How to consume a secure SOAP Web service by adding WS-SECURITY SOAP header in Spring Boot Application


Consuming a SOAP based web service is one of the common use cases a developer will come across. There are different implementations like JAX-WS, Axis1/2 and CXF which helps us in calling the web services easily.
While the JAX-WS is the basic implementation built into JDK library for any complex stuff like WS-Security etc we can use Axis or CXF. Apache CXF is JAX-Ws compliant and supports exposing REST as well as SOAP.
For below tutorial, I am going to use CXF implementation

To consume a secure web service we need to follow things in nutshell

  • Generate Java Classes from WSDL using Maven plugin
  • Add UserName Password to WS-Header
  • Calling the Web Service

Adding Maven dependency

To make a call to a secure web service we need to download the associated CXF jars which will be used later.

Generate Java Classes

Apache CXF has CXF-code gen-plugin which can be used to generate Java Classes from WSDL.It can be configured in different ways I have configured it below to generate all the classes in src/main/generated folder under the package com.example.generated

    We need to do following

  • Provide the WSDL file location
  • CXF will generate classes in the specified directory, In our case I have specified it to src/main/generated
  • The generated artifacts can be put in a package by using the <extraargs> parameter.

Here is how the plugin looks like

Adding Source folder

Since in previous step the artifacts were generated under src/main/generated folder we need to make the generated folder as a source folder so all classes will be available and code can be compiled.

    In eclipse, click on your project -> Properties -> Java Build Path and add the src/main/generated as a source folder
    Also, we need to make sure that maven also picks this folder while assembling the code and creating executable file, we can use build-helper-maven-plugin as shown below

The complete POM

POM should have this plugin to be an executable spring boot jar.


Here is how the complete POM looks like, By running mvn generate-sources, CXF will generate artifacts in the defined folder in our case (src/main/generated)

Identifying the Service Interface and Port Class

From our generated classes we need to find the Service Class and right operation which we need to call. The code will generate classes like ObjectFactory which contains various namespaces along with a ServiceInterface which contains the service operations
Open the interface and look for methods which have annotation @WebMethod(action = "serviceOperation") these are the various service operations which have been exposed by WSDL

Another class is also known as Port which implements the service endpoint interface defined by Service will also be in generated folder. We Will use these classes to make a call to web service.

Calling the web service

Create a new instance of Service class

The method  getPort returns a proxy. The parameter in below method specifies the service endpoint interface that is supported by the returned proxy.

Use the BindingProvider interface and type cast port to be of type BindingProvider

Adding UserName Password

Use the properties ws-security.username and ws-security.password to define the UserName and Password

Override the defaultWSDL URL

Adding TimeStamp

If the security policy is defined in the WSDL requires a timestamp to avoid replay attacks CXF will automatically add the timestamp to the request.

Call the Web Service

Invoke the port’s method(service operation)

That’s all, You can add below Logging In and Logging Out interceptor to print request response in code

Related Posts

5 thoughts to “How to consume a secure SOAP Web service in Spring Boot Application”

Would you please provide the code regarding to the final step for “Call the Web Service”?
I got confused with how to create it, and how to setup the “request”?

Thanks for this. I’ve tried to follow a few guides to this – yours explains what’s going on which meant I was able to address the differences I found with the particular WSDL I was using.

I know this is a couple of years old now – but my IDE is telling me LoggingInInterceptor etc are now deprecated.

Leave a Reply

Your email address will not be published. Required fields are marked *