On 03/16/2012 05:24 AM, Colm O hEigeartaigh wrote:
Should I use 0x01 (i.e. USERNAME_TOKEN) or am I supposed to register my own.
Looking at the source code it doesn't really look possible to use a custom
value here (take a look at WSSecurityUtil.decodeAction). If I have to
replace something, it might as well be "UsernameToken"/0x01, I guess.
You can use a custom value. WSSecurityUtil.decodeAction contains the
following code:
int parsedAction = Integer.parseInt(single[i]);
if (wssConfig.getAction(parsedAction) == null) {
throw new WSSecurityException(
"Unknown action defined: " + single[i]
);
}
actions.add(new Integer(parsedAction));
You're right, but there cannot be a separate "readable" name, so someone
looking at the spring xml won't see "action" => "SessionToken" they'll
see "action" => "32768" or similar which I need to comment
extensively. The point of "registering" a custom action integer with a
string name mapping would be so that in so doing the configuration would
be self-documenting.
But please don't take this as an ungrateful complaint! You have been
extremely helpful, and the code extension points are hopefully right on
target. Thanks again!
Colm.
On Thu, Mar 15, 2012 at 5:53 PM, David Mansfield<[email protected]> wrote:
On 03/15/2012 11:07 AM, Colm O hEigeartaigh wrote:
Hi David,
I have also looked at the "custom actions" but I don't understand what
the
statement "integer representing the WSS4J action identifier" means, nor
what
indeed a WSS4J action is, or how to make one.
You could take a look at the following unit test "testCustomAction":
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptorTest.java?view=markup
You need to implement your own Action implementation to insert the
token in the security header:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/Action.java?view=markup
Then you need to tell WSS4J to use this Action implementation
corresponding to a given integer. From the test:
CountingUsernameTokenAction action = new CountingUsernameTokenAction();
Map<Object, Object> customActions = new HashMap<Object, Object>(1);
customActions.put(WSConstants.UT, action);
...
msg.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
msg.put(WSS4JOutInterceptor.WSS4J_ACTION_MAP, customActions);
Ok. Getting there. Still a few questions:
So these two lines set the "action" equal to "UsernameToken" (which
translates elsewhere to 0x01), then supply a custom action map using a
custom Action implementation for 0x01.
Should I use 0x01 (i.e. USERNAME_TOKEN) or am I supposed to register my own.
Looking at the source code it doesn't really look possible to use a custom
value here (take a look at WSSecurityUtil.decodeAction). If I have to
replace something, it might as well be "UsernameToken"/0x01, I guess.
The other big problem is that all of these manipulations occur (in the test
case you linked) on the "SoapMessage". It seems like the docs example
works by configuring some "properties" map of the WSS4JOutInterceptor. So
if I can translate what you said, I get:
<bean id="sessionTokenAction"
class="com.example.subclass.of.action.MySessionTokenAction" />
<bean id="sessionTokenInterceptor"
class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
<constructor-arg>
<map>
<!-- Redefines the action for UsernameToken to use a custom impl. and
turns on the action -->
<entry key="action" value="UsernameToken" /> <!-- turn on the
UsernameToken i.e. 0x01 -->
<entry key="wss4j.action.map">
<map key-type="java.lang.Integer" value-type="java.lang.Object">
<entry key="0x01" value-ref="sessionTokenAction"/>
</map>
</entry>
</map>
</constructor-arg>
</bean>
<bean id="greeterServiceFactory"
class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
...
<property name="outInterceptors">
<list>
<ref bean="securityTokenInterceptor" />
</list>
</property>
</bean>
And than services retrieved from spring will have the custom mapping
applied.
The integer you associate with the action needs to be added via
WSHandlerConstants.ACTION. The example above is a tad confusing, as it
overrides the UsernameTokenAction rather than specifying a new action.
Colm.
On Thu, Mar 15, 2012 at 2:43 PM, David Mansfield<[email protected]>
wrote:
Hi. This is my first post!
I am working with a web service that has employed a "custom" security
solution roughly based on STS. After I receive a "token" from their STS
(using their custom library) I have to embed the opaque token in a custom
header inside the wsse:Security soap header. Roughly like:
<wsse:Security>
<SecurityToken>
<TokenValue>4321fade4321fade</TokenValue>
</SecurityToken>
</wsse:Security>
(along with timestamping).
The SecurityToken element is associated with their namespace.
The session token will be common for _all_ requests using the service,
but
it will change over time as a session has a TTL (i.e. once a day the
session
token will need to be updated).
I have looked at the WSS4JOutInterceptor but it seems to only be able to
handle "standard" things like UsernameToken.
I have also looked at the "custom actions" but I don't understand what
the
statement "integer representing the WSS4J action identifier" means, nor
what
indeed a WSS4J action is, or how to make one.
Can someone point me in the right direction?
Thanks,
David Mansfield
Cobite, INC.
