WS-Security Basic Policy Definition And Client Testing In Java With JAX-WS

If you’ve defined a wsdl and need to introduce the most basic security policy, generate the client side code and then run some integration tests then this post may help you.

The focus here is on getting it all working, not the most efficient solution, and neither the most secure. We choose a UsernameToken with plain text password and work that into the wsdl, then generate code with the Maven cxf-codegen-plugin, then find a way to add the missing security headers and finally write an integration test.

In terms of context, the steps below where followed in a project where a web service was implemented, and already thoroughly tested using the help of jetty and the maven-soapui-plugin with the latter executing tests during the integration-test phase.

Step 1: Modify The WSDL

The pretinent parts of the this wsdl are shown below. Note the wsp:PolicyReference below the wsdl:service element.

<?xml version="1.0" encoding="UTF-8"?>
<wsdl:types xmlns:wsdl="">
<wsdl:service name="VoucherServiceService" xmlns:wsdl="">
  <wsp:PolicyReference xmlns:wsp="" URI="#VouchUsernameToken"/>
  <wsdl:port binding="tns:VoucherServiceSoap11" name="VoucherServiceSoap11" xmlns:wsdl="">
    <soap:address location="" xmlns:soap=""/>

<wsp:Policy wsu:Id="VouchUsernameToken">

Step2: Code Generation In Our Maven Pom Using cxf-codegen-plugin


Step 3: Add A HeaderHandler and HeaderHandlerResolver

This post shows how to add the security headers. It works, try it. You’ll need some solution since the code generated by cxf will not provide any means of adding the headers, which is naturally suboptimal.

Step 4: Test It All Using An Integration Test

public class VoucherServiceIT {

public void test() {
  URL url = null;
  try {
    url = new URL("http://localhost:8080/vouchserv/vouchserv.wsdl");
  } catch (MalformedURLException e) {
   throw new RuntimeException(e);

  VoucherServiceService voucherServiceService = new VoucherServiceService(url);
  HeaderHandlerResolver handlerResolver = new HeaderHandlerResolver();
  VoucherService voucherService = voucherServiceService.getVoucherServiceSoap11();
  RegisterRequest registerRequest = new RegisterRequest();
  RegisterResponse registerResponse = voucherService.register(registerRequest);