cxf-users mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: Problem with AbstractUsernameTokenInInterceptor
Date Thu, 03 Feb 2011 14:00:20 GMT
Hi - I do not understand why it does not work. I've checked the code and I see
that no test involving a hashed password exists. Likewise I don't understand
why it works at the same time with clear passwords and no callbacks.
I'm a bit busy right now, is there any chance that you could download the
source for CXF 2.3.2, remove the ServerCallback property and just add a
breakpoint in WSS4JInInterceptor.handleMessage()?

I think you're on the right track. I do not see other options for dealing
with *hashed passwords*, well, unless you're prepared to do some hacks by
doing the container-managed authentication from the callback itself, but that
would not let you register the proper security context because the one which
is created by the WSS4JInInterceptor has only a (WSS4J-created) Principal
registered, i.e., no info about roles is available.

I'd definitely follow this route myself.
Note that AbstractUsernameTokenAuthenticatingInterceptor (in the ws-security
module) is the other, legacy interceptor that you may also extend - as far
as I know, a 3rd-party container has a test for a hashed UT involving this
particular interceptor. No need to set the "ws-security.ut.no-callbacks",
unless you have a wsdl-first case. Concrete implementations need to extend a
method with several UT-related parameters which is a bit brittle in that
adding more parameters to the AbstractUsernameTokenAuthenticatingInterceptor
will break the users' interceptors.

Thus extending AbstractUsernameTokenInterceptor (in rt/core/.../security) is
recommended because we can easily update the CXF UsernameToken bean with new
properties (say the UT salt property, etc.) without the existing users
noticing.

Debug it if you can - it would help

Sergey
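The check a createSubject override has to perform for a hashed UT, shown as an added example that is not part of this thread or of CXF: with no callback, the server must itself recompute Base64(SHA-1(nonce + created + password)) from the UsernameToken profile 1.0, which is why it needs the cleartext password, and it should also reject stale Created timestamps and replayed nonces. Written in Python rather than CXF's Java; the password store, the clock-skew window and the token values are constructed for this example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample: what the server must already know to verify a digest.
PASSWORDS = {"libuser": "s3cret"}
# Acceptable |now - wsu:Created| (assumed value; tune per deployment).
CLOCK_SKEW = timedelta(minutes=5)
# In-memory nonce replay cache: nonce -> time it was accepted.
_seen_nonces = {}


def password_digest(nonce_b64, created, password):
    """UsernameToken profile 1.0 PasswordDigest:
    Base64(SHA-1(nonce_bytes + created_utf8 + password_utf8))."""
    nonce = base64.b64decode(nonce_b64)
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def parse_created(created):
    # wsu:Created is an xsd:dateTime in UTC, e.g. 2011-02-03T12:32:27.752Z
    return datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=timezone.utc)


def verify_username_token(username, digest, nonce_b64, created, now=None):
    """True only if the digest matches the stored password, Created is
    fresh and the nonce has not been accepted before (replay defence)."""
    now = now or datetime.now(timezone.utc)
    password = PASSWORDS.get(username)
    if password is None:
        return False
    if abs(now - parse_created(created)) > CLOCK_SKEW:
        return False  # stale or future-dated token
    # Drop nonces that can no longer pass the freshness check, then
    # reject a nonce that was already accepted inside the window.
    for n, t in list(_seen_nonces.items()):
        if now - t > 2 * CLOCK_SKEW:
            del _seen_nonces[n]
    if nonce_b64 in _seen_nonces:
        return False  # replay
    expected = password_digest(nonce_b64, created, password)
    ok = hmac.compare_digest(expected.encode("ascii"), digest.encode("utf-8"))
    if ok:
        _seen_nonces[nonce_b64] = now
    return ok
```

A real deployment would back the nonce cache with a bounded, shared store rather than a module-level dict.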



On Thu, Feb 3, 2011 at 1:02 PM, Anand R <Anand.Raman@ibsplc.com> wrote:

> Hi Sergey,
>
> As you had mentioned earlier, the namespace is
>
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>
> Please find the SOAP request message below.
>
> Actually, my requirement is to obtain the username and password from the
> SOAP header to perform container authentication and then associate the
> Subject with the current thread of execution. Am I using the correct
> approach or do I just need to write a SOAPHeaderInterceptor and get the
> required headers.
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>     <soap:Header>
>         <wsse:Security soap:mustUnderstand="1"
>             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>             <wsse:UsernameToken
>                 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                 wsu:Id="UsernameToken-1">
>                 <wsse:Username>libuser</wsse:Username>
>                 <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">K8k05oxjNDqbmQZjg33bwa9/oX0=</wsse:Password>
>                 <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">L1Y86osooUEy96lwoEzpGQ==</wsse:Nonce>
>                 <wsu:Created>2011-02-03T12:32:27.752Z</wsu:Created>
>             </wsse:UsernameToken>
>         </wsse:Security>
>     </soap:Header>
>     <soap:Body>
>         <ns2:doEcho xmlns:ns2="http://types.echo.wssecurity.learn/">
>             <arg0>
>                 <echoString>Hello WS-Security</echoString>
>             </arg0>
>         </ns2:doEcho>
>     </soap:Body>
> </soap:Envelope>
> Thanks and regards,
> Anand R
>
>
>
> From:   Sergey Beryozkin <sberyozkin@gmail.com>
> To:     users@cxf.apache.org
> Date:   03-02-11 05:13 PM
> Subject:        Re: Problem with AbstractUsernameTokenInInterceptor
>
>
>
> Hi
>
> WSS4JInInterceptor is already registering a custom UT processor if the
> "ws-security.ut.no-callbacks" is set to true.
> So the hashed UTs should be supported with your configuration, without the
> need to register a callback.
> Can you do me a favor and check the actual WS-Security namespace that is
> used to qualify the security header? You can add a CXF logging feature to
> the list of jaxws:features
>
> thanks, Sergey
>
> On Thu, Feb 3, 2011 at 11:33 AM, Anand R <Anand.Raman@ibsplc.com> wrote:
>
> > Thanks Sergey. I will try the custom UsernameTokenProcessor.
> > Thanks and regards,
> > Anand R
> >
> >
> >
> > From:   Sergey Beryozkin <sberyozkin@gmail.com>
> > To:     users@cxf.apache.org
> > Date:   03-02-11 04:39 PM
> > Subject:        Re: Problem with AbstractUsernameTokenInInterceptor
> >
> >
> >
> > Hi
> >
> > What WS-Security namespace is being used in the request ?
> > If the "ws-security.ut.no-callbacks" is set to true then the
> > org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor should not be
> > invoked because it does currently require a callback for hashed UTs. So
> > if the property is set then the WSS4JInInterceptor registers a custom
> > UsernameTokenProcessor for
> > "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> > and
> > "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd".
> >
> > Thanks, Sergey
> >
> > On Thu, Feb 3, 2011 at 10:51 AM, Anand R <Anand.Raman@ibsplc.com> wrote:
> >
> > > Hi Sergey,
> > >
> > > Thanks for your response. I used to get the following exception when I
> > > did not configure a callback handler. This exception does not come if
> > > the password is plain text instead of a digest.
> > >
> > > org.apache.cxf.interceptor.Fault: General security error
> > > (WSSecurityEngine: No password callback supplied)
> > >        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.processUsernameToken(UsernameTokenInterceptor.java:154)
> > >        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.handleMessage(UsernameTokenInterceptor.java:114)
> > >        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.handleMessage(UsernameTokenInterceptor.java:72)
> > >        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
> > >        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
> > >        at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:97)
> > >        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:461)
> > >        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:188)
> > >        at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:148)
> > >        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
> > >        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
> > >        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> > >        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
> > >        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> > >        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> > >        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
> > >        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> > >        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
> > >        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> > >        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> > >        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:212)
> > >        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
> > >        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
> > >        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
> > >        at java.lang.Thread.run(Thread.java:595)
> > > Caused by: org.apache.ws.security.WSSecurityException: General security
> > > error (WSSecurityEngine: No password callback supplied)
> > >        at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:91)
> > >        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.getPrincipal(UsernameTokenInterceptor.java:167)
> > >        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.processUsernameToken(UsernameTokenInterceptor.java:129)
> > >        ... 24 more
> > >
> > >
> > > Thanks and regards,
> > > Anand R
> > > System Architect
> > > IBS Software Services Private Limited
> > > 2nd Floor - Left Wing, IBS Towers, Technopark Campus, Trivandrum -
> > 695581,
> > > Kerala, India
> > > Telephone - +91-471-6614291, Mobile - +91-9846324022
> > > E-Mail - anand.raman@ibsplc.com, www.ibsplc.com
> > >
> > >
> > >
> > >
> > > From:   Sergey Beryozkin <sberyozkin@gmail.com>
> > > To:     users@cxf.apache.org
> > > Date:   03-02-11 04:08 PM
> > > Subject:        Re: Problem with AbstractUsernameTokenInInterceptor
> > >
> > >
> > >
> > > Hi
> > >
> > > On Thu, Feb 3, 2011 at 6:37 AM, Anand R <Anand.Raman@ibsplc.com>
> wrote:
> > >
> > > > Hi,
> > > >
> > > > My requirement is to perform a custom authentication on the username
> > > > and password that I receive as part of the UsernameToken header in the
> > > > incoming SOAP request. I discovered that cxf-2.3.2 provides an
> > > > AbstractUsernameTokenInInterceptor to perform this. I extended this
> > > > class and created my interceptor that overrides the createSubject
> > > > method. When I configure my interceptor in my beans.xml as shown
> > > > below, I am getting an exception.
> > > >
> > > > This exception comes up when I use a password digest. The plain text
> > > > password works fine. Is there any problem in the way I have configured
> > > > my interceptor?
> > > >
> > > >
> > > > Entry in beans.xml
> > > >
> > > >        <jaxws:endpoint id="echo"
> > > >                        implementor="learn.wssecurity.echo.EchoServiceImpl"
> > > >                        wsdlLocation="wsdl/echo/EchoService.wsdl"
> > > >                        address="/EchoService">
> > > >                <jaxws:inInterceptors>
> > > >                        <bean class="learn.wssecurity.echo.WSSUsernameTokenInterceptor"/>
> > > >                </jaxws:inInterceptors>
> > > >                <jaxws:properties>
> > > >                        <entry key="ws-security.callback-handler"
> > > >                               value="learn.wssecurity.echo.ServerPasswordCallback" />
> > > >                        <entry key="ws-security.ut.no-callbacks" value="true" />
> > > >                </jaxws:properties>
> > > >        </jaxws:endpoint>
> > > >
> > > >
> > >
> > > What is the purpose of registering ServerPasswordCallback? If you set
> > > a "ws-security.ut.no-callbacks" property then you only need a callback
> > > if you have an encrypted UT, so that the UT can be decrypted.
> > > So this callback that you're registering may be interfering in the
> > > case when you have a hashed UT token, can you remove it please and see
> > > what happens?
> > >
> > > Cheers, Sergey
> > >
> > >
> > >
> > >
> > > >
> > > > Exception
> > > >
> > > > java.lang.SecurityException: Security Token is not available on the
> > > > current message
> > > >        at org.apache.cxf.interceptor.security.AbstractSecurityContextInInterceptor.reportSecurityException(AbstractSecurityContextInInterceptor.java:88)
> > > >        at org.apache.cxf.interceptor.security.AbstractSecurityContextInInterceptor.handleMessage(AbstractSecurityContextInInterceptor.java:47)
> > > >        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
> > > >        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
> > > >        at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:97)
> > > >        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:461)
> > > >        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:188)
> > > >        at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:148)
> > > >        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
> > > >        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
> > > >        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> > > >        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
> > > >        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> > > >        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> > > >        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
> > > >        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> > > >        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
> > > >        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> > > >        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> > > >        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:212)
> > > >        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
> > > >        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
> > > >        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
> > > >        at java.lang.Thread.run(Thread.java:595)
> > > >
> > > > Thanks and regards,
> > > > Anand R
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > DISCLAIMER:
> > > >
> > > > "The information in this e-mail and any attachment is intended only
> > > > for the person to whom it is addressed and may contain confidential
> > > > and/or privileged material. If you have received this e-mail in error,
> > > > kindly contact the sender and destroy all copies of the original
> > > > communication. IBS makes no warranty, express or implied, nor
> > > > guarantees the accuracy, adequacy or completeness of the information
> > > > contained in this email or any attachment and is not liable for any
> > > > errors, defects, omissions, viruses or for resultant loss or damage,
> > > > if any, direct or indirect."
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> >
>
