java web-services cxf ws-security

CXF UsernameToken Issue


I'm trying to add a UsernameToken WSS header to my WS client. The client implements javax.xml.ws.Service and has been generated through WSDL2Java CXF 3.1.4.

Since the wsdl contains

<wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" wsu:Id="UsernameTokenPolicy">

     <sp:UsernameToken>
        <wsp:Policy>
          <sp:WssUsernameToken10/>
          <sp:HashPassword/>
        </wsp:Policy>
     </sp:UsernameToken>

 </wsp:Policy>

a UsernameToken header must be added. Searching a bit, I've found out that this is as simple as

((BindingProvider)soapClient).getRequestContext().put("ws-security.username", usr);
((BindingProvider)soapClient).getRequestContext().put("ws-security.password", psw);

By the way, when I try to perform a call I get the following error:

These policy alternatives can not be satisfied: 
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}UsernameToken: Password hashing policy not enforced

Any advice? Thank you.

P.S. I've already checked for similar posts on Stack Overflow, but if I try a different approach like the one suggested here I get a different error:

Interceptor for XXXX has thrown exception, unwinding now
org.apache.cxf.ws.policy.PolicyException: No username available

Solution

  • As the CXF documentation states:

    From Apache CXF 3.1.0, the WS-SecurityPolicy and the XML Security (JAX-RS) components in CXF share a common set of configuration tags.

    So you shouldn't use ws-security.username and ws-security.password but security.username and security.password.

    Also be sure that the cxf-rt-ws-policy and cxf-rt-ws-security modules are available on the classpath so ws-policy will automatically be enabled, thus taking care of hashing the password, i.e. calculating the correct password digest.