I've exposed several web services in our product using java and WS-Security. One of our customers wants to consume the web service using Coldfusion. Does coldfusion support ws-security? Can I get around it by writing a java client and using that in coldfusion?
(I don't know much about coldfusion).
I've never done any ws-security, and don't know if ColdFusion can consume it or not, but to answer your secondary question:
Can I get around it by writing a java client and using that in coldfusion?
Yes, absolutely. ColdFusion can easily use Java objects and methods.
I'm assuming you mean you need to pass the security in as part of the SOAP header. Here's a sample on how to connect to a .Net service. Same approach should apply w/ Java, just the url's would be different.
<cfset local.soapHeader = xmlNew()>
<cfset local.soapHeader.TheSoapHeader = xmlElemNew(local.soapHeader, "http://someurl.com/", "TheSoapHeader")>
<cfset local.soapHeader.TheSoapHeader.UserName.XmlText = "foo">
<cfset local.soapHeader.TheSoapHeader.UserName.XmlAttributes["xsi:type"] = "xsd:string">
<cfset local.soapHeader.TheSoapHeader = xmlElemNew(local.soapHeader, "http://webserviceUrl.com/", "TheSoapHeader")>
<cfset local.soapHeader.TheSoapHeader.Password.XmlText = "bar">
<cfset local.soapHeader.TheSoapHeader.Password.XmlAttributes["xsi:type"] = "xsd:string">
<cfset theWebService = createObject("webservice","http://webserviceUrl.com/Webservice.asmx?WSDL")>
<cfset addSOAPRequestHeader(theWebService, "ignoredNameSpace", "ignoredName", local.soapHeader, false)>
<cfset aResponse = theWebService.SomeMethod(arg1)>
Hope this is what you needed.
I'm doing some research on WS-Secuirty and ColdFusion myself for some time and can definitely say that the above example is not an implementation of WS-Security. Even though a username and password are sent in the header, they are sent in plaintext. Utilizing SSL will help, but WS-Security is a lot more work that just applying this code. ColdFusion natively doesn't support WS-Security, but it can easily use Java objects and methods. There's a package from Apache called WSS4J which does provides means of implementing WS-Security in Java. You can write a wrapper and then utilize it in ColdFusion. I persoanlly was able to do so, however, there needs to be a small configuration change on ColdFusion side which I'm having some problems with.
If anyone can help me out on the configuration part, I'd really appreciate it.
Dmitriy