I'm new to ADF mobile application development. I'm currently blocked in a scenario. I have a web service(from third party) which needs to retrieve data. In soapUI, the web service will retrieve the response only when there is this security tag. Otherwise it will give response as invalid security. The web service looks like this:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xx="http://xmlns.oracle.com/apps/csf/soaprovider/plsql/xx_fs_mob_login/" xmlns:get="http://xmlns.oracle.com/apps/csf/soaprovider/plsql/xx_fs_mob_login/get_login/">
<soapenv:Header>
<xx:SOAHeader>
<!--Optional:-->
<xx:Responsibility>XXX</xx:Responsibility>
<!--Optional:-->
<xx:RespApplication>XXX</xx:RespApplication>
<!--Optional:-->
<xx:SecurityGroup>XXX</xx:SecurityGroup>
<!--Optional:-->
<xx:NLSLanguage>XXX</xx:NLSLanguage>
<!--Optional:-->
<xx:Org_Id>XXX</xx:Org_Id>
</xx:SOAHeader>
<The portion which is excluded from the soap, but which is required for getting response>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-1">
<wsse:Username>XXX</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXX</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">XXX</wsse:Nonce>
<wsu:Created>2013-02-13T08:58:50.649Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
<The portion which is excluded from the soap, but which is required for getting response>
</soapenv:Header>
<soapenv:Body>
<get:InputParameters>
<!--Optional:-->
<get:P_USERNAME>XXX</get:P_USERNAME>
</get:InputParameters>
</soapenv:Body>
</soapenv:Envelope>
I tried the steps described in ADF mobile tutorial to get web service data. But I'm getting response code 500 from the server. I tried the steps for secured web service also. But I'm not sure which security policy has been implemented in the web service. I tried with oracle/wss_username_client_token_policy and some others but didn't succeed. Later I tried by creating web service client/proxy. But as Oracle ADF only supports java 1.4, I got errors in the generated code(errors on generics and annotation).
The WSDL for the web service is as follows:
<definitions xmlns:tns="http://xmlns.oracle.com/apps/csf/soaprovider/plsql/xx_fs_mob_login/" xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns1="http://xmlns.oracle.com/apps/csf/soaprovider/plsql/xx_fs_mob_login/get_login/" name="XX_FS_MOB_LOGIN" targetNamespace="http://xmlns.oracle.com/apps/csf/soaprovider/plsql/xx_fs_mob_login/">
<types>
<schema xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://xmlns.oracle.com/apps/csf/soaprovider/plsql/xx_fs_mob_login/get_login/">
<include schemaLocation="http://27.251.157.211:8000/webservices/SOAProvider/plsql/xx_fs_mob_login/APPS_XX_FS_MOB_LOGIN_GET_LOGIN.xsd"/>
</schema>
<schema xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://xmlns.oracle.com/apps/csf/soaprovider/plsql/xx_fs_mob_login/">
<element name="SOAHeader">
<complexType>
<sequence>
<element name="Responsibility" minOccurs="0" type="string"/>
<element name="RespApplication" minOccurs="0" type="string"/>
<element name="SecurityGroup" minOccurs="0" type="string"/>
<element name="NLSLanguage" minOccurs="0" type="string"/>
<element name="Org_Id" minOccurs="0" type="string"/>
</sequence>
</complexType>
</element>
</schema>
</types>
<message name="GET_LOGIN_Input_Msg">
<part name="header" element="tns:SOAHeader"/>
<part name="body" element="tns1:InputParameters"/>
</message>
<message name="GET_LOGIN_Output_Msg">
<part name="body" element="tns1:OutputParameters"/>
</message>
<portType name="XX_FS_MOB_LOGIN_PortType">
<operation name="GET_LOGIN">
<input message="tns:GET_LOGIN_Input_Msg"/>
<output message="tns:GET_LOGIN_Output_Msg"/>
</operation>
</portType>
<binding name="XX_FS_MOB_LOGIN_Binding" type="tns:XX_FS_MOB_LOGIN_PortType">
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="GET_LOGIN">
<soap:operation soapAction="http://XXX:8000/webservices/SOAProvider/plsql/xx_fs_mob_login/"/>
<input>
<soap:header message="tns:GET_LOGIN_Input_Msg" part="header" use="literal"/>
<soap:body parts="body" use="literal"/>
</input>
<output>
<soap:body use="literal"/>
</output>
</operation>
</binding>
<service name="XX_FS_MOB_LOGIN_Service">
<port name="XX_FS_MOB_LOGIN_Port" binding="tns:XX_FS_MOB_LOGIN_Binding">
<soap:address location="http://XXX:8000/webservices/SOAProvider/plsql/xx_fs_mob_login/"/>
</port>
</service>
</definitions>
Please help me to figure out a solution for this.
