Well, yes, I've already found and studied this (especially http://docs.jboss.org/jbossas/6/WebServices_Guide/en-US/html/chap_JBossWS-StackCXFUserGuide.html) via Google.
However, in the examples, they mess with heavy XML configuration which would break my approach using annotations for all the web services. Furthermore, Spring is required in order for this to work. This is not what I call a "lightweight" solution.
So I don't want to rely on any container magic, I just want to inject my stateless session bean somewhere in the handler chain to parse the SOAP header and to check the username in the database...
No one has an idea?
What's the default procedure to add WS-Security UsernameToken capabilities to JBoss AS 6?
I think this should be a quite common task...
If you want to use the full WS-Security facilities coming with Apache CXF and hence JBossWS-CXF, you need to go through the Spring configuration, which covers the stack specific aspect of configuring the security engine, similarly to what you did with the jboss-wsse-endpoint.xml on JBossWS-Native stack.
The documentation on WS-Security w/ JBossWS-CXF is at http://community.jboss.org/wiki/JBossWS-StackCXFUserGuide#WSSecurity . Please also consider taking a look at the mentioned Apache CXF doc there.
On the contrary, if you just want to implement a home brew solution for checking some of the WS-Security headers, you can avoid setting up security at all and install your custom handlers / interceptors. Handlers configuration is covered by standard specs and hence can be done in a stack agnostic way (see the @HandlerChain annotation). Alternatively, you can use CXF interceptors, declared through @InInterceptor/@OutInterceptor/.. (see Apache CXF doc on that).
Okay, thanks a lot for this clear statement.
Since I only need a few base functionalities, I absolutely prefer the "home brew" solution. I'll have a look at the suggested methods, maybe I'll come back later ;-)
I am trying to migrate to the cxf stack an application that was previously using the jboss-wsse-endpoint.xml on JBossWS-Native stack to implement username token authentication.
I have installed the spring deployer and used the jbossws-cxf.xml file to define username token authentication as in
What I want to ask is how to do this part that is indicated there:
"Authentication and authorization will simply be delegated to the security domain configured for the endpoint. Of course you can specify the login module you prefer for that security domain (refer the application server / security documentation for that)."
How do I do that? I mean, is it sufficient to annotate my endpoint with @SecurityDomain and specify the application policy in login-config.xml?
Consider taking a look at the package org.jboss.test.ws.jaxws.samples.wsse* in the jbossws-cxf sources.