cxf-users mailing list archives

From "O hEigeartaigh, Colm" <Colm.OhEigearta...@iona.com>
Subject RE: Security Problem
Date Wed, 16 Jan 2008 11:50:42 GMT
Hi Pawel,

please see the documentation for the handleUsernameToken method:

http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/processor/UsernameTokenProcessor.html#handleUsernameToken(org.w3c.dom.Element,%20javax.security.auth.callback.CallbackHandler)

namely

"If the password is of type password text or any other yet unknown
password type the delegate the password validation to the callback
class."

Thanks,

Colm.

-----Original Message-----
From: Pawel Janusz [mailto:pjanusz@intertele.pl] 
Sent: 15 January 2008 22:34
To: cxf-user@incubator.apache.org
Subject: Security Problem

Hello,
I met a problem with security. I want to use it in my WS.
Here is my endpoint configuration:
<jaxws:endpoint id="SD_Users"
                implementor="SD.services.Users"
                address="/SD_Users">
    <jaxws:inInterceptors>
        <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
        <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <property name="properties">
                <map>
                    <entry key="action" value="UsernameToken"/>
                    <entry key="passwordCallbackClass" value="SD.util.Secure"/>
                    <entry key="passwordType" value="PasswordText"/>
                </map>
            </property>
        </bean>
    </jaxws:inInterceptors>
</jaxws:endpoint>

and this is my callback:
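import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class Secure implements CallbackHandler
{
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException
    {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

        if (pc.getIdentifer().equals("joe"))
        {
            // set the password on the callback. This will be compared to the
            // password which was sent from the client.
            pc.setPassword("password");
        }
    }
}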

The problem is that the method from the WS is invoked even if I pass user 'aaa'
without a password.
What am I doing wrong?

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
