How to authenticate ws-security soap header with jaxws on a tomcat server

Question

I have developed a simple web service with JAX-WS RT and deployed it on a Tomcat 6 server. I need to authenticate calls to my web service using ws-security in the SOAP header.

My approach was to use a chain handler to extract the username and password in the soap header and authenticate in my code. Is this the correct approach or not and if not, what is the correct approach for this?

Using soapUI I have sent through the following header

 <soapenv:Header> 
  <wsse:Security soapenv:mustUnderstand="1" 
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">  
     <wsse:UsernameToken> 
        <wsse:Username>test</wsse:Username> 
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password> 
     </wsse:UsernameToken> 
  </wsse:Security> 

with this header I get the following error

  <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
  <SOAP-ENV:Fault xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
     <faultstring>MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood</faultstring>
     <faultcode>SOAP-ENV:MustUnderstand</faultcode>
  </SOAP-ENV:Fault>

Using JAX-WS rt how do I set up my web service to accept this type of header and authenticate.

Answer 1

Using chain handlers is one way to handle ws-security headers, it is just a lower level approach compared to frameworks like rampart (although these frameworks usually just implement these handlers for you). If you write your own message handler you have to override

Set<QName> getHeaders()

to declare which headers you understand. In this case return a set containing

QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "Security")

to avoid the "MustUnderstand" error.