axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From aahamlin <>
Subject Rampart 1.2 use of pwdCallbackHandler for MutualCertificate security
Date Mon, 27 Aug 2007 16:48:14 GMT

I have been trying to switch over from an old jwsdp 2.0 ws-security
implementation to axis2 1.2 w/ rampart 1.2 (or 1.3, when rampart 1.3 is

The confusion(s) I am running into is with the use of the Password Callback
Handler and the configuration of the following elements:
First, the callback class (in the certificate scenarios) seems to just
provide the password to the keystore holding the certificates, but the
examples include the extra configuration data in the <ramp:config/> element
configuring the Merlin class with the keystore file and password. So, why
the extra step of providing the password to the keystore a second time via
the Callback class? Conversely, is it possible to skip the configuration of
the Merlin class properties and only implement the Callback handler? In
which case, is there any documentation about implementing a more robust
Callback handler that provides all the necessary steps, such as the handler
for passwords, the handler for signatures, the handler for XXX? For
instance, the jwsdp 2.0 examples included a Callback handler that pretty
much handled everything out of the box, except for requiring a little
tweaking to read a configuration differently or attach to a password store
in a custom way to valid a user's password.

Second, the desire is that our mutual certificate security will allow any
valid certificate (one that is issued/verified by our CA) to call our soap
service, however the rampart module threw null pointer errors when I left
out the <ramp:user/> and <ramp:encryptionUser/> elements. From debugging the
code I found that these represent the java keystore aliases of the desired
certificates... Is there anyway to configure rampart to not require the
alias of the client of the service? I suppose configuring an alias for my
service is fine (oh, and from the configuration it appears I have to only
use a single keystore file rather than a keystore & truststore combination?)
but for the client(s) am I really restricted to this configuration detail?
Shouldn't it be able to look through the keystore for all the certificates
and locate the proper one sent/referenced by the client?

Thanks for the help,
View this message in context:
Sent from the Axis - Dev mailing list archive at

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message