RE: Rampart STS Username service not returning password in callback

Fri, 18 Jan 2013 20:24:26 -0800 

Hi Brian assume your CallbackHandler looks something like like public class 
PWCBHandler implements javax.security.auth.callback.CallbackHandler {    public 
void handle(javax.security.auth.callback.Callback[] callbacks) throws 
IOException,
            javax.security.auth.callback.UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
             org.apache.ws.security.WSPasswordCallback pwcb = 
(org.apache.ws.security.WSPasswordCallback)callbacks[i]; put the 
CallbackHandler into the Options class for the serviceClient to pickup e.g. 
Options options = client.getOptions();
options.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordCallbackHandler()); 
 serviceClient.setOptions(options);                try {
                    //Blocking invocation
                    serviceClient.sendReceive(getOMElement());
                    fail("Service Should throw an error..");                } 
catch (AxisFault axisFault) {
                    assertEquals("Testing negative scenarios with Apache 
Rampart. Intentional Exception", axisFault.getMessage());
                }
http://wso2.org/library/3733 HTH,
Martin 
______________________________________________ 
Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité

Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger 
sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung 
oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem 
Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. 
Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung 
fuer den Inhalt uebernehmen.
Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le 
destinataire prévu, nous te demandons avec bonté que pour satisfaire informez 
l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est 
interdite. Ce message sert à l'information seulement et n'aura pas n'importe 
quel effet légalement obligatoire. Étant donné que les email peuvent facilement 
être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité 
pour le contenu fourni.

 From: [email protected]
To: [email protected]
Subject: RE: Rampart STS Username service not returning password in callback
Date: Fri, 18 Jan 2013 12:01:19 -0500

Martin, Can you tell me where the password callback in my service gets called 
from? It’s the password callback configured by the following line in the STS 
service.xml                   
<ramp:passwordCallbackClass>com.lni.exchange.wan.receive.binding.axis2.PasswordCallback</ramp:passwordCallbackClass>
  Brian From: Martin Gainty [mailto:[email protected]] 
Sent: Wednesday, January 16, 2013 5:14 PM
To: [email protected]
Subject: RE: Rampart STS Username service not returning password in callback 
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
 
i think I found an element we can use  

(where both noonce and Password would be child elements of wsc:DerivedKeyToken) 
so here is the TestCase
 
 org.apache.rampart.handler.config.OutflowConfiguration ofc = new 
org.apache.rampart.handler.config.OutflowConfiguration();
  
  ofc.setActionItems("UsernameToken Encrypt");
  ofc.setUser("Mohammed");
  ofc.setAddUTElements("Nonce Created");  //Noonce
  ofc.setEncryptionParts("{Element}{" + WSSE_NS + "}UsernameToken");
  ofc.setEncryptionUser("osama");
  ofc.setEncryptionPropFile("interop.properties");
  ofc.setPasswordCallbackClass("org.apache.axis2.security.PWCallback");
  ofc.setEncryptionSymAlgorithm(WSConstants.TRIPLE_DES);  //change this to MD5 
or SHA-1
  ofc.setPasswordType(WSConstants.PW_TEXT);
  ofc.setEncryptionKeyIdentifier(WSSHandlerConstants.SKI_KEY_IDENTIFIER);
  
//so here is the new OutFlowConfiguration Element
   ofc.setPassword("YadaYadaYada");

  return ofc;

//org.apache.rampart.handler.config.OutflowConfiguration change
 public void setPassword(String passwordType) {
  this.actionList[this.currentAction].put(
    WSHandlerConstants.PASSWORD, password);
 }
//org.apache.ws.security.dom.handler.WSHandlerConstants add this element
public static final String PASSWORD = "password"

//correct ...why touch WSS4J for one minor update to a constant ..(maybe using 
constant "password" is better)

//org.apache.rampart.handler.config.OutflowConfiguration change with constant
public void setPassword(String passwordType) {
this.actionList[this.currentAction].put(
    "password", password);
}

reference
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd

WDYT?
Martin
></xsd:No virus found in this message.
Checked by AVG - www.avg.com
Version: 2013.0.2890 / Virus Database: 2638/6037 - Release Date: 01/16/13No 
virus found in this message.
Checked by AVG - www.avg.com
Version: 2013.0.2890 / Virus Database: 2638/6037 - Release Date: 01/16/13

Reply via email to