cxf-users mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: MTOM + WS-Security X.509 Certificate Token Profile Question
Date Thu, 05 Mar 2009 02:38:52 GMT

Currently, WSS4J (and thus CXF) doesn't support encrypting/signing of
attachments. Thus, for security's sake, by default, the WSS4JOutInterceptor
turns off MTOM to make sure any data is properly protected.

If you want, you can configure the WSS4JOutInterceptor to allow MTOM to remain
on. There is an AllowMTOM property on it. Just set it to true. Just
keep in mind that the attachments would not be signed/encrypted.

Dan




On Wed March 4 2009 11:25:14 am XyLus wrote:
> Hi All
>
> I have client and server that use MTOM to send message with attachment. (it
> works fine I can see
> <xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include"
> href="$reference"/> in message and attachment bytes afterwards in Outbound
> log)
>
> I am wondering if it is possible to combine MTOM and WS-Security X.509
> Certificate Token Profile signing
>
>
> I checked out WS-Security and MTOM tutorials available on CXF page and now
> I have client code as follows:
>
>
>  UploadService ss = new UploadService(wsdlURL, SERVICE_NAME);
>         UploadServicePortType port = ss.getUploadServicePort();
>
>
>         //WS-Security via API
>
>         Map<String,Object> outProps = new HashMap<String,Object>();
>
>         outProps.put(WSHandlerConstants.ACTION, "Signature");
>         outProps.put(WSHandlerConstants.USER, "myAlias");
>         outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
> ClientPasswordCallback.class.getName());
>         outProps.put(WSHandlerConstants.SIG_PROP_FILE,
> "client_sign.properties");
>
>         org.apache.cxf.endpoint.Client client =
> org.apache.cxf.frontend.ClientProxy.getClient(port);
>         org.apache.cxf.endpoint.Endpoint cxfEndpoint =
> client.getEndpoint();
>
>         WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
>         cxfEndpoint.getOutInterceptors().add(wssOut);
>         // 2.0.x only; not needed in 2.1+
>         cxfEndpoint.getOutInterceptors().add(new SAAJOutInterceptor());
>
>         //WS-Security via API END
>
>         Binding binding = ((BindingProvider)port).getBinding();
>         ((SOAPBinding)binding).setMTOMEnabled(true);
>
>
> I've made matching changes on server side and everything works fine.
> However there is no
> <xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include"
> href="$reference"/>
> in client Inbound anymore. Instead of reference in message there is
> attachment data coded with base64 :/
>
>
> Please confirm whether my client configuration is not correct or combining
> MTOM and WS-Security at the same time is not possible.
>
> Any help would be appreciated,
> Maciej

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
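
The consequence described in the reply above, as an added example that is not part of the thread or of CXF/WSS4J: a receiver-side Python check that lists MTOM parts an `xop:Include` points to but no `ds:Reference` names. It assumes the root part comes first and that a signed attachment would be referenced by a `cid:` URI (as in the WS-Security SOAP Messages with Attachments profile); the sample message is constructed.

```python
# Added example: find MTOM attachment parts outside WS-Security signature coverage.
import email
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser
from urllib.parse import unquote

XOP = "{http://www.w3.org/2004/08/xop/include}Include"
DSREF = "{http://www.w3.org/2000/09/xmldsig#}Reference"

def _cids(elements, attr):
    """Collect the Content-IDs named by cid: URIs in the given attribute."""
    values = (e.get(attr, "") for e in elements)
    return [unquote(v[4:]) for v in values if v.startswith("cid:")]

def unsigned_attachments(raw: bytes) -> list:
    """Return Content-IDs of xop:Include targets that no ds:Reference names."""
    msg = email.message_from_bytes(raw)
    if not msg.is_multipart():
        return []  # no MIME parts: binary data travels inline as base64
    parts = msg.get_payload()
    root = ET.fromstring(parts[0].get_payload(decode=True))  # assumed root part
    present = {p.get("Content-ID", "").strip("<>") for p in parts[1:]}
    signed = set(_cids(root.iter(DSREF), "URI"))
    return [c for c in _cids(root.iter(XOP), "href")
            if c in present and c not in signed]

# Constructed sample: the Body is referenced by the signature, the attachment is not.
SAMPLE = b"""MIME-Version: 1.0
Content-Type: multipart/related; type="application/xop+xml"; boundary="b1"

--b1
Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"
Content-ID: <root@example.invalid>

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:xop="http://www.w3.org/2004/08/xop/include">
<s:Header><ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/>
</ds:SignedInfo></ds:Signature></s:Header>
<s:Body Id="body"><data><xop:Include href="cid:att1@example.invalid"/></data></s:Body>
</s:Envelope>
--b1
Content-Type: application/octet-stream
Content-ID: <att1@example.invalid>

constructed attachment bytes
--b1--
"""

if __name__ == "__main__":
    print(unsigned_attachments(SAMPLE))
```
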
