CXF With UsernameToken (WS-Security Policy)

CXF With UsernameToken (WS-Security Policy) explains about step by step details of securing a Web service using UsernameToken Profile

WS-SecurityPolicy  is the binding and/or operation used in the wsdl, a WS-Policy fragment that describes the basic security requirements for interacting consumer.

Here we are implementing security policy by CXF UsernameToken


CXF gives two different techniques for adding UsernameToken

1) WS-SecurityPolicy -> In WS-SecurityPolicy, we are applying on WSDL 
level, Here we are defining WS-SecurityPolicy elements on WSDL and 
implement the security mechanism. This could be the best approach 
because client can able to understand which security mechanism is 
implemented and client can able to proceed accordingly.

2) Using CXF interceptors -> Here we are manually adding security 
mechanism to CXF interceptors,the problem on this approach client 
cant able to understand which security mechanism is implemented 
because it is not available on wsdl

If you are interested to add WS-Security using CXF interceptors, you can use following article

CXF With UsernameToken (Interceptor)

Required Libraries

You need to download

  1. JDK 6
  2. Eclipse 3.7
  3. CXF-2.7.3
  4. Tomcat 7

Following jar must be in ClassPath

  1. commons-logging-1.1.1.jar
  2. cxf-2.7.3.jar
  3. httpasyncclient-4.0-beta3.jar
  4. httpclient-4.2.1.jar
  5. httpcore-4.2.2.jar
  6. httpcore-nio-4.2.2.jar
  7. jaxb-api-2.2.6.jar
  8. jaxb-impl-2.2.6.jar
  9. neethi-3.0.2.jar
  10. spring-aop-3.0.7.RELEASE.jar
  11. spring-asm-3.0.7.RELEASE.jar
  12. spring-beans-3.0.7.RELEASE.jar
  13. spring-context-3.0.7.RELEASE.jar
  14. spring-core-3.0.7.RELEASE.jar
  15. spring-expression-3.0.7.RELEASE.jar
  16. spring-web-3.0.7.RELEASE.jar
  17. wsdl4j-1.6.2.jar
  18. wss4j-1.6.9.jar
  19. xmlschema-core-2.0.3.jar
  20. xmlsec-1.5.3.jar

CXF With UsernameToken(WS-security policy) Example

I am creating a sample web service project that pass Student object and return with some changes on that object. The service is using simple POJO (Plain Old Java Object) bean.

Firstly create a Dynamic Web Project (File->New->Dynamic Web Project) named "CXFTutorial" according to following screenshot

CXF With UsernameToken (WS-Security Policy) CXF With UsernameToken (WS-Security Policy)

Create a Student Object

package com.student;

public class Student {
private String name;
public String getName() {
return name;
public void setName(String name) { = name;

Create a Service Interface

This service interface will defines which methods of web service, to be invoked by the client

package com.student;

import javax.jws.WebService;

public interface ChangeStudentDetails {
Student changeName(Student student);

Implement the Service Interface

Here we implement the service interface created on the previous step

package com.student;

import javax.jws.WebService;

@WebService(endpointInterface = "com.student.ChangeStudentDetails")
public class ChangeStudentDetailsImpl implements ChangeStudentDetails {
public Student changeName(Student student) {
student.setName("Hello "+student.getName());
return student;

Create ServerPasswordCallback

Here we are created myPasswordCallback bean in order to check the username token credentials

package service;


public class ServerPasswordCallback implements CallbackHandler {

public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

if ("joe".equals(pc.getIdentifier())) {
System.out.println("pc.getPassword() " + pc.getPassword());

Create ChangeStudent.wsdl

Here we are creating a wsdl file in order to utilize contract first approach, We also using WS-Security with UsernameTokens. You can see this declaration on wsdl file

