Versions Compared

Old Version 46

changes.mady.by.user Freeman Fang

Saved on

compared with

New Version 47

changes.mady.by.user Glen Mazza

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added UsernameToken config info from Security page (would be good if we could point to an example showing config info though)

...

Here is an example of WS-Security implemented using annotations for interceptors (uses UsernameToken).

WS-Security UsernameToken and Custom Authentication

If needed, one may want to configure a jaxws:endpoint with a "ws-security.validate.token" property set to false and register a custom org.apache.cxf.interceptor.security.AbstractUsernameTokenInInterceptor implementation for using a WSS4J UsernameToken wrapped in a CXF specific UsernameToken for the custom authentication and Subject creation. The JAASLoginInterceptor will also recognize a CXF UsernameToken and thus can be used instead of the custom org.apache.cxf.interceptor.security.AbstractUsernameTokenInterceptor. (Prior to CXF 2.4.0, use "ws-security.ut.no-callbacks" instead of "ws-security.validate.token" with the value of true instead of false to postpone the validation of the token.)

Using X.509 Certificates

The X.509 Certificate Token Profile (pdf) provides another option for implementing WS-Security. For the Signature and Encryption actions, you'll need to create a public & private key for the entities involved. You can generate a self-signed key pair for your development environment via the following steps. Keep in mind these will not be signed by an external authority like Verisign, so are inappropriate for production use.

...