Supporting WCF UsernamePassword WS-Profile spec violations in CXF

If you have .Net clients connecting to your CXF web service, they may run into the following exception:

An invalid security token was provided (An error happened processing a Username Token “{0}”)

This is actually due to Microsoft .Net violating the WS-BasicProfile spec for the username token: it namespace-qualifies the password Type attribute, which the profile does not allow.

A few posts on the subject:

http://marc.info/?l=wss4j-dev&m=124386256631302&w=2

http://mail-archives.apache.org/mod_mbox/servicemix-users/201004.mbox/%3C28242884.post@talk.nabble.com%3E

https://issues.apache.org/jira/browse/WSS-148


A workaround is to provide a custom WSSConfig object and inject it. I am using a feature.

https://github.com/pellcorp/cxf/commit/0797863188ebf90beddf0d704eadf8208f916d5a

WS Policy Config

This approach only works where you are not using WS-Policy. If you are using WS-Policy, the code overwrites the custom WSSConfig object.

The call chain is:

com.pellcorp.server.ReadonlyWSSConfig.setAllowNamespaceQualifiedPasswordTypes(ReadonlyWSSConfig.java:27)
 at org.apache.ws.security.handler.WSHandler.doReceiverAction(WSHandler.java:297)
 at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:258)
 at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:120)
 at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:105)


So instead of the custom WSSConfig object, you need to pass in some properties to the endpoint definition, either in the application context:

<jaxws:properties>
    <entry key="allowNamespaceQualifiedPasswordTypes" value="true" />
    <entry key="isBSPCompliant" value="false" />
</jaxws:properties>

You can also add the following code to the ServerConfigFeature:

properties.put(WSHandlerConstants.ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES, "true");
properties.put(WSHandlerConstants.IS_BSP_COMPLIANT, "false");
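For reference, here is a complete CXF feature that wires these two properties into a WSS4JInInterceptor. It is an added illustration, not the ServerConfigFeature from the linked commit; the class names and the demo credential are assumptions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.Bus;
import org.apache.cxf.feature.AbstractFeature;
import org.apache.cxf.interceptor.InterceptorProvider;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

// Hypothetical feature (not the author's ServerConfigFeature): installs a
// WSS4JInInterceptor that validates UsernameTokens but tolerates the
// namespace-qualified password Type attribute that WCF clients send.
public class LenientUsernameTokenFeature extends AbstractFeature {

    @Override
    protected void initializeProvider(InterceptorProvider provider, Bus bus) {
        Map<String, Object> properties = new HashMap<String, Object>();
        properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        properties.put(WSHandlerConstants.PW_CALLBACK_CLASS, StaticPasswordCallback.class.getName());
        // The two relaxations from the post. IS_BSP_COMPLIANT=false switches off
        // all of WSS4J's Basic Security Profile checks for this interceptor, not
        // only the password Type check, so install the feature only on the
        // endpoints that actually serve WCF clients.
        properties.put(WSHandlerConstants.ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES, "true");
        properties.put(WSHandlerConstants.IS_BSP_COMPLIANT, "false");
        provider.getInInterceptors().add(new WSS4JInInterceptor(properties));
    }

    // Hypothetical callback: supplies the expected password for a user so WSS4J
    // can compare it against the token. The credential is constructed sample data.
    public static class StaticPasswordCallback implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if ("demo-user".equals(pc.getIdentifier())) {
                    pc.setPassword("demo-password"); // constructed sample credential
                }
            }
        }
    }
}
```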
