WS-Security
Stable • Since 0.14.0
Provides CXF framework’s WS-Security implementation.
Maven coordinates
Create a new project using quarkus-cxf-rt-ws-security on code.quarkus.io
or add these coordinates to your existing project:
    <dependency>
        <groupId>io.quarkiverse.cxf</groupId>
        <artifactId>quarkus-cxf-rt-ws-security</artifactId>
    </dependency>

Check the User guide and especially its Dependency management section for more information about writing applications with CXF Extensions for Quarkus.
Usage
The CXF framework’s WS-Security implementation is based on WSS4J. The example below shows how to integrate with WSS4J using interceptors.
Currently, only the programmatic WSS4JInterceptors are supported. Actions like Timestamp, UsernameToken, Signature, Encryption, etc., can be applied to the interceptors by passing the appropriate configuration properties.
A SOAP Service with WS-Security
Add the WSS4JInInterceptor to in-interceptors of your web service in application.properties:
    quarkus.cxf.endpoint."/rounder".in-interceptors = org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor

The sample code snippets used in this section come from the WS-Security server integration test in the source tree of CXF Extensions for Quarkus.
Then you can configure your WSS4JInInterceptor using CDI like the following:
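    import java.io.IOException;
    import java.util.HashMap;
    import java.util.Map;

    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;

    // jakarta.* on Quarkus 3.x; javax.* on Quarkus 2.x
    import jakarta.enterprise.context.ApplicationScoped;
    import jakarta.enterprise.inject.Produces;

    import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
    import org.apache.wss4j.common.ConfigurationConstants;
    import org.apache.wss4j.common.ext.WSPasswordCallback;
    import org.eclipse.microprofile.config.inject.ConfigProperty;

    import io.quarkus.arc.Unremovable;

    @ApplicationScoped
    public class WSS4JInInterceptorProducer {

        /** Produced in CxfWssServerTestResource */
        @ConfigProperty(name = "wss.username", defaultValue = "cxf")
        String username;

        /** Produced in CxfWssServerTestResource */
        @ConfigProperty(name = "wss.password", defaultValue = "pwd")
        String password;

        @Produces
        @Unremovable
        @ApplicationScoped
        WSS4JInInterceptor wssInterceptor() {
            final CallbackHandler passwordCallback = new CallbackHandler() {
                @Override
                public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                    for (Callback callback : callbacks) {
                        if (callback instanceof WSPasswordCallback) {
                            final WSPasswordCallback pc = (WSPasswordCallback) callback;
                            // Supply the expected password only for the known user;
                            // for any other identifier no password is set.
                            if (username.equals(pc.getIdentifier())) {
                                pc.setPassword(password);
                            }
                            return;
                        }
                    }
                }
            };
            final Map<String, Object> props = new HashMap<>();
            props.put(ConfigurationConstants.ACTION, "UsernameToken");
            // PasswordText carries the password itself in the SOAP header
            props.put(ConfigurationConstants.PASSWORD_TYPE, "PasswordText");
            props.put(ConfigurationConstants.USER, username);
            props.put(ConfigurationConstants.PW_CALLBACK_REF, passwordCallback);
            return new WSS4JInInterceptor(props);
        }
    }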
A SOAP client using WS-Security
The corresponding client implementation is slightly different: it uses WSS4JOutInterceptor, registered under out-interceptors in application.properties:

    quarkus.cxf.client."wss-client".out-interceptors=org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor

The sample code snippets used in this section come from the WS-Security client integration test in the source tree of CXF Extensions for Quarkus.
Then producing the WSS4JOutInterceptor could look like the following.
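    import java.io.IOException;
    import java.util.HashMap;
    import java.util.Map;

    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;

    // jakarta.* on Quarkus 3.x; javax.* on Quarkus 2.x
    import jakarta.enterprise.context.ApplicationScoped;
    import jakarta.enterprise.inject.Produces;

    import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
    import org.apache.wss4j.common.ConfigurationConstants;
    import org.apache.wss4j.common.ext.WSPasswordCallback;
    import org.eclipse.microprofile.config.inject.ConfigProperty;

    import io.quarkus.arc.Unremovable;

    @ApplicationScoped
    public class WSS4JOutInterceptorProducer {

        /** Produced in CxfWssClientTestResource */
        @ConfigProperty(name = "wss.username")
        String username;

        /** Produced in CxfWssClientTestResource */
        @ConfigProperty(name = "wss.password")
        String password;

        @Produces
        @Unremovable
        @ApplicationScoped
        WSS4JOutInterceptor wssInterceptor() {
            final CallbackHandler passwordCallback = new CallbackHandler() {
                @Override
                public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                    for (Callback callback : callbacks) {
                        if (callback instanceof WSPasswordCallback) {
                            ((WSPasswordCallback) callback).setPassword(password);
                            // Return only once the password callback has been served,
                            // so a different callback in first position does not end the loop.
                            return;
                        }
                    }
                }
            };
            final Map<String, Object> props = new HashMap<>();
            props.put(ConfigurationConstants.ACTION, "UsernameToken");
            // PasswordText carries the password itself in the SOAP header
            props.put(ConfigurationConstants.PASSWORD_TYPE, "PasswordText");
            props.put(ConfigurationConstants.USER, username);
            props.put(ConfigurationConstants.PW_CALLBACK_REF, passwordCallback);
            // Nonce and Created are added to the outgoing UsernameToken
            props.put(ConfigurationConstants.ADD_USERNAMETOKEN_NONCE, "true");
            props.put(ConfigurationConstants.ADD_USERNAMETOKEN_CREATED, "true");
            return new WSS4JOutInterceptor(props);
        }
    }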
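The Usage section notes that actions such as Timestamp and UsernameToken are combined through configuration properties; the following added example (not taken from the CXF Extensions for Quarkus source tree) builds a matching server and client interceptor pair that uses both actions with PasswordDigest instead of PasswordText. The class name, method names and the 60-second lifetimes are assumptions; the ConfigurationConstants keys are WSS4J's own.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/** Hypothetical helper, not part of the extension: Timestamp + digest UsernameToken. */
public final class DigestUsernameTokenInterceptors {

    /** Supplies the password only for the expected user; any other identifier gets none. */
    static CallbackHandler passwordFor(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback
                        && user.equals(((WSPasswordCallback) cb).getIdentifier())) {
                    ((WSPasswordCallback) cb).setPassword(password);
                }
            }
        };
    }

    private static Map<String, Object> baseProps(String user, String password) {
        final Map<String, Object> props = new HashMap<>();
        props.put(ConfigurationConstants.ACTION, "Timestamp UsernameToken");
        // PasswordDigest sends Base64(SHA-1(nonce + created + password)), not the password.
        props.put(ConfigurationConstants.PASSWORD_TYPE, "PasswordDigest");
        props.put(ConfigurationConstants.PW_CALLBACK_REF, passwordFor(user, password));
        props.put(ConfigurationConstants.TTL_TIMESTAMP, "60"); // seconds; assumed value
        return props;
    }

    /** Server side: the callback returns the stored plaintext so WSS4J can recompute the digest. */
    public static WSS4JInInterceptor serverIn(String user, String password) {
        final Map<String, Object> props = baseProps(user, password);
        // Reject tokens whose password type differs from PASSWORD_TYPE (off by default).
        props.put(ConfigurationConstants.PASSWORD_TYPE_STRICT, "true");
        props.put(ConfigurationConstants.TTL_USERNAMETOKEN, "60"); // max age of Created, seconds
        return new WSS4JInInterceptor(props);
    }

    /** Client side: WSS4J adds Nonce and Created itself when the type is PasswordDigest. */
    public static WSS4JOutInterceptor clientOut(String user, String password) {
        final Map<String, Object> props = baseProps(user, password);
        props.put(ConfigurationConstants.USER, user);
        return new WSS4JOutInterceptor(props);
    }
}
```

The two factory methods can be returned from the @Produces methods of producers like the ones above, with the username and password injected through @ConfigProperty.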
Please refer to WS-Security and WSS4J documentation for details.