Thanks in advance
Rino
You won't be able to get far in accessing a secure Web service directly from ADF Mobile if you don't know the type of security it uses.
If you can create a proxy client that invokes the web service, then one solution is to run that on the server, and expose that client as a web service that the ADF Mobile layer can access.
Related
I'm using WSO2 with the VFS. I need to take the incoming file, fileinput.xml and log the id fields together. The VFS is enabled and functional and when I move my fileinput.xml into my test_in folder it appropriately gets handled and put into test_out or test_failure correctly. I've read a lot of online documentation but have been unable to wrap my head around how to do the following.
My Question is
How do I get a property from my fileinput.xml ?
How do I iterate over the ids and concatenate them together in a log?
fileinput.xml
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/>
<soapenv:Body>
<customers>
<customer>
<id>testid1</id>
<prop1>a</prop1>
<prop2>b</prop2>
<customer/>
<customer>
<id>testid2</id>
<prop1>3</prop1>
<prop2>4</prop2>
<customer/>
</customers>
</soapenv:Body>
</soapenv:Envelope>
My wso2 proxy file
<?xml version="1.0" encoding="UTF-8"?>
<proxy
xmlns="http://ws.apache.org/ns/synapse" name="FileProxy" transports="vfs" startOnLoad="true" trace="disable">
<target>
<parameter name="transport.vfs.ActionAfterProcess">MOVE</parameter>
<parameter name="transport.vfs.ActionAfterFailure">MOVE</parameter>
<parameter name="transport.PollInterval">5</parameter>
<parameter name="transport.vfs.FileURI">file:///Users/myuser/test_in</parameter>
<parameter name="transport.vfs.MoveAfterProcess">file:///Users/myusertest_out</parameter>
<parameter name="transport.vfs.MoveAfterFailure">file:///Users/myuser/test_failure</parameter>
<parameter name="transport.vfs.FileNamePattern">.*.xml</parameter>
<parameter name="transport.vfs.ContentType">text/xml</parameter>
<inSequence>
<log category="WARN" level="full">
<property name="MESSAGE" value="In Sequence"/>
</log>
<clone>
<target sequence="fileWriteSequence"/>
</clone>
</inSequence>
</target>
<outSequence>
<log category="WARN" level="full">
<property name="MESSAGE" value="Out Sequence"/>
</log>
<send/>
</outSequence>
</proxy>
My fileWriteSequence
<?xml version="1.0" encoding="UTF-8"?>
<sequence name="fileWriteSequence">
<log level="full">
<property name="sequence" value="fileWriteSequence"/>
</log>
<property name="transport.vfs.ReplyFileName" expression="fn:concat(fn:substring-after(get-property('MessageID'), 'urn:uuid:'), '.txt')" scope="transport"/>
<property name="OUT_ONLY" value="true"/>
<send>
<endpoint name="FileEpr">
<address uri="vfs:file:///Users/myuser/test_out"/>
</endpoint>
</send>
</sequence>
You can use the iterate mediator to iterate over 'id' element and use a property in the operation scope to concatenate all the id values. Refer this
I am inserting into three tables using Box_caring feature, insertion happening properly but if some error comes in between while inserting into tables its not roll backing the data.
