Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
3.3.7
-
None
-
Unknown
Description
I have a WSDL with the following wsp:policy:
<wsp:UsingPolicy wsdl:Required="true" /> <wsp:Policy wsu:Id="MyPolicy"> <sp:SupportingTokens> <wsp:Policy> <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> <wsp:Policy> <sp:WssUsernameToken10 /> </wsp:Policy> </sp:UsernameToken> </wsp:Policy> </sp:SupportingTokens> </wsp:Policy>
I create the binding using the following:
JAXWSSpringClientProxyFactoryBean factory = new JAXWSSpringClientProxyFactoryBean(); // set service class, wsdl location, etc. on factory factory.getProperties().put(SecurityConstants.ACTOR, "myactor"); factory.getProperties().put(SecurityConstants.USERNAME, "myusername"); factory.getProperties().put(SecurityConstants.PASSWORD, "mypassword");
The above code results in the following SOAP header, which has the correct username and password but is missing the actor:
<soap:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1"> <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-019185dc-94b7-4e62-b0fb-93577736a912"> <wsse:Username>myusername</wsse:Username> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">mypassword</wsse:Password> </wsse:UsernameToken> </wsse:Security> </soap:Header>
The expected output header should also include soap:actor="myactor" attribute in the wsse:Security element.
I believe this can be fixed by setting the actor in the AbstractTokenInterceptor.findSecurityHeader method.