axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Rudolf <michael_rud...@t-online.de>
Subject Re: Authenticating users
Date Mon, 21 Nov 2005 23:11:25 GMT
Ok...im getting a bit confused here...

>i had wondered that one myself.  you can configure WSS4J to send the password
>in your UsernameToken as plaintext instead of SHA-1 digest.  so i guess your
>client can send the encrypted password as plaintext and then your server would
>compare that encrypted value with what's stored in LDAP.
>
How do i do that? The callback class sets the pw. I cant even access it 
in there. How does the pw sent from the client get to the server into 
the callback class?

>  doesn't seem
>terribly secure in that case, tho, but otherwise the client would need access
>to the plaintext password, as would the server because the callback handler
>never gets the password that was sent by the client - all that work happens in
>
>org.apache.ws.security.WSSecurityEngine.handleUsernameToken(Element token,
>CallbackHandler cb).
>
>NOTE, i remember seeing a post about a bug in the password comparison code and
>i think it's in this method.  it appears from the code that the passwords are
>only compared if it's a digest password (with nonce != null && createdTime !=
>null).  otherwise the lines (856-858 in my src)
>  
>
did you send your src? i didnt see it...sorry...

>if (!passDigest.equals(password)) {
>  throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
>}
>
>are skipped entirely!  um, WSS4J folks - this has been fixed, right?
>
>
>
>  
>
>>And another question on this one...my passwords in the LDAP dir are
>>encrypted as they are migrated from a UNIX passwd file. The Callback
>>Class actually expects me to set the password. How did you do the actual
>>authentication then? Can i read the pass in cleartext? I need a
>>cleartext pass later in the process for an ssh connection. Any ideas on
>>how to do this?
>>
>>    
>>
>>>the handler for exracting the login name?  that's basically the code i
>>>included below to extract from the incoming message, then create the user
>>>object, hit the LDAP server (through JNDI api) and then store (actually in a
>>>thread-local so even non-Axis code can get the current user).  the rest is to
>>>include it thus in your server-config.wsdd:
>>>
>>> <service name="FreezerWS" provider="java:RPC" style="document"
>>>use="literal">
>>>   <!-- WS-Security handlers -->
>>>   <requestFlow>
>>>     <!-- the header that carries the user's login-name -->
>>>     <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
>>>       <parameter name="action"                value="UsernameToken"/>
>>>       <parameter name="actor"                 value="loginName"/>
>>>       <parameter name="passwordCallbackClass"
>>>value="ServerSidePWCallback"/>
>>>     </handler>
>>>
>>>     <!-- add a handler that populates the session given the user's
>>>login-name -->
>>>     <handler
>>>type="java:com.amgen.seattle.appdev.freezer.webservice.server.WSLoginNameHandler">
>>>       <!-- the actor of the UsernameToken header with the login-name -->
>>>       <parameter name="headerActor" value="loginName"/>
>>>     </handler>
>>>   </requestFlow>
>>>
>>>that's about it.
>>>
>>>the best documentation on WSS4J (or at least links to it) SHOULD be in the
>>>Wiki ( http://wiki.apache.org/ws/FrontPage/WsFx ) but i'm not certain one
>>>could say that yet...  i keep a short list of good resources i've found here
>>>http://wiki.apache.org/ws/RonReynolds/Wss4jLinks but it's only a handful of
>>>links but it might give you a starting point. :)  search around in the Wiki
>>>and then your next best bet are the 2 wss4j docs and then Google...
>>>
>>>..................ron.
>>>
>>>
>>>
>>>      
>>>
>>>>Thx for your help. I figured it out now. Didnt see one section of the
>>>>WSS4J documentation. You can set the EngineConfiguration to use a wsdd
>>>>file inside the program code. As long as this is readable from the
>>>>servlet everythings fine.
>>>>Is there any good tutorial or documentation on developing these Handlers
>>>>like you explained below? I dunno if you mind sharing your Handler
>>>>implementation. It would be interesting to see how you did this.
>>>>Thanks alot!
