Hi,

I have to invoke a Web Service that supports WSS.  I have to supply a
UsernameToken with no password, and a signed Timestamp.

To do this I use WSS4JOutInterceptor with the following settings:

    <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor" id="TimestampSignEncrypt_Request">
        <constructor-arg>
            <map>
                <entry key="action" value="Timestamp Signature UsernameToken"/>
                <entry key="user" value="TestUser"/>
                <entry key="passwordType" value="PasswordNone"/>
                <entry key="signaturePropFile" value="private.properties"/>
                <entry key="signatureKeyIdentifier" value="DirectReference"/>
                <entry key="passwordCallbackClass" value="org.mig.adapter.callbacks.ServerPasswordCallback"/>
                <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp"/>
            </map>
        </constructor-arg>
    </bean>
    
This results in an exception:

    21:46:54,239 | WARN | pool-flow.seda.servicemix-cxf-bc-thread-1 | PhaseInterceptorChain | org.apache.cxf.common.logging.LogUtils 361 | Interceptor for {http://www.nhs.cfh.org/interoperability.toolkit/DischargeSummary/1.0}SendDischargeSummary has thrown exception, unwinding now
    java.lang.NullPointerException
        at org.apache.ws.security.message.token.UsernameToken.getFirstNode(UsernameToken.java:511)
        at org.apache.ws.security.message.token.UsernameToken.setPassword(UsernameToken.java:443)
        at org.apache.ws.security.message.WSSecUsernameToken.prepare(WSSecUsernameToken.java:171)
        at org.apache.ws.security.message.WSSecUsernameToken.build(WSSecUsernameToken.java:226)
        at org.apache.ws.security.action.UsernameTokenAction.execute(UsernameTokenAction.java:58)
        at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:202)
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:47)
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:236)
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:122)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
        at org.apache.servicemix.cxfbc.CxfBcProvider.process(CxfBcProvider.java:241)
        at org.apache.servicemix.common.AsyncBaseLifeCycle.doProcess(AsyncBaseLifeCycle.java:627)
        at org.apache.servicemix.common.AsyncBaseLifeCycle.processExchange(AsyncBaseLifeCycle.java:581)
        at org.apache.servicemix.common.AsyncBaseLifeCycle.onMessageExchange(AsyncBaseLifeCycle.java:535)
        at org.apache.servicemix.common.SyncLifeCycleWrapper.onMessageExchange(SyncLifeCycleWrapper.java:60)
        at org.apache.servicemix.jbi.messaging.DeliveryChannelImpl.processInBound(DeliveryChannelImpl.java:623)
        at org.apache.servicemix.jbi.nmr.flow.AbstractFlow.doRouting(AbstractFlow.java:172)
        at org.apache.servicemix.jbi.nmr.flow.seda.SedaFlow.doRouting(SedaFlow.java:168)
        at org.apache.servicemix.jbi.nmr.flow.seda.SedaQueue$1.run(SedaQueue.java:134)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:619)

I think this is caused because for the signature to work a password must be
returned from ServerPasswordCallback for user TestUser, and the same password
is sent to WSS4J UsernameToken.setPassword, which fails at getFirstNode
because it's not expecting a password.

The setPassword function performs an initial check:


    public void setPassword(String pwd) {
        if (pwd == null) {
            if (passwordType != null) {
                throw new IllegalArgumentException("pwd == null but a password is needed");
            } else {
                // Ignore setting the password.
                return;
            }
        }

        ...
        

which is skipped because the supplied pwd isn't null.

I'm wondering if this is a bug in WSS4JOutInterceptor, because it passes a
non-null password for PasswordNone, or a bug in WSS4J because the check
should be something like:

        if (passwordType == null)
            return;

        if (pwd == null)
            throw new IllegalArgumentException("pwd == null but a password is needed");

Or neither and I'm using WSS4JOutInterceptor incorrectly?

Thanks for your help,
Steve
-- 
View this message in context: 
http://old.nabble.com/CXF-WSS---Signature-and-Username%2C-with-passwordType-%3D-PasswordNone-tp28048401p28048401.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.
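
The two guard orders discussed in the message above, compared over every combination of passwordType and pwd. This is an added example, not part of the original post and not WSS4J source; it assumes (hypothetically) that the token has no password element when passwordType is null, and the sample type and password strings are constructed.

```java
// Added example: a stand-alone model of the two guards, not WSS4J code.
public class SetPasswordGuardDemo {

    enum Outcome { IGNORED, REJECTED, WRITTEN, NPE }

    // Models the elided tail of setPassword. Assumption: the password element
    // only exists when a passwordType was configured, so writing into it with
    // passwordType == null is where the NullPointerException would surface.
    static Outcome writePassword(String passwordType, String pwd) {
        boolean hasPasswordElement = (passwordType != null);
        return hasPasswordElement ? Outcome.WRITTEN : Outcome.NPE;
    }

    // Guard order as quoted in the post: only a null pwd is checked.
    static Outcome quotedGuard(String passwordType, String pwd) {
        if (pwd == null) {
            return (passwordType != null) ? Outcome.REJECTED : Outcome.IGNORED;
        }
        return writePassword(passwordType, pwd);
    }

    // Guard order proposed in the post: no passwordType means nothing is written,
    // so a password returned by a shared callback never reaches the token.
    static Outcome proposedGuard(String passwordType, String pwd) {
        if (passwordType == null) {
            return Outcome.IGNORED;
        }
        if (pwd == null) {
            return Outcome.REJECTED;
        }
        return writePassword(passwordType, pwd);
    }

    public static void main(String[] args) {
        String[] types = { null, "PasswordText" };       // constructed sample values
        String[] pwds  = { null, "keystore-secret" };    // constructed sample values
        for (String type : types) {
            for (String pwd : pwds) {
                System.out.printf("type=%-12s pwd=%-15s quoted=%-8s proposed=%s%n",
                        type, pwd, quotedGuard(type, pwd), proposedGuard(type, pwd));
            }
        }
    }
}
```

The two guards differ only for the combination the post describes: passwordType unset and a non-null pwd supplied by the callback.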
