Comments on: CXF WS-Security using JSR 181 + Interceptor Annotations (XFire Migration) http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/ Because programming is depressing Thu, 05 Nov 2009 23:29:15 +0000 http://wordpress.com/ hourly 1 By: morg r http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-810 morg r Fri, 21 Nov 2008 22:11:01 +0000 http://arsenalist.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-810 Thanks for the fast response. That's what I thought. So, by calling setPassword() it looks like I'm essentially telling WS-Security "this user is authenticated", even though it's not. That's not a problem for me since I'm using Spring Security. So I don't need to look up a password in the database in the interceptor - Spring will do that for me once the request goes through. I've implemented everything you show above, plus I added this to ValidateUserTokenInterceptor, which I found at http://www.jroller.com/wookets/entry/cxf_acegi_ws_security_acegi if (userTokenValidated) { HttpServletRequest request = (HttpServletRequest) message.get("HTTP.REQUEST"); request.getSession(true).getId(); // necessary hack // authenticate with acegi final UsernamePasswordAuthenticationToken authReq = new UsernamePasswordAuthenticationToken(principal.getName(), principal .getPassword()); // message.HTTP_REQUEST_METHOD authReq.setDetails(new WebAuthenticationDetails(request)); SecurityContextHolder.getContext().setAuthentication(authReq); } It looks like I'm just using WS-Security to pass through a username and password then, since I don't see any more graceful way of telling WS-Security or CXF to use our Spring's security configuration. Do you see any limitations or concerns with my approach? Thanks Thanks for the fast response. That’s what I thought. So, by calling setPassword() it looks like I’m essentially telling WS-Security “this user is authenticated”, even though it’s not. That’s not a problem for me since I’m using Spring Security. So I don’t need to look up a password in the database in the interceptor – Spring will do that for me once the request goes through.

I’ve implemented everything you show above, plus I added this to ValidateUserTokenInterceptor, which I found at http://www.jroller.com/wookets/entry/cxf_acegi_ws_security_acegi

if (userTokenValidated) {
HttpServletRequest request = (HttpServletRequest) message.get(“HTTP.REQUEST”);
request.getSession(true).getId(); // necessary hack

// authenticate with acegi
final UsernamePasswordAuthenticationToken authReq =
new UsernamePasswordAuthenticationToken(principal.getName(), principal
.getPassword());

// message.HTTP_REQUEST_METHOD
authReq.setDetails(new WebAuthenticationDetails(request));

SecurityContextHolder.getContext().setAuthentication(authReq);
}

It looks like I’m just using WS-Security to pass through a username and password then, since I don’t see any more graceful way of telling WS-Security or CXF to use our Spring’s security configuration. Do you see any limitations or concerns with my approach?

Thanks

]]> By: Arsenalist http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-809 Arsenalist Fri, 21 Nov 2008 21:37:47 +0000 http://arsenalist.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-809 The PasswordHandler is where you verify whether the password passed in through WS-Security is in fact the correct one. Only if its correct do you make a call to pc.setPassword(...)... Here's an example which checks against a datbase: <code> WSPasswordCallback pc = (WSPasswordCallback) callbacks[0]; String id = pc.getIdentifer(); username.set(id); User user = userManager.getUserByUsername(id); if (user != null) {     pc.setPassword(user.getPassword());     userData.set(user); } else {     throw new RuntimeException("Invalid Credentials"); } </code> The PasswordHandler is where you verify whether the password passed in through WS-Security is in fact the correct one. Only if its correct do you make a call to pc.setPassword(…)… Here’s an example which checks against a datbase:


WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
String id = pc.getIdentifer();
username.set(id);
User user = userManager.getUserByUsername(id);
if (user != null) {
    pc.setPassword(user.getPassword());
    userData.set(user);
} else {
    throw new RuntimeException("Invalid Credentials");
}

]]> By: morg r http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-808 morg r Fri, 21 Nov 2008 21:30:17 +0000 http://arsenalist.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-808 This is an excellent example. Thank you! But in trying this out, I'm wondering what the point of the PasswordHandler is. I integrated this example with Spring Security, and got it work but only while passing PasswordHandler to WSS4JInInterceptor. Even stranger, I couldn't create an empty handle() method. So my PasswordHandler now looks like this: public class PasswordHandler implements CallbackHandler { public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { WSPasswordCallback pc = (WSPasswordCallback) callbacks[0]; pc.setPassword(pc.getPassword()); } } Do you know why this is even needed? It's not doing anything useful. And all calls fail when I leave out this line from WSSecurityInterceptor: props.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordHandler()); It works for me. But I'd prefer not to have useless code in place. Thanks! This is an excellent example. Thank you! But in trying this out, I’m wondering what the point of the PasswordHandler is. I integrated this example with Spring Security, and got it work but only while passing PasswordHandler to WSS4JInInterceptor. Even stranger, I couldn’t create an empty handle() method. So my PasswordHandler now looks like this:

public class PasswordHandler implements CallbackHandler {
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
pc.setPassword(pc.getPassword());
}
}

Do you know why this is even needed? It’s not doing anything useful. And all calls fail when I leave out this line from WSSecurityInterceptor:
props.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordHandler());

It works for me. But I’d prefer not to have useless code in place.

Thanks!

]]> By: Bhoga Pappu http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-738 Bhoga Pappu Tue, 27 May 2008 19:13:49 +0000 http://arsenalist.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-738 I have implmented ClientPasswordCallback, ServerPasswordCallback and accordingly attached them with client side code and server side code. However, when I run the client, it fails with the error 'Request does not contain Security Header' I don't know what I am doing wrong. I have implmented ClientPasswordCallback, ServerPasswordCallback and accordingly attached them with client side code and server side code.
However, when I run the client, it fails with the error ‘Request does not contain Security Header’
I don’t know what I am doing wrong.