>>>>Michael
>>>>
>>>>
>>>>
>>>>        
>>>>
>>>>>i haven't tried this.  it certainly must be possible, but right now i
>>>>>haven't
>>>>>the time to figure it out.
>>>>>
>>>>>i would start at MessageContext.getAxisEngine().getGlobalRequest() and
>>>>>search
>>>>>in that area.  the file itself is loaded by
>>>>>org.apache.axis.configuration.EngineConfigurationFactoryDefault.  also
i
>>>>>seem
>>>>>to remember someone mentioning that you could access the global request
>>>>>flow
>>>>>and insert a handler into that flow at runtime.  also if you have
>>>>>permissions
>>>>>you can call System.setProperty() from a startup servlet (if you want
a
>>>>>possibly much simpler solution that opens up a bunch of possible bugs
if
>>>>>another servlet in the same servlet engine tries to connect to a different
>>>>>web
>>>>>service...)
>>>>>
>>>>>sorry i couldn't be of more help. :-/
>>>>>...............ron.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>          
>>>>>
>>>>>>Ok...i dont use the client_deploy.wsdd....is there any way to avoid
>>>>>>using it? I have the client inside a servlet so i cant specify it
with
>>>>>>the java -D.... command line.
>>>>>>Thx!
>>>>>>Michael
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>            
>>>>>>
>>>>>>>do you have this in your client-config.wsdd?
>>>>>>><deployment ...>
>>>>>>><transport .../>
>>>>>>><globalConfiguration>
>>>>>>> <requestFlow>
>>>>>>>   <!-- add the header that carries the user's login-name -->
>>>>>>>   <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>>>>>>>     <parameter name="action" value="UsernameToken"/>
>>>>>>>     <parameter name="actor"  value="loginName"/>
>>>>>>>     <parameter name="passwordCallbackClass" value="PWCallback"/>
>>>>>>>   </handler>
>>>>>>>?
>>>>>>>
>>>>>>>otherwise there won't be any handler in the request flow that
knows what
>>>>>>>to
>>>>>>>do
>>>>>>>with those properties.
>>>>>>>
>>>>>>>hth.
>>>>>>>.............ron.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>              
>>>>>>>
>>>>>>>>Ok, so i got the server working basically (i think) but when
calling it
>>>>>>>>i get the following exception at the client:
>>>>>>>>
>>>>>>>>AxisFault
>>>>>>>>faultCode:
>>>>>>>>{http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
>>>>>>>>faultSubcode:
>>>>>>>>faultString: WSDoAllReceiver: Request does not contain required
>>>>>>>>Security header
>>>>>>>>
>>>>>>>>
>>>>>>>>Thats the client code so far:
>>>>>>>>
>>>>>>>>try {
>>>>>>>>       binding = new
>>>>>>>>al.JCT.service.JCTServiceLocator().getJCTSession();
>>>>>>>>       Stub axisPort = (Stub)binding;
>>>>>>>>       axisPort._setProperty(UsernameToken.PASSWORD_TYPE,
>>>>>>>>WSConstants.PASSWORD_DIGEST);
>>>>>>>>       axisPort._setProperty(WSHandlerConstants.USER, "wss4j");
>>>>>>>>       axisPort._setProperty(WSHandlerConstants.PW_CALLBACK_REF,
new
>>>>>>>>PWCallback());
>>>>>>>>   }
>>>>>>>>   catch (javax.xml.rpc.ServiceException jre) {
>>>>>>>>       jre.printStackTrace();
>>>>>>>>       return;
>>>>>>>>   }
>>>>>>>>
>>>>>>>>   try {
>>>>>>>>       al.JCT.service.Job[] value = null;
>>>>>>>>       String ids[] = {"1218"};
>>>>>>>>       value = binding.getJobStatus("rudi", "qw", null, ids);
>>>>>>>>       if (value != null) {
>>>>>>>>         for (int i=0; i < value.length; i++) {
>>>>>>>>           System.out.println(value[i].getId() + " - " +
>>>>>>>>value[i].getName() + " - " + value[i].getPe());
>>>>>>>>           System.out.println(value[i].getReservations());
>>>>>>>>           System.out.println(value[i].getOutputPaths()[0].getPath());
>>>>>>>>         }
>>>>>>>>       }
>>>>>>>>       binding.submitJob(null, null, null);
>>>>>>>>   }
>>>>>>>>   catch (java.rmi.RemoteException re) {
>>>>>>>>     re.printStackTrace();
>>>>>>>>     return;
>>>>>>>>   }
>>>>>>>>
>>>>>>>>
>>>>>>>>Any ideas on this one?
