Posted to users@camel.apache.org by garethahealy <ga...@gmail.com> on 2014/10/30 15:58:14 UTC

CXF with WS-Security using JAAS

I am trying to secure a CXF endpoint with JAAS, but am hitting an issue/not
fully understanding how to get PasswordDigest working. I have the
solution working when the password type is PasswordText. So I've created a
new realm, which points to a file as per below:
<jaas:config name="webservices" rank="-1">
    <jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
                 flags="required">
        users = $[karaf.base]/etc/com.garethahealy.webservices.cfg
        encryption.enabled = true
        encryption.name = jasypt
        encryption.prefix = ENC(
        encryption.suffix = )
        detailed.login.exception = true
        debug = true
    </jaas:module>
</jaas:config>
The contents of the file on first run is 'user.gareth=healy', which is then
re-written after the first call to be ENC(hashed value), which seems
correct. Below is the WSS4J / JAAS / CXF setup:
<bean id="authenticationInterceptor"
      class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
    <property name="contextName" value="webservices"/>
    <property name="reportFault" value="true"/>
</bean>

<bean id="wss4jInInterceptor"
      class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <argument>
        <map>
            <entry key="action" value="UsernameToken Timestamp"/>
            <entry key="passwordType" value="PasswordDigest"/> <!-- PasswordText / PasswordDigest -->
        </map>
    </argument>
</bean>

<cxf:cxfEndpoint id="helloWorldCxf"
                 address="${cxf.helloworld.transport}://0.0.0.0:${cxf.helloworld.port}/cxf/helloWorldService"
                 serviceClass="com.garethahealy.helloworld.HelloWorldEndpoint">
    <cxf:inInterceptors>
        <ref component-id="wss4jInInterceptor"/>
        <ref component-id="authenticationInterceptor"/>
    </cxf:inInterceptors>
    <cxf:properties>
        <entry key="schema-validation-enabled" value="${schema.validation.enabled}"/>
        <entry key="loggingFeatureEnabled" value="${logging.isCxfDebug}"/>
        <entry key="ws-security.validate.token" value="false"/>
    </cxf:properties>
</cxf:cxfEndpoint>
Below is the request when sending PasswordDigest:
Address: http://0.0.0.0:9001/cxf/helloWorldService
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml;charset=UTF-8
Headers: {accept-encoding=[gzip,deflate], connection=[keep-alive], Content-Length=[1242], content-type=[text/xml;charset=UTF-8], Host=[0.0.0.0:9001], SOAPAction=["http://helloworld.garethahealy.com/SayHello"], User-Agent=[Apache-HttpClient/4.1.1 (java 1.5)]}
Payload:
<soapenv:Envelope xmlns:hel="http://helloworld.garethahealy.com"
                  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                       soapenv:mustUnderstand="1">
            <wsu:Timestamp wsu:Id="TS-85795D5F327115C93A141467959615289">
                <wsu:Created>2014-10-30T14:33:16Z</wsu:Created>
                <wsu:Expires>2014-10-30T14:33:17Z</wsu:Expires>
            </wsu:Timestamp>
            <wsse:UsernameToken wsu:Id="UsernameToken-85795D5F327115C93A141467959615188">
                <wsse:Username>user.gareth</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">y2rUhVaSPSYGGJxx5vz/gAe8Kxo=</wsse:Password>
                <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">AsgNPh2VykCuQ0CN4EvRPw==</wsse:Nonce>
                <wsu:Created>2014-10-30T14:33:16.151Z</wsu:Created>
            </wsse:UsernameToken>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
        <hel:helloWorldRequest>
            <hello>gareth</hello>
        </hel:helloWorldRequest>
    </soapenv:Body>
</soapenv:Envelope>
Which fails on the password match with: Unauthorized : Password for
user.gareth does not match. Any pointers to what I am doing wrong would be
helpful. This is running on JBoss Fuse 6.1 - redhat379 and I am sending the
request from SoapUI 5.



--
View this message in context: http://camel.465427.n5.nabble.com/CXF-with-WS-Security-using-JAAS-tp5758345.html
Sent from the Camel - Users mailing list archive at Nabble.com.

Re: CXF with WS-Security using JAAS

Posted by Colm O hEigeartaigh <co...@apache.org>.
The assumption with JAAS login modules is that the password is to be
compared "as is". For the digest case you could simply store the passwords
in a digest form in the properties file.

Colm.

On Mon, Nov 3, 2014 at 10:52 AM, garethahealy <ga...@gmail.com>
wrote:

> I've also added the code to my github account @
> https://github.com/garethahealy/jboss-fuse-examples - ws-security-*



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
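Added example, not code from the thread or from CXF/Karaf, to show why the PasswordDigest token in the first post cannot be checked by comparing the password field "as is": under the WS-Security UsernameToken Profile the digest is SHA-1 over the random nonce, the Created timestamp and the password, so the verifying side must recompute it from the stored password, and the match only holds for that one nonce and time window. The password "healy" is taken from the cfg line in the post; the nonce, timestamps and digest below are generated here rather than copied from the logged request, and the freshness window and nonce cache are assumptions about what a verifier should enforce.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# WS-Security UsernameToken Profile 1.0:
#   Password_Digest = Base64(SHA-1(nonce + created + password))
# nonce is the raw (base64-decoded) nonce bytes; created and password are UTF-8 text.
def password_digest(nonce_b64, created, password):
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def make_token(username, password, created=None):
    """Client side (constructed): the fields a client such as SoapUI puts in a digest token."""
    nonce_b64 = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"username": username, "nonce": nonce_b64, "created": created,
            "digest": password_digest(nonce_b64, created, password)}

def parse_created(created):
    # Accept both "...:16Z" and "...:16.151Z" as seen in the logged request.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in created else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)

def as_is_compare(stored_password, presented):
    """What a plaintext JAAS login module does: equality on the presented string."""
    return hmac.compare_digest(stored_password.encode(), presented.encode())

def verify_digest_token(token, stored_password, seen_nonces, now=None, max_age=300):
    """Server side: recompute the digest, which requires the original password."""
    now = now or datetime.now(timezone.utc)
    if abs((now - parse_created(token["created"])).total_seconds()) > max_age:
        return False, "Created timestamp outside the freshness window"
    if token["nonce"] in seen_nonces:          # assumed replay cache, keyed by nonce
        return False, "nonce already seen (replay)"
    expected = password_digest(token["nonce"], token["created"], stored_password)
    if not hmac.compare_digest(expected, token["digest"]):
        return False, "digest does not match"
    seen_nonces.add(token["nonce"])
    return True, "ok"

if __name__ == "__main__":
    tok = make_token("user.gareth", "healy")
    print("JAAS as-is compare:", as_is_compare("healy", tok["digest"]))   # False
    print("digest verify:", verify_digest_token(tok, "healy", set()))     # (True, 'ok')
```

Running it shows the two outcomes side by side: the plaintext comparison that a properties login module performs rejects the digest string, while recomputing the digest from the stored password accepts it once and rejects the same nonce a second time.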

Re: CXF with WS-Security using JAAS

Posted by garethahealy <ga...@gmail.com>.
I've also added the code to my github account @
https://github.com/garethahealy/jboss-fuse-examples - ws-security-*



--
View this message in context: http://camel.465427.n5.nabble.com/CXF-with-WS-Security-using-JAAS-tp5758345p5758447.html
Sent from the Camel - Users mailing list archive at Nabble.com.