]]> By: Nilantha http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-330 Nilantha Wed, 12 Mar 2008 15:14:01 +0000 http://arsenalist.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-330 Thanks for posting this, I would like to add following... for those who need to access Spring context in any part of the application including CallbackHanders, this would be helpful http://www.mail-archive.com/axis-user@ws.apache.org/msg22148.html please update if you come across any better way of doing that. Thanks, Nilantha Thanks for posting this,

I would like to add following…

for those who need to access Spring context in any part of the application including CallbackHanders, this would be helpful

http://www.mail-archive.com/axis-user@ws.apache.org/msg22148.html

please update if you come across any better way of doing that.

Thanks,
Nilantha

]]> By: Sai C http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-329 Sai C Tue, 11 Mar 2008 16:23:45 +0000 http://arsenalist.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-329 I am calling a .Net web service in Java (client)and used the JAXWsProxyFactoryBean by enabling the WSAddressFeature, however, my soap header does not contain a though it prints an element. Could somebody let me know how do I get wsa:action in soap header using CXF API. Appreciate your help. Regards, Sai I am calling a .Net web service in Java (client)and used the JAXWsProxyFactoryBean by enabling the WSAddressFeature, however, my soap header does not contain a though it prints an element. Could somebody let me know how do I get wsa:action in soap header using CXF API.

Appreciate your help.

Regards,
Sai

]]> By: yulinxp http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-310 yulinxp Thu, 10 Jan 2008 15:45:37 +0000 http://arsenalist.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-310 It will handle PasswordDigest automatically. For PasswordText, I have to do the comparison and throw exception. public class ServerPasswordCallback implements CallbackHandler { public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { WSPasswordCallback pc = (WSPasswordCallback) callbacks[0]; String strClientPwd = pc.getPassword(); int usage = pc.getUsage(); if(pc.getIdentifer().equals("joe")) { String strServerPwd = "password"; if(usage == WSPasswordCallback.USERNAME_TOKEN) { //PasswordDigest pc.setPassword(strServerPwd); }else if(usage == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) { //PasswordText pc.setPassword(strServerPwd); if(!strClientPwd.equalsIgnoreCase(strServerPwd)){ //DIY compare throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION); } } } } } It will handle PasswordDigest automatically.
For PasswordText, I have to do the comparison and throw exception.

public class ServerPasswordCallback implements CallbackHandler {
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

String strClientPwd = pc.getPassword();
int usage = pc.getUsage();

if(pc.getIdentifer().equals(“joe”)) {

String strServerPwd = “password”;

if(usage == WSPasswordCallback.USERNAME_TOKEN) { //PasswordDigest
pc.setPassword(strServerPwd);

}else if(usage == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) { //PasswordText
pc.setPassword(strServerPwd);

if(!strClientPwd.equalsIgnoreCase(strServerPwd)){ //DIY compare
throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
}
}
}
}
}

]]> By: Arsenalist http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-327 Arsenalist Mon, 07 Jan 2008 17:45:45 +0000 http://arsenalist.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-327 I see what you're saying and maybe they've changed the implementation on the server side however ValidateUserTokenInterceptor was present in the XFire samples and its use was recommended by the committers. I think you also need to look at the source code for the WSS4J class UsernameTokenProcessor to learn more. Have you tried the case where you specify an invalid username/password or a valid username but an invalid password? Do you still receive the SoapFault? I see what you’re saying and maybe they’ve changed the implementation on the server side however ValidateUserTokenInterceptor was present in the XFire samples and its use was recommended by the committers. I think you also need to look at the source code for the WSS4J class UsernameTokenProcessor to learn more.

Have you tried the case where you specify an invalid username/password or a valid username but an invalid password? Do you still receive the SoapFault?

]]> By: yulinxp http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-328 yulinxp Mon, 07 Jan 2008 17:22:40 +0000 http://arsenalist.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-328 You mention: Since WSS4J validates a UsernameToken only if it finds a security header we need to cover the case where no security header is specified. In the following snippet from WSS4JInInterceptor.java public void handleMessage(SoapMessage msg) throws Fault if (wsResult == null) { // no security header found if (doAction == WSConstants.NO_SECURITY) { return; } else { LOG.warning("Request does not contain required Security header"); throw new SoapFault(new Message("NO_SECURITY", LOG), version.getSender()); } } If no security header found, a SoapFault is thrown. In my test, I set WS Security in server but not in client. And my client side does receive that SoapFault. So do we still need ValidateUserTokenInterceptor? You mention:
Since WSS4J validates a UsernameToken only if it finds a security header we need to cover the case where no security header is specified.

In the following snippet from WSS4JInInterceptor.java
public void handleMessage(SoapMessage msg) throws Fault

if (wsResult == null) { // no security header found
if (doAction == WSConstants.NO_SECURITY) {
return;
} else {
LOG.warning(“Request does not contain required Security header”);
throw new SoapFault(new Message(“NO_SECURITY”, LOG), version.getSender());
}
}

If no security header found, a SoapFault is thrown. In my test, I set WS Security in server but not in client. And my client side does receive that SoapFault. So do we still need ValidateUserTokenInterceptor?

]]> By: Nigel http://depressedprogrammer.wordpress.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-319 Nigel Sat, 10 Nov 2007 09:06:21 +0000 http://arsenalist.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/#comment-319 <a href="http://www.hpc.jcu.edu.au/projects/archer-data-activities/svn/MCATExtClientDemo/trunk/src/main/webapp/WEB-INF/clientBeans.xml" title="clientBean.xml" rel="nofollow">Client Bean</a> Thanks Client Bean

Thanks

]]>