Posted to wss4j-dev@ws.apache.org by George Stanchev <Gs...@serena.com> on 2007/08/02 15:37:55 UTC

RE: username token with different signature user using deprecated configuration structures

Well,

To answer my own question for the sake of getting into the archives.

I still haven't found a way to do "UsernameToken Signature" in the same
action line - only a single user is allowed to be specified.

However I got around the problem by "decorating" the properties that
go in the second set of actions with the string "1" at the end:

options.put("cyrpto_props", cryptoProvider); 
options.put("cyrpto_props1", cryptoProvider); 
options.put(WSHandlerConstants.PW_CALLBACK_REF, myCallback); 
options.put(WSHandlerConstants.PW_CALLBACK_REF + "1", myCallback); 

Why? Because WSS4J uses recursion to handle multiple outflow securities
and because all the security parameters are communicated via the
properties of the message context (which is only plain <name, value>
pairs).
And so to support it, all "recursed" outflow security structures are
"flattened" by adding a digit to the name of the parameter.

However when "global" parameters are requested (ones that are not
specific for the currently processed outflow security) they still
use the helper getters that decorate the param names. And so both
the crypto_props and the callback handler names need to be hacked
in order for WSS4J to find them.

Now the question to WSS4J developers is:

Do you need a JIRA for this and would that affect the Policy-based
configuration?

Best Regards,
George

-----Original Message-----
From: George Stanchev [mailto:Gstanchev@serena.com] 
Sent: Friday, June 29, 2007 10:21 AM
To: wss4j-dev@ws.apache.org; rampart-dev@ws.apache.org
Subject: username token with different signature user using deprecated configuration structures

Hi,

I am trying to create a message with "Timestamp UsernameToken Signature"
actions using
the old deprecated InflowConfiguration() and OutflowConfiguration()
settings (please no "switch to policy-based config" suggestions) and I
am having a little trouble making it work when the subject in the
wsse:UsernameToken needs to be different than the one signing the
message.

Here is what I do:

// two action sets: [0] Timestamp + UsernameToken, [1] Signature
OutflowConfiguration ofc = new OutflowConfiguration(2);

// action set [0]: UsernameToken subject
ofc.setActionItems("Timestamp UsernameToken");
ofc.setUser("joeshmoe");
ofc.setPasswordType(WSConstants.PW_TEXT);
myCallback.setUTUsername("joeschmoe");
myCallback.setUTPassword("joeschmoe's secret");

// action set [1]: signing subject
ofc.nextAction();
ofc.setUser("signature-joeshmoe");
ofc.setSignaturePropRefId("cyrpto_props");
ofc.setSignatureKeyIdentifier("DirectReference");
ofc.setOptimizeParts(...blah-blah...);
myCallback.setKeystorePassword("secret");
myCallback.setSignatureKeyAlias("joeshmoes-key-alias");
ofc.previousAction();  // to reset to the action list [0]

Properties cryptoProvider  = new Properties();
cryptoProvider.setProperty("org.apache.ws.security.crypto.provider",
"org.apache.ws.security.components.crypto.Merlin");
cryptoProvider.setProperty("org.apache.ws.security.crypto.merlin.file",
"c:/keystore.jks");
cryptoProvider.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
cryptoProvider.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", "secret");

options.put("cyrpto_props", cryptoProvider);
options.put(WSHandlerConstants.PW_CALLBACK_REF, myCallback);

// invoke

However, when I have two actions entries, the signature handler from
within wss4j is complaining that it cannot find the crypto_props.

That works fine if I have 1 action entry (say "Timestamp UsernameToken
Signature").

Any ideas what I need to do to pass the crypto provider to the
signature handler?

I am using Rampart 1.2 btw...

Thanks in advance!

George
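The workaround described above (registering the shared crypto properties and password callback under the plain name and under each index-decorated name), generalized to any number of action sets. This is an added example, not code from the thread or from WSS4J/Rampart; DecoratedOptions, putForAllActionSets and lookup are hypothetical helpers, the lookup method only models the decorated-name convention the thread describes, and WSS4J 1.5/Rampart 1.2 is assumed on the classpath for WSHandlerConstants.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.callback.CallbackHandler;
import org.apache.ws.security.handler.WSHandlerConstants;

/**
 * Hypothetical helper (not part of WSS4J or Rampart). WSS4J flattens the
 * recursed outflow action sets by appending an index digit to parameter
 * names, so values every action set must see (crypto properties, password
 * callback) are registered under every decorated name.
 */
public final class DecoratedOptions {

    /** Registers value under key (action set 0) and key + "1" ... key + (actionSets - 1). */
    public static void putForAllActionSets(Map<String, Object> options, String key,
                                           Object value, int actionSets) {
        if (actionSets < 1) {
            throw new IllegalArgumentException("need at least one action set");
        }
        options.put(key, value);
        for (int i = 1; i < actionSets; i++) {
            options.put(key + i, value);
        }
    }

    /** Models the decorated lookup described in the thread: index 0 is undecorated. */
    public static Object lookup(Map<String, Object> options, String key, int actionIndex) {
        return options.get(actionIndex == 0 ? key : key + actionIndex);
    }

    public static void main(String[] args) {
        Properties crypto = new Properties();   // same Merlin settings as in the thread
        crypto.setProperty("org.apache.ws.security.crypto.provider",
                "org.apache.ws.security.components.crypto.Merlin");
        crypto.setProperty("org.apache.ws.security.crypto.merlin.file", "c:/keystore.jks");
        crypto.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
        crypto.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", "secret");
        CallbackHandler callback = callbacks -> { };  // placeholder for the real password callback

        Map<String, Object> options = new HashMap<>();
        int actionSets = 2;   // [0] "Timestamp UsernameToken", [1] "Signature"
        putForAllActionSets(options, "cyrpto_props", crypto, actionSets);
        putForAllActionSets(options, WSHandlerConstants.PW_CALLBACK_REF, callback, actionSets);

        // The Signature handler runs in action set 1 and asks for the decorated name.
        if (lookup(options, "cyrpto_props", 1) != crypto) {
            throw new IllegalStateException("signature action set cannot see crypto properties");
        }
        System.out.println("options registered: " + options.keySet());
    }
}
```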





---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org




RE: username token with different signature user using deprecated configuration structures

Posted by at4david <at...@gmail.com>.
Hi, I think I have the same problem as you. I want to sign the SOAP
body with a user (the owner of its certificate; this username will be the
alias in the keystore where the signing certificate is stored) and I also
want to use a UsernameToken with a username and password different from
the user and the secret key of the certificate. Is this possible, or can
the client only specify one username and password, which must be the
same for the certificate as for the UsernameToken?

Thanks in advance

