Supporting WCF UsernamePassword WS-Profile spec violations in CXF

If you have .NET clients connecting to your CXF web service, they may encounter the following exception:

An invalid security token was provided (An error happened processing a Username Token “{0}”)

This is actually due to Microsoft .NET violating the WS-BasicProfile spec for the username token: it namespace-qualifies the Type attribute, which is not allowed.

A few posts on the subject:


A workaround is to provide a custom WSSConfig object and inject it. I am using a feature.

WS Policy Config

This approach only works where you are not using WS-Policy. If you are using WS-Policy, the code overwrites the custom WSSConfig object.

The call chain is:



So instead of the custom WSSConfig object, you need to pass some properties to the endpoint definition, either in the application context:

<entry key="allowNamespaceQualifiedPasswordTypes" value="true" />
<entry key="isBSPCompliant" value="false" />

or by adding the following code to the ServerConfigFeature:

properties.put(WSHandlerConstants.ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES, "true");
properties.put(WSHandlerConstants.IS_BSP_COMPLIANT, "false");
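Before relaxing these checks, it is worth confirming that the failing client message really carries the namespace-qualified Type attribute described above. The following is an added example, not code from this post, CXF or WSS4J; it assumes the attribute in question is Type on the wsse:Password element, the helper name `check_password_type` is hypothetical, and both sample envelopes are constructed.

```python
import xml.etree.ElementTree as ET

# OASIS WS-Security 1.0 namespace and the UsernameToken profile's PasswordText URI.
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed sample envelope; user name and password are placeholders.
ENVELOPE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Header>
  <o:Security xmlns:o="{ns}">
   <o:UsernameToken>
    <o:Username>example-user</o:Username>
    <o:Password {attr}="{ptype}">example-placeholder</o:Password>
   </o:UsernameToken>
  </o:Security>
 </s:Header>
 <s:Body/>
</s:Envelope>"""
COMPLIANT = ENVELOPE.format(ns=WSSE_NS, attr="Type", ptype=PASSWORD_TEXT)
QUALIFIED = ENVELOPE.format(ns=WSSE_NS, attr="o:Type", ptype=PASSWORD_TEXT)


def check_password_type(soap_xml):
    """Return one finding per wsse:Password element (hypothetical helper)."""
    findings = []
    # Run this on captured messages you trust; ElementTree is not hardened
    # against hostile XML.
    for pw in ET.fromstring(soap_xml).iter("{%s}Password" % WSSE_NS):
        # Default finding covers a Password element with no Type attribute.
        finding = {"qualified": False, "namespace": "", "type": None}
        for name, value in pw.attrib.items():
            # ElementTree spells a qualified attribute name as "{uri}local".
            ns, _, local = name[1:].partition("}") if name.startswith("{") else ("", "", name)
            if local == "Type":
                finding = {"qualified": bool(ns), "namespace": ns, "type": value}
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for label, msg in (("compliant", COMPLIANT), ("qualified", QUALIFIED)):
        print(label, check_password_type(msg))
```

A finding with `qualified` set to true is the case the two properties above are meant to accept. Note that `isBSPCompliant` set to `false` applies to the whole endpoint, not only to this attribute.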



