How to consume a WebService that uses Ws-Security Authentication (UsernameToken) – OWSM – Oracle Service Bus (OSB)


The Oracle Service Bus (OSB) allows to enable OWSM authentication, there is many policies that can be applied to the Proxy Service to turn on security authentication. The most basic of this policies is:

oracle / wss_username_token_service_policy

Requiring only a username and password. Once enabled this security, following a tip on how to make a request using a Java Client.

File: – This is a main class to make a request

import java.math.BigInteger;
import java.util.ArrayList;
import java.util.GregorianCalendar;
import java.util.List;

import javax.xml.datatype.DatatypeConstants;
import javax.xml.datatype.DatatypeFactory;
import javax.xml.datatype.XMLGregorianCalendar;

public class MainPost {

	public static void main(String[] args) {

		try {

			MyService service = new MyService();
			MyServicePort myServicePort = service.getMySoapPort();

			// This is the block that apply the Ws Security to the request
			BindingProvider bindingProvider = (BindingProvider) myServicePort;
			List<Handler> handlerChain = new ArrayList<Handler>();
			handlerChain.add(new WSSecurityHeaderSOAPHandler("myUsername", "myPassword"));

			RequestType myRequest = new RequestType();

			ResponseType response = myServicePort.searchSomething(myRequest);

		} catch (Exception e) {

File: – This is a handler responsible for creating the header authentication.

import java.util.Set;

import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPHeader;

public class WSSecurityHeaderSOAPHandler implements SOAPHandler<SOAPMessageContext> {

 private static final String SOAP_ELEMENT_PASSWORD = "Password";
 private static final String SOAP_ELEMENT_USERNAME = "Username";
 private static final String SOAP_ELEMENT_USERNAME_TOKEN = "UsernameToken";
 private static final String SOAP_ELEMENT_SECURITY = "Security";
 private static final String NAMESPACE_SECURITY = "";
 private static final String PREFIX_SECURITY = "wsse";

 private String usernameText;
 private String passwordText;

 public WSSecurityHeaderSOAPHandler(String usernameText, String passwordText) {
 this.usernameText = usernameText;
 this.passwordText = passwordText;

 public boolean handleMessage(SOAPMessageContext soapMessageContext) {

 Boolean outboundProperty = (Boolean) soapMessageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);

 if (outboundProperty.booleanValue()) {

 try {
 SOAPEnvelope soapEnvelope = soapMessageContext.getMessage().getSOAPPart().getEnvelope();

 SOAPHeader header = soapEnvelope.getHeader();
 if (header == null) {
 header = soapEnvelope.addHeader();

 SOAPElement soapElementSecurityHeader = header.addChildElement(SOAP_ELEMENT_SECURITY, PREFIX_SECURITY,

 SOAPElement soapElementUsernameToken = soapElementSecurityHeader.addChildElement(SOAP_ELEMENT_USERNAME_TOKEN, PREFIX_SECURITY);
 SOAPElement soapElementUsername = soapElementUsernameToken.addChildElement(SOAP_ELEMENT_USERNAME, PREFIX_SECURITY);

 SOAPElement soapElementPassword = soapElementUsernameToken.addChildElement(SOAP_ELEMENT_PASSWORD, PREFIX_SECURITY);

 } catch (Exception e) {
 throw new RuntimeException("Error on wsSecurityHandler: " + e.getMessage());


 return true;

 public void close(MessageContext context) {
 // TODO Auto-generated method stub

 public boolean handleFault(SOAPMessageContext context) {
 // TODO Auto-generated method stub
 return true;

 public Set<QName> getHeaders() {
 // TODO Auto-generated method stub
 return null;

Xml Request: This is the payload request that Java Client request to the server.

<soapenv:Envelope xmlns:soapenv="">
 <wsse:Security xmlns:wsse="">
 <wsse:Password Type="">myPassword</wsse:Password>

25 thoughts on “How to consume a WebService that uses Ws-Security Authentication (UsernameToken) – OWSM – Oracle Service Bus (OSB)

  1. I am not understanding what is MyService class and Request , Response type which jar or which file i have to import for that ? any one has idea please suggest me

    1. Hello Nrup,

      When you generate your Stub (WS Client), using the command wsimport http://yourEndpointHere, you get many and many Java Classes, this is what you are searching for.

