 2008 21:29:55 +0000 http://www.lumidant.com/blog/apache-cxf-tutorial-ws-security-with-spring/#comment-507 Hi Mike, The interceptors are setup on a per endpoint basis, so you shouldn't have any trouble doing that. Simply copy everything between the jaxws:endpoint tags to create a new endpoint and leave out the wss4j interceptor for the endpoints you don't want to secure. -Ben Hi Mike,
The interceptors are setup on a per endpoint basis, so you shouldn’t have any trouble doing that. Simply copy everything between the jaxws:endpoint tags to create a new endpoint and leave out the wss4j interceptor for the endpoints you don’t want to secure.

-Ben

]]>