Security Policy for Apache CXF Java Client

Question

I have been given the task of creating a Java client for an existing Soap web service with a security policy defined as the following:

<wsp:Policy wsu:Id="security_policy_id">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:TransportToken>
                        <wsp:Policy>
                            <sp:HttpsToken RequireClientCertificate="false"/>
                        </wsp:Policy>
                    </sp:TransportToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                </wsp:Policy>
            </sp:TransportBinding>
            <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:UsernameToken
                            sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssUsernameToken10/>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SignedSupportingTokens>
            <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy/>
            </sp:Wss10>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

I have generated the stubs via Maven and wsdl2java, but I haven't been successful with authentication. I am not sure where to begin with fulfilling the policy in the client. I've found several examples using just a UsernameToken or X.509 certificate, but nothing with the apparent complexity of this policy. I'm struggling to put all the pieces together. Here is a sample from the CXF site which is hopefully a start to what I'm looking for.

        Client client = ClientProxy.getClient(greeter);
        Map<String, Object> props = new HashMap<String, Object>();
        props.put("action", "UsernameToken");
        props.put("user", "alice");
        props.put("passwordType", "PasswordText");
        WSS4JOutInterceptor wss4jOut = new WSS4JOutInterceptor(props);

        client.getOutInterceptors().add(wss4jOut);    ((BindingProvider)greeter).getRequestContext().put("password","password");

Note: I have no control over the wsdl or web service.

Answer 1

Since you are using wsdl2java maven plugin from CXF, a lot of classes would have been generated including a Service class. So what you need to do is get the stub from the service class generated and inject username and password provided and then it should work. Something like this:

final YourService service = new YourService();
final YourStub stub = service.getService();

final Map ctx = ((BindingProvider)stub).getRequestContext();

ctx.put("ws-security.username", userName);
ctx.put("ws-security.password", password);

stub.callYourMethod();

PS: Please make sure you have the right libraries, I just used cxf-bundle and nothing else from cxf and it worked! Earlier it was not working as I had individually included libraries from cxf.

The code will automatically take care of all the policies mentioned in the wsdl file