vikingsteve

Reputation: 40438

Basic Auth with WSS4J / camel cxf (Https)

For a SOAP web service, I have a working example of the configuration for PasswordDigest authentication via camel-cxf and WSS4J:

<camel-cxf:cxfEndpoint id="myService"
                       address="${ws.endpoint.address}"
                       serviceName="es:MyService"
                       wsdlURL="wsdl/myservice.wsdl"
                       endpointName="es:MyServicePort"
                       serviceClass="com.us.MyServiceEndpoint"
                       xmlns:es="http://us.com/services/MyService">
    <camel-cxf:inInterceptors>
        <bean class="org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor">
            <property name="properties">
                <map>
                    <entry key="action" value="UsernameToken"/>
                    <entry key="passwordType" value="PasswordDigest"/>
                    <entry key="passwordCallbackRef" value-ref="myPasswordCallback"/>
                </map>
            </property>
        </bean>
    </camel-cxf:inInterceptors>
</camel-cxf:cxfEndpoint>

We have a request to enable the same resource for BASIC authentication - how can this configuration be modified to do that?

I have changed the following line and tested via SOAP UI:

                    <entry key="passwordType" value="PasswordText"/>

However the result is a SOAP fault from UsernameTokenValidator.java:

  <soap:Fault>
     <faultcode>soap:Server</faultcode>
     <faultstring>These policy alternatives can not be satisfied: 
         {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}
         UsernameToken: Password hashing policy not enforced</faultstring>
  </soap:Fault>

If anyone has some guidance here it would be appreciated.

Upvotes: 1

Views: 2188

Answers (2)

vikingsteve

Reputation: 40438

The WSS-PasswordType needed to change from PasswordText to PasswordDigest.

Upvotes: 0

Colm O hEigeartaigh

Reputation: 1900

You are mixing up the two different ways of configuring WS-Security in CXF.

The "PolicyBasedWSS4JInInterceptor" is used when you have a WS-SecurityPolicy to configure security. You don't need to actually add it at all, as CXF will automatically add it to the interceptor chain. It's configured via the configuration tags specified here: http://cxf.apache.org/docs/ws-securitypolicy.html. The configuration tags you are specifying as "properties" are ignored for the security policy case.

If you want to configure security via a policy in this case, you will need to remove the "HashPassword" policy if you want to support plaintext passwords.

If you want to only configure via "actions" you should be using the "WSS4JInInterceptor" instead (which the policy based interceptor extends).

Colm.

Upvotes: 1
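
The action-based variant described in the answer above, as an added example that is not part of the original posts. It reuses the question's endpoint attributes and `myPasswordCallback` bean id, uses the constructor-map form of `WSS4JInInterceptor`, and assumes the WSDL carries no WS-SecurityPolicy for the UsernameToken.

```xml
<!-- Added example: action-based WS-Security, no WS-SecurityPolicy involved.
     Endpoint attributes and the myPasswordCallback bean id are the question's own. -->
<camel-cxf:cxfEndpoint id="myService"
                       address="${ws.endpoint.address}"
                       serviceName="es:MyService"
                       wsdlURL="wsdl/myservice.wsdl"
                       endpointName="es:MyServicePort"
                       serviceClass="com.us.MyServiceEndpoint"
                       xmlns:es="http://us.com/services/MyService">
    <camel-cxf:inInterceptors>
        <!-- Plain WSS4JInInterceptor: the map entries configure it directly,
             whereas the answer notes they are ignored in the policy case. -->
        <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <constructor-arg>
                <map>
                    <!-- Process a wsse:UsernameToken from the security header -->
                    <entry key="action" value="UsernameToken"/>
                    <!-- PasswordText: the client sends the password itself, not a digest -->
                    <entry key="passwordType" value="PasswordText"/>
                    <!-- CallbackHandler that supplies the expected password -->
                    <entry key="passwordCallbackRef" value-ref="myPasswordCallback"/>
                </map>
            </constructor-arg>
        </bean>
    </camel-cxf:inInterceptors>
</camel-cxf:cxfEndpoint>

<!-- Policy-based alternative from the same answer: declare no interceptor here and
     remove <sp:HashPassword/> from the UsernameToken policy (assumed to be in the WSDL). -->
```

With PasswordText the password is readable by anything that can see the SOAP message, so `${ws.endpoint.address}` should only ever resolve to an `https://` URL.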
