Posted to wss4j-dev@ws.apache.org by Oliver Doepner <od...@gmail.com> on 2007/03/25 03:52:14 UTC
PasswordHandler has no access to passwords
Hello,
I am having the following problem:
- We use XFire on the server side to expose a Webservice that calls EJB
methods.
- the XFire webservice is deployed as a webapp in the J2EE server (JBoss
or Weblogic).
- We want to use WS-Security with User Tokens (plain passwords).
- We want to authenticate username/password against the J2EE server.
I need username and password to authenticate against the J2EE server (by
creating an InitialContext with the username as SECURITY_PRINCIPAL and
password as SECURITY_CREDENTIAL). I can't do that in the PasswordHandler
since - as far as I understand - it has no access to the password that
the client sent.
But if I don't implement the PasswordHandler (i.e. don't provide an
"expected" password) then the WSHandler throws an exception.
I thought I could do the authentication in the ValidateUserTokenHandler
using the principal that is extracted from the WS-Results Vectors. But
since I always get an exception in the WSHandler the
ValidateUserTokenHandler is never called.
How can I solve this problem?
Oliver Doepner
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: PasswordHandler has no access to passwords
Posted by Dimuthu <mu...@apache.org>.
Hi Oliver,
When it comes to plain passwords, it is sent in the WSPasswordCallback
object.
So you can overcome the problem by implementing the handle method as
follows.
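import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public void handle(Callback[] callbacks) throws IOException,
        UnsupportedCallbackException {
    for (int i = 0; i < callbacks.length; i++) {
        // Reject callback types this handler does not understand
        // instead of failing with a ClassCastException.
        if (!(callbacks[i] instanceof WSPasswordCallback)) {
            throw new UnsupportedCallbackException(callbacks[i]);
        }
        WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
        // USERNAME_TOKEN_UNKNOWN: the callback carries the password the client sent.
        if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
            String username = pwcb.getIdentifer();
            String passwd = pwcb.getPassword();
            // Your authentication code goes here.
        }
    }
}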
USERNAME_TOKEN_UNKNOWN means plain password type. For more details you
can refer to
http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/WSPasswordCallback.html
Cheers,
Dimuthu
http://wso2.org
On Sat, 2007-03-24 at 22:52 -0300, Oliver Doepner wrote:
> Hello,
>
> I am having the following problem:
>
> - We use XFire on the server side to expose a Webservice that calls EJB
> methods.
> - the XFire webservice is deployed as a webapp in the J2EE server (JBoss
> or Weblogic).
> - We want to use WS-Security with User Tokens (plain passwords).
> - We want to authenticate username/password against the J2EE server.
>
> I need username and password to authenticate against the J2EE server (by
> creating an InitialContext with the username as SECURITY_PRINCIPAL and
> password as SECURITY_CREDENTIAL). I can't do that in the PasswordHandler
> since - as far as I understand - it has no access to the password that
> the client sent.
>
> But if I don't implement the PasswordHandler (i.e. don't provide an
> "expected" password) then the WSHandler throws an exception.
>
> I thought I could do the authentication in the ValidateUserTokenHandler
> using the principal that is extracted from the WS-Results Vectors. But
> since I always get an exception in the WSHandler the
> ValidateUserTokenHandler is never called.
>
> How can I solve this problem?
>
> Oliver Doepner
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>