Posted to users@cxf.apache.org by Andres Olarte <ol...@gmail.com> on 2011/11/19 13:12:04 UTC

Using WS-Security to authenticate when I don't know the password

I'm using WSS4JInInterceptor to try to authenticate my client. I have been
able to create a trivial example. However, I have a problem. In my
application, I use the supplied user name and password to try to open a
connection to the database. If the connection attempt is successful, the
user has authenticated, otherwise, the login attempt gets rejected. Using
WSS4JInInterceptor I need to implement a callback that returns the user's
password. In my security scheme, I have no access to this password. How can
I implement something like this?

Should I subclass WSS4JInInterceptor and hack it to provide the password?

Thanks


Andres

RE: Using WS-Security to authenticate when I don't know the password

Posted by "Goss, Frank" <Fr...@ocio.usda.gov>.
Forgot to add this. Additions to the wsdl:

<!-- ========================================= -->
<!-- ==== add UsernameToken policy to wsdl === -->
<!-- ========================================= -->
<wsp:Policy wsu:Id="UP_policy"
	xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-security-utility-1.0.xsd"
	xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
	<!-- every sp: element uses the same WS-SecurityPolicy 1.1 namespace;
	     namespace URIs are compared case-sensitively -->
	<sp:TransportBinding
		xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
		<wsp:Policy>
			<sp:TransportToken>
				<wsp:Policy>
					<sp:HttpsToken />
				</wsp:Policy>
			</sp:TransportToken>
			<sp:Layout>
				<wsp:Policy>
					<sp:Strict />
				</wsp:Policy>
			</sp:Layout>
			<sp:AlgorithmSuite>
				<wsp:Policy>
					<sp:Basic128 />
				</wsp:Policy>
			</sp:AlgorithmSuite>
		</wsp:Policy>
	</sp:TransportBinding>

	<sp:SupportingTokens
		xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
		<wsp:Policy>
			<sp:UsernameToken
				xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
				sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
				<wsp:Policy>
					<sp:WssUsernameToken11 />
				</wsp:Policy>
			</sp:UsernameToken>
		</wsp:Policy>
	</sp:SupportingTokens>
</wsp:Policy>

-----Original Message-----
From: Goss, Frank [mailto:Frank.Goss@ocio.usda.gov] 
Sent: Monday, November 21, 2011 9:06 AM
To: users@cxf.apache.org
Subject: RE: Using WS-Security to authenticate when I don't know the password

RE: Using WS-Security to authenticate when I don't know the password

Posted by "Goss, Frank" <Fr...@ocio.usda.gov>.
I got this type of security working using CXF 2.4.2.

Additions to cxf-servlet.xml:
<jaxws:inInterceptors>
	<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
		<constructor-arg>
			<map>
				<entry key="action" value="UsernameToken" />
				<entry key="passwordType" value="PasswordText" />
			</map>
		</constructor-arg>
	</bean>
</jaxws:inInterceptors>

<!-- ===================================================== -->
<!-- ==== hookup the custom validator to assess eAuth ==== -->
<!-- ===================================================== -->
<jaxws:properties>
	<entry key="ws-security.ut.validator"
		value="gov.usda.biopreferred.astm.ws.server.AstmUserTokenValidator" />
</jaxws:properties>

securityPolicy.xml (not sure this is needed):

<?xml version="1.0" encoding="UTF-8"?>
<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/xwss/config">
	<xwss:RequireUsernameToken
		passwordDigestRequired="false" nonceRequired="false" />
</xwss:SecurityConfiguration>

Validator code:

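package gov.usda.biopreferred.astm.ws.server;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.Validator;

public class AstmUserTokenValidator implements Validator {

	public Credential validate(Credential credential, RequestData requestData)
			throws WSSecurityException {
		// Reject requests that carry no UsernameToken at all.
		if (credential == null || credential.getUsernametoken() == null) {
			throw new WSSecurityException("invalid user credentials");
		}
		UsernameToken userToken = credential.getUsernametoken();

		String password = userToken.getPassword();
		String username = userToken.getName();
		// UserAuthentication is the application's own class (not shown here).
		UserAuthentication userAuthentication = UserAuthentication
				.getInstance();
		// Keep the result in a local variable: a validator instance may be
		// shared between concurrent requests, so it holds no per-request state.
		boolean authenticationStatus = userAuthentication.authenticateUser(
				username, password);
		if (authenticationStatus) {
			return credential;
		} else {
			throw new WSSecurityException("invalid user credentials");
		}
	}
}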

You can create your own UserAuthentication class to access your database and verify the
username and password passed in are valid.

It took a while to learn that this is not that difficult (once you know how!)

Hope this helps,
Frank


-----Original Message-----
From: Glen Mazza [mailto:gmazza@talend.com] 
Sent: Saturday, November 19, 2011 6:11 AM
To: users@cxf.apache.org
Subject: Re: Using WS-Security to authenticate when I don't know the password

Re: Using WS-Security to authenticate when I don't know the password

Posted by Glen Mazza <gm...@talend.com>.
I haven't done this before, but I believe this article will help you:
http://coheigea.blogspot.com/2011/06/custom-token-validation-in-apache-cxf.html.
This will work in more recent versions of CXF (perhaps 2.4.x onwards).

You'll need to configure a new validator that accesses the DB and returns
pass/fail based on the supplied UsernameToken information.

HTH,
Glen

On 11/19/2011 07:12 AM, Andres Olarte wrote:
> I'm using WSS4JInInterceptor to try to authenticate my client. I have been
> able to create a trivial example. However, I have a problem. In my
> application, I use the supplied user name and password to try to open a
> connection to the database. If the connection attempt is successful, the
> user has authenticated, otherwise, the login attempt gets rejected. Using
> WSS4JInInterceptor I need to implement a callback that returns the user's
> password. In my security scheme, I have no access to this password. How can
> I implement something like this?
>
> Should I subclass WSS4JInInterceptor and hack it to provide the password?
>
> Thanks
>
>
> Andres
>


-- 
Glen Mazza
Talend Community Coders
http://coders.talend.com
blog: http://www.jroller.com/gmazza
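
Added example, not part of the thread and not the posters' code: one way to write the UserAuthentication class that Frank's validator calls, using the scheme from the original question (the supplied user name and password are used to open a database connection). The JDBC URL, timeout value and logger name are assumptions; it needs Java 7 or later and a JDBC driver on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added example: authenticates by opening a DB connection as the caller. */
public final class UserAuthentication {
    private static final Logger LOG = Logger.getLogger("ws.auth"); // assumed name
    // Assumption: fixed, server-side JDBC URL. Never build it from request data.
    private static final String JDBC_URL =
            "jdbc:postgresql://db.example.internal:5432/appdb?ssl=true";
    private static final int TIMEOUT_SECONDS = 5; // assumed value
    private static final UserAuthentication INSTANCE = new UserAuthentication();

    private UserAuthentication() {
        // JVM-wide setting: bounds how long a login attempt can hang.
        DriverManager.setLoginTimeout(TIMEOUT_SECONDS);
    }

    public static UserAuthentication getInstance() {
        return INSTANCE;
    }

    /** Returns true only if the database accepts the supplied credentials. */
    public boolean authenticateUser(String username, String password) {
        // An empty password must never succeed, even if the database is
        // configured to accept password-less logins for some account.
        if (username == null || username.isEmpty()
                || password == null || password.isEmpty()) {
            return false;
        }
        // try-with-resources closes the probe connection straight away.
        try (Connection conn =
                DriverManager.getConnection(JDBC_URL, username, password)) {
            return conn.isValid(TIMEOUT_SECONDS);
        } catch (SQLException e) {
            // On drivers that report standard SQLSTATEs, class 28 is a rejected
            // login and class 08 a connection failure (an outage, not a bad
            // password). Both fail closed; the password is never logged.
            String state = e.getSQLState();
            boolean badLogin = state != null && state.startsWith("28");
            LOG.log(badLogin ? Level.INFO : Level.WARNING,
                    "login rejected, sqlstate={0}", state);
            return false;
        }
    }
}
```

Because the validator needs the clear-text password to attempt the login, the token has to arrive as PasswordText, which is why the policy in this thread binds the endpoint to HTTPS.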