1

I wanted to inject the Nonce and Created elements into the WSSE security header using CXF.

<soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:UsernameToken wsu:Id="UsernameToken-6">
            <wsse:Username>==Username==</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">==Password==</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">===EncodeString===</wsse:Nonce>
            <wsu:Created>2016-05-20T10:51:24.795Z</wsu:Created>
        </wsse:UsernameToken>
    </wsse:Security>
</soapenv:Header>

I'm using the org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor class to populate the CXF headers, but this populates only wsse:Username and wsse:Password. I want wsse:Nonce and wsu:Created in my header as well. Which approach should I take to populate the above elements in my security header?

Below is the code I'm using to populate this:

Map<String, Object> properties = new HashMap<String, Object>();
properties.put(WSHandlerConstants.ACTION, "UsernameToken");
properties.put(WSHandlerConstants.USER, "userName-Text");
properties.put(WSHandlerConstants.PASSWORD_TYPE, "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText");
properties.put(WSHandlerConstants.MUST_UNDERSTAND, "true");
properties.put(WSHandlerConstants.PW_CALLBACK_REF, new CustomWSPasswordCallback(passwordText));

WSS4JOutInterceptor wss4jOutInterceptor = new WSS4JOutInterceptor();
wss4jOutInterceptor.setProperties(properties);

I appreciate your help.

Thanks, Ashish Mishra

Ashish Mishra

2 Answers

4

Add this to your properties if you are using WSS4J < 2.0:

properties.put(WSHandlerConstants.ADD_UT_ELEMENTS, WSConstants.NONCE_LN + " " + WSConstants.CREATED_LN);

If you are using WSS4J >= 2.0, then it should be:

properties.put(WSHandlerConstants.ADD_USERNAMETOKEN_NONCE, "true");
properties.put(WSHandlerConstants.ADD_USERNAMETOKEN_CREATED, "true");
Frank
  • Thanks for your response. My WSS4J is < 2.0, hence the above didn't work for me. But your suggestion helped me find things out. I'm posting my answer below. Thanks! – Ashish Mishra Jun 01 '16 at 04:38
  • This post helped me solve the same problem, thanks! However, I noticed that WSHandlerConstants inherits those constants from org.apache.wss4j.common.ConfigurationConstants - you'd be better off referencing them directly from ConfigurationConstants as this will work with either the Stax or Dom implementations of the WSS4J interceptor. The above implementation forces you to have the DOM module on the buildpath. – Fr Jeremy Krieg Sep 29 '20 at 01:31
0

I have managed to inject the Nonce and Created elements into the WSSE header by adding the property below to my property map:

properties.put(WSHandlerConstants.ADD_UT_ELEMENTS, WSConstants.NONCE_LN + " " + WSConstants.CREATED_LN);

This worked for me.

For more, you can refer to http://tobiasbayer.com/post/apache-cxf-usernametoken-authentication-with-nonce/

Thanks, guys. Ashish Mishra

Ashish Mishra
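The WSS4J >= 2.0 configuration from the first answer, combined with the comment's suggestion to reference `ConfigurationConstants` directly, wired onto a CXF client proxy. This is an added example, not code from any of the posters; the class name `UsernameTokenClientConfig`, the `EnvPasswordCallback` handler and the `WS_PASSWORD` environment variable are hypothetical names chosen for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.ext.WSPasswordCallback;

public final class UsernameTokenClientConfig {

    /** Supplies the password for the configured user when WSS4J asks for it. */
    static final class EnvPasswordCallback implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                // WS_PASSWORD is a hypothetical variable name; read from your own secret store.
                String pw = System.getenv("WS_PASSWORD");
                if (pw == null) {
                    throw new IllegalStateException("WS_PASSWORD is not set");
                }
                ((WSPasswordCallback) cb).setPassword(pw);
            }
        }
    }

    /** Adds a UsernameToken with Nonce and Created to every outgoing message of the port. */
    public static void secure(Object port, String user) {
        Map<String, Object> props = new HashMap<>();
        props.put(ConfigurationConstants.ACTION, ConfigurationConstants.USERNAME_TOKEN);
        props.put(ConfigurationConstants.USER, user);
        // PasswordText puts the password itself in the header, so the transport must be TLS.
        props.put(ConfigurationConstants.PASSWORD_TYPE, "PasswordText");
        props.put(ConfigurationConstants.ADD_USERNAMETOKEN_NONCE, "true");
        props.put(ConfigurationConstants.ADD_USERNAMETOKEN_CREATED, "true");
        props.put(ConfigurationConstants.MUST_UNDERSTAND, "true");
        props.put(ConfigurationConstants.PW_CALLBACK_REF, new EnvPasswordCallback());

        // Attach the interceptor to the CXF client behind the JAX-WS port proxy.
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(props));
    }
}
```

With PasswordText the Nonce and Created values only help against replay if the receiving service actually checks them; they do not protect the password, which still depends on the transport.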