cxf security headers for client using java

Question

My requirement is to implement a method to generate ws security headers by using incoming username, password.

So some one can invoke my method from xslt by providing username and password and my method should able to return security headers and further they can append this security headers in soap request to call third party web service.

i am looking for api which can generate soap security headers by taking username and password.

i found WSS4JOutInterceptor which needs port and service info,but in my case i have only 2 paramters(UserName, PassWord).

please suggest if any other api/approach than creating SoapEnvelop and adding security elements to it ?

<oas:Security xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">     <oas:UsernameToken xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" oas1:Id="UsernameToken-1">      <oas:Username> lakshmi </oas:Username><oas:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MTQ2NzA5NTg3MjM5Mw==</oas:Nonce>       <oas:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">uSlFkVhDynZoCXFojlM1w4UrJYY=</oas:Password><oas1:Created>2016-06-28T06:37:52.425Z</oas1:Created></oas:UsernameToken></oas:Security>

Answer 1

You can use WSS4J to generate the security header

 public Node buildSecurityHeader(String username, String password) 
        throws WSSecurityException, ParserConfigurationException, SAXException, IOException{

    //XML Document builder with a root node
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    DocumentBuilder builder = factory.newDocumentBuilder();
    InputSource inStream = new InputSource();
    inStream.setCharacterStream(new StringReader("<root></root>"));
    Document document = builder.parse(inStream);

    //<wsse:UsernameToken>
    WSSecUsernameToken usernametoken = new WSSecUsernameToken();
    usernametoken.setPasswordType(WSConstants.PASSWORD_DIGEST);
    usernametoken.setUserInfo(username, password);

    //<wsse:Security>
    WSSecHeader secHeader = new WSSecHeader(document);
    secHeader.insertSecurityHeader();

    //Generates the Document with <root><Header><wsse:Security>...
    usernametoken.build(document, secHeader);

    //Extract the desired node
    Node securityNode = document.getElementsByTagName("wsse:Security").item(0);

    return securityNode;

}

To print the node as String use this

public String nodeToString(Node node) throws TransformerFactoryConfigurationError, TransformerException {
    StringWriter sw = new StringWriter();

    Transformer t = TransformerFactory.newInstance().newTransformer();
    t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
    t.setOutputProperty(OutputKeys.INDENT, "yes");
    t.transform(new DOMSource(node), new StreamResult(sw));
    return sw.toString();
}

And use it in this way

 String securityHeader = nodeToString(buildSecurityHeader(username,password));

The result will be similar to this. Parametrize the WSSecUsernameToken and WSSecHeader code at your convenience

<wsse:Security xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
    <wsse:UsernameToken wsu:Id="UsernameToken-39dba965-c4a8-4b2d-826e-ade8c0931f3f">
       <wsse:Username>username</wsse:Username>
       <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">BxJH0G5PzPfBFbBGimF0bq3vjsY=</wsse:Password>
       <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iaO1xilL6qfuN2apbSdfPQ==</wsse:Nonce>
       <wsu:Created>2016-06-30T07:17:26.552Z</wsu:Created>
    </wsse:UsernameToken>
</wsse:Security>