If I understand what your goal is, it is to avoid having the passwords for the 
keystore in plain text in a properties file?  

The way that I handled that was to create a class that extends Properties and 
put your code to decrypt the property values in that class. 
Then, configure an instance of your new Properties subclass in the CXF Spring 
config and refer to that in the configuration for the WSS4JOutInterceptor.

For example, the config for our custom properties object, ConfigLoader, is: 

  <bean id="ConfigLoader" class="com.mycompany.ws.common.ConfigLoader">
    <constructor-arg>
      <beans:value>config/security.properties</beans:value>
    </constructor-arg>
  </bean>

Then, we refer to it in the configuration for the WSS4JOutInterceptor: 

  <bean id="Sign_Response" 
        class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <constructor-arg>
      <map>
        <entry key="action" value="Timestamp Signature Encrypt"/>
        <entry key="user" value="tmds.akimeka.com"/>
        <!-- bug prior to 1.6: the starting 'S' is capitalized -->
        <entry key="SignaturePropRefId" value="propertiesRef"/>
        <entry key="encryptionPropRefId" value="propertiesRef"/>
        <entry key="propertiesRef" value-ref="ConfigLoader"/>
        <entry key="encryptionUser" value="useReqSigCert"/>
        <entry key="signatureKeyIdentifier" value="DirectReference"/>
        <entry key="encryptionKeyIdentifier" value="DirectReference"/>
        <entry key="passwordCallbackRef">
          <beans:ref bean="ConfigLoader"/>
        </entry>
[...]

As you can see, this same object is doing double duty as the 
PasswordCallBackHandler.

So, the ConfigLoader is defined like this: 

import java.util.Properties;
import javax.security.auth.callback.CallbackHandler;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

public class ConfigLoader extends Properties implements CallbackHandler
{
    private static final long serialVersionUID = 1076939217141719149L;
    private static final Log log = LogFactory.getLog(ConfigLoader.class);

    // Merlin (WSS4J crypto provider) property keys whose values are stored encrypted
    private static final String KEYSTORE_PASSWORD =
        "org.apache.ws.security.crypto.merlin.keystore.password";
    private static final String TRUSTSTORE_PASSWORD =
        "org.apache.ws.security.crypto.merlin.truststore.password";
    private static final String KEYSTORE_PRIVATE_PASSWORD =
        "org.apache.ws.security.crypto.merlin.keystore.private.password";
    private static final String[] PASSWORD_PROPERTIES =
        { KEYSTORE_PASSWORD, TRUSTSTORE_PASSWORD, KEYSTORE_PRIVATE_PASSWORD };

    // filename comes from the <constructor-arg> in the Spring config
    public ConfigLoader(String filename)
    {
        load(filename);       // private loader (elided below), reads the properties file
        updateProperties();   // replace encrypted values with their plaintext in memory
    }

    // Decrypt each known password property in place so Merlin sees the real value
    private void updateProperties()
    {
        String pwd = null;

        for (String property : PASSWORD_PROPERTIES)
        {
            pwd = getProperty(property);

            if (pwd != null)
            {
                setProperty(property, EncryptionUtilities.decrypt(pwd));
            }
        }
    }
[...]

It loads in the properties from the file that was passed to the constructor in 
the Spring config, and then decrypts the properties listed in 
PASSWORD_PROPERTIES.

Hope this helps.
-- Andy



-----Original Message-----
From: Giriraj Bhojak [mailto:[email protected]] 
Sent: Thursday, April 24, 2014 1:35 PM
To: [email protected]; Colm O hEigeartaigh
Subject: Re: Issue extending the WSS4JOutInterceptor.

Here is the working config:

[...]
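Added example (my own illustration of the pattern described in the thread; it is not Andy's ConfigLoader, nor CXF or WSS4J code): a Properties subclass that loads the Merlin properties file, decrypts values written as ENC(base64) with AES-GCM, and implements CallbackHandler so the same bean can be used as passwordCallbackRef. The ENC(...) marker, the WSS_CONFIG_KEY environment variable, the class name DecryptingWssProperties and the encrypt/fromEnvironment helpers are all assumptions of this example; org.apache.ws.security.WSPasswordCallback is the WSS4J 1.x class matching the property names used above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback; // WSS4J 1.x; assumed on the classpath

/**
 * Hypothetical Properties subclass (example only): loads a WSS4J/Merlin properties
 * file, decrypts the password entries, and doubles as the WSS4J password callback.
 */
public class DecryptingWssProperties extends Properties implements CallbackHandler {
    private static final long serialVersionUID = 1L;
    private static final String KEYSTORE_PASSWORD = "org.apache.ws.security.crypto.merlin.keystore.password";
    private static final String TRUSTSTORE_PASSWORD = "org.apache.ws.security.crypto.merlin.truststore.password";
    private static final String PRIVATE_KEY_PASSWORD = "org.apache.ws.security.crypto.merlin.keystore.private.password";
    private static final String[] PASSWORD_PROPERTIES = { KEYSTORE_PASSWORD, TRUSTSTORE_PASSWORD, PRIVATE_KEY_PASSWORD };
    private static final String ENC_PREFIX = "ENC("; // assumed marker: ENC(base64(iv || ciphertext || tag))
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_BYTES = 12;

    private final byte[] masterKey; // AES key (16, 24 or 32 bytes); must NOT live in the same properties file

    public DecryptingWssProperties(String filename, byte[] masterKey) throws IOException, GeneralSecurityException {
        this.masterKey = masterKey.clone();
        try (InputStream in = new FileInputStream(filename)) {
            load(in); // java.util.Properties.load(InputStream)
        }
        // Replace only the known password keys; anything not marked ENC(...) is left as written.
        for (String key : PASSWORD_PROPERTIES) {
            String value = getProperty(key);
            if (value != null && value.startsWith(ENC_PREFIX) && value.endsWith(")")) {
                setProperty(key, decrypt(value.substring(ENC_PREFIX.length(), value.length() - 1)));
            }
        }
    }

    /** Factory for Spring (factory-method): the key comes from an environment variable, base64 encoded. */
    public static DecryptingWssProperties fromEnvironment(String filename) throws IOException, GeneralSecurityException {
        String b64 = System.getenv("WSS_CONFIG_KEY"); // assumed variable name
        if (b64 == null) {
            throw new IllegalStateException("WSS_CONFIG_KEY is not set");
        }
        return new DecryptingWssProperties(filename, Base64.getDecoder().decode(b64));
    }

    /** AES-GCM decryption; a modified value fails the tag check and throws instead of yielding garbage. */
    private String decrypt(String b64) throws GeneralSecurityException {
        byte[] blob = Base64.getDecoder().decode(b64);
        if (blob.length <= IV_BYTES) {
            throw new GeneralSecurityException("encrypted value too short");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(masterKey, "AES"),
                new GCMParameterSpec(GCM_TAG_BITS, blob, 0, IV_BYTES));
        byte[] plain = cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
        return new String(plain, StandardCharsets.UTF_8);
    }

    /** Companion encryptor used once, offline, to produce the ENC(...) value for the file. */
    public static String encrypt(String plaintext, byte[] masterKey) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv); // fresh IV per value; GCM must never reuse an IV under one key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(masterKey, "AES"), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return ENC_PREFIX + Base64.getEncoder().encodeToString(blob) + ")";
    }

    /** WSS4J calls this for the private-key password when signing or decrypting. */
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            if (pc.getUsage() == WSPasswordCallback.SIGNATURE || pc.getUsage() == WSPasswordCallback.DECRYPT) {
                pc.setPassword(getProperty(PRIVATE_KEY_PASSWORD)); // do not log the identifier together with this
            }
        }
    }
}
```

Wired into the CXF config the same way as the thread's ConfigLoader: a <bean> with factory-method="fromEnvironment" and the properties path as its constructor-arg, referenced from both propertiesRef and passwordCallbackRef. The scheme moves the secret from the properties file (and whatever version control it sits in) to the environment of the running JVM; anyone who can read the process memory or the environment can still recover the passwords, so it protects the file at rest, not the running service. The GCM tag also means a tampered or truncated ENC(...) value fails at startup rather than silently producing a wrong password.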