>>>>>>>>
>>>>>>>>Thx!
>>>>>>>>Michael
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>                
>>>>>>>>
>>>>>>>>>you can extract all the security info by looking at the
Vector stored
>>>>>>>>>as a property in the MessageContext:
>>>>>>>>>Vector resultHandlers =
>>>>>>>>>(Vector)MessageContext.getCurrentContext().getProperty(WSHandlerConstants.RECV_RESULTS);
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>this vector contains, as far as i can tell, everything
you could want
>>>>>>>>>to know.
>>>>>>>>>or you can extract the username from the message itself
-
>>>>>>>>>ArrayList actorList = new ArrayList();
>>>>>>>>>actorList.add("actor value for my UsernameToken entry");
>>>>>>>>>Message request =
>>>>>>>>>MessageContext.getCurrentContext().getRequestMessage();
>>>>>>>>>SOAPEnvelope envelope = (SOAPEnvelope)request.getSOAPEnvelope();
>>>>>>>>>Vector headers = envelope.getHeadersByActor(actorList);
>>>>>>>>>SOAPHeaderElement header = (SOAPHeaderElement)headers.get(0);
>>>>>>>>>
>>>>>>>>>you can then extract the actual username by walking the
DOM tree to
>>>>>>>>>the node which contains the username
>>>>>>>>>MessageElement usernameTokenElement =
>>>>>>>>>header.getChildElement(USERNAME_TOKEN_QNAME);
>>>>>>>>>MessageElement usernameElement =
>>>>>>>>>usernameTokenElement.getChildElement(USERNAME_QNAME);
>>>>>>>>>String username = usernameElement.getValue();
>>>>>>>>>
>>>>>>>>>(you'll also need these)
>>>>>>>>>static final QName USERNAME_TOKEN_QNAME = new
>>>>>>>>>QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN);
>>>>>>>>>static final QName USERNAME_QNAME = new QName(WSConstants.WSSE_NS,
>>>>>>>>>WSConstants.USERNAME_LN);
>>>>>>>>>
>>>>>>>>>in my app i have a handler which i put in the request
chain right
>>>>>>>>>after the WSDoAllReceiver which extracts the username
using the above
>>>>>>>>>code, does an LDAP lookup of the user to gather roles,
and then
>>>>>>>>>creates an app-specific user object which it stores it
as a properly
>>>>>>>>>in the MessageContext where anyone in the handling chain
can then
>>>>>>>>>extract it via getProperty().
>>>>>>>>>
>>>>>>>>>hth.
>>>>>>>>>......................ron.
>>>>>>>>>
>>>>>>>>>Michael Rudolf wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>                  
>>>>>>>>>
>>>>>>>>>>Thanks a lot for the detailed description! I think
this will work
>>>>>>>>>>fine for me. One more question about this though:
Can i read the
>>>>>>>>>>username inside the web service? Or is there any way
of getting
>>>>>>>>>>information like the group a user belongs to inside
the web service
>>>>>>>>>>to read it there? It sounds like the Service does
get any of this
>>>>>>>>>>info since the authentication is completely transparent
to the
>>>>>>>>>>service itself.
>>>>>>>>>>Thanks.
>>>>>>>>>>Michael
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>                    
>>>>>>>>>>
>>>>>>>>>>>by "Web Services are made out of Session EJBs"
you mean you have
>>>>>>>>>>>Session EJBs that expose a SOAP-over-HTTP interface?
