Spring WS: How to configure WS-Security auth for a SOAP 1.1 client

I had to create a Java client that calls a “secured” (WS-Security standards) SOAP 1.1 webservice. I chose to use the latest version of Spring-WS to do so.


POM Parent : org.springframework.boot:spring-boot-starter-parent:1.3.8.RELEASE

Important dependencies:

  • org.springframework.boot:spring-boot-starter-ws (implied version 2.2.3.RELEASE)
  • org.springframework.ws:spring-ws-security (implied version 2.2.3.RELEASE)
  • org.apache.ws.security:wss4j:1.6.19

SOAP Request

The security part of the SOAP request I need to generate looks like this:

		<wsse:UsernameToken wsu:Id="UsernameToken-99B1FD1F061EA5C25314914201395332">
			<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">WS-PASSWORD-CLEARTEXT</wsse:Password>
		<wsu:Timestamp wsu:Id="TS-99B1FD1F061EA5C25314914201395241">

Java client

Below is the way to generate a SOAP request like the one above. It uses Wss4jSecurityInterceptor Spring interceptor

public Wss4jSecurityInterceptor securityInterceptor() {
	Wss4jSecurityInterceptor security = new Wss4jSecurityInterceptor();
	// Adds "Timestamp" and "UsernameToken" sections in SOAP header
	security.setSecurementActions(WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.USERNAME_TOKEN);
	// Set values for "UsernameToken" sections in SOAP header
	return security;

Then you have to add this interceptor to your webservice template configuration:

WebServiceTemplate wsTemplate = new WebServiceTemplate();

// WebServiceTemplate init: URI, msg factory, etc.

wsTemplate.setInterceptors(new ClientInterceptor[]{ securityInterceptor() });

If you have any issue, feel free to contact me.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.