JAX-WS ws-security UsernameToken authorization on server

I have created a web service in netbeans with METRO. I modified my web service wsit config for using Usernametoken authentication (without encryption).

<?xml version="1.0" encoding="UTF-8"?> 
 xmlns:soap="" name="NewWebService" targetNamespace="" xmlns:tns="" xmlns:wsp="" xmlns:wsu="" xmlns:fi="" xmlns:tcp="" xmlns:wsam="" xmlns:sp="" xmlns:sc="" xmlns:wspp="" 
    <message name="hello"/>
    <message name="helloResponse"/>
    <portType name="NewWebService">
        <operation name="hello">
            <input message="tns:hello"/>
            <output message="tns:helloResponse"/>
    <binding name="NewWebServicePortBinding" type="tns:NewWebService">
        <wsp:PolicyReference xmlns:wsp="" URI="#UsernameToken"/>
        <operation name="hello">
    <service name="NewWebService">
        <port name="NewWebServicePort" binding="tns:NewWebServicePortBinding"/>
    <!-- Policy for Username Token with plaintext password, sent from client to server only -->
    <wsp:Policy wsu:Id="UsernameToken" xmlns:wsu="" xmlns:wsp="">
                <sp:SupportingTokens xmlns:sp="">
                        <sp:UsernameToken sp:IncludeToken=".../IncludeToken/AlwaysToRecipient"/>
                <wsss:ValidatorConfiguration wspp:visibility="private" xmlns:wsss="" xmlns:wspp="">
                    <wsss:Validator name="usernameValidator" classname="org.test.MyAuth"/>

My PasswordValidator

package org.test;
import com.sun.xml.wss.impl.callback.PasswordValidationCallback;
import com.sun.xml.wss.impl.callback.PasswordValidationCallback.PasswordValidationException;
import com.sun.xml.wss.impl.callback.PasswordValidationCallback.Request;
public class MyAuth implements PasswordValidationCallback.PasswordValidator
    public boolean validate(Request request) throws PasswordValidationException {
        PasswordValidationCallback.PlainTextPasswordRequest ptreq 
            = (PasswordValidationCallback.PlainTextPasswordRequest)request;
        //Database query
        return CheckUserInDateBase(ptreq.getPassword(), ptreq.getUsername());

Now i need authorize user with his username and password and check his role (every method of web service has annotation RolesAllowed). I have created SOAP handler for my web service where I trying to get username and password from soap headers, but header doesnt contains this information (when i get this header in handler). Actually SOAP message looks like

<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="" xmlns:wsse="" xmlns:wsu="" xmlns:xs="">
        <macAddress xmlns="" xmlns:SOAP-ENV="" SOAP-ENV:actor="">F8-D1-11-01-36-20</macAddress>
        <wsse:Security S:mustUnderstand="1">
            <wsse:UsernameToken xmlns:ns15="" xmlns:ns14="" xmlns:ns13="" wsu:Id="uuid_48e60f1c-aea9-4bcc-897f-ef661fe2895b">
                <wsse:Password Type="">mypass</wsse:Password>
        <ns2:hello xmlns:ns2="">

When I trying to extract header's child elements I'm getting only macAddress header (my custom header)

public boolean handleMessage(SOAPMessageContext context) {  
    Iterator i = context.getMessage().getSOAPPart().getEnvelope().getHeader().getChildElements();
    return true;

So. How can I access to wssecurity headers? Or maybe has another way to check user role before execution web service method?


  • Instead of checking at your validator, store the username and password using ThreadLocal then apply your authentication roles within the service implementation as below. In my case, I used this approach to throw a custom exception.

    My Validator:

    * @author SaudAlajmi
    public class PasswordValidator implements PasswordValidationCallback.PasswordValidator {
    /* I used this approach because they need to throw a custom exception in case of authentication failure, as far as I know there is no such way
     * to do it especially since the validator does not have access to the WebServiceContext, but this way and it is safe because every thread has
     * it is own copy and that's why I used ThreadLocal;
    private static final ThreadLocal<String> username = new ThreadLocal<String>();
    private static final ThreadLocal<String> password = new ThreadLocal<String>();
    public boolean validate(Request request) throws PasswordValidationException {
        PasswordValidationCallback.PlainTextPasswordRequest ptreq = (PasswordValidationCallback.PlainTextPasswordRequest) request;
        return true;
    public static String getUsername() {
        String user = username.get();
        return user;
    public static String getPassword() {
        String pwd= password.get();
        return pwd;


    My Service Impl:

    String username = PasswordValidator.getUsername();
    String password = PasswordValidator.getPassword();
    if(username == null || !"test".equals(username) || password == null ||!"test".equals(password)){
    faultInfo = new CommonErrorStructure();
    faultInfo.setErrorText("Username/Password is incorrect");
    throw new GetPatientRecordError("Authentication Failure", faultInfo);

