Forgot to add this. Additions to the WSDL:

<!-- ========================================= -->
<!-- ==== add UsernameToken policy to wsdl === -->
<!-- ========================================= -->
<!-- sp is the WS-SecurityPolicy 1.1 namespace; it must be spelled identically on every element -->
<wsp:Policy wsu:Id="UP_policy"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-security-utility-1.0.xsd"
        xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
        <sp:TransportBinding
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                        <sp:TransportToken>
                                <wsp:Policy>
                                        <sp:HttpsToken />
                                </wsp:Policy>
                        </sp:TransportToken>
                        <sp:Layout>
                                <wsp:Policy>
                                        <sp:Strict />
                                </wsp:Policy>
                        </sp:Layout>
                        <sp:AlgorithmSuite>
                                <wsp:Policy>
                                        <sp:Basic128 />
                                </wsp:Policy>
                        </sp:AlgorithmSuite>
                </wsp:Policy>
        </sp:TransportBinding>

        <sp:SupportingTokens
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                        <sp:UsernameToken
                                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
                                sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                                <wsp:Policy>
                                        <sp:WssUsernameToken11 />
                                </wsp:Policy>
                        </sp:UsernameToken>
                </wsp:Policy>
        </sp:SupportingTokens>
</wsp:Policy>

-----Original Message-----
From: Goss, Frank [mailto:[email protected]] 
Sent: Monday, November 21, 2011 9:06 AM
To: [email protected]
Subject: RE: Using WS-Security to authenticate when I don't know the password

I got this type of security working using CXF 2.4.2

Additions to cxf-servlet.xml:
<jaxws:inInterceptors>
        <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <constructor-arg>
                        <map>
                                <entry key="action" value="UsernameToken" />
                                <entry key="passwordType" value="PasswordText" />
                        </map>
                </constructor-arg>
        </bean>
</jaxws:inInterceptors>

<!-- ===================================================== -->
<!-- ==== hookup the custom validator to assess eAuth ==== -->
<!-- ===================================================== -->
<jaxws:properties>
        <entry key="ws-security.ut.validator"
                value="gov.usda.biopreferred.astm.ws.server.AstmUserTokenValidator" />
</jaxws:properties>

securityPolicy.xml (not sure this is needed):

<?xml version="1.0" encoding="UTF-8"?>
<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/xwss/config">
        <xwss:RequireUsernameToken
                passwordDigestRequired="false" nonceRequired="false" />
</xwss:SecurityConfiguration>

Validator code:

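// WSS4J 1.6.x packages, as shipped with CXF 2.4.x
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.Validator;

public class AstmUserTokenValidator implements Validator {

        public Credential validate(Credential credential, RequestData requestData)
                        throws WSSecurityException {

                UsernameToken userToken = (UsernameToken) credential.getUsernametoken();

                String password = userToken.getPassword();
                String username = userToken.getName();
                // UserAuthentication is the application's own class, not part of CXF or WSS4J
                UserAuthentication userAuthentication = UserAuthentication
                                .getInstance();
                // Local variable rather than a field: the result must not be
                // shared between concurrent requests.
                boolean authenticationStatus = userAuthentication.authenticateUser(
                                username, password);
                if (authenticationStatus) {
                        return credential;
                } else {
                        throw new WSSecurityException("invalid user credentials");
                }
        }
}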

You can create your own UserAuthentication class to access your database and
verify the Username and password passed in are valid.

It took a while to learn that this is not that difficult (once you know how!)

Hope this helps,
Frank


-----Original Message-----
From: Glen Mazza [mailto:[email protected]] 
Sent: Saturday, November 19, 2011 6:11 AM
To: [email protected]
Subject: Re: Using WS-Security to authenticate when I don't know the password

I haven't done this before, but I believe this article will help you:
http://coheigea.blogspot.com/2011/06/custom-token-validation-in-apache-cxf.html.
This will work in more recent versions of CXF (perhaps 2.4.x onwards).

You'll need to configure a new validator that accesses the DB and
returns pass/fail based on the supplied UsernameToken information.

HTH,
Glen

On 11/19/2011 07:12 AM, Andres Olarte wrote:
> I'm using WSS4JInInterceptor to try to authenticate my client. I have been
> able to create a trivial example. However, I have a problem. In my
> application, I use the supplied user name and password to try to open a
> connection to the database. If the connection attempt is successful, the
> user has authenticated, otherwise, the login attempt gets rejected. Using
> WSS4JInInterceptor I need to implement a callback that returns the user's
> password. In my security scheme, I have no access to this password. How can
> I implement something like this?
>
> Should I subclass WSS4JInInterceptor and hack it to provide the password?
>
> Thanks
>
>
> Andres
>


-- 
Glen Mazza
Talend Community Coders
http://coders.talend.com
blog: http://www.jroller.com/gmazza
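
The UserAuthentication helper that the validator above calls, written for the scheme in the original question (a login succeeds only if the database accepts the supplied credentials). This is an added example, not code from the thread or from CXF; the class body, the JDBC URL and the timeout values are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Hypothetical helper: authenticates by opening a JDBC connection as the caller. */
public final class UserAuthentication {
    private static final Logger LOG = Logger.getLogger(UserAuthentication.class.getName());
    private static final UserAuthentication INSTANCE = new UserAuthentication();

    // Assumption: placeholder JDBC URL; the matching driver must be on the classpath.
    private static final String JDBC_URL = "jdbc:postgresql://db.example.internal:5432/appdb";

    private UserAuthentication() { }

    public static UserAuthentication getInstance() {
        return INSTANCE;
    }

    /** Returns true only if the database accepts the supplied credentials. */
    public boolean authenticateUser(String username, String password) {
        // Reject empty values up front so a blank UsernameToken never reaches the driver.
        if (username == null || username.isEmpty()
                || password == null || password.isEmpty()) {
            return false;
        }
        // Seconds; keeps an unreachable database from pinning request threads.
        DriverManager.setLoginTimeout(5);
        // try-with-resources closes the probe connection on every path.
        try (Connection c = DriverManager.getConnection(JDBC_URL, username, password)) {
            return c.isValid(2);
        } catch (SQLException e) {
            // SQLSTATE class 28 means invalid authorization; anything else is an
            // infrastructure fault. Both fail closed. The user-supplied name and
            // the password are deliberately kept out of the log.
            String state = e.getSQLState();
            boolean badLogin = state != null && state.startsWith("28");
            LOG.log(badLogin ? Level.INFO : Level.WARNING,
                    "Database login rejected (SQLSTATE {0})", state);
            return false;
        }
    }
}
```

Each call opens a real database session, so repeated failed logins hit the database directly; throttling or account lockout has to come from the database or from a layer in front of the service.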


