WSS4JInInterceptor is an interceptor that processes the WS-Security components of an inbound SOAP message. So for example, in your case you need to configure it to process UsernameTokens, and pass it a CallbackHandler implementation so that it knows how to handle the password validation.
Whether it is a "preparatory interceptor" or not depends on your requirements. You may, for example, want to use the WSS4JInInterceptor to validate the UsernameToken, and then use the username/password for other purposes in another interceptor. But this use case is outside the scope of WS-Security, and hence WSS4JInInterceptor does not handle it. Your best bet in understanding how WSS4JInInterceptor works is to peruse the code + look at the unit and system tests. I agree the documentation is substandard, I might add improving it to my to-do list ;-) Colm. -----Original Message----- From: dmadunic [mailto:[EMAIL PROTECTED] Sent: 28 August 2007 12:43 To: [email protected] Subject: RE: WS-Security and CXF Thx a lot Colm, actually i think my problem was that I totally do not understand what does WSS4JInInterceptor do or is supposed to do? Javadoc for the method handleMessage says only this: Description copied from interface: Interceptor Intercepts a message. Interceptors need NOT invoke handleMessage or handleFault on the next interceptor - the interceptor chain will take care of this. which is quite useless ;-( After seeing examples in CXF User guide i assumed that it was kind of preparatory interceptor - one that will prepare context for further processing - hence the need to configure it with the PasswordCallbackHandler, but it seems it is not so? It would be nice if someone clarified the functionality of this interceptor and what are all of his configuration options. Informatio on http://cwiki.apache.org/CXF20DOC/ws-security.html is very basic and lacking any explanations.... thx O hEigeartaigh, Colm wrote: > > Hi, > > To answer your first question: To fully understand the semantics of > processing an inbound UsernameToken, you need to examine the > implementation of > org.apache.ws.security.processor.UsernameTokenProcessor in WSS4J. > Basically, the implementation is as follows: > > a) Digested Password: Get the original password from the CallbackHandler > implementation, process it accordingly and compare to the received > digested password. > b) Any other Password Type: Delegate all validation to the > CallbackHandler implementation. > > So how you implement your CallbackHandler implementation depends on your > requirements. At the moment your implementation essentially does no > processing of the password. > > So to summarise, any code you have for comparing the password etc. > should be implemented in AuthenticationCallbackHandler, rather than in > your ValidateUserTokenInterceptor. > > Colm. > > -----Original Message----- > From: dmadunic [mailto:[EMAIL PROTECTED] > Sent: 28 August 2007 11:14 > To: [email protected] > Subject: WS-Security and CXF > > > Hi all, > i have two questions concerning how to implement WS-Security with CXF. > > 1) First question: how on the server side to read CallbackHandler > supplied > password? > > Followoing instructions on CXF homesite and from several articles, I > have > created simple HelloWorldService and attached to it following > interceptors: > > <jaxws:endpoint id="helloWorld" > implementor="demo.spring.HelloWorldImpl" > address="/HelloWorld" > > <jaxws:inInterceptors> > <bean > class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/> > <bean > class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> > <property name="properties"> > <map> > <entry key="action" > value="UsernameToken"/> > <entry > key="passwordType" value="PasswordText"/> > <entry > key="passwordCallbackClass" > value="demo.interceptors.AuthenticationCallbackHandler"/> > </map> > </property> > </bean> > <bean > class="demo.interceptors.ValidateUserTokenInterceptor"/> > </jaxws:inInterceptors> > > </jaxws:endpoint> > > AuthenticationCallbackHandler is very simple it just does the following: > > public void handle(Callback[] callbacks) throws IOException, > UnsupportedCallbackException { > WSPasswordCallback pc = (WSPasswordCallback) > callbacks[0]; > > if (pc.getIdentifer().equals("joe")) { > pc.setPassword("password"); > } > } > > I also wrote my demo.interceptors.ValidateUserTokenInterceptor which > should > Validate received token. > > public void handleMessage(Message message) throws Fault { > boolean userTokenValidated = false; > > logger.debug("Invoked - ValidateUserToken: " + message); > > //logger.debug("messagePwd: " + message.get); > Vector result = (Vector) > message.getContextualProperty(WSHandlerConstants.RECV_RESULTS); > > if (result==null) { > throw new > IllegalArgumentException(WSHandlerConstants.RECV_RESULTS + " > Property not found in MessageContext?!"); > } > > for (int i = 0; i < result.size(); i++) { > WSHandlerResult res = (WSHandlerResult) > result.get(i); > for (int j = 0; j < res.getResults().size(); > j++) { > WSSecurityEngineResult secRes = > (WSSecurityEngineResult) > res.getResults().get(j); > int action = secRes.getAction(); > logger.debug("Checking: " + secRes); > // USER TOKEN > if ((action & WSConstants.UT) > 0) { > WSUsernameTokenPrincipal > principal = (WSUsernameTokenPrincipal) > secRes.getPrincipal(); > logger.debug("name=" + > principal.getName()); > logger.debug("password=" + > principal.getPassword()); > logger.debug("passwordType=" + > principal.getPasswordType()); > logger.debug("createdTime=" + > principal.getCreatedTime()); > > if (principal.getPassword() == > null) { > throw new > RuntimeException("Invalid Security Header"); > } else { > // NOW COMPARE PASSWORDS > - > HOW???? > userTokenValidated = > true; > } > } > } > } > if (!userTokenValidated) { > throw new RuntimeException("Security processing > failed"); > } > } > > So far i was able to read information from WSSE:Security header - ie. > username and pwd supplied by the Client. But i do not know how to > address > the password value supplied by AuthenticationCallbackHandler inside this > interceptor?? > > 2) Second question: how to properly configure interceptors on client > using > spring? > > To test the service i wrote simple HelloClient: > > public static void main(String[] args) { > > ApplicationContext context = new > ClassPathXmlApplicationContext("/clientAppContext.xml"); > HelloWorld client = (HelloWorld) > context.getBean("client"); > System.out.println("Invoking service..."); > String text = client.sayHi("Domagoj"); > System.out.println("Response=: " + text); > } > > This is my clientAppContext.xml: > > <bean id="client" class="demo.spring.HelloWorld" > factory-bean="clientFactory" factory-method="create"/> > > <bean id="clientFactory" > class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean"> > <property name="serviceClass" value="demo.spring.HelloWorld"/> > <property name="address" > value="http://localhost:8080/SoaLab/HelloWorld"/> > <property name="outInterceptors"> > <list> > <bean > class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor"/> > <bean > class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> > <property name="properties"> > <map> > <entry > key="action" value="UsernameToken"/> > <entry > key="user" value="joe"/> > <entry > key="passwordType" value="PasswordText"/> > <entry > key="passwordCallbackClass" > value="demo.interceptors.ClientPasswordCallback"/> > </map> > </property> > </bean> > </list> > </property> > </bean> > > The problem i have is that Response i receive from HelloWorld service is > null?? > If i comment interceptors on both client and server side it all works > fine. > > Any suggestions? > > Thx in advance.... > > > -- > View this message in context: > http://www.nabble.com/WS-Security-and-CXF-tf4340880.html#a12365374 > Sent from the cxf-user mailing list archive at Nabble.com. > > ---------------------------- > IONA Technologies PLC (registered in Ireland) > Registered Number: 171387 > Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland > > -- View this message in context: http://www.nabble.com/WS-Security-and-CXF-tf4340880.html#a12366436 Sent from the cxf-user mailing list archive at Nabble.com. ---------------------------- IONA Technologies PLC (registered in Ireland) Registered Number: 171387 Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
