I am facing a problem with the password comparison using WSS4J interceptors.
I see from the SOAP message logs that the username and password are passed
from the client to the server correctly and that PasswordCallbackHandler is
invoked. As per my understanding the actual password comparison is done by
WSS4J. The problem I am facing is that the service is getting invoked even if
the passwords do not match, while I am expecting a SOAP fault to be thrown.
The client is sending the password "test" while the server is expecting
"test123" for the user "admin". Here are my logs and configuration. Please
let me know if I am missing anything.

Server side applicationContext-cxf.xml:

<jaxws:endpoint id="helloWorld"
        implementor="com.mydomain.cxfauth.HelloWorldImpl"
        address="/HelloWorld">

    <jaxws:features>
        <bean class="org.apache.cxf.feature.LoggingFeature" />
    </jaxws:features>
    <jaxws:inInterceptors>
        <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
        <ref bean="wss4jInConfiguration" />
    </jaxws:inInterceptors>
</jaxws:endpoint>

<bean id="wss4jInConfiguration"
        class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <property name="properties">
        <map>
            <entry key="action" value="UsernameToken" />
            <entry key="passwordType" value="PasswordText" />
            <!-- same as <entry><key><value>passwordCallbackRef</value></key><ref bean="passwordCallback"/></entry> -->
            <entry key="passwordCallbackRef" value-ref="passwordCallback" />
        </map>
    </property>
</bean>

<bean id="passwordCallback"
        class="com.mydomain.cxfauth.interceptors.PasswordCallbackHandler" />

Server side Password callback handler:

public void handle(Callback[] callbacks) throws IOException,
        UnsupportedCallbackException {
    WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
    logger.debug("identifier on server: " + pc.getIdentifer());
    if (pc.getIdentifer().equals("admin")) {
        logger.debug("Inside if: " + pc.getIdentifer());
        // Set the password on the callback. This will later be compared to
        // the password which was sent from the client.
        pc.setPassword("test123");
    }
}

Client side client-cxf.xml:

<bean id="client" class="com.mydomain.cxfauth.HelloWorld"
        factory-bean="clientFactory" factory-method="create" />

<bean id="clientFactory"
        class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
    <property name="serviceClass"
            value="com.mydomain.cxfauth.HelloWorld" />
    <property name="address"
            value="http://localhost:8080/cxfauth/services/HelloWorld" />
    <property name="outInterceptors">
        <list>
            <bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
            <ref bean="wss4jOutConfiguration" />
        </list>
    </property>
</bean>

<bean id="wss4jOutConfiguration"
        class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <property name="properties">
        <map>
            <entry key="action" value="UsernameToken" />
            <entry key="user" value="admin" />
            <entry key="passwordType" value="PasswordText" />
            <!-- same as <entry><key><value>passwordCallbackRef</value></key><ref bean="passwordCallback"/></entry> -->
            <entry key="passwordCallbackRef" value-ref="passwordCallback" />
        </map>
    </property>
</bean>

<bean id="passwordCallback"
        class="com.mydomain.cxfauthclient.interceptors.PasswordCallbackHandler" />

Client side PasswordCallbackHandler:

public void handle(Callback[] callbacks) throws IOException,
        UnsupportedCallbackException {
    WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
    logger.debug("identifier on client: " + pc.getIdentifer());
    if (pc.getIdentifer().equals("admin")) {
        // Set the password on the callback on the client side.
        pc.setPassword("test");
    }
}


Server Log:

Sep 12, 2007 10:25:21 AM org.apache.cxf.transport.servlet.CXFServlet replaceDestionFactory
INFO: servlet transport factory already registered
Sep 12, 2007 10:26:10 AM org.apache.cxf.interceptor.LoggingInInterceptor handleMessage
INFO: Inbound Message
--------------------------------------
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soap:mustUnderstand="1"><wsse:UsernameToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="UsernameToken-12741398"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Username
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">admin</wsse:Username><wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">test</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><ns1:sayHi
xmlns:ns1="http://cxfauth.mydomain.com/"><arg0>Durgaprasad</arg0></ns1:sayHi></soap:Body></soap:Envelope>
--------------------------------------
2007-09-12 10:26:10,728 - DEBUG (com.mydomain.cxfauth.interceptors.PasswordCallbackHandler:handle:20) - identifier on server: admin
2007-09-12 10:26:10,744 - DEBUG (com.mydomain.cxfauth.interceptors.PasswordCallbackHandler:handle:22) - Inside if: admin
Sep 12, 2007 10:26:11 AM org.apache.cxf.interceptor.LoggingOutInterceptor$LoggingCallback onClose
INFO: Outbound Message
--------------------------------------
<soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns1:sayHiResponse
xmlns:ns1="http://cxfauth.mydomain.com/"><return>Welcome, Durgaprasad to the
CXF web services</return></ns1:sayHiResponse></soap:Body></soap:Envelope>
--------------------------------------

Client response Log:

Sep 12, 2007 10:26:09 AM org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromClass
INFO: Creating Service {http://cxfauth.mydomain.com/}HelloWorldService from class com.mydomain.cxfauth.HelloWorld
2007-09-12 10:26:10,135 - DEBUG (com.mydomain.cxfauthclient.interceptors.PasswordCallbackHandler:handle:20) - identifier on client: admin
2007-09-12 10:26:11,119 - DEBUG (com.mydomain.cxfauthclient.CXFAuthClient:main:21) - Response: Welcome, Durgaprasad to the CXF web services



-- 
View this message in context: 
http://www.nabble.com/UsernameToken-Authentication-with-WSS4J-tf4431064.html#a12640886
Sent from the cxf-user mailing list archive at Nabble.com.
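The following server-side callback handler is an added example, not code from the original post or from CXF/WSS4J. It assumes the 1.5.x line of WSS4J that CXF 2.0 shipped with, where the UsernameToken processor behaves differently per password type: for PasswordDigest it asks the handler for the stored password (usage WSPasswordCallback.USERNAME_TOKEN) and compares the digests itself, while for PasswordText it hands the handler the password the client actually sent (usage WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) and does no comparison of its own, so a handler that only calls setPassword() accepts every request and the caller must reject a mismatch by throwing, which the interceptor then surfaces as an authentication fault. The class name, the in-memory credential map and the constantTimeEquals helper are assumptions introduced for the example. Note also that with PasswordText the password travels in clear text in the SOAP header, as the logged inbound message above shows ("<wsse:Password ...>test</wsse:Password>"), so this configuration needs TLS on the transport or a switch to PasswordDigest.

```java
package com.mydomain.cxfauth.interceptors;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Server-side password callback for WSS4J UsernameToken processing that
 * works for both password types (example class, not part of CXF/WSS4J).
 *
 * Assumption (WSS4J 1.5.x): PasswordDigest arrives with usage
 * USERNAME_TOKEN and WSS4J compares the digests itself; PasswordText
 * arrives with usage USERNAME_TOKEN_UNKNOWN and WSS4J leaves the
 * comparison to this handler, so a mismatch must be rejected by throwing.
 */
public class VerifyingPasswordCallbackHandler implements CallbackHandler {

    // Constructed credential store for the example; a real deployment
    // would look the user up in a directory or database instead.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("admin", "test123");
    }

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback,
                        "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            String expected = USERS.get(pc.getIdentifer());

            switch (pc.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN:
                // PasswordDigest: WSS4J only needs the stored password and
                // does the digest comparison itself. For an unknown user the
                // password stays null and the digest check fails in WSS4J.
                if (expected != null) {
                    pc.setPassword(expected);
                }
                break;
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                // PasswordText: pc.getPassword() is the value the client sent.
                // Nothing downstream compares it, so compare here and refuse
                // on mismatch; calling setPassword() here would change nothing.
                if (expected == null
                        || !constantTimeEquals(expected, pc.getPassword())) {
                    throw new IOException("authentication failed for user "
                            + pc.getIdentifer());
                }
                break;
            default:
                throw new UnsupportedCallbackException(callback,
                        "unexpected usage " + pc.getUsage());
            }
        }
    }

    /**
     * Compare two strings without returning at the first differing character,
     * so the time taken does not reveal how many leading characters matched.
     * The length is still compared up front and therefore leaks; for stored
     * password hashes of fixed length that is not an issue.
     */
    static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null || a.length() != b.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length(); i++) {
            diff |= a.charAt(i) ^ b.charAt(i);
        }
        return diff == 0;
    }
}
```

Wire it in place of the existing handler by pointing the passwordCallback bean in applicationContext-cxf.xml at this class; with the client above still sending "test", the USERNAME_TOKEN_UNKNOWN branch throws and the request no longer reaches sayHi. Use the same class unchanged if passwordType is later switched to PasswordDigest on both sides, since the USERNAME_TOKEN branch then supplies the stored password for WSS4J's own digest check.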
