THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
The entry keys and values given in the constructor-arg element above (action, signaturePropFile, etc.) map to the text strings in WSS4J's WSHandlerConstants and WSConstants classes for the corresponding WSHandlerConstants.XXXXX and WSConstants.XXXX constants you see in the section below. So by viewing WSHandlerConstants, for example, you can see that the WSHandlerConstants.USERNAME_TOKEN value given below would need to be "UsernameToken" instead when doing Spring configuration.
If you want to avoid looking up the text keys for the WSHandlerConstants.XXXXX and WSConstants.XXXX constants, you can also use the Spring util namespace to reference static constants in your Spring context as shown below.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<beans
...
xmlns:util="http://www.springframework.org/schema/util"
...
xsi:schemaLocation="
...
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
...
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry value="UsernameToken">
<key>
<util:constant static-field="org.apache.ws.security.handler.WSHandlerConstants.ACTION"/>
</key>
</entry>
...
</map>
</constructor-arg>
</bean>
...
|
Additional Configuration Options
While the CXF WSS4J interceptors support the standard configuration properties available in WSHandlerConstants.XXXXX and WSConstants.XXXX, CXF also provides access to some additional low level configuration capabilities in WSS4J and some other security related interceptors.
Validating Signature and/or Encryption of Message Contents
As of CXF 2.2.8, the CryptoCoverageChecker interceptor allows one to validate signature and encryption coverage of message contents without migrating to a WS-SecurityPolicy based configuration. The interceptor can support enforcement of signature and encryption coverage at both the element and content level (be aware that the combination of signature and content do not represent a valid combination of coverage type and coverage scope). To configure this interceptor using the API, follow the example below.
| Code Block | ||||
|---|---|---|---|---|
| ||||
import org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker.XPathExpression;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
Map<String, String> prefixes = new HashMap<String, String>();
prefixes.put("ser", "http://www.sdj.pl");
prefixes.put("soap", "http://schemas.xmlsoap.org/soap/envelope/");
List<XPathExpression> xpaths = Arrays.asList(
new XPathExpression("//ser:Header", CoverageType.SIGNED, CoverageScope.ELEMENT),
new XPathExpression("//soap:Body", CoverageType.ENCRYPTED, CoverageScope.CONTENT));
CryptoCoverageChecker checker = new CryptoCoverageChecker(prefixes, xpaths);
|
The interceptor can also be configured in Spring using the conventional bean definition format.
After configuring the interceptor as above, simply add the interceptor to your client or server interceptor chain as shown previsouly with the WSS4J interceptors. Ensure that you include the WSS4JInInterceptor in the chain or all requests will be denied if you enforce any coverage XPaths.
Custom Processors
As of CXF 2.0.10 and 2.1.4, you can specify custom WSS4J Processor configurations on the WSS4JInInterceptor. To activate this configuration option, one provides a non-WSS4J defined property, wss4j.processor.map, to the WSS4JInInterceptor as shown in the following Spring example. The same configuratoin can be acheieved through the API as well. The key value is an XML qualified name of the WS-S header element to process with the given processor implementation. The entry values can be a String representing a class name of the processor to instantiate, an Object implementing Processor, or null to disable processing of the given WS-S header element.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
...
<!-- This reconfigures the processor implementation that WSS4j uses to
process a WS-S Signature element. -->
<entry key="wss4j.processor.map">
<map key-type="javax.xml.namespace.QName">
<entry value="my.class">
<key>
<bean class="javax.xml.namespace.QName">
<constructor-arg value="http://www.w3.org/2000/09/xmldsig#"/>
<constructor-arg value="Signature"/>
</bean>
</key>
</entry>
</map>
</entry>
...
</map>
</constructor-arg>
</bean>
|
Custom Actions
As of CXF 2.2.6, you can specify custom WSS4J Action configurations on the WSS4JOutInterceptor. To activate this configuration option, one provides a non-WSS4J defined property, wss4j.action.map, to the WSS4JOutInterceptor as shown in the following Spring example. The same configuratoin can be acheieved through the API as well. The key value is an integer representing the WSS4J action identifier. The entry values can be a String representing a class name of the action to instantiate or an Object implementing Action. This configuration option allows you to override built-in action implementations or add your own.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
<constructor-arg>
<map>
...
<!-- Redefines the action for SAMLTokenSigned to use a custom implementation. -->
<entry key="wss4j.action.map">
<map key-type="java.lang.Integer" value-type="java.lang.Object">
<entry key="0x10" value-ref="mySamlTokenSignedAction"/>
</map>
</entry> ...
</map>
</constructor-arg>
</bean>
|
Configuring WS-Security Actions
...