Many Thanks David for your efforts in helping me out. That will be very helpful.
Will it be a good idea to forward my doubt to CXF and WSS4J developers community?
Best Regards,

On Mon, Jul 27, 2009 at 1:35 AM, David Jencks wrote:
I chatted with Rahul on IRC a bit, and it looks to me as if his code is doing what cxf and wss4j expect.

I think the next step is to figure out exactly where the fault is coming from.

I would grep the cxf and wss4j source code for "but a password is needed".  If that doesn't find the source I would run geronimo in the debugger and put a breakpoint at the end of the handle(CallbackHandler handler) method and step through the code.

I also wonder if the fault is from the WSS4jOutInterceptor.

david jencks

On Jul 26, 2009, at 4:20 PM, rahul.soa wrote:

Just one amendment here in my speculation about the fault cause.

I wrote this in the previous thread,

"but I don't know why I am getting this error pwd == null but a password is needed at pwcb.setPassword(passwd);"

Now, I don't think this fault is coming from here

as I have tested it by removing the following code to be sure about the fault

                if (!pwcb.getPassword().equals(passwd)) {
                    LOG.debug("wrong password");
                    throw new IOException("wrong password");
                } else {
                    LOG.debug("I am setting the password here   ::::" + passwd);

from ServerPasswordHandler and I still have the same fault error in the response.

Please correct me if I am wrong somewhere. I am not sure where this fault comes from?

Thank you.

Best Regards,

On Mon, Jul 27, 2009 at 12:07 AM, rahul.soa wrote:
Hello David/Devs,

Objective: trying to set web service security at the server side:

I am getting an error while accessing the secured webservice. The soap fault I am receiving is below:


<soap:Envelope xmlns:soap=""><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>pwd == null but a password is needed</faultstring></soap:Fault></soap:Body></soap:Envelope>


<soap:Envelope xmlns:soap=""><soap:Header><wsse:Security xmlns:wsse="" soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsse="" xmlns:wsu="" wsu:Id="UsernameToken-32620541"><wsse:Username xmlns:wsse="">system</wsse:Username><wsse:Password xmlns:wsse="" Type="">manager</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><add xmlns=""><value1>2</value1><value2>2</value2></add></soap:Body></soap:Envelope>

What I am trying to do is:

1. At the server side (in the doPublish method of CXFEndpoint), I am setting the WSS4JIn/OutInterceptor property for the user token (please note: this is not generic code at this moment)

 protected void doPublish(String baseAddress) {
        // XXX: assume port 8080 by default since we don't know the actual port
        // at startup
        String address = (baseAddress == null) ? "http://localhost:8080"
                : baseAddress;

        JaxWsServerFactoryBean svrFactory = new GeronimoJaxWsServerFactoryBean();
        svrFactory.setAddress(address + this.portInfo.getLocation());

        if (HTTPBinding.HTTP_BINDING.equals(implInfo.getBindingType())) {

        // to receive the incoming username/password in soap request
        Map inProps = new HashMap();
        inProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
        inProps.put(WSHandlerConstants.USER, "system");
                new ServerPasswordHandler());
        server = svrFactory.create();
        // to receive the secure header
        WSS4JInInterceptor wssIn = new WSS4JInInterceptor(inProps);
        // to send the secure soap header
        WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(inProps);

        org.apache.cxf.endpoint.Endpoint endpoint = getEndpoint();

                new org.apache.cxf.binding.soap.saaj.SAAJInInterceptor());

                new org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor());
        LOG.debug("So far set the interceptor");

        if (getBinding() instanceof SOAPBinding
                && this.portInfo.isMTOMEnabled() != null) {
            ((SOAPBinding) getBinding()).setMTOMEnabled(this.portInfo



I am setting up the login authentication and setting the password in the Server Handler, as follows:

public class ServerPasswordHandler implements CallbackHandler {

    private static final Logger LOG = LoggerFactory

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {

        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                LOG.debug("I am inside the ServerPasswordHandler");
                String username = pwcb.getIdentifier();
                String passwd = pwcb.getPassword();

                LoginContext context = null;
                try {
                    // Login authentication goes here
                    // use the existing security realm for the moment for testing
                    context = ContextManager.login("geronimo-admin",
                            new UsernamePasswordCallbackHandler(username,
                    // ContextManager.login(realm, callbackHandler,
                    // configuration)
                    LOG.debug("login is successful");
                } catch (LoginException e) {
                    LOG.debug("login failed");
                    throw new IOException("Unable to verify " + username
                            + " and " + passwd);

                //TODO: what to do with subject
                Subject subject = context.getSubject();
                ContextManager.setCallers(subject, subject);
                    if (!pwcb.getPassword().equals(passwd)) {
                        LOG.debug("wrong password");
                        throw new IOException("wrong password");
                    } else {
                        LOG.debug("I am setting the password here   ::::"
                                + passwd);




In the traces, I can see the password value is "manager" which is sent by client
I am setting the password here   ::::manager

but I don't know why I am getting this error pwd == null but a password is needed at pwcb.setPassword(passwd);

Login authentication is successful when the client provides the correct username and password (which are "system" and "manager" respectively), and unsuccessful otherwise.

The full trace from the geronimo.log is attached here: (there are some debug statements to see the traces)

2009-07-27 01:26:17,809 DEBUG [JAXWSServiceReference] Initializing service with: file:/home/rahul/new_workspace1/GerominoWebClient/WEB-INF/wsdl/CalculatorService.wsdl {}Calculator
2009-07-27 01:26:18,031 DEBUG [PortMethodInterceptor] Set address property: http://localhost:8080/GerominoWeb/calculator
2009-07-27 01:26:18,031 DEBUG [CXFPortMethodInterceptor] Username and password sent by Clients are  :  system   manager
2009-07-27 01:26:18,126 DEBUG [CXFPasswordHandler] I HAVE SET THE VALUES       system and   manager
2009-07-27 01:26:18,142 DEBUG [ServerPasswordHandler] I am inside the ServerPasswordHandler
2009-07-27 01:26:18,143 DEBUG [UsernamePasswordCallbackHandler] WHAT I GOT HERE:  system   and   manager
2009-07-27 01:26:18,143 DEBUG [UsernamePasswordCallbackHandler] Username set to:   system
2009-07-27 01:26:18,143 DEBUG [UsernamePasswordCallbackHandler] password set to:   manager
2009-07-27 01:26:18,144 DEBUG [UsernamePasswordCallbackHandler] WHAT I GOT HERE:  system   and   manager
2009-07-27 01:26:18,144 DEBUG [UsernamePasswordCallbackHandler] Username set to:   system
2009-07-27 01:26:18,144 DEBUG [UsernamePasswordCallbackHandler] password set to:   manager
2009-07-27 01:26:18,144 DEBUG [ServerPasswordHandler] login is successful
2009-07-27 01:26:18,145 DEBUG [ServerPasswordHandler] I am setting the password here   ::::manager
2009-07-27 01:26:18,313 INFO  [PhaseInterceptorChain] Interceptor has thrown exception, unwinding now pwd == null but a password is needed
2009-07-27 01:26:18,376 ERROR [log] /jaxws-calculator/calculator pwd == null but a password is needed
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(
    at $Proxy67.add(Unknown Source)
    at CalculatorServlet.doGet(
    at javax.servlet.http.HttpServlet.service(
    at javax.servlet.http.HttpServlet.service(
    at org.eclipse.jetty.servlet.ServletHolder.handle(
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(
    at org.eclipse.jetty.server.session.SessionHandler.handle(
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(
    at org.eclipse.jetty.servlet.ServletHandler.doScope(
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(
    at org.apache.geronimo.jetty7.handler.GeronimoWebAppContext.doScope(
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(
    at org.eclipse.jetty.server.Server.handle(
    at org.eclipse.jetty.server.HttpConnection.handleRequest(
    at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(
    at org.eclipse.jetty.http.HttpParser.parseNext(
    at org.eclipse.jetty.http.HttpParser.parseAvailable(
    at org.eclipse.jetty.server.HttpConnection.handle(
    at org.apache.geronimo.pool.ThreadPool$
    at org.apache.geronimo.pool.ThreadPool$
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(
    at java.util.concurrent.ThreadPoolExecutor$
Caused by: org.apache.cxf.binding.soap.SoapFault: pwd == null but a password is needed
    at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(
    at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(
    at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
    at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(
    at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(
    at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
    at org.apache.cxf.endpoint.ClientImpl.onMessage(
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(
    at org.apache.cxf.transport.AbstractConduit.close(
    at org.apache.cxf.transport.http.HTTPConduit.close(
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
    at org.apache.cxf.endpoint.ClientImpl.invoke(
    at org.apache.cxf.endpoint.ClientImpl.invoke(
    at org.apache.cxf.endpoint.ClientImpl.invoke(
    at org.apache.cxf.frontend.ClientProxy.invokeSync(
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(
    ... 28 more

Can you please let me know or correct me, why this is happening? I think if the password is set correctly in pwcb.setPassword(passwd); then the client should be able to access the secure web service. I am getting the correct password "manager" (as seen in the logs) and setting the same, but I don't know why I am getting this fault.

Second thing is, I am not sure what to do with subject?

Am I missing something in the above code? Please correct me and help me in this.

Many Thanks in advance for your response.
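
A server-side handler for the plaintext UsernameToken case discussed in this thread, as an added example that is not code from the posters or from CXF, WSS4J or Geronimo. It assumes the WSS4J 1.5.x `WSPasswordCallback` API used in the thread and substitutes the standard JAAS `LoginContext` for Geronimo's `ContextManager.login`; the class name and the `onAuthenticated` hook are hypothetical, and unlike the posted handler it never writes the password to logs or exception messages.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.ws.security.WSPasswordCallback; // WSS4J 1.5.x package (assumed version)

// Hypothetical class name; validates a plaintext UsernameToken against a JAAS realm.
public class PlainTextTokenValidator implements CallbackHandler {
    private final String realm; // e.g. "geronimo-admin" as in the thread
    public PlainTextTokenValidator(String realm) { this.realm = realm; }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            // Inbound plaintext token: the password comes from the request and is verified here.
            if (pwcb.getUsage() != WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                throw new UnsupportedCallbackException(cb, "unexpected callback usage");
            }
            final String user = pwcb.getIdentifier();
            final String presented = pwcb.getPassword();
            if (user == null || presented == null) {
                throw new IOException("UsernameToken lacks a username or password");
            }
            try {
                LoginContext lc = new LoginContext(realm, new CallbackHandler() {
                    public void handle(Callback[] jaas) throws UnsupportedCallbackException {
                        for (Callback c : jaas) {
                            if (c instanceof NameCallback) {
                                ((NameCallback) c).setName(user);
                            } else if (c instanceof PasswordCallback) {
                                ((PasswordCallback) c).setPassword(presented.toCharArray());
                            } else {
                                throw new UnsupportedCallbackException(c);
                            }
                        }
                    }
                });
                lc.login();
                onAuthenticated(lc.getSubject());
            } catch (LoginException e) {
                // Exception text may surface in logs or a SOAP faultstring: no credentials in it.
                throw new IOException("authentication failed");
            }
        }
    }
    // Hook (hypothetical) for binding the Subject to the request, e.g. ContextManager.setCallers.
    protected void onAuthenticated(Subject subject) { }
}
```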