Creating CXF SOAP Web Services with WSSE in a Spring Boot Microservice

I decided to write this blog entry to share my experience creating a WSSE secured SOAP web service in a Spring Boot app. I had a few minor challenges along the way so I’m hoping this will be useful to someone out there. This post assumes you already have a working knowledge of Spring Boot as well as how to create web services in a regular Spring (non – boot) Web App (NB: This tutorial uses Spring Boot 1.1.8.RELEASE).

Before we get into the code, let’s make sure we have all the necessary dependencies included. I use Apache Maven for dependency management so I have the following dependencies in my pom.xml:

Ok, now to the code! First, create your web service interface with the required annotations:

Notice how the operation name and SOAP action were set in the @WwbMethod annotation. If these attributes are not set, the operation name defaults to the method name and the action defaults to an empty string.

Next up is the implementation class:

Make sure the implementation class is also annotated with @Component or @Service and provide a name for the bean as we’ll be referencing it in our Spring config file later. Also notice the service name and endpoint interface are specified here.

Then we configure the web service servlet. The following should be placed in an application configuration file (eg. Application.java):

Now that the web service classes have been created and exposed to Spring, we create an XML configuration file (eg. soap-config.xml) and add the following CXF configurations:

Now you should have a functional, albeit unsecured SOAP web service. To add WSSE support to the, include the following import statements and modify the JAXWS endpoint bean as shown below:

Add the security interceptor, specifying what type of securement you requuire:

And finally, add the following CXF bus properties:

Optionally, you can enable the logging feature in CXF by add the following interceptor definitions to the bus. This will write the request and response payloads to the logs:

The more keen – eyed among you may have noticed a custom validator was specified in my CXF bus properties. This can be used if you wish to validate the user’s credentials against some store such as a database. A simple validator stub follows:

And there you have it! A fully configured SOAP web service secured with WSSE and full request / response logging.

Leave a Comment

Your email address will not be published. Required fields are marked *

captcha * Time limit is exhausted. Please reload the CAPTCHA.