I have a webservice, running on JBoss 7.x, that accepts 2 authentication methods specified by 2 policies:
    @WebService
    @EndpointProperties(value = {
        @EndpointProperty(key = SecurityConstants.BST_TOKEN_VALIDATOR, beanClass = util.ws.KerberosTokenValidator.class),
        @EndpointProperty(key = SecurityConstants.USERNAME_TOKEN_VALIDATOR, beanClass = util.ws.UsernameTokenValidator.class),
    })
    @Policies({
        @Policy(placement = Policy.Placement.BINDING, uri = "ws-policy.xml")
    })
    public class PaymentNotification implements PaymentNotificationInterface {
The policy file (ws-policy.xml):

    <wsp:ExactlyOne>
        <!-- KERBEROS TOKEN (http or https) -->
        <wsp:Policy>
            <sp:KerberosToken
                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                    <sp:WssGssKerberosV5ApReqToken11 />
                </wsp:Policy>
            </sp:KerberosToken>
        </wsp:Policy>
        <!-- USERNAME TOKEN WITH HASHED PASSWORD (http or https) -->
        <wsp:Policy>
            <sp:UsernameToken
                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                    <!-- <sp:HashPassword /> -->
                    <sp:WssUsernameToken11 />
                </wsp:Policy>
            </sp:UsernameToken>
        </wsp:Policy>
    </wsp:ExactlyOne>
I would like to add a new policy that reads a custom header from the HTTP request (CLIENT-CERT) and uses the certificate for authentication.
Is this possible? Any example would be highly appreciated or even some pointers to specific documentation or simple tutorials.
I can't find any predefined policy and assertions that would check the value of a custom header, so I think I need to create a custom one, but I'm not sure this is the correct way of adding a new authentication method.
Thank you in advance.
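
As an added example (not part of the original post, and not JBossWS or CXF code), the sketch below shows the validation step such a header-based method needs once the endpoint has read the CLIENT-CERT value, using only JDK classes. The class name, the size limit, the URL-encoded PEM header format and the client-CA trust store are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.net.URLDecoder;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;

// Hypothetical helper (not a JBossWS/CXF class): validates the certificate in CLIENT-CERT.
// Only meaningful if the TLS-terminating proxy sets the header itself and strips any
// copy sent by the client; otherwise any caller can present someone else's certificate.
public final class ClientCertHeaderAuthenticator {
    private final KeyStore clientCaStore; // CAs allowed to issue client certificates

    public ClientCertHeaderAuthenticator(KeyStore clientCaStore) {
        this.clientCaStore = clientCaStore;
    }

    /** Returns the subject DN of a certificate that chains to clientCaStore, else throws. */
    public String authenticate(String header) throws GeneralSecurityException {
        if (header == null || header.isEmpty() || header.length() > 16384) { // constructed limit
            throw new CertificateException("CLIENT-CERT header missing or oversized");
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try {
            // Assumption: URL-encoded PEM. Keep a literal '+' (valid base64) from becoming ' '.
            String pem = URLDecoder.decode(header.replace("+", "%2B"), "UTF-8");
            cert = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(pem.getBytes("US-ASCII")));
        } catch (java.io.UnsupportedEncodingException | RuntimeException e) {
            throw new CertificateException("CLIENT-CERT header is not a certificate", e);
        }
        // PKIX validation checks the signature, validity dates and the chain to a trusted CA.
        // Assumptions: leaf issued directly by a CA in the store; revocation checked at the proxy.
        CertPath path = cf.generateCertPath(Collections.singletonList(cert));
        PKIXParameters params = new PKIXParameters(clientCaStore);
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(path, params);
        return cert.getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null); // constructed empty store; load the client-CA store in real use
        try {
            new ClientCertHeaderAuthenticator(empty).authenticate("not-a-certificate"); // constructed input
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The returned subject DN would still have to be mapped to an application user or role before the call is authorized.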