Posted to users@servicemix.apache.org by André Szdzuy <as...@axway.com> on 2007/08/30 13:19:36 UTC

Dynamic username when using WSS signature in a HTTP provider endpoint

Hi,
I have configured a provider endpoint for servicemix-http using an xbean.xml
like in the Outbound Signature example in the docs.
Now I don't want to give the username for the signature hard-coded in the
xbean.xml as in the example but dynamically at runtime.
How can I do that?

I have seen that method onSend() in class
org.apache.servicemix.soap.handlers.security.WSSecurityHandler tries to get
the username from the properties map and the message context before it takes
the value from the xbean.xml.
How can I achieve that there is a "user" value in the properties or message
context? I already tried to set a "user" property in the Exchange object and
a securitySubject in the NormalizedMessage which I send to servicemix-http -
no difference... 

Any ideas?

Thanks for your help...

André

-- 
View this message in context: http://www.nabble.com/Dynamic-username-when-using-WSS-signature-in-a-HTTP-provider-endpoint-tf4353514s12049.html#a12405017
Sent from the ServiceMix - User mailing list archive at Nabble.com.


Re: Dynamic username when using WSS signature in a HTTP provider endpoint

Posted by André Szdzuy <as...@axway.com>.
Thanks for your reply! 
If I understand your posting with the transform method correctly I would
have to create the whole signature node of the security header manually
which is not really an option. For more simple nodes like UsernameToken this
might be ok, but the signature I want to be created by Servicemix.

Regards
André



Michal wrote:
> 
> As a last resort you can simply create the security header manually.
> See this post:
> http://www.nabble.com/forum/ViewPost.jtp?post=11983013&framed=y&skin=12049
> 
> Michal
> 

-- 
View this message in context: http://www.nabble.com/Dynamic-username-when-using-WSS-signature-in-a-HTTP-provider-endpoint-tf4353514s12049.html#a12408169
Sent from the ServiceMix - User mailing list archive at Nabble.com.


Re: Dynamic username when using WSS signature in a HTTP provider endpoint

Posted by Michal <ca...@yahoo.com>.
As a last resort you can simply create the security header manually.
See this post:
http://www.nabble.com/forum/ViewPost.jtp?post=11983013&framed=y&skin=12049

Michal
-- 
View this message in context: http://www.nabble.com/Dynamic-username-when-using-WSS-signature-in-a-HTTP-provider-endpoint-tf4353514s12049.html#a12407855
Sent from the ServiceMix - User mailing list archive at Nabble.com.


Re: Dynamic username when using WSS signature in a HTTP provider endpoint

Posted by Bruce Snyder <br...@gmail.com>.
On 9/4/07, André Szdzuy <as...@axway.com> wrote:
>
> Hm, I think we also have a problem with system properties here because we can
> have several users at the same time. So one request could change the user
> property while another one is still in process, right?
>
> The perfect solution for me would be if the username is handled like the
> locationURI: the value set in the xbean.xml can be overwritten by setting a
> property in the NormalizedMessage. For locationURI this was implemented for
> JIRA SM-695.
>
> If I add the following lines in the process() method in class
> org.apache.servicemix.http.processors.ProviderProcessor, line 132,
> everything is fine:
>
>         Object username = nm.getProperty("user");
>         if (username != null) {
>             context.setProperty("user", username);
>             log.debug("Use username from NormalizedMessage: " + username);
>         }
>
> nm is the NormalizedMessage and context the
> org.apache.servicemix.soap.Context object that is passed to the onSend()
> method of WSSecurityHandler class.
>
> Should I raise a JIRA for that?

You could also consider writing your own marshaler that you plug in
via the xbean.xml. This would allow you to do anything you want to the
normalized message.

Bruce
-- 
perl -e 'print unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
);'

Apache ActiveMQ - http://activemq.org/
Apache ServiceMix - http://servicemix.org/
Apache Geronimo - http://geronimo.apache.org/
Castor - http://castor.org/

Re: Dynamic username when using WSS signature in a HTTP provider endpoint

Posted by André Szdzuy <as...@axway.com>.
Hm, I think we also have a problem with system properties here because we can
have several users at the same time. So one request could change the user
property while another one is still in process, right?

The perfect solution for me would be if the username is handled like the
locationURI: the value set in the xbean.xml can be overwritten by setting a
property in the NormalizedMessage. For locationURI this was implemented for
JIRA SM-695.

If I add the following lines in the process() method in class
org.apache.servicemix.http.processors.ProviderProcessor, line 132,
everything is fine:

        Object username = nm.getProperty("user");
        if (username != null) {
            context.setProperty("user", username);
            log.debug("Use username from NormalizedMessage: " + username);
        }

nm is the NormalizedMessage and context the
org.apache.servicemix.soap.Context object that is passed to the onSend()
method of WSSecurityHandler class.

Should I raise a JIRA for that?

Regards
Andre



bsnyder wrote:
> 
> On 8/31/07, André Szdzuy <as...@axway.com> wrote:
>>
>> Hi Bruce,
>> a properties file is not a solution in my case because I need the
>> username
>> really dynamically at runtime, i.e. for every call to the web service I
>> want
>> to be able to use a different signature certificate (my locationURI is
>> also
>> dynamic and can point to any service).
>>
>> You also mentioned system properties. Do you mean I can put the user name
>> in
>> the system properties and then it is evaluated by servicemix? What's the
>> key
>> name then?
> 
> Yes, it will work with system properties and you can override the
> default behavior via some fields in the class. See the Javadoc for
> more info:
> 
> http://www.springframework.org/docs/api/org/springframework/beans/factory/config/PropertyPlaceholderConfigurer.html
> 
> Bruce
> -- 
> perl -e 'print
> unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
> );'
> 
> Apache ActiveMQ - http://activemq.org/
> Apache ServiceMix - http://servicemix.org/
> Apache Geronimo - http://geronimo.apache.org/
> Castor - http://castor.org/
> 
> 

-- 
View this message in context: http://www.nabble.com/Dynamic-username-when-using-WSS-signature-in-a-HTTP-provider-endpoint-tf4353514s12049.html#a12476599
Sent from the ServiceMix - User mailing list archive at Nabble.com.
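
Added example, not part of the original thread and not ServiceMix code: a self-contained Java sketch of the concern raised in the message above, contrasting a JVM-wide system property with a per-message "user" property that overrides the configured default. The class name, the system property key "demo.signing.user" and the alias allowlist are assumptions made for illustration; plain maps stand in for the NormalizedMessage properties.

```java
import java.util.*;
import java.util.concurrent.*;

// Illustration only: no ServiceMix classes are used. CONFIGURED_USER stands in
// for the username attribute in xbean.xml.
public class SigningUserDemo {
    static final String CONFIGURED_USER = "smx";
    // Hypothetical allowlist of key aliases that a message is permitted to select.
    static final Set<String> ALLOWED = Set.of("smx", "alice", "bob");

    // Per-message lookup: the message property wins, the configured value is the fallback.
    static String resolvePerMessage(Map<String, Object> messageProps) {
        Object user = messageProps.get("user");
        if (user == null) return CONFIGURED_USER;
        String alias = user.toString();
        if (!ALLOWED.contains(alias))
            throw new SecurityException("signing alias not permitted: " + alias);
        return alias;
    }

    // Global lookup: every in-flight request shares one JVM-wide value.
    static String resolveGlobal() {
        return System.getProperty("demo.signing.user", CONFIGURED_USER);
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        CountDownLatch bothSet = new CountDownLatch(2);
        List<Future<String>> results = new ArrayList<>();
        for (String wanted : List.of("alice", "bob")) {
            results.add(pool.submit(() -> {
                System.setProperty("demo.signing.user", wanted); // request picks its user
                bothSet.countDown();
                bothSet.await();                 // the other request has now set it too
                String viaGlobal = resolveGlobal();
                String viaMessage = resolvePerMessage(Map.of("user", wanted));
                return wanted + ": global=" + viaGlobal + " perMessage=" + viaMessage;
            }));
        }
        for (Future<String> f : results) System.out.println(f.get());
        pool.shutdown();
    }
}
```

Both requests read the same global value, so one of the two output lines shows a signing user the request did not ask for, while the per-message lookup is correct for both. The allowlist check keeps a message property from selecting an arbitrary key alias from the keystore.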


Re: Dynamic username when using WSS signature in a HTTP provider endpoint

Posted by Bruce Snyder <br...@gmail.com>.
On 8/31/07, André Szdzuy <as...@axway.com> wrote:
>
> Hi Bruce,
> a properties file is not a solution in my case because I need the username
> really dynamically at runtime, i.e. for every call to the web service I want
> to be able to use a different signature certificate (my locationURI is also
> dynamic and can point to any service).
>
> You also mentioned system properties. Do you mean I can put the user name in
> the system properties and then it is evaluated by servicemix? What's the key
> name then?

Yes, it will work with system properties and you can override the
default behavior via some fields in the class. See the Javadoc for
more info:

http://www.springframework.org/docs/api/org/springframework/beans/factory/config/PropertyPlaceholderConfigurer.html

Bruce
-- 
perl -e 'print unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
);'

Apache ActiveMQ - http://activemq.org/
Apache ServiceMix - http://servicemix.org/
Apache Geronimo - http://geronimo.apache.org/
Castor - http://castor.org/

Re: Dynamic username when using WSS signature in a HTTP provider endpoint

Posted by André Szdzuy <as...@axway.com>.
Hi Bruce,
a properties file is not a solution in my case because I need the username
really dynamically at runtime, i.e. for every call to the web service I want
to be able to use a different signature certificate (my locationURI is also
dynamic and can point to any service). 

You also mentioned system properties. Do you mean I can put the user name in
the system properties and then it is evaluated by servicemix? What's the key
name then?

Any other ideas?

Thanks
André



bsnyder wrote:
> 
> On 8/30/07, André Szdzuy <as...@axway.com> wrote:
>>
>> Hi,
>> I have configured a provider endpoint for servicemix-http using an
>> xbean.xml
>> like in the Outbound Signature example in the docs.
>> Now I don't want to give the username for the signature hard-coded in the
>> xbean.xml as in the example but dynamically at runtime.
>> How can I do that?
>>
>> I have seen that method onSend() in class
>> org.apache.servicemix.soap.handlers.security.WSSecurityHandler tries to
>> get
>> the username from the properties map and the message context before it
>> takes
>> the value from the xbean.xml.
>> How can I achieve that there is a "user" value in the properties or
>> message
>> context? I already tried to set a "user" property in the Exchange object
>> and
>> a securitySubject in the NormalizedMessage which I send to
>> servicemix-http -
>> no difference...
>>
>> Any ideas?
> 
> I always recommend that people use the Spring
> PropertyPlaceholderConfigurer to read in a properties file or some
> system properties where the password is located. Then use property
> dereferencing to set the password in the xbean.xml configuration file.
> Below is an example of this:
> 
> <!-- Read in the properties file containing properties with the passwords
> -->
> <bean id="propertyConfigurer"
>  
> class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
>   <property name="location" value="classpath:foo.properties" />
> </bean>
> 
> <!-- Use property dereferencing to apply the passwords. See the
> ${myKeyStorePasword} and ${myKeyPassword} placeholders below. -->
> <http:endpoint service="my:inputSender"
>                endpoint="endpoint"
>                role="provider"
>                soap="true"
>                locationURI="http://localhost:8192/service/">
>       <http:policies>
>        <soap:ws-security sendAction="Signature" username="smx">
>         <soap:crypto>
>          <bean
> class="org.apache.servicemix.soap.handlers.security.StandaloneCrypto">
>           <property name="keyStoreUrl" value="classpath:keystore.jks" />
>           <property name="keyStorePassword" value="${myKeyStorePasword}"
> />
>           <property name="keyPassword" value="${myKeyPassword}"/>
>         </bean>
>       </soap:crypto>
>     </soap:ws-security>
>   </http:policies>
> </http:endpoint>
> 
> HTH
> 
> Bruce
> -- 
> perl -e 'print
> unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
> );'
> 
> Apache ActiveMQ - http://activemq.org/
> Apache ServiceMix - http://servicemix.org/
> Apache Geronimo - http://geronimo.apache.org/
> Castor - http://castor.org/
> 
> 

-- 
View this message in context: http://www.nabble.com/Dynamic-username-when-using-WSS-signature-in-a-HTTP-provider-endpoint-tf4353514s12049.html#a12424113
Sent from the ServiceMix - User mailing list archive at Nabble.com.


Re: Dynamic username when using WSS signature in a HTTP provider endpoint

Posted by Bruce Snyder <br...@gmail.com>.
On 8/30/07, André Szdzuy <as...@axway.com> wrote:
>
> Hi,
> I have configured a provider endpoint for servicemix-http using an xbean.xml
> like in the Outbound Signature example in the docs.
> Now I don't want to give the username for the signature hard-coded in the
> xbean.xml as in the example but dynamically at runtime.
> How can I do that?
>
> I have seen that method onSend() in class
> org.apache.servicemix.soap.handlers.security.WSSecurityHandler tries to get
> the username from the properties map and the message context before it takes
> the value from the xbean.xml.
> How can I achieve that there is a "user" value in the properties or message
> context? I already tried to set a "user" property in the Exchange object and
> a securitySubject in the NormalizedMessage which I send to servicemix-http -
> no difference...
>
> Any ideas?

I always recommend that people use the Spring
PropertyPlaceholderConfigurer to read in a properties file or some
system properties where the password is located. Then use property
dereferencing to set the password in the xbean.xml configuration file.
Below is an example of this:

<!-- Read in the properties file containing properties with the passwords -->
<bean id="propertyConfigurer"
  class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
  <property name="location" value="classpath:foo.properties" />
</bean>

<!-- Use property dereferencing to apply the passwords. See the
${myKeyStorePasword} and ${myKeyPassword} placeholders below. -->
<http:endpoint service="my:inputSender"
               endpoint="endpoint"
               role="provider"
               soap="true"
               locationURI="http://localhost:8192/service/">
  <http:policies>
    <soap:ws-security sendAction="Signature" username="smx">
      <soap:crypto>
        <bean class="org.apache.servicemix.soap.handlers.security.StandaloneCrypto">
          <property name="keyStoreUrl" value="classpath:keystore.jks" />
          <property name="keyStorePassword" value="${myKeyStorePasword}" />
          <property name="keyPassword" value="${myKeyPassword}" />
        </bean>
      </soap:crypto>
    </soap:ws-security>
  </http:policies>
</http:endpoint>

HTH

Bruce
-- 
perl -e 'print unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
);'

Apache ActiveMQ - http://activemq.org/
Apache ServiceMix - http://servicemix.org/
Apache Geronimo - http://geronimo.apache.org/
Castor - http://castor.org/