4 Replies Latest reply: Jul 16, 2012 1:55 PM by 904111

    Reading Security Header in JAX-WS web service

      Hi All,

      How can we read the WS-Security header (UsernameToken and password) on the server side in the endpoint? Do we need to write a Handler for this? If we have to use a Handler, can you please let me know the code that can be used to read the security header from the SOAP message? Ultimately, my logic for authenticating the username and password is in the service. I am using WebLogic Server 10.3.4 as the deployment server. Please advise.

        • 1. Re: Reading Security Header in JAX-WS web service
          Step 1:

          The security context is available in the message context, but at handler level, not at application level. To make it available at application level, you can add a Handler like this:

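          import java.util.Set;
          import javax.xml.namespace.QName;
          import javax.xml.ws.handler.MessageContext;
          import javax.xml.ws.handler.soap.SOAPHandler;
          import javax.xml.ws.handler.soap.SOAPMessageContext;
          import weblogic.xml.crypto.wss.WSSecurityContext;

          public class MyHandler implements SOAPHandler<SOAPMessageContext> {

              // Expose the WS-Security context to the endpoint (application scope).
              public boolean handleMessage(SOAPMessageContext context) {
                  // setScope rejects a property that is not set, e.g. on outbound messages.
                  if (context.containsKey(WSSecurityContext.WS_SECURITY_CONTEXT)) {
                      context.setScope(WSSecurityContext.WS_SECURITY_CONTEXT, MessageContext.Scope.APPLICATION);
                  }
                  return true;
              }

              // Remaining SOAPHandler methods; nothing to do here.
              public boolean handleFault(SOAPMessageContext context) { return true; }
              public void close(MessageContext context) { }
              public Set<QName> getHeaders() { return null; }
          }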

          Step 2:

          In the service implementation add the following:

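          import javax.annotation.Resource;
          import javax.xml.ws.WebServiceContext;
          import weblogic.xml.crypto.wss.WSSecurityContext;
          import weblogic.xml.crypto.wss.WSSecurityInfo;
          import weblogic.xml.crypto.wss.api.UsernameToken;
          import weblogic.xml.crypto.wss.provider.SecurityToken;

          // Field of the service implementation class; injected by the container.
          @Resource
          private WebServiceContext ctx;

          // Inside the web method:
          WSSecurityInfo info = (WSSecurityInfo) ctx.getMessageContext().get(WSSecurityContext.WS_SECURITY_CONTEXT);

          java.util.Iterator it = info.getSecurityTokens().iterator();
          while (it.hasNext()) {
              SecurityToken st = (SecurityToken) it.next();
              if (st instanceof UsernameToken) {
                  UsernameToken unt = (UsernameToken) st;
                  // Printed for demonstration only; hand the values to the validation logic rather than logging a password.
                  System.out.println("TOKEN=" + "USER=" + unt.getUsername() + ", PASSWORD=" + new String(unt.getPassword()));
              }
          }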

          Hope that helps.
          Sunil Polineni
          • 2. Re: Reading Security Header in JAX-WS web service
            Hi Sunil,

            Thanks for your response. I will try that. But I also have some more questions related to WS-Security.

            I want to implement UsernameToken security for my web service. I am using JDeveloper 11g for my development.

            1. How do I mention the WS-Security information in the WSDL file?
            2. Do we need to do some annotation in the Service Implementation class? What I am looking for is to use the code/logic you have given for the Handler to intercept the SOAP message with the security header, read it and do the validation. I am trying to implement application-level security, not relying on any WLS roles etc.

            • 3. Re: Reading Security Header in JAX-WS web service
              Ronald van Luttikhuizen
              Hi Ramesh,

              1) WSDLs are mostly for defining the functionality of Web Services (operations, input and output), not so much header information and non-functionals. You can however use the WS-Policy standard for this (see http://www.w3.org/TR/ws-policy/).
              2) You can either use out-of-the-box policies (OWSM or WebLogic/WLS) that authenticate against WebLogic's authentication provider or add a handler class in which you can implement your own logic. In JDeveloper, if you create a new Web Service you go through a wizard that has steps for defining policies and message handlers. Btw, it's a good practice to authenticate against a standard authentication provider instead of writing your own authentication code.

              Regards, Ronald
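
An added example (not code from this thread or from WebLogic) of what a custom handler has to do with a UsernameToken: locate it in the SOAP header by its WS-Security namespace, reject missing or duplicated tokens, and compare the password without ever printing it. The class name, the sample envelope and the credentials are constructed for illustration; inside a JAX-WS handler the header element would come from `context.getMessage().getSOAPHeader()` instead of a parsed string.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class UsernameTokenReader {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // Constructed sample request; the user name and password are made up.
    static final String SAMPLE =
        "<soapenv:Envelope xmlns:soapenv='" + SOAP + "'>"
      + "<soapenv:Header><wsse:Security xmlns:wsse='" + WSSE + "'>"
      + "<wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
      + "<wsse:Password>example-secret</wsse:Password></wsse:UsernameToken>"
      + "</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>";

    // Returns {username, password}, or null unless the header holds exactly one UsernameToken.
    static String[] readToken(Element header) {
        if (header == null) return null;
        NodeList tokens = header.getElementsByTagNameNS(WSSE, "UsernameToken");
        if (tokens.getLength() != 1) return null;
        Element t = (Element) tokens.item(0);
        NodeList u = t.getElementsByTagNameNS(WSSE, "Username");
        NodeList p = t.getElementsByTagNameNS(WSSE, "Password");
        if (u.getLength() != 1 || p.getLength() != 1) return null;
        return new String[] { u.item(0).getTextContent(), p.item(0).getTextContent() };
    }

    // Time-constant comparison, so response timing does not reveal how much of the value matched.
    static boolean matches(String supplied, String expected) {
        return MessageDigest.isEqual(supplied.getBytes(StandardCharsets.UTF_8),
                                     expected.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required for getElementsByTagNameNS
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs (XXE)
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        Element header = (Element) root.getElementsByTagNameNS(SOAP, "Header").item(0);
        String[] tok = readToken(header);
        // Expected values are constructed stand-ins for the service's credential store.
        boolean ok = tok != null && matches(tok[0], "alice") && matches(tok[1], "example-secret");
        System.out.println(ok ? "authenticated: " + tok[0] : "rejected");
    }
}
```
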
              • 4. Re: Reading Security Header in JAX-WS web service
                Hi Ronald, Sunil, anybody.. Please take a look at the issue I posted at "SOAP handler is not getting the message".

                Please help me to figure out why the SOAP message is not passing through my handler. I will provide you the code if you require. Please help me out.

                Thanks a lot in advance.