OK, so here's my callback. I was originally expecting that if I returned a
password from this callback that was different from the incoming password,
that an exception would be thrown. It sounds like an exception should be
thrown, but it's not. I'll write a test case with WSS4J to see if that's
the case.

Hmm, so probably an exception is thrown only if the password is in hashed form.
I'll try to check this.

In the meantime, can you take a look at my callbackhandler?

I'm not sure if putting a ThreadLocal inside the callback object is a good idea :/
Maybe it's better to create an external object which will contain the
ThreadLocal object and have the same useful data accessing methods. You
also have to remember to clear this variable at the end of the request.

I was originally planning on getting the user from a login service and then
throwing it on a ThreadLocal, however, I'm tempted to do the user lookup in a
handler that occurs after WSS4J using the WSUsernameTokenPrincipal that is
stored in the message context.

For a password in plain form it should work, but for hashed form you can
encounter a few problems. (Sending a plain password should be avoided
IMHO, so at least SSL should be used.)
I usually keep user data during msg processing (in ThreadLocal or
appContexts, depending on the API) so every service method has easy access
to it.

Brian

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

// BusinessService and User are application classes (not shown here).
public class PasswordCallbackHandler
    implements CallbackHandler
{
    // Created once for the class; assigning a new ThreadLocal in the
    // constructor would discard values set through earlier instances.
    private static final ThreadLocal _user = new ThreadLocal();
    private BusinessService myBusinessService;
    private String myUserid;
    private String myPassword;

    public PasswordCallbackHandler()
    {
    }

    public void handle(Callback[] callbacks)
        throws IOException, UnsupportedCallbackException
    {
        for (int i = 0; i < callbacks.length; i++)
        {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            if (pc != null)
            {
                if (pc.getIdentifer().equals("CUPAREQ")){
                    pc.setPassword("WrongPassword"); // I was
                }
            }
            //TODO Multiple callbacks might occur if the document has sections
            // signed by multiple actors???
            // Authenticate the user against with a login service
            // Temporarily commented out to show Tomek the issue with wrong password
            // User user = myBusinessService.authenticate(pc.getIdentifer(), pc.getPassword());
            // _user.set(user);
        }
    }

    /**
     * @param businessService The businessService to set.
     */
    public void setBusinessService(BusinessService businessService)
    {
        myBusinessService = businessService;
    }

    /**
     * @return Returns the myUser.
     */
    public static User getUser()
    {
        return (User)_user.get();
    }
}
--
View this message in context:
http://www.nabble.com/WS-Security-and-UserTokens-t1543793.html#a4248135
Sent from the XFire - User forum at Nabble.com.
--
Your plan looks like it was written by a drunken lemur as a practical
joke on other drunken lemurs.
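
The external-holder suggestion from the thread, as an added example that is not code from either poster or from XFire/WSS4J: it shows why the ThreadLocal has to be cleared at the end of each request when worker threads are reused. The names RequestUser and handle are hypothetical, and a single-thread executor stands in for the container's thread pool.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class RequestUserDemo {

    // Hypothetical holder kept outside the callback handler.
    static final class RequestUser {
        private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
        static void set(String userId) { CURRENT.set(userId); }
        static String get() { return CURRENT.get(); }
        static void clear() { CURRENT.remove(); }
    }

    // Simulates one request: the authentication step stores the user (null means
    // the request carried no credentials), then the service method reads it back.
    static String handle(String authenticatedUser, boolean clearAtEnd) {
        String leftover = RequestUser.get(); // identity already on this thread, if any
        try {
            if (authenticatedUser != null) {
                RequestUser.set(authenticatedUser);
            }
            return "leftover=" + leftover + ", serviceSees=" + RequestUser.get();
        } finally {
            if (clearAtEnd) {
                RequestUser.clear(); // end of request: drop the identity
            }
        }
    }

    static String run(ExecutorService pool, String user, boolean clear) throws Exception {
        Callable<String> request = () -> handle(user, clear);
        return pool.submit(request).get();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor(); // one reused worker
        try {
            System.out.println("no clear, alice:     " + run(pool, "alice", false));
            // Unauthenticated request on the same thread inherits alice's identity.
            System.out.println("no clear, anonymous: " + run(pool, null, false));
            System.out.println("clear, carol:        " + run(pool, "carol", true));
            // With cleanup in finally, the next request starts with no identity.
            System.out.println("clear, anonymous:    " + run(pool, null, true));
        } finally {
            pool.shutdown();
        }
    }
}
```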