Posted to users@camel.apache.org by garethahealy <ga...@gmail.com> on 2014/10/30 15:58:14 UTC
CXF with WS-Security using JAAS
I am trying to secure a CXF endpoint with JAAS, but am hitting an issue/not
fully understanding how to get the PasswordDigest working. I have the
solution working when the password type is PasswordText. So I've created a
new realm, which points to a file as per below:
<jaas:config name="webservices" rank="-1">
    <jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
                 flags="required">
        users = $[karaf.base]/etc/com.garethahealy.webservices.cfg
        encryption.enabled = true
        encryption.name = jasypt
        encryption.prefix = ENC(
        encryption.suffix = )
        detailed.login.exception = true
        debug = true
    </jaas:module>
</jaas:config>
The contents of the file on first run are 'user.gareth=healy', which is then
re-written after the first call, to be ENC(hashed value), which seems
correct.
Below is the WSS4J / JAAS / CXF setup:
<bean id="authenticationInterceptor"
      class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
    <property name="contextName" value="webservices"/>
    <property name="reportFault" value="true"/>
</bean>

<bean id="wss4jInInterceptor"
      class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <argument>
        <map>
            <entry key="action" value="UsernameToken Timestamp" />
            <entry key="passwordType" value="PasswordDigest" /> <!-- PasswordText / PasswordDigest -->
        </map>
    </argument>
</bean>

<cxf:cxfEndpoint id="helloWorldCxf"
                 address="${cxf.helloworld.transport}://0.0.0.0:${cxf.helloworld.port}/cxf/helloWorldService"
                 serviceClass="com.garethahealy.helloworld.HelloWorldEndpoint">
    <cxf:inInterceptors>
        <ref component-id="wss4jInInterceptor" />
        <ref component-id="authenticationInterceptor" />
    </cxf:inInterceptors>
    <cxf:properties>
        <entry key="schema-validation-enabled" value="${schema.validation.enabled}" />
        <entry key="loggingFeatureEnabled" value="${logging.isCxfDebug}" />
        <entry key="ws-security.validate.token" value="false"/>
    </cxf:properties>
</cxf:cxfEndpoint>
Below is the request when sending PasswordDigest:
Address: http://0.0.0.0:9001/cxf/helloWorldService
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml;charset=UTF-8
Headers: {accept-encoding=[gzip,deflate], connection=[keep-alive],
Content-Length=[1242], content-type=[text/xml;charset=UTF-8],
Host=[0.0.0.0:9001],
SOAPAction=["http://helloworld.garethahealy.com/SayHello"],
User-Agent=[Apache-HttpClient/4.1.1 (java 1.5)]}
Payload:
<soapenv:Envelope xmlns:hel="http://helloworld.garethahealy.com"
                  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                       soapenv:mustUnderstand="1">
            <wsu:Timestamp wsu:Id="TS-85795D5F327115C93A141467959615289">
                <wsu:Created>2014-10-30T14:33:16Z</wsu:Created>
                <wsu:Expires>2014-10-30T14:33:17Z</wsu:Expires>
            </wsu:Timestamp>
            <wsse:UsernameToken wsu:Id="UsernameToken-85795D5F327115C93A141467959615188">
                <wsse:Username>user.gareth</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">y2rUhVaSPSYGGJxx5vz/gAe8Kxo=</wsse:Password>
                <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">AsgNPh2VykCuQ0CN4EvRPw==</wsse:Nonce>
                <wsu:Created>2014-10-30T14:33:16.151Z</wsu:Created>
            </wsse:UsernameToken>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
        <hel:helloWorldRequest>
            <hello>gareth</hello>
        </hel:helloWorldRequest>
    </soapenv:Body>
</soapenv:Envelope>
Which fails on the password match with: Unauthorized : Password for
user.gareth does not match.
Any pointers to what I am doing wrong would be helpful. This is running on
JBoss Fuse 6.1 - redhat379 and I am sending the request from SoapUI 5.
--
View this message in context: http://camel.465427.n5.nabble.com/CXF-with-WS-Security-using-JAAS-tp5758345.html
Sent from the Camel - Users mailing list archive at Nabble.com.
Re: CXF with WS-Security using JAAS
Posted by Colm O hEigeartaigh <co...@apache.org>.
The assumption with JAAS login modules is that the password is to be
compared "as is". For the digest case you could simply store the passwords
in a digest form in the properties file.
Colm.
On Mon, Nov 3, 2014 at 10:52 AM, garethahealy <ga...@gmail.com>
wrote:
> I've also added the code to my GitHub account @
> https://github.com/garethahealy/jboss-fuse-examples - ws-security-*
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
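
Why the PasswordDigest request in this thread cannot match under an "as is" comparison, shown as an added example that is not code from the posters or from CXF/WSS4J: the WS-Security UsernameToken Profile 1.0 digest is Base64(SHA-1(nonce + created + password)), so the value on the wire changes with every nonce. The password, nonces, timestamp and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    nonce = base64.b64decode(nonce_b64)  # the nonce is hashed as raw bytes
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def compare_as_is(stored: str, wire_password: str) -> bool:
    """Simplified stand-in for a login module that compares the submitted
    value directly with the stored one (an assumption, not Karaf's code)."""
    return hmac.compare_digest(stored.encode(), wire_password.encode())


def validate_digest(stored: str, nonce_b64: str, created: str,
                    wire_digest: str) -> bool:
    """Digest-aware check: recompute from the stored password, nonce and
    created values, then compare in constant time."""
    expected = password_digest(nonce_b64, created, stored)
    return hmac.compare_digest(expected.encode(), wire_digest.encode())


# Constructed sample values (not taken from the thread).
STORED = "example-password"
CREATED = "2014-10-30T14:33:16.151Z"
NONCE_1 = base64.b64encode(b"constructed-nonce-01").decode("ascii")
NONCE_2 = base64.b64encode(b"constructed-nonce-02").decode("ascii")


def demo() -> dict:
    d1 = password_digest(NONCE_1, CREATED, STORED)
    d2 = password_digest(NONCE_2, CREATED, STORED)
    return {
        "text_as_is": compare_as_is(STORED, STORED),    # PasswordText case
        "digest_as_is": compare_as_is(STORED, d1),      # PasswordDigest case
        "digest_changes_with_nonce": d1 != d2,
        "recomputed": validate_digest(STORED, NONCE_1, CREATED, d1),
        "wrong_password": validate_digest("other", NONCE_1, CREATED, d1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
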
Re: CXF with WS-Security using JAAS
Posted by garethahealy <ga...@gmail.com>.
I've also added the code to my GitHub account @
https://github.com/garethahealy/jboss-fuse-examples - ws-security-*