First things first:
Configuration:
application-context.xml
    <!-- Import for camel config and beans -->
    <import resource="./cxf-beans-testws.xml" />
    <import resource="./camel-testws.xml" />
camel-testws.xml
    <!-- CAMEL CONTEXT -->
    <camelContext id="camelContextTest" xmlns="http://camel.apache.org/schema/spring">
        <!-- CAMEL ROUTE -->
        <route id="TestWSRoute">
            <description>
                Camel route for testws
            </description>
            <from uri="cxf:bean:serviceTestProvider" />
            <log message="Process" loggingLevel="DEBUG" />
            <to uri="cxf:bean:serviceTestClient" />
        </route>
    </camelContext>
cxf-beans-testws.xml (just the relevant part)
    <bean id="wss4JOutInterceptorRea" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="Encrypt Signature"/>
                <entry key="useSingleCertificate" value="true" />
                <entry key="user" value="xxxx" />
                <entry key="signaturePropRefId" value="signaturePropertiesBean" />
                <entry key="signaturePropertiesBean" value-ref="signaturePropertiesTest" />
                <entry key="signatureUser" value="${test.signature.certificate.alias}" />
                <entry key="passwordCallbackRef" value-ref="clientCallbackTest" />
                <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <entry key="signatureKeyIdentifier" value="DirectReference" />
                <entry key="signatureParts" value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
                <entry key="encryptionUser" value="${test.encryption.certificate.alias}" />
                <entry key="encryptionPropRefId" value="encryptionPropertiesBean" />
                <entry key="encryptionPropertiesBean" value-ref="encryptionPropertiesTest" />
            </map>
        </constructor-arg>
    </bean>
When I call the exposed web service (serviceTestProvider), the SOAP message comes in, the log appears and the WSS configuration is applied. Then the message is sent to the endpoint... and it always returns:
HTTP response '403: Forbidden' when communicating with http://...
If I remove the wss4jOutInterceptor, then the response is that there is no wss security (expected response).
But if I set the log level to DEBUG, take the Outbound message from the log after all the interceptor chain handling and send it manually from REST Console or SoapUI... then it works OK, no 403. So it seems that the message is well formed. Both calls are made from the same computer and without a proxy or similar.
2016-06-17 08:59:12 INFO WSTestCXFService:234 - Outbound Message
---------------------------
ID: 4
Address: http://correct-ws-url
Http-Method: POST
Content-Type: text/xml;charset=UTF-8
Headers: {Accept=[text/xml;charset=UTF-8], accept-encoding=[gzip,deflate], breadcrumbId=[ID-MACHINENAME-55387-1466145154908-1-4], Cache-Control=[No-Cache], Connection=[Keep-Alive], host=[correct-host], SOAPAction=[method], User-Agent=[Apache-HttpClient/4.1.1 (java 1.5)]}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">...</wsse:Security></SOAP-ENV:Header><soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-5"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-4" Type="http://www.w3.org/2001/04/xmlenc#Content">...</xenc:EncryptedData></soap:Body></soap:Envelope>
No https, just http endpoint. Tried with conduit to add headers just to match REST Console or SoapUI raw messages with no luck. Any guess?
Finally, it was a Windows/network problem. Some days later (2-3), no changes at all... it started working.
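An added example, not part of the original post: when the logged message succeeds from a manual client but the CXF call gets a 403, one way to check the header comparison described above is to parse the `Headers:` line of the outbound log and diff it, case-insensitively, against the request head saved from the manual client. The log line is copied from the post; the manual request and all function names are constructed for illustration.

```python
import re

# Constructed input: the "Headers:" line from the outbound log in the post.
CXF_LOG_HEADERS = (
    "Headers: {Accept=[text/xml;charset=UTF-8], accept-encoding=[gzip,deflate], "
    "breadcrumbId=[ID-MACHINENAME-55387-1466145154908-1-4], Cache-Control=[No-Cache], "
    "Connection=[Keep-Alive], host=[correct-host], SOAPAction=[method], "
    "User-Agent=[Apache-HttpClient/4.1.1 (java 1.5)]}"
)

# Constructed input (hypothetical values): request head saved from the manual client.
MANUAL_REQUEST = """POST / HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "method"
Content-Length: 4312
Host: correct-host
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
"""

# A value ends at the "]" that is followed by ", Name=[" or by the closing "}",
# so commas inside a value (gzip,deflate) do not split it.
PAIR = re.compile(r"([\w-]+)=\[(.*?)\](?=, [\w-]+=\[|\}\s*$)")

def parse_cxf_headers(line):
    """Parse the 'Headers: {Name=[value], ...}' log line into a lower-cased dict."""
    return {name.lower(): value.strip() for name, value in PAIR.findall(line)}

def parse_raw_head(text):
    """Parse 'Name: value' lines of a raw HTTP request, skipping the request line."""
    headers = {}
    for line in text.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def diff_headers(cxf, manual, ignore=("content-type",)):
    """Diff two header dicts; the log prints Content-Type on its own line, so skip it."""
    names = (set(cxf) | set(manual)) - set(ignore)
    return {
        "only_cxf": sorted(n for n in names if n not in manual),
        "only_manual": sorted(n for n in names if n not in cxf),
        "different": sorted(n for n in names
                            if n in cxf and n in manual and cxf[n] != manual[n]),
    }

if __name__ == "__main__":
    result = diff_headers(parse_cxf_headers(CXF_LOG_HEADERS), parse_raw_head(MANUAL_REQUEST))
    for kind, names in result.items():
        print(kind, names)
```

The log line shows the headers held in the CXF message, so a header set by the HTTP transport itself would only appear in a wire capture.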