Posted to java-user@axis.apache.org by Anna Krajewska <a....@wasko.pl> on 2006/02/16 08:24:51 UTC
WSS4j with "passwordText" doesn't work (library bug?)
Hi
I've noticed that when I try to connect to my web service with the proper login but a bad password, no errors appear and I get all the information I wanted in the response. I downloaded the source of wss4j and traced the whole road that the password and login take to be verified. Unfortunately there are many things that are not very clear to me, and I got lost in one place, but as I see it, in case the password is sent not encrypted (passwordDigest) but in simple text (passwordText), the class that is supposed to verify it does completely nothing. I'm not sure if I understand it right, because it seems quite impossible that the Apache programmers left such a big bug in the library. So I'm asking what I did wrong:
client wsdd file:
(...)
<requestFlow>
    <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="action" value="UsernameToken"/>
        <parameter name="passwordCallbackClass" value="TestCallback"/>
        <parameter name="user" value="test"/>
        <parameter name="passwordType" value="PasswordText" />
    </handler>
</requestFlow>
(...)
server wsdd file:
(...)
<requestFlow>
    <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="action" value="UsernameToken"/>
        <parameter name="passwordCallbackClass" value="PWCallback"/>
        <parameter name="passwordType" value="PasswordText" />
    </handler>
</requestFlow>
(...)
sample PWCallback class:
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Class name must match the passwordCallbackClass parameter in the server wsdd (PWCallback)
public class PWCallback implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                // only supplies the stored password for the known user; it never compares anything itself
                if ("test".equals(pc.getIdentifer()))
                    pc.setPassword("test");
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }
}
The TestCallback class returns a completely different password for the user "test" than PWCallback does, and everything goes right.
My question is: is it my mistake, or is this really a bug in the library that should be removed? Has anyone had such a problem?
Regards
Ania
Re: WSS4j with "passwordText" doesn't work
Posted by Ulf Dittmer <ul...@ulfdittmer.com>.
Hi-
It's a little counter-intuitive, because it works in different ways
depending on whether you use cleartext or digested passwords. I'm
attaching a handler that does both, and which works fine for me.
Ulf
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Wrapping class added so the posted handle() method compiles stand-alone; the class name is not from the post
public class UsernameTokenCallback implements CallbackHandler {
    // the username and password we expect incoming WS calls to use
    private String user = "wsuser";
    private String pwd = "wspwd";

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
                    // digested password: hand WSS4J the stored password, it computes and compares the digest
                    if (user.equals(pc.getIdentifer()))
                        pc.setPassword(pwd);
                } else if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                    // cleartext password: WSS4J passes the received password in, the handler has to verify it
                    if (!user.equals(pc.getIdentifer()))
                        throw new IOException("unknown user: " + pc.getIdentifer());
                    if (!pwd.equals(pc.getPassword()))
                        throw new IOException("password incorrect for user: " + pc.getIdentifer());
                }
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }
}
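The behaviour Ulf describes can be checked without a running Axis stack: the harness below (an added example, not code from the thread) builds the WSPasswordCallback that WSDoAllReceiver would pass for a cleartext UsernameToken and reports whether a handler lets a wrong password through. It assumes the WSS4J 1.x API used in the thread (the USERNAME_TOKEN / USERNAME_TOKEN_UNKNOWN usages, the four-argument WSPasswordCallback constructor and WSConstants.PASSWORD_TEXT); the class names are made up, and the verifying handler goes one step beyond the posted one by comparing in constant time.

```java
import java.io.IOException;
import java.security.MessageDigest;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
// Hypothetical harness: drives a CallbackHandler the way WSDoAllReceiver does for a cleartext token
public class UsernameTokenCallbackCheck {
    // Set-only handler in the style of the original post: correct for digests, never rejects cleartext
    static class SetOnlyHandler implements CallbackHandler {
        public void handle(Callback[] cbs) throws IOException, UnsupportedCallbackException {
            for (Callback cb : cbs) {
                WSPasswordCallback pc = (WSPasswordCallback) cb;  // harness only passes this type
                if ("test".equals(pc.getIdentifer())) pc.setPassword("test");
            }
        }
    }
    // Handler that verifies cleartext passwords itself, with a constant-time comparison
    static class VerifyingHandler implements CallbackHandler {
        public void handle(Callback[] cbs) throws IOException, UnsupportedCallbackException {
            for (Callback cb : cbs) {
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if (!"test".equals(pc.getIdentifer())) throw new IOException("unknown user: " + pc.getIdentifer());
                if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
                    pc.setPassword("test");           // digest: WSS4J computes and compares it for us
                } else if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                    String given = pc.getPassword();  // cleartext: WSS4J hands us the received value
                    if (given == null || !MessageDigest.isEqual(given.getBytes("UTF-8"), "test".getBytes("UTF-8")))
                        throw new IOException("password incorrect for user: test");
                }
            }
        }
    }
    // True when the handler lets a cleartext token with this password through (no exception = accepted)
    static boolean acceptsCleartext(CallbackHandler h, String password) {
        WSPasswordCallback pc = new WSPasswordCallback("test", password,
                WSConstants.PASSWORD_TEXT, WSPasswordCallback.USERNAME_TOKEN_UNKNOWN);
        try {
            h.handle(new Callback[] { pc });
            return true;
        } catch (IOException | UnsupportedCallbackException e) {
            return false;
        }
    }
    public static void main(String[] args) {
        System.out.println("set-only handler, wrong password accepted:  " + acceptsCleartext(new SetOnlyHandler(), "bad"));
        System.out.println("verifying handler, wrong password accepted: " + acceptsCleartext(new VerifyingHandler(), "bad"));
    }
}
```

Running the same check against a real PWCallback class before deploying it is a cheap regression test for the silent-accept case described at the top of the thread.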