Why not just create your PasswordEncryptor instance in applicationContext.xml + pass the reference through via the property?

Colm.

On Wed, Jul 27, 2016 at 6:40 PM, Emulator wrote:

> Hi Colm,
> For a custom PasswordEncryptor, yes, I did try to set it up in applicationContext.xml to apply to whole messages, but it indeed casts the class name string to a PasswordEncryptor instance instead of constructing one; that's why I said it is maybe a feature request.
>
> I am now doing this with a SoapMessage handler to insert the instance into all my incoming and outgoing messages, and thus it's not really a good idea, but it will do for the current version.
>
> For http:conduit, yes, I do it programmatically at this moment, but I do think there are still some people like me who need or want to encrypt every password in the plain-text file; that's why I think maybe we should put all such processes into one kind of callback handler, just like the signature/encrypt/decrypt that the current version does.
>
> Regards,
> Victor Chen
>
> coheigea wrote
> > Hi Victor,
> >
> > On Sat, Jul 23, 2016 at 8:51 AM, Emulator wrote:
> >
> > > 2. For a custom PasswordEncryptor, there should be a constructor arg for WSS4jInterceptor that constructs an instance from the class, just like the callback handler does.
> >
> > You can specify a custom PasswordEncryptor using the WSS4J property "passwordEncryptorInstance".
> >
> > > Now I am stuck at http:conduit: is there any way that I can hide all keystore passwords/key passwords or even the entire TLS parameters from applicationContext.xml? Things like a callback or passwordEncryptor are OK for me; I just cannot find anything in the source.
> >
> > No, I'm afraid not. You have the option of specifying them programmatically, however.
> >
> > Colm.
> >
> > > Regards,
> > > Victor Chen
> > >
> > > coheigea wrote
> > > > Ok, I understand the problem now (I think). You can specify the private key password either in the Crypto properties file or else via a CallbackHandler. However, you can only specify the keystore password in the Crypto properties file. You have two options here:
> > > >
> > > > a) If you're worried about putting a plaintext password in a file, you can encrypt the password and use a CallbackHandler to retrieve a master key for decryption.
> > > > b) You can write your own Crypto instance. Simply override Merlin and change the logic in terms of where it retrieves a password from.
> > > >
> > > > Colm.
> > > >
> > > > On Fri, Jul 22, 2016 at 2:44 PM, Emulator wrote:
> > > >
> > > > > Hi Colm:
> > > > > Please take a look at my second post: now the private key has no problem with PasswordCallback (though I don't know why it needs "UsernameToken" to be added to Action), but I also need the keystore password encrypted or set by PasswordCallback (or any other way outside the properties).
> > > > >
> > > > > So I need to remove org.apache.wss4j.crypto.merlin.keystore.password=password or decrypt this value.
> > > > >
> > > > > If you are looking for the reason for adding UsernameToken, can you provide an example WSDL for me to make a quick example? I am not that familiar with WSDL definitions.
> > > > >
> > > > > Regards,
> > > > > Victor Chen
> > > > >
> > > > > coheigea wrote
> > > > > > Hi,
> > > > > >
> > > > > > I can't reproduce this problem. For example, see the following CXF test configuration (search for "DoubleItSignedTimestampPort"):
> > > > > >
> > > > > > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml;h=ad76afe61c83b576059acd9791394910de2f691f;hb=HEAD
> > > > > >
> > > > > > A passwordCallbackClass is specified. "alice.properties" does not have the private key specified in it:
> > > > > >
> > > > > > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/alice.properties;h=f2dbb4b60bdd6adba0ab3f07ba82850c9f58fd9b;hb=HEAD
> > > > > >
> > > > > > Could you create a quick test-case to reproduce the problem and I'll take a look? Failing that, you could try debugging the WSS4J code. The CallbackHandler is queried in WSHandler.getPasswordCB, called in turn from the SignatureAction class.
> > > > > >
> > > > > > Colm.
> > > > > >
> > > > > > On Fri, Jul 22, 2016 at 9:33 AM, Emulator wrote:
> > > > > >
> > > > > > > A quick update: I found that when I add UsernameToken into Action, the private key password works.
> > > > > > > But when I try to remove the keystore password or change it to a wrong one, PasswordCallback is constructed but the handle method is never called, and it throws this exception:
> > > > > > >
> > > > > > > Caused by: org.apache.wss4j.common.ext.WSSecurityException: Failed to load credentials.
> > > > > > > Original Exception was java.io.IOException: Keystore was tampered with, or password was incorrect
> > > > > > >         at org.apache.wss4j.common.crypto.Merlin.load(Merlin.java:397)
> > > > > > >         at org.apache.wss4j.common.crypto.Merlin.loadProperties(Merlin.java:218)
> > > > > > >         at org.apache.wss4j.common.crypto.Merlin.<init>(Merlin.java:151)
> > > > > > >         at org.apache.wss4j.common.crypto.CryptoFactory.getInstance(CryptoFactory.java:127)
> > > > > > >         ... 46 more
> > > > > > > Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
> > > > > > >         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
> > > > > > >         at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
> > > > > > >         at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
> > > > > > >         at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
> > > > > > >         at java.security.KeyStore.load(KeyStore.java:1445)
> > > > > > >         at org.apache.wss4j.common.crypto.Merlin.load(Merlin.java:391)
> > > > > > >         ... 49 more
> > > > > > > Caused by: java.security.UnrecoverableKeyException: Password verification failed
> > > > > > >         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
> > > > > > >         ... 54 more
> > > > > > >
> > > > > > > --
> > > > > > > View this message in context: http://cxf.547215.n5.nabble.com/Password-Callback-did-not-fire-tp5770579p5770580.html
> > > > > > > Sent from the cxf-user mailing list archive at Nabble.com.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
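As an added example that is not part of the thread and not code from the CXF or WSS4J projects, here is Colm's option (a) built on the hooks WSS4J 2.x already has: Merlin treats a Crypto property value of the form ENC(...) as ciphertext and hands it to the configured PasswordEncryptor, and JasyptPasswordEncryptor in turn asks a CallbackHandler for the master password (WSPasswordCallback usage PASSWORD_ENCRYPTOR_PASSWORD). So the properties file holds only ciphertext and the CallbackHandler is the single place secrets are released, which is what Victor is asking for. The class and handler names, the environment variable WSS4J_MASTER_PASSWORD and the throwaway JKS keystore are this example's own choices; it assumes wss4j-ws-security-common 2.x and Jasypt on the classpath.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.crypto.JasyptPasswordEncryptor;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;

public class EncryptedKeystorePasswordDemo {

    /** Answers WSS4J callbacks: master password for the PasswordEncryptor, private-key password for sign/decrypt. */
    public static final class SecretsCallbackHandler implements CallbackHandler {
        private final String masterPassword;
        private final String privateKeyPassword;

        public SecretsCallbackHandler(String masterPassword, String privateKeyPassword) {
            this.masterPassword = masterPassword;
            this.privateKeyPassword = privateKeyPassword;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is handled");
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                switch (pc.getUsage()) {                     // any other usage is left unanswered: WSS4J fails closed
                    case WSPasswordCallback.PASSWORD_ENCRYPTOR_PASSWORD:
                        pc.setPassword(masterPassword);      // unlocks every ENC(...) value in the Crypto properties
                        break;
                    case WSPasswordCallback.SIGNATURE:
                    case WSPasswordCallback.DECRYPT:
                        pc.setPassword(privateKeyPassword);  // replaces ...merlin.keystore.private.password
                        break;
                }
            }
        }
    }

    /** Empty, password-protected JKS file so the demo needs no pre-existing keystore (constructed test data). */
    static File createThrowawayKeystore(String storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        File f = File.createTempFile("demo-keystore", ".jks");
        f.deleteOnExit();
        try (FileOutputStream out = new FileOutputStream(f)) {
            ks.store(out, storePassword.toCharArray());
        }
        return f;
    }

    /** The Crypto properties as they would sit on disk: only ciphertext for the keystore password. */
    static Properties cryptoProperties(File keystore, String encryptedStorePassword) {
        Properties p = new Properties();
        p.setProperty("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.type", "jks");
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.file", keystore.getAbsolutePath());
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.password", "ENC(" + encryptedStorePassword + ")");
        return p;
    }

    public static void main(String[] args) throws Exception {
        String storePassword = "store-secret";
        // Env var name is this example's own; the fallback exists only so the demo runs stand-alone.
        String masterPassword = System.getenv().getOrDefault("WSS4J_MASTER_PASSWORD", "master-secret");
        File keystore = createThrowawayKeystore(storePassword);
        ClassLoader loader = EncryptedKeystorePasswordDemo.class.getClassLoader();

        // Deployment-time step: encrypt the keystore password once and paste the result into the properties.
        String ciphertext = new JasyptPasswordEncryptor(masterPassword).encrypt(storePassword);
        Properties props = cryptoProperties(keystore, ciphertext);

        // Runtime: Merlin sees ENC(...), calls the PasswordEncryptor, which asks the handler for the master password.
        Crypto crypto = CryptoFactory.getInstance(props, loader,
                new JasyptPasswordEncryptor(new SecretsCallbackHandler(masterPassword, "key-secret")));
        System.out.println("keystore loaded: " + (((Merlin) crypto).getKeyStore() != null));

        // Wrong master password: ENC(...) will not decrypt (or the keystore rejects the result), so the Crypto
        // never initialises; this is the same Merlin.loadProperties path as the stack trace in the thread.
        try {
            CryptoFactory.getInstance(props, loader,
                    new JasyptPasswordEncryptor(new SecretsCallbackHandler("not-the-master", "key-secret")));
            System.out.println("unexpected: keystore opened with a wrong master password");
        } catch (WSSecurityException | RuntimeException e) {
            System.out.println("expected failure: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

Compile and run it with the WSS4J common jar and Jasypt on the classpath. At the CXF layer the same PasswordEncryptor object is what goes under the WSS4J "passwordEncryptorInstance" property Colm mentions, as an object reference rather than a class name, which is why declaring it as a bean and referencing it from the interceptor's property map is the route suggested at the top of this message. Option (b) hooks into the same spot: the ENC(...) handling sits in Merlin's protected decryptPassword method, so a Merlin subclass can override it to fetch the keystore password from wherever it likes.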
