
I have published Spring web services using Spring Boot. In WsConfigurerAdapter, I used XwsSecurityInterceptor with SimplePasswordValidationCallback to authenticate users and this went fine.

Web config:

import org.springframework.context.annotation.Bean;
import org.springframework.core.io.ClassPathResource;
import org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor;

@Bean
XwsSecurityInterceptor securityInterceptor() {
    XwsSecurityInterceptor securityInterceptor = new XwsSecurityInterceptor();
    // Callback handler that validates the credentials carried in the UsernameToken
    securityInterceptor.setCallbackHandler(callbackHandler());
    // XWSS policy file declaring which security headers are required on incoming requests
    securityInterceptor.setPolicyConfiguration(new ClassPathResource("securityPolicy.xml"));
    return securityInterceptor;
}

@Bean
CallBackHandlerHelper callbackHandler() {
    // CallBackHandlerHelper is the application's own CallbackHandler implementation
    CallBackHandlerHelper callbackHandler = new CallBackHandlerHelper();
    callbackHandler.loadUsers(); // loading users from DB
    return callbackHandler;
}

Sample SOAP header:

<soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="XWSSGID-14072105829651149256297" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>admin</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">1</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>

Now I'm struggling with these two concerns:

1) How can I use a password digest and nonce rather than plain text? (In my policy XML, I have set them to false and am loading the wss:usernameToken in plaintext format via the SOAP header, but I would prefer to get the password digest rather than the plaintext format.)

2) I need to set up these services as stateful by keeping a session key. I don't want to send the user/password every time. The idea is to use the Username token only for the login request and thereafter manage the session with a unique key until the user sends a logoff request (hoping to keep this generated session key in memory until the session expires). How should I solve this in the given context?

1 Answer

  1. For digests, you'd use the following in your security policy file:

    <xwss:UsernameToken digestPassword="true" useNonce="true"/>

The reference docs for the XWSS configuration format can be found here.

  2. I really think you should reconsider, as having stateful services is generally frowned upon. See this similar SO question for instance, or this one, or this one, and so on.
Alexander Kjäll
Arjen Poutsma
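What the digestPassword/useNonce setting switches on is defined by the WS-Security UsernameToken profile rather than by XWSS itself: the client sends Base64(SHA-1(nonce + created + password)) instead of the password, and the server recomputes it from the stored password. As an added illustration that is not code from the question, the answer, or Spring WS, the following Python builds such a token on the client side and validates it on the server side, including the nonce and timestamp checks that stop a captured header from being replayed; the in-memory user table, the 5-minute freshness window, and the timestamp format are assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed wsu:Created layout (UTC, whole seconds)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile 1.0: Base64(SHA-1(nonce || created || password)).
    nonce is the raw (base64-decoded) bytes; created and password are UTF-8 text."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def make_token(username: str, password: str, created=None) -> dict:
    """Client side: the UsernameToken fields sent instead of a PasswordText value."""
    nonce = os.urandom(16)  # fresh random nonce per request
    created = created or datetime.now(timezone.utc).strftime(CREATED_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class DigestValidator:
    """Server side: recompute the digest from the stored password and reject replays."""

    def __init__(self, users: dict, max_age=timedelta(minutes=5)):
        self.users = users            # constructed user table: username -> password
        self.max_age = max_age        # tokens older than this are rejected
        self.seen_nonces = set()      # nonces already accepted inside the window

    def validate(self, token: dict, now=None) -> bool:
        password = self.users.get(token["Username"])
        if password is None:
            return False
        now = now or datetime.now(timezone.utc)
        created = datetime.strptime(token["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_age:
            return False              # stale timestamp: outside the freshness window
        if token["Nonce"] in self.seen_nonces:
            return False              # nonce already used: replayed header
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False              # digest mismatch: wrong password or tampered fields
        self.seen_nonces.add(token["Nonce"])
        return True
```

The server still needs the stored password (or something it can derive the digest from) to verify, so the digest protects the credential on the wire but does not remove the need to store it securely; in production the nonce cache must be pruned once entries fall outside the window.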