0

My requirement is to implement a method to generate ws security headers by using incoming username, password.

So some one can invoke my method from xslt by providing username and password and my method should able to return security headers and further they can append this security headers in soap request to call third party web service.

i am looking for api which can generate soap security headers by taking username and password.

i found WSS4JOutInterceptor which needs port and service info,but in my case i have only 2 paramters(UserName, PassWord).

please suggest if any other api/approach than creating SoapEnvelop and adding security elements to it ?

<oas:Security xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">     <oas:UsernameToken xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" oas1:Id="UsernameToken-1">      <oas:Username> lakshmi </oas:Username><oas:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MTQ2NzA5NTg3MjM5Mw==</oas:Nonce>       <oas:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">uSlFkVhDynZoCXFojlM1w4UrJYY=</oas:Password><oas1:Created>2016-06-28T06:37:52.425Z</oas1:Created></oas:UsernameToken></oas:Security>
lkreddy1231
  • 95
  • 12
  • What ist the reason to build your request with xslt when using cxf? What should the output of your method be? A xmlstring? Please add more information what you exactly need. – Frank Jun 29 '16 at 06:20
  • @Frank you are wright. output of my method should be xmlString. In our project we are converting incoming request(XML) into soap format through xslt only.May be i conveyed wrong in post, we are not using any CXF to convert incoming XML to SOAP format. Current requirement is to create security header by taking username and password. – lkreddy1231 Jun 29 '16 at 14:32
  • So you need to generate the soap header for outbound connections and not worry about how body is generated:xslt etc Isn't it? Probably you do not need CXF. Please add an example of the desired header format if you know, or at least of the binary security token restrictions set by your server – pedrofb Jun 29 '16 at 16:33
  • @pedrofb that is what exactly i am looking for. Soap body and other headers part is taken care by XSLT. I edited question ad added expected header format. please have look.(i didn't have idea how to link a file, So i added to question). currently we hard coded all the headers and creating password digest , Nonce, etc using Base64 encoding format and appending to security headers and returning that String back. this stuff i want to create using some api. – lkreddy1231 Jun 30 '16 at 06:45
  • Hi @lkredy1231, have you checked the answer? – pedrofb Jul 05 '16 at 15:24
  • @pedrofb sorry for delay in responding . i guess your suggestion will solve my issue.you saved lots of time. – lkreddy1231 Jul 12 '16 at 13:46

1 Answers1

2

You can use WSS4J to generate the security header

 public Node buildSecurityHeader(String username, String password) 
        throws WSSecurityException, ParserConfigurationException, SAXException, IOException{

    //XML Document builder with a root node
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    DocumentBuilder builder = factory.newDocumentBuilder();
    InputSource inStream = new InputSource();
    inStream.setCharacterStream(new StringReader("<root></root>"));
    Document document = builder.parse(inStream);

    //<wsse:UsernameToken>
    WSSecUsernameToken usernametoken = new WSSecUsernameToken();
    usernametoken.setPasswordType(WSConstants.PASSWORD_DIGEST);
    usernametoken.setUserInfo(username, password);

    //<wsse:Security>
    WSSecHeader secHeader = new WSSecHeader(document);
    secHeader.insertSecurityHeader();

    //Generates the Document with <root><Header><wsse:Security>...
    usernametoken.build(document, secHeader);

    //Extract the desired node
    Node securityNode = document.getElementsByTagName("wsse:Security").item(0);

    return securityNode;

}

To print the node as String use this

public String nodeToString(Node node) throws TransformerFactoryConfigurationError, TransformerException {
    StringWriter sw = new StringWriter();

    Transformer t = TransformerFactory.newInstance().newTransformer();
    t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
    t.setOutputProperty(OutputKeys.INDENT, "yes");
    t.transform(new DOMSource(node), new StreamResult(sw));
    return sw.toString();
}

And use it in this way

 String securityHeader = nodeToString(buildSecurityHeader(username,password));

The result will be similar to this. Parametrize the WSSecUsernameToken and WSSecHeader code at your convenience

<wsse:Security xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
    <wsse:UsernameToken wsu:Id="UsernameToken-39dba965-c4a8-4b2d-826e-ade8c0931f3f">
       <wsse:Username>username</wsse:Username>
       <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">BxJH0G5PzPfBFbBGimF0bq3vjsY=</wsse:Password>
       <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iaO1xilL6qfuN2apbSdfPQ==</wsse:Nonce>
       <wsu:Created>2016-06-30T07:17:26.552Z</wsu:Created>
    </wsse:UsernameToken>
</wsse:Security>
pedrofb
  • 37,271
  • 5
  • 94
  • 142