Posted to wss4j-dev@ws.apache.org by kang tang <ka...@oerc.ox.ac.uk> on 2009/02/06 17:58:14 UTC
question about pwcallback
Hi,
I am using WSS4J with Axis 1.x to sign SOAP messages on my web service client.
The client works fine when I use PWcallback in client-config.wsdd and hardcode the password for my private key in the PWcallback class.
But I would like to actually put the password of my private key in crypto.properties as plain text. Yes, I understand this is not a good practice, but let's presume this is not an issue in my case.
So I removed the 'user' and 'PWcallback' parameters in client-config.wsdd:
----------------------------------------
<handler type="java:org.apache.ws.axis.security.WSDoAllSender">
  <parameter name="action" value="Signature" />
  <!--
  <parameter name="user" value="test" />
  <parameter name="passwordCallbackClass" value="test.sample.SamplePWCallback" />
  -->
  <parameter name="signatureKeyIdentifier" value="IssuerSerial" />
  <parameter name="signaturePropFile" value="crypto.properties" />
</handler>
--------------------------------------------
and set them in my crypto.properties:
-----------------------------------------------------
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=xxxxx
org.apache.ws.security.crypto.merlin.keystore.alias=test
org.apache.ws.security.crypto.merlin.alias.password=xxxxx
org.apache.ws.security.crypto.merlin.file=xxx.p12
-----------------------------------------------------
But the application complains it can't find the 'user' and 'password'
for the private key required for signing.
It appears the 'org.apache.ws.security.crypto.merlin.alias.password' and
'org.apache.ws.security.crypto.merlin.keystore.alias'
in crypto.properties simply won't work?
Many thanks,
Kang
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: question about pwcallback
Posted by kang tang <ka...@oerc.ox.ac.uk>.
Thanks for the confirmation on this.
Cheers,
Kang
Werner Dittmann wrote:
> Right - this property file is not used to store
> the password to unlock the private key.
>
> A good idea could be that the PWCallback class opens
> a file (could be a property-style file) where you store
> the password.
>
> The idea behind PWcallback is to enable various ways to
> store/retrieve the password of a user's private key and
> to use it to unlock it. For example some people store
> the password in a directory or database or implement
> a GUI to ask the user. Depends on the use case at hand.
>
> Regards,
> Werner
Re: question about pwcallback
Posted by Werner Dittmann <We...@t-online.de>.
Right - this property file is not used to store
the password to unlock the private key.
A good idea could be that the PWCallback class opens
a file (could be a property-style file) where you store
the password.
The idea behind PWcallback is to enable various ways to
store/retrieve the password of a user's private key and
to use it to unlock it. For example some people store
the password in a directory or database or implement
a GUI to ask the user. Depends on the use case at hand.
Regards,
Werner