try to add the rampart security to my made
what I have made
1. I have stored in a database the hashed value of "bobPW" password and
the salt
In my PWCBHandler
* I get the stored password and hash
* I hash pwcb.getPassword() with the stord password
* check if this hashed password is equal to the stored password
Here is the code
public class PWCB implements CallbackHandler {
public static String strStoredPassword; public static String strStoredSalt;
public static String passwordforchecking; public static String[] newArray; /**
* @param args */ `public void handle(Callback[] callbacks) throws
IOException,` `UnsupportedCallbackException` { for (int i = 0; i <
callbacks.length; i++) { WSPasswordCallback pwcb =
(WSPasswordCallback)callbacks[i]; try { newArray = getdataforChecking(); }
catch (ClassNotFoundException e1) { // TODO Auto-generated catch block
e1.printStackTrace(); } try { passwordforchecking =
hash(pwcb.getPassword(),Base64.decodeBase64(newArray[1]));
System.out.println(passwordforchecking); } catch (Exception e) { // TODO
Auto-generated catch block e.printStackTrace(); }
if(pwcb.getIdentifier().equals("bob")||passwordforchecking.equals(newArray[0])
) { return; } }
}
private static String hash(String password, byte[] salt) throws Exception {
SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 65536, 256); return
Base64.encodeBase64String(f.generateSecret(spec).getEncoded()); } public
String[] getdataforChecking() throws ClassNotFoundException { String arr[] =
new String[2]; Connection conn = null; Class.forName("org.postgresql.Driver");
try { conn = DriverManager.getConnection(
"jdbc:postgresql://localhost:5432/plovdivbizloca", "postgres", "tan"); } catch
(SQLException ex) { ex.printStackTrace(); } Statement mystmt = null; String
selectQuery = "SELECT password, salt from passwordforservice"; try { mystmt =
conn.createStatement(); ResultSet mysr = mystmt.executeQuery(selectQuery);
while (mysr.next()) { arr[0] = mysr.getString(1);//password
arr[1]=mysr.getString(2); //salt } } catch (Exception ex) {
ex.printStackTrace(); }
return arr;
}
}
but when I make this soap request with the correct pasword I get this
NullPointer exception which I can't explain why
NFO: Server startup in 9608 ms
java.lang.NullPointerException at kim.PWCB.hash(PWCB.java:68) at
kim.PWCB.handle(PWCB.java:44) at
org.apache.rampart.TokenCallbackHandler.handle(TokenCallbackHandler.java:98) at
org.apache.ws.security.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:168)
at
org.apache.ws.security.validate.UsernameTokenValidator.verifyPlaintextPassword(UsernameTokenValidator.java:142)
at
org.apache.ws.security.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:100)
at
org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:131)
at
org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:65)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:304)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
at org.apache.rampart.RampartEngine.process(RampartEngine.java:149) at
org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92) at
org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) at
org.apache.axis2.engine.Phase.invoke(Phase.java:313) at
org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262) at
org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168) at
org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146) at
javax.servlet.http.HttpServlet.service(HttpServlet.java:647) at
javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:947) at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1009)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at
java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at
java.lang.Thread.run(Unknown Source)
[ERROR] The security token could not be authenticated or authorized
org.apache.axis2.AxisFault: The security token could not be authenticated or
authorized at
org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) at
org.apache.axis2.engine.Phase.invoke(Phase.java:313) at
org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262) at
org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168) at
org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146) at
javax.servlet.http.HttpServlet.service(HttpServlet.java:647) at
javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:947) at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1009)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at
java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at
java.lang.Thread.run(Unknown Source)
Caused by: org.apache.ws.security.WSSecurityException: The security token could
not be authenticated or authorized at
org.apache.ws.security.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:189)
at
org.apache.ws.security.validate.UsernameTokenValidator.verifyPlaintextPassword(UsernameTokenValidator.java:142)
at
org.apache.ws.security.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:100)
at
org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:131)
at
org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:65)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:304)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
at
org.apache.rampart.RampartEngine.process(RampartEngine.java:149) at
org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92) ...
24 more
[WARN] Deprecated usage of OMElement#declareNamespace(String,String) with empty
prefix
add comment
question eligible for bounty in 2 days
