Posted to users@cxf.apache.org by Alexander Woude <al...@hotmail.com> on 2010/12/02 15:04:02 UTC

problems with ws-security and WSS4JInInterceptor

Guys,

I am working with ws-security and I see strange things happening.
The SOAP header is signed and has a timestamp.

In my SecurityCallbackHandler I log a message when entering the handle() method.
This handler is used both for checking the request message signature/timestamp and for signing and timestamping the response.

Now the strange thing is that I do see my logging when working on the response.
But when the request comes in I see no logging from my SecurityCallbackHandler.
It looks like that code is never touched.
What am I doing wrong?

My config is:

<bean id="afleverServiceImpl" class="nl.vrom.afleverservice.service.impl.AfleverServiceImpl">
        <property name="businessService" ref="afleverBusinessService" />
    </bean>

    <jaxws:endpoint id="afleverService" implementor="#afleverServiceImpl" 
            address="/afleverservice" wsdlLocation="wsdl/AfleverService.wsdl">
        <jaxws:properties>
            <entry key="schema-validation-enabled" value="true" />
        </jaxws:properties>
        <jaxws:inInterceptors>
             <ref bean="TimestampSign_Request"/>
         </jaxws:inInterceptors>
         <jaxws:outInterceptors>
             <ref bean="TimestampSign_Response"/>
         </jaxws:outInterceptors>
    </jaxws:endpoint>

    <bean id="TimestampSign_Request" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="Timestamp Signature"/>
                <entry key="signaturePropFile" value="serviceKeystore.properties"/>
                <entry key="passwordCallbackClass" value="nl.vrom.afleverservice.security.SecurityCallbackHandler"/>
            </map>
        </constructor-arg>
    </bean>
    
   <!--    
         WSS4JOutInterceptor for encoding and signing the SOAP response.    
    -->
    <bean id="TimestampSign_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="Timestamp Signature"/>
                <entry key="user" value="afleverservicetstkey"/>
                <!--entry key="user" value="myservicekey"/-->
                <entry key="signaturePropFile" value="serviceKeystore.properties"/>
                <entry key="passwordCallbackClass" value="nl.vrom.afleverservice.security.SecurityCallbackHandler"/>
                <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            </map>
        </constructor-arg>
    </bean>  

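My SecurityCallbackHandler code is:

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger; // assumed java.util.logging; the original does not show its imports

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

// Config is the application's own class; its package is not shown in the original.
public class SecurityCallbackHandler implements CallbackHandler {

    static Logger logger = Logger.getLogger("SecurityCallbackHandler");

    private Map<String, String> passwords = new HashMap<String, String>();

    public SecurityCallbackHandler() {

    }

    /**
     * Handle the callbacks for signing the message. If decryption is also
     * needed at a later stage, this same callback can be used.
     *
     * @param callbacks
     *            The callbacks that must be handled.
     */
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        logger.info("Callback START");

        for (int i = 0; i < callbacks.length; i++) {
            logger.info("callback array contents [" + i + "] = " + callbacks[i].toString());
            // Reject callback types this handler does not understand instead of
            // failing with a ClassCastException.
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            String id = pwcb.getIdentifier();

            logger.info("Callback HIT [id=" + id + "]");

            switch (pwcb.getUsage()) {
            case WSPasswordCallback.DECRYPT:
            case WSPasswordCallback.SIGNATURE:
                // used to retrieve password for private key
                // TODO
                // if ("myservicekey".equals(id)) {
                if ("digipoorttstkey".equals(id)) {
                    pwcb.setPassword(Config.getServerKeystorePasswd());
                }

                // Log only whether a password was set; the keystore password
                // itself must not end up in the log.
                logger.info("ID: " + id + ", password set: " + (pwcb.getPassword() != null));
                break;
            default:
                throw new IOException("Illegal Usage specified in callback.");
            }
        }

        logger.info("Callback END");
    }

}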

Regards
Alex

Re: problems with ws-security and WSS4JInInterceptor

Posted by Freeman Fang <fr...@gmail.com>.
Hi,

A callback handler is used to resolve passwords during encryption or
for the UsernameToken action.
On the server side of your service, the request message does not use
the UsernameToken action, and no encryption is involved.

Freeman


-- 
Freeman Fang

------------------------

FuseSource: http://fusesource.com
blog: http://freemanfang.blogspot.com
twitter: http://twitter.com/freemanfang
Apache Servicemix:http://servicemix.apache.org
Apache Cxf: http://cxf.apache.org
Apache Karaf: http://karaf.apache.org
Apache Felix: http://felix.apache.org
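
Added example, not part of the original thread and not CXF's own code: inbound signature verification uses the sender's certificate rather than a private-key password, so a silent callback handler does not show whether the request was checked. The interceptor below (hypothetical class name `SecurityResultsLoggingInterceptor`) logs what `WSS4JInInterceptor` actually verified; it assumes the WSS4J 1.5.8+/1.6 package names under `org.apache.ws.security`.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.logging.Logger;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

// Hypothetical helper (added example): reports the WS-Security actions that
// WSS4JInInterceptor completed for the current request.
public class SecurityResultsLoggingInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    private static final Logger LOG = Logger.getLogger("SecurityResultsLoggingInterceptor");

    public SecurityResultsLoggingInterceptor() {
        // WSS4JInInterceptor runs in PRE_PROTOCOL, so PRE_INVOKE comes after it.
        super(Phase.PRE_INVOKE);
    }

    public void handleMessage(SoapMessage message) throws Fault {
        // WSS4JInInterceptor stores its results on the message under RECV_RESULTS.
        List<?> handlerResults = (List<?>) message.get(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) {
            LOG.warning("No WS-Security results: WSS4JInInterceptor did not process this request");
            return;
        }
        for (Object hr : handlerResults) {
            for (Object r : ((WSHandlerResult) hr).getResults()) {
                WSSecurityEngineResult result = (WSSecurityEngineResult) r;
                Integer action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
                if (action == null) {
                    continue;
                }
                if (action.intValue() == WSConstants.SIGN) {
                    X509Certificate cert =
                        (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                    LOG.info("Signature verified, signer: "
                        + (cert == null ? "unknown" : cert.getSubjectX500Principal().getName()));
                } else if (action.intValue() == WSConstants.TS) {
                    LOG.info("Timestamp validated");
                }
            }
        }
    }
}
```

Register it as a bean and reference it in `<jaxws:inInterceptors>` after `TimestampSign_Request`; the signer's subject DN in the log shows which certificate the request was verified against.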