
I am using the UsernameToken security policy to secure a SOAP web service. I don't want the client to send the username/password on each request. Is it possible to make the web service stateful? Currently the ServerPasswordCallback is called for each request.

Here is my code:

ComputeWS.java

import javax.jws.WebMethod;
import javax.jws.WebService;

import org.apache.cxf.annotations.EndpointProperties;
import org.apache.cxf.annotations.EndpointProperty;
import org.apache.cxf.annotations.Policy;

@WebService(
    serviceName = "ComputeWS",
    targetNamespace = "http://org.test/compute",
    name = "ComputeWS")
@EndpointProperties(
    // WSS4J calls this handler to obtain the expected password for the token's username
    value = { @EndpointProperty(key = "ws-security.callback-handler", value = "org.test.ServerPasswordCallback") })
@Policy(placement = Policy.Placement.BINDING, uri = "WSPolicy.xml")
public class ComputeWS {

    @WebMethod
    public int add(int x, int y) {
        return x + y;
    }

}

WSPolicy.xml

<?xml version="1.0" encoding="UTF-8" ?>
<wsp:Policy wsu:Id="WSPolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssUsernameToken11/>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

ServerPasswordCallback.java

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.wss4j.common.ext.WSPasswordCallback;

public class ServerPasswordCallback implements CallbackHandler {

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "unsupported callback type");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;

            // On the server side the handler supplies the expected password for the
            // username in the token; WSS4J itself compares it with what the client sent.
            // The password is inlined here only for the example.
            if ("joe".equals(pc.getIdentifier())) {
                pc.setPassword("joespassword");
            }
        }
    }

}
Olivier Boissé

1 Answer

There's no "out of the box" way of doing it. You could change the "IncludeToken" policy of the UsernameToken from "AlwaysToRecipient" to "Once". Then on the server side you'll have to implement some way of keeping track of the client, via something like Spring Security or Apache Shiro etc.

Colm O hEigeartaigh
  • Do you have any example of a SecurityPolicy with IncludeToken set to Once? I am really surprised not to find any sample project using this mechanism; this is a common requirement when you authenticate a user using a database. – Olivier Boissé Mar 02 '16 at 10:40
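A concrete version of the two steps in the answer, added here as an example (it is not code from the question, the answer, CXF, Spring Security or Shiro). Step one is the policy change the comment asks about: in WSPolicy.xml, change the attribute on sp:UsernameToken to `sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Once"`. Step two is the server-side tracking: an in-interceptor that, when WSS4J has just validated a UsernameToken, binds the resulting principal to the servlet session, and on later requests that carry no token admits them only if such a session exists. The class name, package, session attribute name and the choice of a plain HttpSession instead of Spring Security or Shiro are assumptions; the CXF types used (AbstractPhaseInterceptor, Phase.PRE_INVOKE, SecurityContext, AbstractHTTPDestination.HTTP_REQUEST) are CXF's own.

```java
package org.test;

import java.security.Principal;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.transport.http.AbstractHTTPDestination;

/**
 * Example interceptor (assumed, not part of the original question or answer):
 * binds a UsernameToken authentication to the HTTP session so that only the
 * first request of a session has to carry the token.
 *
 * Assumptions: the service runs in a servlet container, the UsernameToken in
 * WSPolicy.xml uses IncludeToken ".../IncludeToken/Once", and the endpoint is
 * reachable only over HTTPS, because the session cookie issued here becomes
 * a bearer credential that replaces the password.
 */
public class SessionBindingInterceptor extends AbstractPhaseInterceptor<Message> {

    // Assumed attribute name used to mark an authenticated session.
    private static final String PRINCIPAL_ATTR = "org.test.authenticatedPrincipal";

    public SessionBindingInterceptor() {
        // PRE_INVOKE runs after the WS-Security in-interceptors have processed
        // any UsernameToken and populated the SecurityContext, but before the
        // service method is called.
        super(Phase.PRE_INVOKE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        HttpServletRequest request =
            (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
        if (request == null) {
            throw new Fault(new SecurityException("no HTTP request on the message"));
        }

        SecurityContext tokenContext = message.get(SecurityContext.class);
        if (tokenContext != null && tokenContext.getUserPrincipal() != null) {
            // This request carried a UsernameToken that WSS4J accepted (a rejected
            // token faults earlier and never reaches this phase). Rotate the session
            // id to defeat session fixation, then record the authenticated user.
            HttpSession old = request.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            HttpSession session = request.getSession(true);
            session.setAttribute(PRINCIPAL_ATTR, tokenContext.getUserPrincipal().getName());
            return;
        }

        // No token on this request: accept only if an authenticated session exists.
        HttpSession session = request.getSession(false);
        Object user = session == null ? null : session.getAttribute(PRINCIPAL_ATTR);
        if (user == null) {
            throw new Fault(new SecurityException(
                "request carries no UsernameToken and no authenticated session"));
        }

        // Re-establish a SecurityContext from the session so downstream code sees
        // the same principal it would have seen with a token on this request.
        final String name = user.toString();
        message.put(SecurityContext.class, new SecurityContext() {
            @Override
            public Principal getUserPrincipal() {
                return new Principal() {
                    @Override
                    public String getName() {
                        return name;
                    }
                };
            }

            @Override
            public boolean isUserInRole(String role) {
                return false; // roles are not tracked in this example
            }
        });
    }
}
```

Register it on the endpoint with CXF's `@InInterceptors(interceptors = "org.test.SessionBindingInterceptor")` annotation on ComputeWS. Two caveats follow from this design: the policy as posted sends the password in clear text on the first request (WssUsernameToken11 with no sp:HashPassword assertion means PasswordText), and afterwards the session cookie is all an attacker needs, so the endpoint must be HTTPS-only, the session should have a short timeout, and it should be invalidated when the client logs out.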