We are using wsdl2java and the cxf codegen plugin to create a client for a ws-security protected service.
Calling the service via the auto-generated client class (OrganisationsEinheitenCoreService) is pretty easy:
OrganisationsEinheitenCoreService service = new OrganisationsEinheitenCoreService();
IOrganisationsEinheitenCoreService serviceEndpoint = service.getServiceEndpoint();
BindingProvider bindingProvider = (BindingProvider) serviceEndpoint;
Map<String, Object> ctx = bindingProvider.getRequestContext();
ctx.put("ws-security.username", "MyUsername");
ctx.put("ws-security.password", "MyPassword");
ArrayOfStaat staaten = serviceEndpoint.getStaaten();
When calling the method "getStaaten" from the service, cxf automatically requests an SecurityContextToken with the username and password (action = http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT), before calling the actual method "getStaaten". After receiving an SCT from the service, cxf stores the sct and uses it for the next call(s).
For some reason, cxf never calls http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT/Cancel to terminate the SCT. We also couldn't figure out how to do this explicitly, we tried several things like try-with-resource with the class, or getting the client and call the close method.
SCTs usally expire by themselves after certain amount of time, unfortunately we need to close them right after calling the service.
Any ideas?