 WSS4J uses 2
>>>>>>>>>>>handlers, one client-side and one server-side
(WSDoAllSender
>>>>>>>>>>>(client) and WSDoAllReceiver (server)) which plug
into the handler
>>>>>>>>>>>chain supported by Axis to "intercept" the request
on its way to the
>>>>>>>>>>>server.  WSDoAllSender adds a WSSecurity header
to the SOAP message
>>>>>>>>>>>on send (configured using a properties file).
 WSDoAllReceiver then
>>>>>>>>>>>processes the incoming message, validates whatever
it's configured
>>>>>>>>>>>to validate and then passes the request on to
your handlers/service
>>>>>>>>>>>(or rejects the message if it does not validate
properly).  to add
>>>>>>>>>>>UsernameTokens to a request and process them on
the server requires
>>>>>>>>>>>a CallbackHandler on the client side which can
provide the password
>>>>>>>>>>>for a user.  this is then processed into a UsernameToken,
included
>>>>>>>>>>>in the SOAP header, and on the server side you'll
need another
>>>>>>>>>>>CallbackHandler which can provide the password
for the user (pulled
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>                      
>>>>>>>>>>>
>>>>>>>>>>>from LDAP) which WSS4J will compare to what's
provided in the
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>                    
>>>>>>>>>>
>>>>>>>>>>>UsernameToken and thus authenicate the message
before your service
>>>>>>>>>>>(however it's implemented) ever gets called. 
it's quite transparent
>>>>>>>>>>>for the most part.  it also inserts a few entries
in the
>>>>>>>>>>>MessageContext so you can later determine what
kind of authenication
>>>>>>>>>>>has been done.
>>>>>>>>>>>
>>>>>>>>>>>hth.
>>>>>>>>>>>.......................ron.
>>>>>>>>>>>Michael Rudolf wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>                      
>>>>>>>>>>>
>>>>>>>>>>>>Is there any difference in case the Web Services
are made out of
>>>>>>>>>>>>Session EJBs? Or does WSS4J work the same
way in that case?
>>>>>>>>>>>>Thanks!
>>>>>>>>>>>>Michael
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>                        
>>>>>>>>>>>>
>>>>>>>>>>>>>you may want to look at WSS4J and UsernameTokens.
 they're pretty
>>>>>>>>>>>>>straight-forward as long as your client
can support them.  they
>>>>>>>>>>>>>are part of
>>>>>>>>>>>>>the WS-Security standard if you want to
stick with "endorsed"
>>>>>>>>>>>>>authentication
>>>>>>>>>>>>>mechanisms.  then on the server-side you'll
typically need a JNDI
>>>>>>>>>>>>>interface to
>>>>>>>>>>>>>your LDAP server to authenticate the user
on that side.
>>>>>>>>>>>>>
>>>>>>>>>>>>>hth.
>>>>>>>>>>>>>................ron.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>                          
>>>>>>>>>>>>>
>>>>>>>>>>>>>>Hi,
>>>>>>>>>>>>>>is there any tutorial or example for
authenticating users of we
>>>>>>>>>>>>>>services
>>>>>>>>>>>>>>by username and pass over HTTPS? Can
anybody explain in more
>>>>>>>>>>>>>>detail how
>>>>>>>>>>>>>>this works? Is there any alternative
to it? I want to query axis
>>>>>>>>>>>>>>web
>>>>>>>>>>>>>>sercvices from a portal. That uses
LDAP for authetication. I
>>>>>>>>>>>>>>would like
>>>>>>>>>>>>>>to use the same directory for authenticating
the users at the web
>>>>>>>>>>>>>>services that are being queried.
>>>>>>>>>>>>>>Thanks for any help!
>>>>>>>>>>>>>>Michael
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>                            
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>                          
>>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>                      
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>                  
>>>>>>>>>
>>>>>>>>                
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>              
>>>>>>>
>>>>>>            
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>          
>>>>>
>>>>        
>>>>
>>>
>>>
>>>
>>>
>>>      
>>>
>>    
>>
>
>
>
>
>  
>


Mime
View raw message