      See this link:

      package simpleclient;

      import helloservice.endpoint.HelloService;
      import helloservice.endpoint.Hello;

      public class HelloClient {
      static HelloService service;

      public static void main(String[] args) {
      try {
      HelloClient client = new HelloClient();
      } catch(Exception e) {

  2. Thank you very much for the post , a question, I ‘m new to this but I want to ask about the method boolean handleMessage receiving a filter SOAPMessageContext data type . that parameter is that I have to send?…
    Thanks in advance

    1. Hello Alex,

      The method handleMessage is needed by Interface SOAPHandler, in this example this method
      is required to put the security header in the message.
      The parameter myRequest is the information that you have to send to the WS.

      Victor Jabur

  3. I implemented as follows:
    BindingProvider bindingProvider = (BindingProvider) portLoanStatusInterface;
    List handlerChain = new ArrayList();
    handlerChain.add(new WSSecurityHeaderSOAPHandler(“ws.FFE”, “telecel123”));

    LoanStatusResponse loanStatusResponse = portLoanStatusInterface.loanStatus(loanStatusRequest);

    I think it’s the same way you did in the class. but I still reports the error of invalid user.
    then try to implement it as follows….

    I was first doing an instance of the WSSecurityHeaderSOAPHandler class and then invoke the method handleMessage, for example:
    WSSecurityHeaderSOAPHandler example = new WSSecurityHeaderSOAPHandler (“asd”, “asd”);
    example.handleMessage (“?????????”); and that is the method in which not sendin ‘…

    thank you very much for your help 🙂

  4. you must add this code:

    SOAPElement soapElementPassword = soapElementUsernameToken.addChildElement(SOAP_ELEMENT_PASSWORD, PREFIX_SECURITY);
     soapElementPassword.setAttribute(“Type”, “”);

  5. Hi Victor:

    I run the code I get the following error:

    run: –
    at com.sun.proxy.$Proxy20.sendBill(Unknown Source)
    at testwss.TestWSS.main(
    BUILD SUCCESSFUL (total time: 3 seconds)

  6. very interesting, but how about if you have to generate a header like this:


    (UsernameToken and Nonce)

  7. I am using your code for adding wsse header to my soap request but getting this error :

    Caused by: org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
    at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault( ~[cxf-rt-bindings-soap-2.4.6.jar:2.4.6]
    at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage( ~[cxf-rt-bindings-soap-2.4.6.jar:2.4.6]
    at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage( ~[cxf-rt-bindings-soap-2.4.6.jar:2.4.6]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept( ~[cxf-api-2.4.6.jar:2.4.6]
    at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage( ~[cxf-rt-core-2.4.6.jar:2.4.6]
    at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage( ~[cxf-rt-frontend-jaxws-2.4.6.jar:2.4.6]
    at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage( ~[cxf-rt-frontend-jaxws-2.4.6.jar:2.4.6]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept( ~[cxf-api-2.4.6.jar:2.4.6]
    at org.apache.cxf.endpoint.ClientImpl.onMessage( ~[cxf-rt-core-2.4.6.jar:2.4.6]

    It seems SOAPEnvelope is empty in WSSecurityHeaderSoapHandler. What am I missing ?

    1. Hello SHAILENDRA,

      Certainly your SoapHeader is empty or mallformed. It’s complicated to tell something without view the sourcecode.

      I don’t know how can I help you.

  8. Hi Victor, I found and fixed the problem. I needed to set Type to password element ,

    Thanks !

  9. Hello victor , i’m getting classcast exception when i’m using
    BindingProvider bp=(BindingProvider)port;
    Do you know any work around for this??
    Thanks ,

  10. Hi victor after implementing the same am not able to call the service
    am using the clientgen implemention could you please help.
    am not able to pass the security credentials.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s