From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Password Callback did not fire
Date Wed, 27 Jul 2016 13:43:31 GMT
Hi Victor,

On Sat, Jul 23, 2016 at 8:51 AM, Emulator <emulator.chen@gmail.com> wrote:

>
>         2. For a custom PasswordEncryptor, there should be a constructor
> arg for WSS4JInterceptor that constructs an instance from a class, just like
> the callback handler does.
>

You can specify a custom PasswordEncryptor using the WSS4J property
"passwordEncryptorInstance".


>     Now I am stuck at http:conduit, is there any way that I can hide all
> keystore password/key password or even entire TLS parameters from
> applicationContext.xml? Things like callback or passwordEncryptor are ok
> for
> me, just cannot find anything from source.
>

No, I'm afraid not. You have the option of specifying them programmatically,
however.

Colm.


>
> Regards,
> Victor Chen
>
>
>
> coheigea wrote
> > Ok, I understand the problem now (I think). You can specify the private
> > key
> > password either in the Crypto properties file or else via a
> > CallbackHandler. However, you can only specify the keystore password in
> > the
> > Crypto properties file. You have two options here:
> >
> > a) If you're worried about putting a plaintext password in a file, you
> can
> > encrypt the password and use a CallbackHandler to retrieve a master key
> > for
> > decryption.
> > b) You can write your own Crypto instance. Simply override Merlin and
> > change the logic in terms of where it retrieves a password from.
> >
> > Colm.
> >
> > On Fri, Jul 22, 2016 at 2:44 PM, Emulator <emulator.chen@> wrote:
> >
> >> Hi Colm:
> >>     Please take a look at my second post. Now the private key has no
> >> problem with PasswordCallback (though I don't know why it needs
> >> "UsernameToken" to be added to Action), but I also need the keystore
> >> password encrypted or set by PasswordCallback (or any other way that
> >> keeps it out of the properties file).
> >>
> >>     So I need to remove
> >> org.apache.wss4j.crypto.merlin.keystore.password=password or decrypt
> this
> >> value.
> >>
> >>     If you are looking for the reason for adding UsernameToken, can you
> >> provide an example wsdl for me to make a quick example? I am not that
> >> familiar with wsdl definitions.
> >>
> >> Regards,
> >> Victor Chen
> >>
> >>
> >> coheigea wrote
> >> > Hi,
> >> >
> >> > I can't reproduce this problem. For example, see the following CXF
> test
> >> > configuration (search for "DoubleItSignedTimestampPort"):
> >> >
> >> > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml;h=ad76afe61c83b576059acd9791394910de2f691f;hb=HEAD
> >> >
> >> > A passwordCallbackClass is specified. "alice.properties" does not have
> >> the
> >> > private key specified in it:
> >> >
> >> > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/alice.properties;h=f2dbb4b60bdd6adba0ab3f07ba82850c9f58fd9b;hb=HEAD
> >> >
> >> > Could you create a quick test-case to reproduce the problem and I'll
> >> take
> >> > a
> >> > look? Failing that, you could try debugging the WSS4J code. The
> >> > CallbackHandler is queried in WSHandler.getPasswordCB, called in turn
> >> from
> >> > the SignatureAction class.
> >> >
> >> > Colm.
> >> >
> >> >
> >> > On Fri, Jul 22, 2016 at 9:33 AM, Emulator <emulator.chen@> wrote:
> >> >
> >> >> A quick update: I found that if I add UsernameToken into Action, the
> >> >> private key password works.
> >> >> But when I try to remove the keystore password or change it to a wrong
> >> >> one, PasswordCallback is constructed but its handle method is never
> >> >> called, and the following exception is thrown:
> >> >>
> >> >> Caused by: org.apache.wss4j.common.ext.WSSecurityException: Failed to load credentials.
> >> >> Original Exception was java.io.IOException: Keystore was tampered with, or password was incorrect
> >> >>         at org.apache.wss4j.common.crypto.Merlin.load(Merlin.java:397)
> >> >>         at org.apache.wss4j.common.crypto.Merlin.loadProperties(Merlin.java:218)
> >> >>         at org.apache.wss4j.common.crypto.Merlin.<init>(Merlin.java:151)
> >> >>         at org.apache.wss4j.common.crypto.CryptoFactory.getInstance(CryptoFactory.java:127)
> >> >>         ... 46 more
> >> >> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
> >> >>         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
> >> >>         at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
> >> >>         at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
> >> >>         at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
> >> >>         at java.security.KeyStore.load(KeyStore.java:1445)
> >> >>         at org.apache.wss4j.common.crypto.Merlin.load(Merlin.java:391)
> >> >>         ... 49 more
> >> >> Caused by: java.security.UnrecoverableKeyException: Password verification failed
> >> >>         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
> >> >>         ... 54 more
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> View this message in context:
> >> >>
> >>
> http://cxf.547215.n5.nabble.com/Password-Callback-did-not-fire-tp5770579p5770580.html
> >> >> Sent from the cxf-user mailing list archive at Nabble.com.
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > Colm O hEigeartaigh
> >> >
> >> > Talend Community Coder
> >> > http://coders.talend.com
> >>
> >>
> >>
> >>
> >>
> >> --
> >> View this message in context:
> >>
> http://cxf.547215.n5.nabble.com/Password-Callback-did-not-fire-tp5770579p5770592.html
> >> Sent from the cxf-user mailing list archive at Nabble.com.
> >>
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Password-Callback-did-not-fire-tp5770579p5770644.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

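The two things Colm suggests in this thread, set up programmatically rather than in applicationContext.xml, as an added example that is not from the thread or from the CXF project: the HTTP conduit's TLS parameters are built from keystores whose passwords are read from the environment, and the WSS4J interceptor is handed a PasswordEncryptor through the "passwordEncryptorInstance" property so the Crypto properties file need not hold a plaintext keystore password. The environment variable names, the keystore file paths and the caller-supplied `PasswordEncryptor` implementation are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.common.crypto.PasswordEncryptor;
import org.apache.wss4j.dom.handler.WSHandlerConstants;

public final class ProgrammaticSecretsSetup {

    // Assumed secret source: the environment. Nothing here is written into Spring XML.
    private static char[] secret(String name) {
        String v = System.getenv(name);
        if (v == null) throw new IllegalStateException("missing secret: " + name);
        return v.toCharArray();
    }

    private static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    // 'port' is a JAX-WS client proxy; 'encryptor' is the caller's PasswordEncryptor (assumed)
    public static void configure(Object port, PasswordEncryptor encryptor) throws Exception {
        // TLS: key and trust material loaded with passwords that never appear in configuration files
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("client.jks", secret("CLIENT_KEYSTORE_PASSWORD")), secret("CLIENT_KEY_PASSWORD"));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("truststore.jks", secret("TRUSTSTORE_PASSWORD")));

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setDisableCNCheck(false);           // keep hostname verification enabled

        Client client = ClientProxy.getClient(port);
        ((HTTPConduit) client.getConduit()).setTlsClientParameters(tls);

        // WS-Security: the encryptor lets Merlin decrypt the keystore password stored in the properties file
        Map<String, Object> props = new HashMap<>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        props.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties");   // path is an assumption
        props.put("passwordEncryptorInstance", encryptor);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(props));
    }
}
```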