CXF generated WSDL doesn't contain WS-SecurityPolicy definition_问答_开发者

CXF generated WSDL doesn't contain WS-SecurityPolicy definition

开发者 https://www.devze.com 2023-03-22 20:21 出处：网络

I would like to use WS-Security to protect my web service. I\'m using CXF to expose my endpoint, and use WSDL generation from Java code (aka CXF code first service).

I would like to use WS-Security to protect my web service. I'm using CXF to expose my endpoint, and use WSDL generation from Java code (aka CXF code first service).

This tutorial explain how to use WS-Security with CXF when the WSDL is manually managed: http://www.ibm.com/developerworks/java/library/j-jws13/index.html

However, I'm using CXF to automatically generate the WSDL. The generated WSDL doesn't indicate that the client should use WS-Security. I would expect something similar to this in the WSDL:

开发者_开发知识库<wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
 "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:ExactlyOne>
  <wsp:All>
    <sp:TransportBinding/>
    <sp:SupportingTokens>
      <wsp:Policy>
        <sp:UsernameToken sp:IncludeToken=".../IncludeToken/AlwaysToRecipient"/>
      </wsp:Policy>
    </sp:SupportingTokens>
  </wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

I'm not using Spring, but I use an embedded Jetty. Here is how I wire everything:

CXFNonSpringServlet cxfServlet = new CXFNonSpringServlet() {
  private static final long serialVersionUID = 1L;

  @Override
  protected void loadBus(ServletConfig sc) {
    super.loadBus(sc);

    Map<String, Object> inProps = new HashMap<String, Object>();
    inProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
    inProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
    inProps.put(WSHandlerConstants.PW_CALLBACK_REF, new TestCallback());

    JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
    factory.setBus(bus);
    factory.setServiceBean(new MyServiceEndpointImpl());
    factory.setAddress("/myservice");
    factory.getInInterceptors().add(new WSS4JInInterceptor(inProps));
    factory.create();
  }
};

Server server = new Server(8080);
ContextHandlerCollection contexts = new ContextHandlerCollection();
server.setHandler(contexts);
ServletContextHandler rootContext = new ServletContextHandler(contexts, "/");
rootContext.addServlet(new ServletHolder(cxfServlet), "/soap/*");
server.start();

It's not supported right now.

Note: at this point, WS-SecurityPolicy support is ONLY available for "WSDL first" scenarios. The WS-SecurityPolicy fragments can only be pulled from WSDL. In the future, we plan to enable various code first scenarios as well, but at this time, only WSDL first is available.

http://cxf.apache.org/docs/ws-securitypolicy.html

Someone explains the same problem here, and expose a solution with @Policy. However, the solution is boggy with CXF <=2.4.1 (the policy is added twice in the WSDL).

http://cxf.547215.n5.nabble.com/WS-Security-policy-in-wsdl-for-java-first-approach-td569052.html

The duplication problem is now fixed and will be release in 2.4.2 (see https://issues.apache.org/jira/browse/CXF-3668)