From: Martin Gainty <mgainty@hotmail.com>
To: java-user@axis.apache.org
Subject: RE: axis2 rampart
Date: Fri, 12 Dec 2014 10:04:06 -0500
In-Reply-To: <548AD56F.70407@fz-juelich.de>
References: <548AD296.3000400@fz-juelich.de>, <548AD56F.70407@fz-juelich.de>

> Date: Fri, 12 Dec 2014 12:45:51 +0100
> From: j.sorg@fz-juelich.de
> To: java-user@axis.apache.org
> Subject: axis2 rampart
>
> hi,
MG>Good day
>
> I tried to authenticate SOAP service users against a Microsoft Active
> Directory.
> Is it possible within the CallbackHandler to get the password provided
> by the user within the SOAP message?
>
> I read something about getUsage==USERNAME_TOKEN_UNKNOWN but I do not know
> the settings in Rampart to get Axis to call the callback in this way. (In
> this case the password should be provided by WSPasswordCallback.getPassword.)
>
> I also tried to get a MessageContext within the callback routine, but
> this is not possible: the result of getCurrentMessageContext is null.
MG>public class TestCBHandler implements javax.security.auth.callback.CallbackHandler {
MG>    public void handle(javax.security.auth.callback.Callback[] callbacks) throws java.io.IOException, javax.security.auth.callback.UnsupportedCallbackException {
        for (javax.security.auth.callback.Callback callback : callbacks) {
            if (callback instanceof org.apache.ws.security.WSPasswordCallback) {
                org.apache.ws.security.WSPasswordCallback pc = (org.apache.ws.security.WSPasswordCallback) callback;
                /*
                 * This usage type is used only in case we received a
                 * username token with a password of type PasswordText or
                 * an unknown password type.
                 *
                 * In this case the WSPasswordCallback object contains the
                 * identifier (aka username), the password we received, and
                 * the password type string to identify the type.
                 *
                 * Here we perform only a very simple check.
                 */
                if (pc.getUsage() == org.apache.ws.security.WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                    // both the user name and the received password must match
                    // (defaults: Username / Password); a match on only one of them
                    // must not be enough to accept the token
                    if ("Username".equals(pc.getIdentifier()) && "Password".equals(pc.getPassword())) {
                        return;
                    }
                    throw new javax.security.auth.callback.UnsupportedCallbackException(callback, "check failed");
                }
            }
        }
    }
}
MG>then in your rampartConfig
<wsp:Policy wsu:Id="5" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>UnencryptedUsername</ramp:user>
        <ramp:encryptionUser>Username</ramp:encryptionUser>
        <ramp:passwordCallbackClass>org.apache.rampart.TestCBHandler</ramp:passwordCallbackClass>

        <ramp:signatureCrypto><!-- merlin only supports keys < 1024b...if you want stronger go with bouncycastle -->
            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                <!-- make sure the jks exists and the password for this jks matches the password below -->
                <ramp:property name="org.apache.ws.security.crypto.merlin.file">test-resources/keys/interop2.jks</ramp:property>
                <!-- here is the password which must match the password from the above .jks -->
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">Password</ramp:property>
            </ramp:crypto>
        </ramp:signatureCrypto>
    </ramp:RampartConfig>
</wsp:Policy>
>
> thanks in advance
>
>
> regards, Juergen
>
MG>with kind regards
MG>Martin
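A handler that does what the question asks, checking the UsernameToken credentials against Active Directory, as an added example; it is not code from this thread or from Rampart. It keeps the usage switch from Martin's TestCBHandler (USERNAME_TOKEN_UNKNOWN carries the clear-text password) and verifies the password with an LDAP simple bind through JNDI. The class name, the ldaps:// URL, the UPN suffix and the system-property names are assumptions.

```java
import java.io.IOException;
import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Example (not Rampart's own code): verifies a WS-Security UsernameToken by
 * attempting an LDAP simple bind to Active Directory with the credentials
 * carried in the SOAP message. Plug it in via <ramp:passwordCallbackClass>.
 */
public class AdBindCallbackHandler implements CallbackHandler {

    // Assumed deployment values (examples only); override with -Dad.url / -Dad.upnSuffix.
    // Use ldaps:// so the bind password is not sent to the domain controller in the clear.
    private static final String AD_URL =
        System.getProperty("ad.url", "ldaps://dc01.example.org:636");
    private static final String UPN_SUFFIX =
        System.getProperty("ad.upnSuffix", "@example.org");
    private static final String TIMEOUT_MS = "3000";

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "unsupported callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // PasswordText (or an unknown password type): WSS4J hands us the
                    // clear-text password and expects us to accept or throw.
                    if (!bindToActiveDirectory(pc.getIdentifier(), pc.getPassword())) {
                        throw new UnsupportedCallbackException(callback,
                            "authentication failed for " + pc.getIdentifier());
                    }
                    break;
                case WSPasswordCallback.USERNAME_TOKEN:
                    // PasswordDigest: WSS4J asks for the stored clear-text password so it
                    // can recompute the digest. AD never discloses passwords, so a digest
                    // token cannot be checked with a bind; refuse it rather than guess.
                    throw new UnsupportedCallbackException(callback,
                        "PasswordDigest tokens cannot be verified against Active Directory");
                default:
                    // SIGNATURE / DECRYPT would ask for private-key passwords here if the
                    // policy also signed or encrypted; this example's policy does neither.
                    throw new UnsupportedCallbackException(callback,
                        "unexpected usage " + pc.getUsage());
            }
        }
    }

    /**
     * Returns true only if the domain controller accepts a simple bind as
     * user / password. Fails closed on any error, including an unreachable DC.
     */
    static boolean bindToActiveDirectory(String user, String password) {
        // An LDAP simple bind with a name but an empty password is an "unauthenticated"
        // bind (RFC 4513 section 5.1.2): the server answers success as anonymous. Reject it.
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        // Accept only a plain sAMAccountName or UPN; anything else could change how the
        // DC interprets the bind name.
        if (!user.matches("[A-Za-z0-9._-]+(@[A-Za-z0-9.-]+)?")) {
            return false;
        }
        String principal = user.contains("@") ? user : user + UPN_SUFFIX;

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, AD_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", TIMEOUT_MS);
        env.put("com.sun.jndi.ldap.read.timeout", TIMEOUT_MS);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // constructing the context performs the bind
            return true;
        } catch (AuthenticationException e) {
            return false;                        // wrong password, disabled or locked account
        } catch (NamingException e) {
            return false;                        // DC unreachable or other error: fail closed
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

Two caveats before relying on this. A PasswordText token carries the password in the clear inside the SOAP envelope, so the endpoint must only be reachable over TLS, and the bind itself should use ldaps://. Whether WSS4J delivers a PasswordText token to the handler as USERNAME_TOKEN_UNKNOWN (handler verifies) or as USERNAME_TOKEN (handler supplies the stored password and WSS4J compares) depends on the WSS4J version bundled with the Rampart build in use, so confirm which usage arrives before assuming the bind path is taken; only the first form gives the handler a password it can forward to AD. The empty-password check is not cosmetic: without it, any valid account name with an empty password would pass as an anonymous bind.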
