Laabidi Raissi

Reputation: 3333

How to prevent CXF secured webservices access from browser

I am developing a basic WebService example using CXF and Spring. Here are my classes:

import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;

// @WebService marks the SEI for the JAX-WS frontend (imports and annotation added; the original omitted them)
@WebService
public interface AuthService {
    @WebMethod
    Person getPerson(@WebParam(name = "user_id") Long userId);
}

The WS implementation is as follows:

import javax.jws.WebService;

// endpointInterface ties the implementation to the SEI above (annotation added; the original omitted it)
@WebService(endpointInterface = "com.iptech.cxfws.service.AuthService")
public class AuthServiceImpl implements AuthService {

    public Person getPerson(Long gid) {
        // Demo implementation: builds a dummy Person for the requested id
        Person p = new Person();
        p.setUserId(gid);
        p.setEmail("test" + gid + "@test.de");
        p.setName("test" + gid);
        return p;
    }

}

My web.xml is as follows:

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>WEB-INF/cxf-beans.xml</param-value>
</context-param>
<servlet>
    <servlet-name>CXFServlet</servlet-name>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>CXFServlet</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>

My cxf-beans.xml is:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-soap.xml"/>


<bean id="logInBound" class="org.apache.cxf.interceptor.LoggingInInterceptor" />
<bean id="logOutBound" class="org.apache.cxf.interceptor.LoggingOutInterceptor" />
</beans>

Here is my cxf-servlet.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:jaxws="http://cxf.apache.org/jaxws"
  xmlns:soap="http://cxf.apache.org/bindings/soap"
  xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/bindings/soap http://cxf.apache.org/schemas/configuration/soap.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd">
    <jaxws:server id="jaxwsService" serviceClass="com.iptech.cxfws.service.AuthService" address="/auth_user">
        <jaxws:serviceBean>
            <bean class="com.iptech.cxfws.service.impl.AuthServiceImpl" />
        </jaxws:serviceBean>

        <jaxws:inInterceptors>
            <ref bean="interceptor"/>
        </jaxws:inInterceptors>
    </jaxws:server>

    <bean id="interceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="UsernameToken" />
                <entry key="passwordType" value="PasswordText" />
                <entry key="passwordCallbackRef">
                    <ref bean="passwordCallback" />
                </entry>
            </map>
        </constructor-arg>
    </bean>
    <bean id="passwordCallback" class="com.iptech.cxfws.service.callback.ServerPasswordCallback"/>

</beans>

And finally, here is my ServerPasswordCallback class:

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ServerPasswordCallback implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        // WSS4J hands over one WSPasswordCallback per UsernameToken; walk the array
        // instead of casting callbacks[0] blindly (imports and loop added to the original)
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            String username = pc.getIdentifier();
            // Look the password for `username` up in a business class (lookup omitted in the original);
            // the handler sets the expected password and WSS4J compares it with the token's value.
            String password = null; // get it from a business class
            pc.setPassword(password);
        }
    }

}

As you can see, this is a very simple example you can find in every basic CXF tutorial. Now, I have two problems:

1) When I call

http://localhost:8080/cxf-ws/auth_user/getPerson?user_id=11

from an Internet browser (Chrome), I get a response; no username/password verification is done. However, when invoking the WS from a Java client, I can't get the response without including username/password in the SOAP message header. Is this normal?

2) The second question has nothing to do with WS-Security. When deploying/publishing my WS to Tomcat, everything works as expected (except the security issue mentioned above). But I have the following exception:

javax.xml.bind.UnmarshalException: unexpected element 
(URI : "http://schemas.xmlsoap.org/ws/2005/04/discovery", local : "Probe"). 
Expected elements are <{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}AppSequence>,
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Bye>,
<{http://www.w3.org/2005/08/addressing}EndpointReference>,
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Hello>,
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}MetadataVersion>,
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Probe>,
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}ProbeMatches>,
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Resolve>,
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}ResolveMatches>,
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Scopes>,
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Security>,
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Sig>,
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}SupportedMatchingRules>,
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}Types>,
<{http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01}XAddrs>

Any help is very appreciated.

Upvotes: 2

Views: 1086

Answers (1)

Daniel Kulp

Reputation: 14607

Upgrade to CXF 2.7.1 or change to using WS-SecurityPolicy.

Upvotes: 1
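The GET URL in the question reaches the service through CXF's HTTP GET-to-operation mapping, which carries no SOAP envelope and therefore no Security header for WSS4JInInterceptor to check. Besides the upgrade suggested above, a defence-in-depth measure is a RECEIVE-phase interceptor that only lets operation calls through as SOAP POST requests; the code below is an added example, not part of the question or of CXF, and assumes that `?wsdl` and `?xsd=...` metadata requests should stay reachable.

```java
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/**
 * Rejects any request that is not a SOAP POST before CXF can map a GET
 * URL onto a service operation. Added example (hypothetical class name);
 * register it in cxf-servlet.xml inside <jaxws:inInterceptors> next to
 * the WSS4JInInterceptor bean.
 */
public class SoapPostOnlyInterceptor extends AbstractPhaseInterceptor<Message> {

    public SoapPostOnlyInterceptor() {
        // RECEIVE is the first server-side phase, so this runs before the
        // UNMARSHAL-phase URIMappingInterceptor turns a GET into an invocation.
        super(Phase.RECEIVE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        String method = (String) message.get(Message.HTTP_REQUEST_METHOD);
        String query = (String) message.get(Message.QUERY_STRING);

        if ("POST".equalsIgnoreCase(method)) {
            // Real SOAP request: WSS4JInInterceptor will validate the UsernameToken
            return;
        }
        if ("GET".equalsIgnoreCase(method) && isMetadataRequest(query)) {
            // ?wsdl / ?xsd=... are answered by WSDLGetInterceptor and invoke no operation
            return;
        }
        // Everything else (GET operation calls, HEAD, etc.) is refused with a SOAP fault
        throw new Fault(new SecurityException(
                "Service operations are only accepted as SOAP POST requests"));
    }

    /** Assumption: only these query forms are treated as harmless metadata requests. */
    static boolean isMetadataRequest(String query) {
        if (query == null) {
            return false;
        }
        String q = query.toLowerCase();
        return q.equals("wsdl") || q.startsWith("wsdl=") || q.startsWith("xsd=");
    }
}
```

The Spring wiring is a second `<bean class="com.iptech.cxfws.service.SoapPostOnlyInterceptor"/>` entry in `<jaxws:inInterceptors>`; after deploying, the browser URL from the question should return a fault while the Java client with a UsernameToken keeps working.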
