Posted to users@cxf.apache.org by "Abid K." <ab...@gmail.com> on 2011/03/04 15:19:22 UTC

CallbackHandler Understanding

Hi all, I have successfully set up a CXF client, but I am a little
confused regarding the CallbackHandler.

It seems I just need to specify location of the callback class in the
WSS4J properties, but I can leave out the implementation and the
client still works. e.g.

public class PWCBHandler implements CallbackHandler {
  public void handle( Callback[ ] callbacks )
      throws IOException, UnsupportedCallbackException {
  }
}

I've seen examples where a user and password are set, but for some
reason I don't need to specify any of this. I'm hoping someone could
clarify why I don't need it.

Thanks

Re: CallbackHandler Understanding

Posted by "Abid K." <ab...@gmail.com>.
I have integrated the client code into the web app and it appears the
callback is required. This seems odd, as running the client code in a
standalone app seems to work correctly. :S

Re: CallbackHandler Understanding

Posted by "Abid K." <ab...@gmail.com>.
Note: The WSS4J lib was adjusted to move Timestamp above BinarySecurityToken.

Hope this helps...
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    soap:mustUnderstand="true">
  <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="Timestamp-1">
    <wsu:Created>2011-03-07T12:49:53.965Z</wsu:Created>
    <wsu:Expires>2011-03-07T12:54:53.965Z</wsu:Expires>
  </wsu:Timestamp>
  <wsse:BinarySecurityToken
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
      wsu:Id="CertId-9A6BCB178DEFBA537112995021939751">[RANDOM DATA]</wsse:BinarySecurityToken>

  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

      <ds:Reference URI="#Timestamp-1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>[RANDOM DATA]</ds:DigestValue>
      </ds:Reference>

      <ds:Reference URI="#id-3">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>[RANDOM DATA]</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>

    <ds:SignatureValue>[RANDOM DATA]</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-9A6BCB178DEFBA537112995021940102">
      <wsse:SecurityTokenReference
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="STRId-9A6BCB178DEFBA537112995021940123">
        <wsse:Reference
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            URI="#CertId-9A6BCB178DEFBA537112995021939751"
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>

Re: CallbackHandler Understanding

Posted by Colm O hEigeartaigh <co...@apache.org>.
Maybe your keystore doesn't require a password to access keys? Could
you post the security header of the SOAP request that is generated?

Colm.

On Fri, Mar 4, 2011 at 5:08 PM, Abid K. <ab...@gmail.com> wrote:
> The callbackhandler class location needs to be specified in the
> properties file. My class looks like this without user/pass...
>
> public class PWCBHandler implements CallbackHandler {
>   public void handle( Callback[ ] callbacks )
>       throws IOException, UnsupportedCallbackException {
>   }
> }
>
> Yes, it does seem to be signing it, and by that I mean the signature
> element is added and I get a response back from the service. Very
> strange.
>
> To give you a little insight my client config is...
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
> org.apache.ws.security.crypto.merlin.file=something.pfx
> org.apache.ws.security.crypto.merlin.keystore.password=something
>
> and
>
>    Map<String, Object> outProps = new HashMap<String, Object>( );
>    outProps.put( "action", "Timestamp Signature" );
>    outProps.put( "user", [ALIAS FOR PRIVATE KEY] );
>    outProps.put( "passwordCallbackClass", "com.example.PWCBHandler" );
>    outProps.put( "signaturePropFile", "client.properties" );
>    outProps.put( "signatureKeyIdentifier", "DirectReference" );
>    outProps.put( "signatureParts",
>        "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"
>        + "{Element}{http://www.w3.org/2005/08/addressing}To" );
>    bus.getOutInterceptors( ).add( new WSS4JOutInterceptor( outProps ) );
>
>    Map<String, Object> inProps = new HashMap<String, Object>( );
>    inProps.put( "action", "Timestamp" );
>    bus.getInInterceptors().add(new WSS4JInInterceptor(inProps));
>
> Thanks

Re: CallbackHandler Understanding

Posted by "Abid K." <ab...@gmail.com>.
The callbackhandler class location needs to be specified in the
properties file. My class looks like this without user/pass...

public class PWCBHandler implements CallbackHandler {
  public void handle( Callback[ ] callbacks )
      throws IOException, UnsupportedCallbackException {
  }
}

Yes, it does seem to be signing it, and by that I mean the signature
element is added and I get a response back from the service. Very
strange.

To give you a little insight my client config is...
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.file=something.pfx
org.apache.ws.security.crypto.merlin.keystore.password=something

and

    Map<String, Object> outProps = new HashMap<String, Object>( );
    outProps.put( "action", "Timestamp Signature" );
    outProps.put( "user", [ALIAS FOR PRIVATE KEY] );
    outProps.put( "passwordCallbackClass", "com.example.PWCBHandler" );
    outProps.put( "signaturePropFile", "client.properties" );
    outProps.put( "signatureKeyIdentifier", "DirectReference" );
    outProps.put( "signatureParts",
        "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"
        + "{Element}{http://www.w3.org/2005/08/addressing}To" );
    bus.getOutInterceptors( ).add( new WSS4JOutInterceptor( outProps ) );

    Map<String, Object> inProps = new HashMap<String, Object>( );
    inProps.put( "action", "Timestamp" );
    bus.getInInterceptors().add(new WSS4JInInterceptor(inProps));

Thanks

On 4 March 2011 16:12, Colm O hEigeartaigh <co...@apache.org> wrote:
> If you're signing something then you definitely need a password. Are
> you saying that it's producing a signature with no callbackhandler
> implementation?
>
> Colm.

Re: CallbackHandler Understanding

Posted by Colm O hEigeartaigh <co...@apache.org>.
If you're signing something then you definitely need a password. Are
you saying that it's producing a signature with no callbackhandler
implementation?

Colm.

On Fri, Mar 4, 2011 at 4:01 PM, Abid K. <ab...@gmail.com> wrote:
> Hi Colm, thanks for the explanation. I am signing the request using a
> pfx file which contains the key.

Re: CallbackHandler Understanding

Posted by "Abid K." <ab...@gmail.com>.
Hi Colm, thanks for the explanation. I am signing the request using a
pfx file which contains the key.


On 4 March 2011 14:36, Colm O hEigeartaigh <co...@apache.org> wrote:
> It depends on what your client is doing, you only need a
> CallbackHandler implementation for certain actions, i.e. when you need
> a password.
>
> Colm.

Re: CallbackHandler Understanding

Posted by Colm O hEigeartaigh <co...@apache.org>.
It depends on what your client is doing, you only need a
CallbackHandler implementation for certain actions, i.e. when you need
a password.

Colm.

On Fri, Mar 4, 2011 at 2:19 PM, Abid K. <ab...@gmail.com> wrote:
> Hi all, I have successfully set up a CXF client, but I am a little
> confused regarding the CallbackHandler.
>
> It seems I just need to specify location of the callback class in the
> WSS4J properties, but I can leave out the implementation and the
> client still works. e.g.
>
> public class PWCBHandler implements CallbackHandler {
>   public void handle( Callback[ ] callbacks )
>       throws IOException, UnsupportedCallbackException {
>   }
> }
>
> I've seen examples where a user and password are set, but for some
> reason I don't need to specify any of this. I'm hoping someone could
> clarify why I don't need it.
>
> Thanks
>
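
Added example, not part of the original thread and not CXF or WSS4J project code: a PWCBHandler that supplies the private-key password when WSS4J asks for it during signing, and fails closed for any other request. It assumes the WSS4J 1.6 API in the org.apache.ws.security package (matching the property names in the thread); the alias "client-key" and the environment variable SIGNING_KEY_PASSWORD are placeholders.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCBHandler implements CallbackHandler {

    // Assumption: key alias -> name of the environment variable holding that
    // key's password. Both values are placeholders, not taken from the thread.
    private static final Map<String, String> PASSWORD_ENV =
            Collections.singletonMap("client-key", "SIGNING_KEY_PASSWORD");

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            // WSS4J passes WSPasswordCallback instances; reject anything else.
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback,
                        "Unexpected callback type");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;

            // This client only signs, so refuse to hand out a password for
            // any other usage (decryption, UsernameToken, ...).
            if (pc.getUsage() != WSPasswordCallback.SIGNATURE) {
                throw new UnsupportedCallbackException(callback,
                        "Unsupported usage: " + pc.getUsage());
            }

            // getIdentifier() is the alias configured as "user" in outProps.
            String alias = pc.getIdentifier();
            String envName = PASSWORD_ENV.get(alias);
            String password = (envName == null) ? null : System.getenv(envName);
            if (password == null) {
                // Fail loudly rather than let signing proceed without a password.
                throw new IOException(
                        "No key password configured for alias " + alias);
            }
            pc.setPassword(password);
        }
    }
}
```

Reading the password from the environment keeps it out of the source tree; the keystore password in client.properties is a separate secret and still needs its own protection.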