Hello,

I still cannot get the AuthenticationInterceptor to work.

The password callback is needed to retrieve the password for the private key. 
Otherwise the server cannot decrypt the SOAP Request.

However, when the AuthenticationInterceptor is called in the pre-invoke phase, 
the security token is null.
See AbstractSecurityContextInInterceptor.handleMessage()

Any ideas?

David

From: [email protected] 
Sent: Friday, April 01, 2011 7:38 AM
To: [email protected] 
Subject: Re: UsernameToken JBoss Integration

Hello Sergey,

If I remove the password callback, I get another error message:
General security error (WSSecurityEngine: Callback supplied no password for: 
myAlias)

The keystore.properties file contains only the password for the keystore, not 
for the private key inside the keystore. Also, I cannot find a way to create a 
private key without a password with the Java keytool.

Is there another way to provide the password besides the password callback? Is 
there maybe a property in the keystore.properties file? I cannot find a 
suitable property in this list: 
http://cxf.apache.org/docs/ws-securitypolicy.html

This is the content of the keystore.properties. The ${}-parts are replaced by 
maven with actual values:


org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=${keystore.password}
org.apache.ws.security.crypto.merlin.keystore.alias=${certificate.alias}
org.apache.ws.security.crypto.merlin.file=${keystore.path}



Thank you
David

-----Original Message-----
From: Sergey Beryozkin 
Sent: Thursday, March 31, 2011 10:21 PM 
To: [email protected] 
Subject: Re: UsernameToken JBoss Integration 

Hi -

You don't need a password callback in this case.

Cheers, Sergey

On Thu, Mar 31, 2011 at 7:42 PM, David Zhang <[email protected]> wrote:

> Hi Sergey,
>
> thank you very much for taking the time to help me.
> I have set the property you mentioned. Look, this is my configuration:
>
>
> <jaxws:endpoint id="SecureServiceBean"
>     address="/example-ejb/SecureService"
>     implementor="com.example.SecureServiceBean">
>   <jaxws:invoker>
>     <bean class="org.jboss.wsf.stack.cxf.InvokerEJB3" />
>   </jaxws:invoker>
>   <jaxws:inInterceptors>
>     <bean class="com.example.AuthenticationInterceptor1"/>
>   </jaxws:inInterceptors>
>   <jaxws:properties>
>     <entry key="ws-security.ut.no-callbacks" value="true" />
>     <!--<entry key="ws-security.validate.token" value="false" />-->
>     <entry key="ws-security.signature.properties" value="keystore.properties" />
>     <entry key="ws-security.encryption.properties" value="keystore.properties" />
>     <entry key="ws-security.callback-handler"
>         value="com.example.PasswordCallback" />
>   </jaxws:properties>
> </jaxws:endpoint>
>
> Where com.example.AuthenticationInterceptor1 extends
> AbstractUsernameTokenInInterceptor.
> This results in:
> 12:01:12,770 ERROR
> [org.apache.cxf.interceptor.security.AbstractSecurityContextInInterceptor]
> Security Token is not available on the current message
>
> Thanks
> David
>
>
> -----Original Message-----
> From: Sergey Beryozkin
> Sent: Thursday, March 31, 2011 11:06 AM
> To: [email protected]
> Subject: Re: UsernameToken JBoss Integration
>
> Hi
>
> Please check this section:
>
>
> http://cxf.apache.org/docs/security.html#Security-WSSecurityUsernameTokenandCustomAuthentication
>
> In 2.3.x you have to set a "ws-security.ut.no-callbacks" property and this
> will ensure AbstractUserNameTokenInterceptor can be used.
>
> Setting this property results in WSS4JInInterceptor duplicating WSS4J
> specific UT into CXF specific UsernameToken which is what
> AbstractUserNameTokenInterceptor is checking.
>
> Cheers, Sergey
>
> On Thu, Mar 31, 2011 at 8:42 AM, David Zhang <[email protected]> wrote:
>
> >
> > Hello,
> >
> > I have a web service with symmetric binding and self-signed server
> > certificate.
> >
> > I implemented a password callback handler for the password to the private
> > key of the server.
> >
> > Now I want to add authentication with username token. So I added a
> > supporting token to the ws security policy.
> >
> > To this point everything works fine. The server gets an encrypted request
> > with a username token.
> >
> > My concern is that I do not want to do the authentication in my
> > application. I want to integrate the username token with JBoss Security.
> >
> > So I followed these instructions:
> > http://community.jboss.org/wiki/JBossWS-StackCXFUserGuide#Authentication_and_authorization
> >
> > However, it did not work. I used a debugger to check and I saw the
> > authentication interceptor was created when my app was deployed but it was
> > never called on a client request.
> >
> > Later I found this:
> > http://svn.apache.org/repos/asf/cxf/tags/cxf-2.3.3/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/SimpleSubjectCreatingInterceptor.java
> >
> > I implemented an interceptor following that example. I put a breakpoint on
> > the createSubject method. It was never called.
> >
> > Then I followed this example:
> > http://svn.apache.org/repos/asf/cxf/tags/cxf-2.3.3/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/SimpleUsernameTokenInterceptor.java
> >
> > At least I know this interceptor was called. But it produced an error
> > before the createSubject method was called. The error says: Security Token
> > is not available on the current message
> >
> > But this cannot be true, because then I removed the interceptor, removed
> > the property ws-security.ut.no-callbacks, and on the next request my password
> > callback handler was called with the username I set on the client.
> >
> > Please, can anybody explain to me what I am doing wrong?
> >
> > Thanks
> >
> > David
> >
>
>
>
>
> --
> Sergey Beryozkin
>
> Application Integration Division of Talend <http://www.talend.com>
> http://sberyozkin.blogspot.com




-- 
Sergey Beryozkin

Application Integration Division of Talend <http://www.talend.com>
http://sberyozkin.blogspot.com
