I know that the Apache Rampart configuration allows providing a password callback 
handler class, which can be used to provide the passwords the Rampart engine needs 
to build username tokens and create signatures when sending messages.
It's written that "Whenever the Rampart engine needs a password to create a 
username token, it will create a WSPasswordCallback instance, setting the 
appropriate identifier which it extracts from the parameter of the Rampart 
configuration, and pass it to the password callback class via the handle method." 
But as you see, I've used policy-based configuration!

So I've got a few questions to see if I have understood all that: 
        1. Is it from here that the Rampart engine extracts the appropriate 
username: <wsse:Username>bob</wsse:Username>
        2. After it extracts it, it passes it to our PWCBHandler class via the 
handle method. 
        3. Our handle method sets the appropriate password if the username is 
correct. 
        4. And the most important: as I have to consume my web service from 
JavaScript, at the end I have provided my SOAP request. But as you see, I provide 
both the username and the password, and I can't see where the security is, as 
everyone can see my username and password. Is this right? How can I make it 
more secure?

<wsp:Policy wsu:Id="UTOverTransport"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:passwordCallbackClass>axis2wstest.PWCBHandler</ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Here is my code for the PasswordCallback class:

package axis2wstest;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCBHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // For a PasswordText token Rampart hands over the username (identifier) and the
            // cleartext password from the message; the handler decides whether they match.
            // ("pass".equals(...) avoids an NPE when no password is present in the callback.)
            if (pwcb.getIdentifier().equals("test") && "pass".equals(pwcb.getPassword())) {
                return;
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Incorrect login/password");
            }
        }
    }
}

Here is my SOAP request from JavaScript:

var request =
    '<?xml version="1.0" encoding="utf-8"?>' +
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tan="http://tan">' +
    '<soapenv:Header>' +
    '<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">' +
    '<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="123">' +
    '<wsse:Username>bob</wsse:Username>' +
    '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>' +
    '</wsse:UsernameToken>' +
    '</wsse:Security>' +
    '</soapenv:Header>' +
    '<soapenv:Body>' +
    '<tan:testws><tan:x>ECHOO</tan:x></tan:testws>' +
    '</soapenv:Body>' +
    '</soapenv:Envelope>';