I'm looking for a solution to the following challenge:Have a set of related tables. They are related by primary/foreign key relations and need to update/insert objects in the related tables. Insert/update happening inside iterator mediator. what happens when one of the updates/insert fails? Will all the inserted/updated objects rolled back?.
Please give any ideas or links or code snippet to make it work.
Note: Am using wso2 esb-4.8.1, wso2 dss-3.2.2 and MSSQL database
Gone through below links:
http://charithaka.blogspot.in/2014/02/common-mistakes-to-avoid-in-wso2-esb-1.html
How we can ROLLBACK the Transaction in WSO2DSS or WSO2ESB
Thanks in advance
Here you have to implement Distributed XA transactions. Could you please refer to the article [1] which will guide you through this.
[1]https://docs.wso2.com/display/ESB490/Sample+657%3A+Distributed+Transaction+Management
When you are using box_carring feature, you have to maintain same session across all the operation calls. Otherwise, it will evaluates as separated calls and will not be atomic. Here is a sample synapse config that can be used to maintain the same session.
<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
name="ESBService"
transports="https http"
startOnLoad="true"
trace="disable">
<description/>
<target>
<inSequence>
<transaction action="new"/>
<property name="id" expression="json-eval($.id)"/>
<property name="userName" expression="json-eval($.userName)"/>
<property name="firstName" expression="json-eval($.firstName)"/>
<property name="lastName" expression="json-eval($.lastName)"/>
<property name="address" expression="json-eval($.address)"/>
<enrich>
<source type="body" clone="true"/>
<target type="property" property="FirstBody"/>
</enrich>
<property name="messageType" value="application/xml" scope="axis2"/>
<header name="Action" value="urn:begin_boxcar"/>
<payloadFactory media-type="xml">
<format>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:dat="http://ws.wso2.org/dataservice">
<soapenv:Header/>
<soapenv:Body>
<dat:begin_boxcar/>
</soapenv:Body>
</soapenv:Envelope>
</format>
<args/>
</payloadFactory>
<call>
<endpoint>
<address uri="http://localhost:9764/services/testService.SOAP11Endpoint/"/>
</endpoint>
</call>
<property name="setCookieHeader" expression="$trp:Set-Cookie"/>
<property name="Cookie"
expression="get-property('setCookieHeader')"
scope="transport"/>
<property name="OUT_ONLY" value="true"/>
<payloadFactory media-type="xml">
<format>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:dat="http://ws.wso2.org/dataservice">
<soapenv:Header/>
<soapenv:Body>
<p:insert_employee xmlns:p="http://ws.wso2.org/dataservice">
<xs:UserId xmlns:xs="http://ws.wso2.org/dataservice">$1</xs:UserId>
<xs:userName xmlns:xs="http://ws.wso2.org/dataservice">$2</xs:userName>
<xs:firstName xmlns:xs="http://ws.wso2.org/dataservice">$3</xs:firstName>
<xs:lastName xmlns:xs="http://ws.wso2.org/dataservice">$4</xs:lastName>
</p:insert_employee>
</soapenv:Body>
</soapenv:Envelope>
</format>
<args>
<arg evaluator="xml" expression="get-property('id')"/>
<arg evaluator="xml" expression="get-property('userName')"/>
<arg evaluator="xml" expression="get-property('firstName')"/>
<arg evaluator="xml" expression="get-property('lastName')"/>
</args>
</payloadFactory>
<property name="Content-Encoding" scope="transport" action="remove"/>
<property name="Cookie"
expression="get-property('setCookieHeader')"
scope="transport"/>
<call>
<endpoint>
<address uri="http://localhost:9764/services/testService.SOAP11Endpoint/"/>
</endpoint>
</call>
<payloadFactory media-type="xml">
<format>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:dat="http://ws.wso2.org/dataservice">
<soapenv:Header/>
<soapenv:Body>
<dat:end_boxcar/>
</soapenv:Body>
</soapenv:Envelope>
</format>
<args/>
</payloadFactory>
<property name="Content-Encoding" scope="transport" action="remove"/>
<property name="Cookie"
expression="get-property('setCookieHeader')"
scope="transport"/>
<call>
<endpoint>
<address uri="http://localhost:9764/services/testService.SOAP11Endpoint/"/>
</endpoint>
</call>
<respond/>
</inSequence>
<faultSequence>
<log>
<property name="END" value="****ROLLBACK****"/>
</log>
<transaction action="rollback"/>
<respond/>
</faultSequence>
</target>
</proxy>
However, you can use request_box feature, where you do not have to maintain the session across operations.
