Securing a service using WS-Security

We have an existing Web-Service accessible to everyone who knows the address of the endpoint. The software used on the server:

  • Java 6
  • Apache CXF 2.2.3
  • SOAP Webservice

Because of massive abuse in the past the access should be limited to authorized people only. The login credentials are stored in a database and should be checked with every request made on the service. The login data should be transmitted in the SOAP-Envelope header and an interceptor should verify the data before the actual invocation of a webservice method. The solution should be based on an open standard which is well defined.
1 answer

WS-Security Username Token Authentication

  • On the server-side you have to initialise your webservice.
  • The interceptors can be configured by adding a HashMap with specific values to the WSS4JInInterceptor-instance. You also need, if you're using Apache CXF <=2.0, an SAAJInInterceptor-instance.
  • To add the interceptors you have to determine the endpoint of the service.
  • On the client-side you have to do the same steps but with out-interceptors (SAAJOutInterceptor as well as WSS4JOutInterceptor).
  • On both sides you need PasswordHandlers which are callback-classes/methods to verify/set the login-credentials.
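The steps above, carried through as one added example (it is not code from the answer, from the asker's service, or from the CXF project): a server-side password callback, the interceptor wiring on the published endpoint, and the matching client-side out-interceptor configuration. It uses the CXF 2.2 / WSS4J 1.5 API names (WSS4JInInterceptor, WSS4JOutInterceptor, SAAJInInterceptor, SAAJOutInterceptor, WSHandlerConstants, WSPasswordCallback). `findStoredPassword` is a hypothetical stand-in for the database query the asker describes, backed here by a constructed in-memory map; `implementor` and `port` are whatever JAX-WS service implementation and proxy the existing service already has.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.ws.Endpoint;

import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

public class UsernameTokenSetup {

    // Constructed sample credential store; stands in for the asker's database table.
    private static final Map<String, String> SAMPLE_STORE = new HashMap<String, String>();
    static {
        SAMPLE_STORE.put("alice", "correct horse battery staple");
    }

    // Hypothetical DB lookup: returns the stored password for a user, or null if unknown.
    static String findStoredPassword(String username) {
        return SAMPLE_STORE.get(username);
    }

    /** Server-side PasswordHandler: verifies a plaintext token or supplies the stored password for digest checks. */
    public static class ServerPasswordCallback implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb, "Only WSPasswordCallback is handled");
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                String stored = findStoredPassword(pc.getIdentifier());
                if (stored == null) {
                    // Same failure for unknown user and wrong password, so the response does not reveal which.
                    throw new IOException("Authentication failed");
                }
                if (pc.getPassword() != null) {
                    // PasswordText token (WSS4J 1.5.x hands the received password in): compare it here.
                    if (!stored.equals(pc.getPassword())) {
                        throw new IOException("Authentication failed");
                    }
                } else {
                    // PasswordDigest token: WSS4J recomputes the digest from the password we set.
                    pc.setPassword(stored);
                }
            }
        }
    }

    /** Server side: publish the service, determine its CXF endpoint, and add the in-interceptors. */
    public static EndpointImpl publishSecured(String address, Object implementor) {
        EndpointImpl endpoint = (EndpointImpl) Endpoint.publish(address, implementor);

        Map<String, Object> inProps = new HashMap<String, Object>();
        inProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        inProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
        inProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ServerPasswordCallback.class.getName());

        endpoint.getInInterceptors().add(new SAAJInInterceptor()); // required on CXF <= 2.0
        endpoint.getInInterceptors().add(new WSS4JInInterceptor(inProps));
        return endpoint;
    }

    /** Client side: same steps with out-interceptors, and a PasswordHandler that sets the credential. */
    public static void secureClient(Object port, final String user, final String password) {
        Client client = ClientProxy.getClient(port);

        Map<String, Object> outProps = new HashMap<String, Object>();
        outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        outProps.put(WSHandlerConstants.USER, user);
        outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
        outProps.put(WSHandlerConstants.PW_CALLBACK_REF, new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    WSPasswordCallback pc = (WSPasswordCallback) cb;
                    if (user.equals(pc.getIdentifier())) {
                        pc.setPassword(password); // WSS4J builds the nonce/created digest from this
                    }
                }
            }
        });

        client.getOutInterceptors().add(new SAAJOutInterceptor());
        client.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));
    }
}
```

Two points worth deciding up front: PasswordDigest keeps the password out of the message, but it only works if the server can hand WSS4J the original password, so the database must hold it in recoverable form; PasswordText lets you keep only a hash in the database and compare in the callback, but then the transport must be TLS, because the password travels in the clear inside the header. The PASSWORD_TYPE on the in-interceptor tells WSS4J which of the two to expect.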