Hi all,

I am trying to get a simple example working to secure web services (using
wss4j) that uses UsernameToken. I am following the steps which are on
http://ws.apache.org/wss4j/apidocs/org/apache/ws/axis/security/package-summary.html.

The server I use is WebSphere App Server 6.0.2.

The Axis deployment descriptor to insert a UsernameToken on the client
(application) side looks like:

<?xml version="1.0"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <requestFlow>
     <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
       <parameter name="action" value="UsernameToken"/>
       <parameter name="user" value="werner"/>
       <parameter name="passwordType" value="PasswordText"/>
       <parameter name="passwordCallbackClass" value="webservice.PWCallback"/>
     </handler>
    </requestFlow>
  </globalConfiguration>
</deployment>

Then the SOAP request's header after invoking the client looks like:

=======================
<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    soapenv:mustUnderstand="1">
    <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="UsernameToken-9706934">
        <wsse:Username>werner</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">security</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
  <ns1:inHeader xmlns:ns1="http://remote.testmodel.util.curam" href="#id0"></ns1:inHeader>
</soapenv:Header>
========================

The provided example in
http://ws.apache.org/wss4j/apidocs/org/apache/ws/axis/security/package-summary.html
mentions the password callback class PWCallback1, which is specified for the client.
But there's no implementation example of it. I used the same callback class
PWCallback for the client and server side.

My password callback class:

========================
package webservice;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class PWCallback implements CallbackHandler {

  private static final byte[] key = {
    (byte)0x31, (byte)0xfd, (byte)0xcb, (byte)0xda,
    (byte)0xfb, (byte)0xcd, (byte)0x6b, (byte)0xa8,
    (byte)0xe6, (byte)0x19, (byte)0xa7, (byte)0xbf,
    (byte)0x51, (byte)0xf7, (byte)0xc7, (byte)0x3e,
    (byte)0x80, (byte)0xae, (byte)0x98, (byte)0x51,
    (byte)0xc8, (byte)0x51, (byte)0x34, (byte)0x04,
  };
        
  public void handle(Callback[] callbacks)
    throws IOException, UnsupportedCallbackException {
    for (int i = 0; i < callbacks.length; i++) {
      if (callbacks[i] instanceof WSPasswordCallback) {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
        /*
         * here call a function/method to lookup the password for
         * the given identifier (e.g. a user name or keystore alias)
         * e.g.: pc.setPassword(passStore.getPassword(pc.getIdentifer()))
         * for testing we supply a fixed name/fixed key here.
         */
        if (pc.getUsage() == WSPasswordCallback.KEY_NAME) {
          pc.setKey(key);
        }
        else {
          pc.setPassword("security");
        }
      } else {
        throw new UnsupportedCallbackException(
          callbacks[i], "Unrecognized Callback");
      }
    }
  }
}
========================

A deployment descriptor for the receiving handler looks like this (snippet from my
server-config.wsdd):

============================
  <service name="WebServicesTestBPO2" provider="java:TestmodelProvider">

  <requestFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="passwordCallbackClass" 
      value="webservice.PWCallback"/>
    <parameter name="action" value="UsernameToken"/>
   </handler>
  </requestFlow>
        
    <parameter name="className" value="curam.util.testmodel.wsintf.WebServicesTestBPO2"/>
    <parameter name="allowedMethods" value="*"/>
    <parameter name="jndiURL" value="iiop://localhost:2809"/>
    <parameter name="jndiContextClass" value="com.ibm.websphere.naming.WsnInitialContextFactory"/>
  </service>
======================

Before adding the security part my web service test was working OK. I also
put in some printouts, and on the server side I see that the password callback
class is being invoked (I see it in the server logs).

The error I get finally is:

AxisFault
 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
 faultSubcode: 
 faultString: Bad username/password in SOAP header 'null'/'null'
 faultActor: 
 faultNode: 
 faultDetail: 
        {http://xml.apache.org/axis/}hostname:Kaya

What have I done wrong?

Thanks in advance

Paulius