如果用XFire 实现WS-Secuiry 在http://xfire.codehaus.org/WS-Security 

下面说说如何写Client 去 调用User Token Authentication 的 WS-Security.

1.用Xfire 根据WSDL 去生成 Client stub.
通常,用eclipse的XFire plug-in, 里面有一个Code generation from WSDL document的Wizard.生成的java文件里通常有xxxxServiceClient.java xxxxServcie.java xxxxServiceImpl.java 等文件.

如果不考虑WS-Security Client code 很容易写
例如:

xxxxServiceClient service = new xxxxxServiceClient();

xxxxService client = service.getxxxServiceHttpPort("http://localhost:8080/services/xxxxService");

2. 加WS-Security
最好不要改XFire 生成的文件, 而是在自己的调用程序里增加.这样将来WSDL改变, 可以在用XFire 生成Code 而不影响自己的程序

xxxxServiceClient service = new xxxServiceClient();

xxxxService client = service.getxxxxServiceHttpPort("http://localhost:8080/services/xxxxService");

addWSSecurity(stallInfoClient);

public void addWSSecurity(StallInfoService stallInfoService)
 {
     Client client = org.codehaus.xfire.client.Client.getInstance(stallInfoService);
     client.addOutHandler(new DOMOutHandler());
     Properties properties = new Properties();
        configureOutProperties(properties);
        WSS4JOutHandler wss4jOutHandler = new WSS4JOutHandler(properties);
        Map props = wss4jOutHandler.getProperties();
        PasswordHandler pwdHandler = new PasswordHandler();
        pwdHandler.setPassword(password);
        props.put(WSHandlerConstants.PW_CALLBACK_REF, pwdHandler);
        wss4jOutHandler.setProperties(props);
        client.addOutHandler(wss4jOutHandler);
 }
protected void configureOutProperties(Properties config)
    {
        // Action to perform : user token
        config.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        // Password type : plain text
        config.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
        // for hashed password use:
        //properties.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
        // User name to send
        config.setProperty(WSHandlerConstants.USER, username);

    }
public class PasswordHandler implements CallbackHandler {
       private String password = " ";
       public PasswordHandler() {       }
      
       public void setPassword(String password) {
         this.password = password;
       }
       public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
           WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
           String uid = pc.getIdentifer();
           pc.setPassword(password);
       }
}
 
当使用WSHandlerConstants.PW_CALLBACK_REF Xfire 有缺陷, 如果不手动把 passwordhandler 加入wss4jOutHandler的properties里, 将来是XFire无法调用自己的passwordhandler变量,  WSHandlerConstants.PW_CALLBACK_CLASS 没有这个问题.

通过这种方法,Client 就会在SOAP request 加入 security head.

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soap:Header>
<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <wsse:UsernameToken wsu:Id="UsernameToken-26235040" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <wsse:Username xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">username
   </wsse:Username>
   <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">password
   </wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<GetRequest xmlns="....">11</GetRequest>
</soap:Body>
</soap:Envelope>