cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Container validation of UsernameToken passwords?
Date Tue, 04 Dec 2012 12:06:43 GMT
I don't think there is a way to handle this at the moment. You could plug
in a custom Validator for (WS-Security) UsernameTokens and do some
container-specific validation I guess.

Colm.

On Fri, Nov 30, 2012 at 4:51 PM, Glen Mazza <glen.mazza@gmail.com> wrote:

> Hi folks, I just confirmed by testing Metro w/UsernameToken over SSL
> transport (haven't tried UT via their symmetric binding yet), that if I
> *don't* configure a server-side password callback handler like here:
>
> https://github.com/gmazza/blog-samples/blob/master/metro_usernametoken_profile/service/src/main/resources/DoubleIt.wsdl#L89
> , Metro transparently switches to container validation instead -- in my
> case, the tomcat-users.xml file:
> http://www.jroller.com/gmazza/entry/ssl_for_web_services#SSL5 .  The
> validation appears to be the same validation done with SSL with basic
> authentication, i.e., checking that the username and password exists within
> the roles defined in the web.xml in the WAR hosting the web service.
>  Having
> not yet debugged the Metro source code, I'm not sure whether Metro is
> hardcoded to be able to handle only GlassFish and Tomcat or can generically
> do container validation with any servlet container (I would suspect the
> latter), or what it would do for OSGi environments for that matter.
>
> Is there a way to do this right now with CXF?  CXF raises "General security
> error (WSSecurityEngine: No password callback supplied)" if I don't provide
> a server-side password callback handler as here:
>
> https://github.com/gmazza/blog-samples/blob/master/cxf_usernametoken_profile/war/src/main/webapp/WEB-INF/cxf-servlet.xml#L19
> .
> If not, I'm not sure if it's worth implementing--I guess it's a question of
> how much additional benefit it would provide, the amount of effort it would
> take to do so in a generic fashion, and risk of security vulnerabilities.
>
> Regards,
> Glen
>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Container-validation-of-UsernameToken-passwords-tp5719516.html
> Sent from the cxf-dev mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message