Hi Colm,
For custom PasswordEncryptor, yes, I did try to set it up in
applicationContext.xml to apply to whole messages, but it indeed casts
the class name string to a PasswordEncryptor instance instead of
constructing one; that's why I said maybe a feature request.
I am now doing this with a SoapMessage handler that inserts the instance into
all my incoming and outgoing messages, and thus it's not really a good idea,
but it's what I have for the current version.
For http:conduit, yes, I do it programmatically at the moment, but I do
think there are still some people like me who need or want to encrypt every
password in the plain text file; that's why I think maybe we should put all
such processes into one kind of callback handler, just like the
signature/encrypt/decrypt handling that the current version does.
Regards,
Victor Chen
coheigea wrote
> Hi Victor,
>
> On Sat, Jul 23, 2016 at 8:51 AM, Emulator <emulator.chen@> wrote:
>
>>
>> 2. For custom PasswordEncryptor, there should be a constructor argument
>> for WSS4JInterceptor that constructs an instance from a class, just like
>> the callback handler does.
>>
>
> You can specify a custom PasswordEncryptor using the WSS4J property
> "passwordEncryptorInstance".
>
>
>> Now I am stuck at http:conduit, is there any way that I can hide all
>> keystore password/key password or even entire TLS parameters from
>> applicationContext.xml? Things like callback or passwordEncryptor are ok
>> for
>> me, just cannot find anything from source.
>>
>
> No I'm afraid not. You have the option of specifying them programmatically
> however.
>
> Colm.
>
>
>>
>> Regards,
>> Victor Chen
>>
>>
>>
>> coheigea wrote
>> > Ok, I understand the problem now (I think). You can specify the private
>> > key password either in the Crypto properties file or else via a
>> > CallbackHandler. However, you can only specify the keystore password in
>> > the Crypto properties file. You have two options here:
>> >
>> > a) If you're worried about putting a plaintext password in a file, you
>> > can encrypt the password and use a CallbackHandler to retrieve a master
>> > key for decryption.
>> > b) You can write your own Crypto instance. Simply override Merlin and
>> > change the logic in terms of where it retrieves a password from.
>> >
>> > Colm.
>> >
>> > On Fri, Jul 22, 2016 at 2:44 PM, Emulator <emulator.chen@> wrote:
>> >
>> >> Hi Colm:
>> >> Please take a look at my second post. Now the private key has no
>> >> problem with PasswordCallback (though I don't know why it needs
>> >> "UsernameToken" to be added to Action), but I also need the keystore
>> >> password encrypted or set by PasswordCallback (or any other way than
>> >> the properties file).
>> >>
>> >> So I need to remove
>> >> org.apache.wss4j.crypto.merlin.keystore.password=password or decrypt
>> >> this value.
>> >>
>> >> If you are looking into the reason for adding UsernameToken, can you
>> >> provide an example WSDL for me to make a quick example? I am not that
>> >> familiar with WSDL definition.
>> >>
>> >> Regards,
>> >> Victor Chen
>> >>
>> >>
>> >> coheigea wrote
>> >> > Hi,
>> >> >
>> >> > I can't reproduce this problem. For example, see the following CXF
>> >> > test configuration (search for "DoubleItSignedTimestampPort"):
>> >> >
>> >> > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml;h=ad76afe61c83b576059acd9791394910de2f691f;hb=HEAD
>> >> >
>> >> > A passwordCallbackClass is specified. "alice.properties" does not
>> >> > have the private key specified in it:
>> >> >
>> >> > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/alice.properties;h=f2dbb4b60bdd6adba0ab3f07ba82850c9f58fd9b;hb=HEAD
>> >> >
>> >> > Could you create a quick test-case to reproduce the problem and I'll
>> >> > take a look? Failing that, you could try debugging the WSS4J code. The
>> >> > CallbackHandler is queried in WSHandler.getPasswordCB, called in turn
>> >> > from the SignatureAction class.
>> >> >
>> >> > Colm.
>> >> >
>> >> >
>> >> > On Fri, Jul 22, 2016 at 9:33 AM, Emulator <emulator.chen@> wrote:
>> >> >
>> >> >> A quick update: I found that if I add UsernameToken into Action, the
>> >> >> private key password works.
>> >> >> But when I try to remove the keystore password or change it to a wrong
>> >> >> one, PasswordCallback is constructed but its handle method is never
>> >> >> called, and it throws this exception:
>> >> >>
>> >> >> Caused by: org.apache.wss4j.common.ext.WSSecurityException: Failed to load credentials.
>> >> >> Original Exception was java.io.IOException: Keystore was tampered with, or password was incorrect
>> >> >>     at org.apache.wss4j.common.crypto.Merlin.load(Merlin.java:397)
>> >> >>     at org.apache.wss4j.common.crypto.Merlin.loadProperties(Merlin.java:218)
>> >> >>     at org.apache.wss4j.common.crypto.Merlin.<init>(Merlin.java:151)
>> >> >>     at org.apache.wss4j.common.crypto.CryptoFactory.getInstance(CryptoFactory.java:127)
>> >> >>     ... 46 more
>> >> >> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
>> >> >>     at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
>> >> >>     at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
>> >> >>     at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
>> >> >>     at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
>> >> >>     at java.security.KeyStore.load(KeyStore.java:1445)
>> >> >>     at org.apache.wss4j.common.crypto.Merlin.load(Merlin.java:391)
>> >> >>     ... 49 more
>> >> >> Caused by: java.security.UnrecoverableKeyException: Password verification failed
>> >> >>     at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
>> >> >>     ... 54 more
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> View this message in context:
>> >> >>
>> >>
>> http://cxf.547215.n5.nabble.com/Password-Callback-did-not-fire-tp5770579p5770580.html
>> >> >> Sent from the cxf-user mailing list archive at Nabble.com.
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Colm O hEigeartaigh
>> >> >
>> >> > Talend Community Coder
>> >> > http://coders.talend.com
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>>
>>
>>
>>
>
>
>
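Colm's option (b) above, as an added example that is not from this thread or from the CXF/WSS4J projects: a Merlin subclass that takes the keystore password from an environment variable, so `org.apache.wss4j.crypto.merlin.keystore.password` can be left out of the properties file. It assumes the WSS4J 2.x Merlin constructor `(Properties, ClassLoader, PasswordEncryptor)`, which CryptoFactory invokes reflectively; the class name EnvPasswordMerlin and the variable name WSS4J_KEYSTORE_PASSWORD are hypothetical.

```java
import java.io.IOException;
import java.util.Properties;

import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.crypto.PasswordEncryptor;
import org.apache.wss4j.common.ext.WSSecurityException;

/**
 * Hypothetical Crypto provider: identical to Merlin, except that the keystore
 * password comes from the process environment instead of the properties file.
 * Select it with org.apache.wss4j.crypto.provider=com.example.EnvPasswordMerlin
 */
public class EnvPasswordMerlin extends Merlin {

    // Key Merlin reads for the keystore password (the one the thread wants removed).
    static final String KEYSTORE_PASSWORD_KEY =
        "org.apache.wss4j.crypto.merlin.keystore.password";
    // Assumed environment variable name; any name works as long as it is consistent.
    static final String KEYSTORE_PASSWORD_ENV = "WSS4J_KEYSTORE_PASSWORD";

    // WSS4J 2.x CryptoFactory looks up exactly this constructor via reflection.
    public EnvPasswordMerlin(Properties properties, ClassLoader loader,
                             PasswordEncryptor passwordEncryptor)
            throws WSSecurityException, IOException {
        // The superclass constructor is what calls loadProperties() and opens the
        // keystore, so the password must be resolved before super(...) runs.
        super(withKeystorePassword(properties, System.getenv(KEYSTORE_PASSWORD_ENV)),
              loader, passwordEncryptor);
    }

    /**
     * Returns a copy of the properties with the keystore password filled in from
     * envValue when the file does not already carry one. A value present in the
     * file still wins, so Merlin's own handling of it is unchanged.
     */
    static Properties withKeystorePassword(Properties original, String envValue) {
        Properties copy = new Properties();
        copy.putAll(original);
        if (copy.getProperty(KEYSTORE_PASSWORD_KEY) == null) {
            if (envValue == null || envValue.isEmpty()) {
                // Fail loudly at startup rather than letting Merlin report
                // "Keystore was tampered with, or password was incorrect".
                throw new IllegalStateException(
                    "Keystore password missing: set " + KEYSTORE_PASSWORD_ENV);
            }
            copy.setProperty(KEYSTORE_PASSWORD_KEY, envValue);
        }
        return copy;
    }
}
```

The password then exists only in the service process's environment, so restrict read access to that environment (and to the properties file) to the account running CXF.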