WS-Security demo

Source: Internet
Author: User

This guide will lead you through how to configure a client and
service to use WS-Security. It assumes you've already got a basic
client and server running. If you don't, please refer to the previous
sections for how to set this up.

  • General set up
  • UsernameToken Configuration
    • Server Side
      • Mule Configuration
      • CXF Configuration
      • Server password callback
    • Client Configuration
      • Mule Configuration
      • CXF Configuration
      • Client password callback

General set up

The first thing you need to do is configure the Mule CXF connector
to load up an external CXF configuration file. This configuration file
is where we'll configure WS-Security.

<mule-configuration id="myConfiguration" version="1.0">
    <connector name="cxf"
               className="org.mule.providers.soap.cxf.CxfConnector">
        <properties>
            <property name="configurationLocation" value="my-cxf-config.xml" />
        </properties>
    </connector>
    ...
</mule-configuration>

UsernameToken Configuration

The UsernameToken feature in WS-Security is an interoperable way
to exchange security tokens inside a SOAP message. In the following
section we'll take a look at how to configure the client and server
to exchange a username/password security token.

Server Side

On the server side we need to:

  • Add a section in your my-cxf-config.xml file for the server
  • Configure the WSS4JInInterceptor and the SAAJInInterceptor. The former is responsible for checking the security of your message.
  • Write a server password callback which verifies the password.

Mule Configuration

In the Mule configuration we need to configure our server. You
should already be familiar with how to do this, but for completeness'
sake, here is the configuration for this example:

<mule-descriptor name="greeterService"
                 implementation="org.apache.hello_world_soap_http.GreeterImpl"
                 singleton="true">
    <inbound-router>
        <endpoint address="cxf:http://localhost:63081/greeter">
            <properties>
                <property name="wsdlLocation" value="hello_world.wsdl" />
            </properties>
        </endpoint>
    </inbound-router>
</mule-descriptor>

CXF Configuration

We need to write a CXF configuration file which contains our server configuration.

The <jaxws:server> element is what we use to configure
incoming interceptors on our service. The name attribute is very
important. It is the QName of the WSDL port you wish to apply this
configuration to. It is in the form {service-namespace}local-port.

To determine your service namespace and port name, go to your WSDL
URL (just append ?wsdl to your service address in the browser). The
"targetNamespace" attribute on the <definitions> element is your
service namespace. The <port> element near the bottom contains a
"name" attribute which is your port name.

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://cxf.apache.org/core"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
           http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">

    <jaxws:server name="{http://apache.org/hello_world_soap_http}SoapPort" createdFromAPI="true">
        <jaxws:inInterceptors>
            <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <constructor-arg>
                    <map>
                        <entry key="action" value="UsernameToken" />
                        <entry key="passwordCallbackRef" value-ref="serverCallback"/>
                    </map>
                </constructor-arg>
            </bean>
        </jaxws:inInterceptors>
    </jaxws:server>

    <bean id="serverCallback" class="org.mule.providers.soap.cxf.wssec.ServerPasswordCallback"/>
    ...
</beans>

Key things to note here:

  • We're installing the SAAJInInterceptor. The WSS4J
    implementation requires that we have a SAAJ tree in memory to work, so
    this is required.
  • We're installing the WSS4JInInterceptor.
    We've configured it so it requires a UsernameToken. We've also told it
    about our ServerPasswordCallback, which will verify the actual password.

Server password callback

Our server callback simply verifies the password. It does this by
supplying the password which will be compared to the incoming password.

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ServerPasswordCallback implements CallbackHandler
{

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

        if (pc.getIdentifer().equals("joe")) {
            // set the password on the callback. This will be compared to the
            // password which was sent from the client.
            pc.setPassword("password");
        }
    }
}

Client Configuration

On the client side, we need to:

  • Set up the CXF outbound endpoint
  • Configure the CXF client so that it uses WS-Security
  • Set up a ClientPasswordCallback which supplies the password for the invocation

Mule Configuration

Here's a simple example which configures a CXF outbound endpoint:

<mule-descriptor
    name="cxfClient"
    implementation="org.mule.providers.soap.cxf.jaxws.ClientMessageGenerator"
    inboundEndpoint="quartz.in"
    singleton="true">

    <!-- An outbound endpoint which submits messages via a CXF client -->
    <outbound-router>
        <router className="org.mule.routing.outbound.OutboundPassThroughRouter">
            <endpoint address="cxf:http://localhost:63081/greeter">
                <properties>
                    <property name="clientClass" value="org.apache.hello_world_soap_http.SOAPService" />
                    <property name="port" value="SoapPort" />
                    <property name="wsdlLocation" value="/org/mule/providers/soap/cxf/wsa/hello_world.wsdl" />
                    <property name="operation" value="greetMe" />
                </properties>
            </endpoint>
        </router>
    </outbound-router>

</mule-descriptor>

CXF Configuration

We also need to add a configuration section to your "my-cxf-config.xml" file.

NOTE: If your client and your server are on separate machines, you
will have two separate files, and then a CXF connector configuration on
each one.

<jaxws:client name="{http://apache.org/hello_world_soap_http}SoapPort" createdFromAPI="true">
    <jaxws:outInterceptors>
        <bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
        <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
            <constructor-arg>
                <map>
                    <entry key="action" value="UsernameToken" />
                    <entry key="user" value="joe" />
                    <entry key="passwordType" value="PasswordDigest" />
                    <!-- The callback supplies the password so it's not stored in our config file -->
                    <entry key="passwordCallbackRef" value-ref="clientCallback" />
                </map>
            </constructor-arg>
        </bean>
    </jaxws:outInterceptors>
</jaxws:client>

<bean id="clientCallback" class="org.mule.providers.soap.cxf.wssec.ClientPasswordCallback"/>

In this configuration snippet we're saying that:

  • We wish to invoke the UsernameToken action.
  • Our username is "joe".
  • We want to send our password in digest form.
  • CXF should use the "clientCallback" bean to supply the password (see below).

Client password callback

Here is an example client password callback. As you can see, it is
fairly simple. It just sets the password you want to use for the
outgoing invocation:

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class ClientPasswordCallback implements CallbackHandler
{
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

        // set the password for our message. It must be the same password
        // the server callback supplies for this user.
        pc.setPassword("yourpassword");
    }
}