JAAS does not determine what authentication information should look like in SOAP, but WS-Security determines what standard tokens you can use during client-server exchanges (username + password token / X.509 / SAML / Kerberos Token certificate).
EDIT: As for the Metro WebService stack, you need to (steps taken from here and here):
- Embed a handler that implements javax.xml.ws.handler.soap.SOAPHandler in the JAX-WS handler chain, either programmatically via ((BindingProvider)port).getBinding().setHandlerChain(Collections.singletonList(handler)), or declaratively by adding the @HandlerChain(file = "handlers.xml") annotation to your WS endpoint interface.
- The handler must instantiate the XWSSProcessor using the XWSSProcessorFactory, which is passed the callback handler, which implements javax.security.auth.callback.CallbackHandler.
- The callback handler, for example, defines the validator on the callback (depends on the type of callback).
This is the same as doing it manually (since in any case the first step is to parse the SOAP message), with WSS sugar on top. But WSIT (and CXF) use the JAAS API and provide standard implementations for various authentication tokens. Some configuration / coding is required to use them, but the advantage is that if you later decide to switch from Kerberos authentication to authentication, you do not need a lot of code. In addition, "doing it manually" means that you need to deal with authentication information at the XML level, and what you end up doing is implementing one of the standards.
I suggest using Apache CXF, which is based on WSS4J, the Apache implementation of WS-Security. You can easily find tutorials (for example, here and here for user + password, here and here for SAML) that show how to define callbacks / interceptors for checking authentication information. The advantage of CXF is that it has nice integration with Spring.
dma_k
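To make the "doing it manually at the XML level" part of the answer concrete, here is an added example (my own code, not dma_k's and not part of Metro, WSIT or CXF): a plain JAX-WS SOAPHandler that reads a WS-Security UsernameToken from the wsse:Security header and checks it through a javax.security.auth.callback.CallbackHandler. It handles only the clear-text PasswordText profile (PasswordDigest, nonces and timestamps are exactly what XWSS/WSS4J add for you), and the context key PRINCIPAL_KEY and the demoCredentials helper are names chosen for this example, not part of any API.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPConstants;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Inbound-only JAX-WS handler that verifies a WS-Security UsernameToken (PasswordText profile). */
public class UsernameTokenHandler implements SOAPHandler<SOAPMessageContext> {
    // Standard WS-Security 1.0 namespace / password-type URIs from the OASIS specs.
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    static final QName SECURITY_HEADER = new QName(WSSE, "Security");
    /** Hypothetical context key under which the endpoint can read the authenticated user via WebServiceContext. */
    public static final String PRINCIPAL_KEY = "example.authenticated.user";

    private final CallbackHandler credentials;

    public UsernameTokenHandler(CallbackHandler credentials) { this.credentials = credentials; }

    /** Declaring the header marks wsse:Security as understood, so a mustUnderstand="1" header does not fault. */
    @Override public Set<QName> getHeaders() { return Collections.singleton(SECURITY_HEADER); }

    @Override public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) return true; // responses carry no credentials
        try {
            SOAPHeader header = ctx.getMessage().getSOAPHeader();
            Element token = header == null ? null : firstDescendant(header, "UsernameToken");
            if (token == null) throw fault("Missing wsse:UsernameToken");
            Element pw = firstDescendant(token, "Password");
            String user = text(firstDescendant(token, "Username"));
            if (pw == null || user.isEmpty()) throw fault("Incomplete wsse:UsernameToken");
            // Only clear-text passwords are handled here; reject digest tokens instead of silently accepting them.
            String type = pw.getAttribute("Type");
            if (!type.isEmpty() && !PASSWORD_TEXT.equals(type)) throw fault("Unsupported password type");
            if (!matches(user, pw.getTextContent().toCharArray())) throw fault("Authentication failed");
            // Hand the identity to the endpoint; APPLICATION scope makes it visible outside the handler chain.
            ctx.put(PRINCIPAL_KEY, user);
            ctx.setScope(PRINCIPAL_KEY, MessageContext.Scope.APPLICATION);
            return true;
        } catch (SOAPException e) {
            throw fault("Malformed SOAP header");
        }
    }

    /** Looks the user up through the JAAS callbacks and compares passwords in constant time. */
    private boolean matches(String user, char[] presented) {
        NameCallback name = new NameCallback("user");
        name.setName(user);
        PasswordCallback stored = new PasswordCallback("password", false);
        try {
            credentials.handle(new Callback[] { name, stored });
        } catch (IOException | UnsupportedCallbackException e) {
            return false;
        }
        char[] expected = stored.getPassword();
        if (expected == null) return false; // unknown user
        boolean ok = MessageDigest.isEqual(new String(expected).getBytes(StandardCharsets.UTF_8),
                                           new String(presented).getBytes(StandardCharsets.UTF_8));
        stored.clearPassword();
        return ok;
    }

    /** First wsse:* descendant with the given local name, or null (descendant search, so the token may be nested). */
    private static Element firstDescendant(Element parent, String local) {
        NodeList nl = parent.getElementsByTagNameNS(WSSE, local);
        return nl.getLength() == 0 ? null : (Element) nl.item(0);
    }

    private static String text(Element e) { return e == null ? "" : e.getTextContent().trim(); }

    /** Builds a SOAP 1.1 Client fault so the caller sees a standard fault rather than a stack trace. */
    private static SOAPFaultException fault(String reason) {
        try {
            return new SOAPFaultException(SOAPFactory.newInstance()
                    .createFault(reason, new QName(SOAPConstants.URI_NS_SOAP_1_1_ENVELOPE, "Client")));
        } catch (SOAPException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }

    /** Constructed in-memory credential store for this demonstration; a real one would consult a user directory. */
    public static CallbackHandler demoCredentials(Map<String, char[]> users) {
        return callbacks -> {
            String user = null;
            for (Callback c : callbacks) if (c instanceof NameCallback) user = ((NameCallback) c).getName();
            for (Callback c : callbacks) if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(user == null ? null : users.get(user));
        };
    }
}
```

Register it the way the answer describes: programmatically with `endpoint.getBinding().setHandlerChain(Collections.singletonList(new UsernameTokenHandler(UsernameTokenHandler.demoCredentials(users))))` before `Endpoint.publish`, or declaratively through @HandlerChain (which then needs a no-arg constructor that obtains the CallbackHandler itself). On Java 11 and later the javax.xml.ws / javax.xml.soap packages come from a JAX-WS runtime dependency rather than the JDK. Once this grows beyond clear-text passwords (digests, signed tokens, timestamps), you are re-implementing the standard, which is the point at which XWSS or WSS4J/CXF pay off.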