Posted to java-user@axis.apache.org by Anna Krajewska <a....@wasko.pl> on 2006/02/16 08:24:51 UTC

WSS4j with "passwordText" doesn't work (library bug?)

Hi

I've noticed that when I try to connect to my web service with a proper login but a bad password, no errors appear and I get all the information I wanted in the response. I downloaded the source of wss4j and traced the whole road that the password and login take to be verified. Unfortunately there are many things that are not very clear to me, and I got lost in one place, but as I see it, in case the password is sent not encrypted (passwordDigest) but in simple text (passwordText), the class that is supposed to verify it does completely nothing. I'm not sure if I understand it right, because it seems quite impossible that the Apache programmers left such a big bug in the library. So I'm asking what I did wrong:

client wsdd file:
(...)
<requestFlow>
<handler type="java:org.apache.ws.axis.security.WSDoAllSender">
  <parameter name="action" value="UsernameToken"/>
  <parameter name="passwordCallbackClass" value="TestCallback"/>
  <parameter name="user" value="test"/>
  <parameter name="passwordType" value="PasswordText" />
</handler>
</requestFlow>
(...)

server wsdd file:
(...)
<requestFlow>
<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
  <parameter name="action" value="UsernameToken"/>
  <parameter name="passwordCallbackClass" value="PWCallback"/>
  <parameter name="passwordType" value="PasswordText" />
</handler>
</requestFlow>
(...)

sample PWCallback class:

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

// Referenced from the server wsdd above as passwordCallbackClass="PWCallback"
public class PWCallback implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

                // Hands the stored password for user "test" back to WSS4J;
                // nothing here looks at the password the client actually sent.
                if ("test".equals(pc.getIdentifer()))
                    pc.setPassword("test");
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }
}

The TestCallback class returns a completely different password for the user "test" than PWCallback does, and everything goes right.
My question is: is it my mistake, or is this really a bug in the library that should be removed? Has anyone had such a problem?

Regards

Ania

Re: WSS4j with "passwordText" doesn't work

Posted by Ulf Dittmer <ul...@ulfdittmer.com>.
Hi-

It's a little counter-intuitive, because it works in different ways
depending on whether you use cleartext or digested passwords. I'm
attaching a handler that does both, and which works fine for me.

Ulf


import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class PWCallback implements CallbackHandler {

  // the username and password we expect incoming WS calls to use
  private String user = "wsuser";
  private String pwd = "wspwd";

  public void handle(Callback[] callbacks) throws IOException,
      UnsupportedCallbackException {
    for (int i = 0; i < callbacks.length; i++) {
      if (callbacks[i] instanceof WSPasswordCallback) {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

        if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
          // digested password: we hand WSS4J the stored password and it
          // recomputes the digest and compares it with the token's own
          if (user.equals(pc.getIdentifer()))
            pc.setPassword(pwd);
        } else if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
          // cleartext password: WSS4J hands us the password as received and
          // the handler itself must reject a bad one by throwing; returning
          // normally lets the call through
          if (!user.equals(pc.getIdentifer()))
            throw new IOException("unknown user: " + pc.getIdentifer());

          if (!pwd.equals(pc.getPassword()))
            throw new IOException("password incorrect for user: " + pc.getIdentifer());
        }
      } else {
        throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
      }
    }
  }
}
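The following harness is an added example and is not part of either post above or of WSS4J itself. It drives a CallbackHandler the way the reply describes WSS4J 1.x driving it for a PasswordText UsernameToken (usage USERNAME_TOKEN_UNKNOWN, the received password already set on the callback, and "no exception" meaning the credentials were accepted), so the two handler styles from the thread can be compared offline without a SOAP message or an Axis deployment. The class name PasswordTextHandlerCheck, the sample credentials and the use of the two-argument WSPasswordCallback(String, int) constructor are this example's own assumptions.

```java
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

// Assumed harness (not WSS4J code): feeds a handler the callback WSS4J 1.x
// is described as using for cleartext passwords and reports whether the
// handler let the credentials through. No SOAP envelope is parsed.
public class PasswordTextHandlerCheck {

    // True when the handler returned without throwing, which is what
    // WSS4J treats as "password accepted" for USERNAME_TOKEN_UNKNOWN.
    static boolean accepted(CallbackHandler handler, String user, String sentPassword) {
        WSPasswordCallback pc =
            new WSPasswordCallback(user, WSPasswordCallback.USERNAME_TOKEN_UNKNOWN);
        pc.setPassword(sentPassword);  // what the client put in wsse:Password
        try {
            handler.handle(new Callback[] { pc });
            return true;
        } catch (IOException e) {
            return false;
        } catch (UnsupportedCallbackException e) {
            return false;
        }
    }

    // Handler in the style of the first post: looks the password up for the
    // digest case and compares nothing, so it never throws.
    static CallbackHandler lookupOnly() {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) {
                for (int i = 0; i < callbacks.length; i++) {
                    if (!(callbacks[i] instanceof WSPasswordCallback)) continue;
                    WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                    if ("test".equals(pc.getIdentifer()))
                        pc.setPassword("test");
                }
            }
        };
    }

    // Handler in the style of the reply: for the cleartext usage it compares
    // the received password itself and rejects by throwing.
    static CallbackHandler verifying() {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException {
                for (int i = 0; i < callbacks.length; i++) {
                    if (!(callbacks[i] instanceof WSPasswordCallback)) continue;
                    WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                    if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN_UNKNOWN)
                        continue;
                    if (!"test".equals(pc.getIdentifer()))
                        throw new IOException("unknown user: " + pc.getIdentifer());
                    if (!"test".equals(pc.getPassword()))
                        throw new IOException("password incorrect for user: " + pc.getIdentifer());
                }
            }
        };
    }

    public static void main(String[] args) {
        // Constructed cases: the only pair that should ever pass is test/test.
        String[][] cases = { { "test", "test" }, { "test", "wrong" }, { "nobody", "test" } };
        boolean lookupOnlyCorrect = true;
        boolean verifyingCorrect = true;
        for (int i = 0; i < cases.length; i++) {
            String user = cases[i][0];
            String sent = cases[i][1];
            boolean shouldPass = "test".equals(user) && "test".equals(sent);
            boolean naive = accepted(lookupOnly(), user, sent);
            boolean strict = accepted(verifying(), user, sent);
            System.out.println(user + " / " + sent
                + ": lookup-only accepted=" + naive + ", verifying accepted=" + strict);
            if (naive != shouldPass) lookupOnlyCorrect = false;
            if (strict != shouldPass) verifyingCorrect = false;
        }
        System.out.println("lookup-only handler rejects bad credentials: " + lookupOnlyCorrect);
        System.out.println("verifying handler rejects bad credentials:   " + verifyingCorrect);
    }
}
```

Run against wss4j 1.x on the classpath, the lookup-only handler reports accepted=true for all three cases, including the wrong password and the unknown user, while the verifying handler accepts only test/test. That is the behaviour the first post observed in production: with PasswordText the handler is the only thing standing between the caller and the service, so a handler that never throws is an authentication bypass, not a misconfiguration.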