Thanks
I am new to wso2 and working on a few POCs where i have to create a file at some location , i have looked into all vfs examples where there is always a file processed and written to a new location.
What i want to achieve is write a new file to a directory by the content i receive in a sequence.
For my requirement process i have exposed a REST service and it calls this sequence.
The sequence configuration is as follows.
<?xml version="1.0" encoding="UTF-8"?>
<sequence xmlns="http://ws.apache.org/ns/synapse" name="FileWriteSequence">
<clone>
<target>
<sequence>
<property name="OUT_ONLY" value="true" scope="default" type="STRING"/>
<property name="transport.vfs.ReplyFileName" value="myOutputFile.txt" scope="transport" type="STRING"/>
<send>
<endpoint name="FileEpr">
<address uri="vfs:file://D:/Tools"/>
</endpoint>
</send>
</sequence>
</target>
</clone>
This sequence creates a file from the latest message from the REST resource but the file name is always the project name.
Whatever i try it doesnt change.
I have tried giving other proxy parameters shown below as property above my sequence as well .Instead of paramters i passed them above the property <property name="OUT_ONLY" value="true" scope="default" type="STRING"/>
Namely :-
<parameter name="transport.vfs.ActionAfterProcess">MOVE</parameter>
<parameter name="transport.vfs.MoveAfterProcess">file://D:/Tools</parameter>
<parameter name="transport.vfs.MoveAfterFailure">file://D:/backup</parameter>
<parameter name="transport.vfs.FileNamePattern">.*.txt</parameter>
<parameter name="transport.vfs.ContentType">text/plain</parameter>
<parameter name="transport.vfs.ActionAfterFailure">MOVE</parameter>
Still no progress.
Can anyone help me here?
Regards,
Rahul.
In case anyone wants to know i have made a workaround for this i called a proxy service from my rest resource and it worked .
In my resource i called endpoint like this
<send>
<endpoint key="FileProxyEndPt"/>
</send>
Then i created a proxy service as follows
<proxy xmlns="http://ws.apache.org/ns/synapse" name="FileWriteProxy"
transports="http https vfs" startOnLoad="true" trace="enable">
<target>
<inSequence>
<clone>
<target sequence="FileWriteSequence" />
</clone>
</inSequence>
<outSequence />
<faultSequence />
</target>
<parameter name="transport.vfs.ActionAfterProcess">MOVE</parameter>
<parameter name="transport.vfs.MoveAfterProcess">file://D:/Tools</parameter>
<parameter name="transport.vfs.MoveAfterFailure">file://D:/backup</parameter>
<parameter name="transport.vfs.ContentType">text/plain; charset=ISO-8859-1</parameter>
<parameter name="transport.vfs.ActionAfterFailure">MOVE</parameter>
This way it worked it but never worked exactly in a resource.So had to take a longer route , hope somebody provides a solution which can be implemented directly.