<wsdl:definitions xmlns:xsd=""
	xmlns:wsdl="" xmlns:tns=""
	xmlns:soap="" xmlns:ns1=""
	xmlns:wsaws="" xmlns:sp=""
	xmlns:sp13="" name="ChangeStudentDetailsImplService"
		<xs:schema xmlns:xs="" xmlns:tns=""
			elementFormDefault="unqualified" targetNamespace=""
			<xs:element name="Student" type="tns:student"></xs:element>
			<xs:element name="changeName" type="tns:changeName"></xs:element>
			<xs:element name="changeNameResponse" type="tns:changeNameResponse"></xs:element>
			<xs:complexType name="changeName">
					<xs:element minOccurs="0" name="arg0" type="tns:student"></xs:element>
			<xs:complexType name="student">
					<xs:element minOccurs="0" name="name" type="xs:string"></xs:element>
			<xs:complexType name="changeNameResponse">
					<xs:element minOccurs="0" name="return" type="tns:student"></xs:element>
	<wsdl:message name="changeName">
		<wsdl:part element="tns:changeName" name="parameters">
	<wsdl:message name="changeNameResponse">
		<wsdl:part element="tns:changeNameResponse" name="parameters">
	<wsdl:portType name="ChangeStudentDetails">
		<wsdl:operation name="changeName">
			<wsdl:input message="tns:changeName" name="changeName">
			<wsdl:output message="tns:changeNameResponse" name="changeNameResponse">
	<wsdl:binding name="ChangeStudentDetailsImplServiceSoapBinding"
		<wsp:PolicyReference URI="#ChangeStudentDetailsImplServiceSoapBindingPolicy" />
		<soap:binding style="document" transport=""></soap:binding>
		<wsdl:operation name="changeName">
			<soap:operation soapAction="" style="document"></soap:operation>
			<wsdl:input name="changeName">
				<soap:body use="literal"></soap:body>
			<wsdl:output name="changeNameResponse">
				<soap:body use="literal"></soap:body>
	<wsdl:service name="ChangeStudentDetailsImplService">
		<wsdl:port binding="tns:ChangeStudentDetailsImplServiceSoapBinding"
			<wsp:PolicyReference xmlns:wsp=""
				URI="#ChangeStudentDetailsImplServiceSoapBindingPolicy" />
			<soap:address location="http://localhost:8080/CXFTutorial/ChangeStudent"></soap:address>
	<wsp:Policy wsu:Id="ChangeStudentDetailsImplServiceSoapBindingPolicy"
								<sp:WssUsernameToken11 />

Create a cxf.xml

<beans xmlns="" xmlns:cxf=""
	xmlns:jaxws="" xmlns:soap=""
	xmlns:wsa="" xmlns:xsi=""
	<bean class="org.apache.cxf.interceptor.LoggingInInterceptor" id="loggingInInterceptor" />
	<bean class="org.apache.cxf.interceptor.LoggingOutInterceptor" id="logOutInterceptor" />
			<ref bean="loggingInInterceptor" />
			<ref bean="logOutInterceptor" />
	<jaxws:endpoint address="/ChangeStudent" id="changeStudent"
		implementor="com.student.ChangeStudentDetailsImpl" wsdlLocation="WEB-INF/ChangeStudent.wsdl">
			<entry key="ws-security.callback-handler" value-ref="myPasswordCallback" />
	<!--Added callback for checking the usernametoken credential -->
	<bean class="com.student.ServerPasswordCallback" id="myPasswordCallback" />


Change the web.xml file to find CXF servlet and cxf.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi=""
    xmlns="" xmlns:web=""
    id="WebApp_ID" version="3.0">




Publishing CXF Web Service

CXF UsernameToken structure


You can Find all the deployed JAX-WS/JAX-RS services you need to append 'services' at the end of the URL so URL will become following


Deployed CXF Web Service

CXF With UsernameToken (WS-Security Policy)

Testing CXF UsernameToken Example With soapUI

Here we are using soapUI for testing CXF UsernameToken example

New soapUI Project soapUI WSDL Import


On following screen shot, you can see the blue lines, which is specifying username as "joe", password as "joespassword" and WSS-Password Type as "PasswordText"

soapUI With UsernameToken


You can also use wsimport tool for testing this service. Only thing need to change is modify the Main class according to below class

package com.client;

import java.util.Map;

import com.student.ChangeStudentDetails;
import com.student.ChangeStudentDetailsImplService;
import com.student.Student;
//CXF UsernameToken Example
public class Main {
public static void main(String[] args) {
ChangeStudentDetailsImplService service = new ChangeStudentDetailsImplService();
    ChangeStudentDetails changeStudentDetailsImplPort = service.getChangeStudentDetailsImplPort

    Map ctx =
((BindingProvider) changeStudentDetailsImplPort).getRequestContext();
("ws-security.username", "joe");
("ws-security.password", "joespassword");

    Student student =
new Student();
    student = changeStudentDetailsImplPort.changeName


Hello Rockey


11 Responses to "CXF With UsernameToken (WS-Security Policy)"
  1. Rone 2012-08-23 10:00:02.0
  1. Reality 2012-08-24 10:00:02.0
  1. admin 2012-08-25 10:00:02.0
  1. nityananda 2012-08-26 10:00:02.0
  1. admin 2012-08-27 10:00:02.0
  1. linuxks 2012-08-27 20:00:02.0
  1. Vishnu.K 2012-08-28 00:00:02.0
  1. admin 2012-08-28 10:00:02.0
  1. Ashley 2012-08-28 20:00:02.0
  1. Ashley 2012-08-29 00:00:02.0
  1. Kerim 2012-08-29 10:00:02.0

Your email address will not be published. Required fields are marked *