Announcement Announcement Module
Collapse
No announcement yet.
Integrating Spring WS with Axis (Security) Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Integrating Spring WS with Axis (Security)

    Hi cool Spring WS crowd!

    We are stuck to use Axis for some of our old web service client implementation. Hence the question ( Spring question, I promise )

    The request that has to be sent, needs to be injected with WSSE header - usual deal, right? However in Axis, the way it is done, there is a "wsdd" file that specifies a WsDoAllHandler with two things "injected in" (not Spring):

    1. WsPasswordCallbackHandler (custom)
    2. username

    WsPasswordCallbackHandler returns a password according to the username.

    This "wsdd" file is injected in Axis generated (from "wsdl") ServiceLocator stub, and this way it wraps the request with WSSE header by calling "WsDoAllHandler" behind the scenes.

    This works, BUT we would like to use much simpler approach ( to store username/password pairs in ONE place ) - we would like to use a Spring's Wss4jSecurityInterceptor:

    Code:
    	<bean id="wss4jInterceptor" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
    
    	    <property name="securementActions" value="UsernameToken"/>
    	    <property name="securementUsername" value="vipUser"/>
    	    <property name="securementPassword" value="t0p5ecret"/>
    	    <property name="securementPasswordType" value="PasswordText"/>
    	    <property name="securementUsernameTokenElements" value="Nonce Created"/>
    
    	</bean>
    We still need to keep Axis (1.4) on - client's will. So we cannot just switch to Spring.

    How would we be able to use "Wss4jSecurityInterceptor" (or something as simple) with Axis auto-generated stubs to wrap our top secret requests with WSSE header?

    Thank you VERY much,
    litius
    Last edited by litius; Apr 16th, 2008, 05:27 PM.

  • #2
    One possible solution that we found so far would be to mimic Spring's "Wss4jSecurityInterceptor" behavior, since internally it also uses a real Wss4j handler, but overwrites getPassword(), so if password is provided (to Wss4jSecurityInterceptor), it'll just return that, if not, it would look it up.

    Once I write a custom handler that just returns a password (if it is provided), I can pass "password" to the handler, and "username + handler" to my webservice client, and set it on the Axis Stub (username and handler that will just return a password).

    Any other, more elegant ideas?

    Thank you!
    Last edited by litius; Apr 16th, 2008, 05:28 PM.

    Comment

    Working...
    X