I use mule CE 3.3.0. My project has the following:
<mule xmlns:http="http://www.mulesoft.org/schema/mule/http"
xmlns:cxf="http://www.mulesoft.org/schema/mule/cxf" xmlns:scripting="http://www.mulesoft.org/schema/mule/scripting"
xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security"
xmlns:ss="http://www.springframework.org/schema/security"
xmlns:spring="http://www.springframework.org/schema/beans" version="CE-3.3.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/cxf http://www.mulesoft.org/schema/mule/cxf/current/mule-cxf.xsd
http://www.mulesoft.org/schema/mule/spring-security http://www.mulesoft.org/schema/mule/spring-security/3.3/mule-spring-security.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/scripting http://www.mulesoft.org/schema/mule/scripting/current/mule-scripting.xsd ">
<global-property name="allowed" value="192.168.3.76,192.168.3.74,192.168.3.75" />
<configuration>
<expression-language>
<global-functions>
def parseIp(fullIp) {
return fullIp.substring(fullIp.indexOf('/') + 1, fullIp.indexOf(':'))
}
</global-functions>
</expression-language>
</configuration>
<http:connector name="httpConnector" doc:name="HTTP\HTTPS">
<service-overrides sessionHandler="org.mule.session.NullSessionHandler" />
</http:connector>
<mule-ss:security-manager>
<mule-ss:delegate-security-provider
name="memory-dao" delegate-ref="authenticationManager" />
</mule-ss:security-manager>
<spring:beans>
<ss:authentication-manager
xmlns:ss="http://www.springframework.org/schema/security" alias="authenticationManager">
<ss:authentication-provider>
<ss:user-service id="userService">
<ss:user name="weather" password="weather" authorities="ROLE_ADMIN" />
</ss:user-service>
</ss:authentication-provider>
</ss:authentication-manager>
</spring:beans>
<flow name="OML_News" doc:name="OML_News">
<http:inbound-endpoint host="localhost" port="9091"
path="iran/oml_news" exchange-pattern="request-response" doc:name="HTTP">
<mule-ss:http-security-filter realm="mule-realm" />
</http:inbound-endpoint>
<expression-filter
expression="#['${allowed}'.contains(parseIp(message.inboundProperties['MULE_REMOTE_CLIENT_ADDRESS']))]"
doc:name="Expression" />
<cxf:proxy-service
service="Weather"
wsdlLocation="http://wsf.cdyne.com/WeatherWS/Weather.asmx?wsdl"
namespace="http://ws.cdyne.com/WeatherWS/"
validationEnabled="true" doc:name="SOAP">
</cxf:proxy-service>
<copy-properties propertyName="SOAPAction" doc:name="Property" />
<cxf:proxy-client doc:name="SOAP" />
<outbound-endpoint
address="http://wsf.cdyne.com/WeatherWS/Weather.asmx"
exchange-pattern="request-response" doc:name="Generic">
</outbound-endpoint>
</flow>
I launch a cxf service. There are some customers who use wsdl address in my cxf service and they implemented web services. Now I want that will be possible to determine how many users are using my wsdl address and each of them how many requests do send to my server? In fact, I want create a report system.
There are several ways you can do this, for example you can add a wiretap after your http inbound endpoint and invoke either a custom component that gather statistics in a database or more elegantly call a flow that does this.
<http:inbound-endpoint address="http://yourendpointaddress:8080/path" />
<wire-tap>
<vm:outbound-endpoint path="stats" />
</wire-tap>
And then
<flow name="statsFlow">
<vm:inbound-endpoint path="stats" />
<!-- gather stats from the headers -->
<jdbc:outbound-endpoint queryKey="insertStatsIntoDB" />
</flow>
This should gather statistics without affecting performance.
I was wondering if it is possible to build a cxf-bc with WS-SecurityPolicy instead of just the WS-Security. WS-SecurityPolicy seems to be a more elegant solution since everything is in the WSDL. Examples welcome. :)
Well with David's help I got the CXF-BC to install and running on the ESB, but I can't seem to test it. It keeps coming back with:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
My msg:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:typ="http://nwec.faa.gov/wxrec/UserAccount/types">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-25" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>bob</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobspassword</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<wsa:Action>http://nwec.faa.gov/wxrec/UserAccount/UserAccountPortType/ApproveDenyAccountRequest</wsa:Action>
</soapenv:Header>
<soapenv:Body>
...
</soapenv:Body>
Here's the policy in the wsdl:
<wsp:Policy wsu:Id="UserAccountBindingPolicy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:ExactlyOne>
<wsp:All>
<wsaw:UsingAddressing xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" wsp:Optional="true" />
<wsp:Policy >
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
<wsp:Policy>
<sp:WssUsernameToken10 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
As of the resolution of https://issues.apache.org/activemq/browse/SMXCOMP-711 and https://issues.apache.org/activemq/browse/SMXCOMP-712 (servicemix-cxf-bc-2010.01) it should be possible and easy to do.
See http://fisheye6.atlassian.com/browse/servicemix/components/bindings/servicemix-cxf-bc/trunk/src/test/java/org/apache/servicemix/cxfbc/ws/security/CxfBcSecurityJAASTest.java?r=HEAD for an example. Specifically the testJAASPolicy method.
As for the error relating to asserting the UsernameToken assertion, you may want to try putting the UsernameToken assertion inside of a SupportingToken or binding assertion depending on what you want to do with the token. It looks like you just want a username and password to be passed in the message without any other security such as a cryptographic binding of the token to the message or encryption so a supporting token will likely fit your needs.
I also urge you to consider the following additional precautions when using a UsernameToken:
Cryptographically bind the token to the message using a signature.
Use a nonce and created timestamp and cache the token on the server to prevent replay
Consider encrypting the token (before signing if you also sign) using XML enc
Using TLS either in lieu of or in addition to the above suggestions
With david's and Freeman over at the servicemix-user mailing-list. I was able finally get the correct configuration to implement WS-Security Policy.
Here's my final beans.xml for the my BC
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cxfbc="http://servicemix.apache.org/cxfbc/1.0" xmlns:util="http://www.springframework.org/schema/util"
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:person="http://www.mycompany.com/ws-sec-proto"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd
http://servicemix.apache.org/cxfbc/1.0
http://repo2.maven.org/maven2/org/apache/servicemix/servicemix-cxf-bc/2010.01/servicemix-cxf-bc-2010.01.xsd
http://cxf.apache.org/transports/http-jetty/configuration
http://cxf.apache.org/schemas/configuration/http-jetty.xsd
http://cxf.apache.oarg/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd">
<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-http.xml" />
<import resource="classpath:META-INF/cxf/osgi/cxf-extension-osgi.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-policy.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-ws-security.xml" />
<bean id="myPasswordCallback" class="com.mycompany.ServerPasswordCallback" />
<cxfbc:consumer wsdl="classpath:wsdl/person.wsdl"
targetService="person:PersonService" targetInterface="person:Person"
properties="#properties" delegateToJaas="false" >
<!-- not important for ws-security
<cxfbc:inInterceptors>
<bean class="com.mycompany.SaveSubjectInterceptor" />
<bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
</cxfbc:inInterceptors>
-->
</cxfbc:consumer>
<util:map id="properties">
<entry>
<key>
<util:constant
static-field="org.apache.cxf.ws.security.SecurityConstants.CALLBACK_HANDLER" />
</key>
<ref bean="myPasswordCallback" />
</entry>
</util:map>
<httpj:engine-factory bus="cxf">
<httpj:engine port="9001">
<httpj:tlsServerParameters>
<sec:keyManagers keyPassword="password">
<sec:keyStore type="JKS" password="password" resource="certs/cherry.jks" />
</sec:keyManagers>
<sec:cipherSuitesFilter>
<sec:include>.*_WITH_3DES_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:exclude>.*_WITH_NULL_.*</sec:exclude>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
<sec:clientAuthentication want="false"
required="false" />
</httpj:tlsServerParameters>
</httpj:engine>
</httpj:engine-factory>
<bean id="cxf" class="org.apache.cxf.bus.CXFBusImpl" />
<bean class="org.apache.servicemix.common.osgi.EndpointExporter" />
</beans>
Full example can be found here but it may not be there after a while.