Discussion:
axis2 rampart
juergen sorg
2014-12-12 11:45:51 UTC
hi,

I tried to authenticate SOAP service users against a Microsoft Active
Directory.
Is it possible within the CallbackHandler to get the password provided
by the user within the SOAP message?

I read something about getUsage==USERNAME_TOKEN_UNKNOWN but I do not know
the settings in rampart to get Axis to call the callback in this way. (In
this case the password should be provided by WSPasswordCallback.getPassword.)

I also tried to get a MessageContext within the callback routine, but
this is not possible: the result of getCurrentMessageContext is null.

thanks in advance


regards, juergen
wp11034684-001
2014-12-12 14:04:52 UTC
Hi,

it is quite simple to fetch the username/password from the WS-Security
UsernameToken:


import java.io.IOException;
import java.util.logging.Logger;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class PasswordCBHandler
    implements CallbackHandler
{
    private static final Logger LOG = Logger.getLogger( PasswordCBHandler.class.getName() );

    @Override
    public void handle( Callback[] callbacks )
        throws IOException, UnsupportedCallbackException
    {
        for( Callback cb : callbacks ) {
            // Rampart hands WSPasswordCallback objects to this handler; anything
            // else is rejected instead of failing with a ClassCastException.
            if( !(cb instanceof WSPasswordCallback) ) {
                throw new UnsupportedCallbackException( cb, "unsupported callback" );
            }
            WSPasswordCallback pwcb = (WSPasswordCallback)cb;
            if( (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN) ||
                (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) )
            {
                String userid = pwcb.getIdentifier();
                // Only filled for USERNAME_TOKEN_UNKNOWN (PasswordText). For
                // USERNAME_TOKEN (PasswordDigest) it is null and the handler has
                // to hand the stored password to WSS4J via pwcb.setPassword().
                String pwd = pwcb.getPassword();

                boolean isvalid = false;
                // Do the authentication stuff here, leads to isvalid=true/false

                if( isvalid ) {
                    LOG.info( "PasswordCBHandler.handle(): "+userid+" ok." );
                    return;
                } else {
                    LOG.warning( "PasswordCBHandler.handle(): "+userid+" failed." );
                    throw new UnsupportedCallbackException(cb, "check failed");
                }
            }
        }
    }
}

And in the services.xml of the web service:

<service name="SomeService" scope="application"
         class="xx.yy.SomeService" >

    <parameter name="useOriginalwsdl">true</parameter>
    <parameter name="modifyUserWSDLPortAddress">true</parameter>
    <!-- some other configurations -->

    <!-- Authentication via WS-Security (UsernameToken) -->
    <module ref="rampart" />
    <parameter name="InflowSecurity">
        <action>
            <items>UsernameToken</items>
            <passwordCallbackClass>
                xx.yy.PasswordCBHandler
            </passwordCallbackClass>
        </action>
    </parameter>

</service>


That should work, if rampart is activated in axis.xml.

Cheers
Jörg
juergen sorg
2014-12-12 14:46:50 UTC
hi joerg,

thanks for your reply.


But this does not work for me, because pwcb.getPassword() always returns
null when the usage is WSPasswordCallback.USERNAME_TOKEN. In this case you
have to set the password with pwcb.setPassword(pw) and rampart compares
this password with the transmitted password (but this does not work
because the Active Directory transfers no passwords).

I thought there is an option in rampart to provide the transmitted
password within the CallbackHandler.

regards, juergen
Martin Gainty
2014-12-12 15:04:06 UTC
Date: Fri, 12 Dec 2014 12:45:51 +0100
Subject: axis2 rampart
hi,
MG>Good day
I tried to authenticate SOAP service users against a Microsoft Active
Directory.
Is it possible within the CallbackHandler to get the password provided
by the user within the SOAP message?
I read something about getUsage==USERNAME_TOKEN_UNKNOWN but I do not know
the settings in rampart to get Axis to call the callback in this way. (In
this case the password should be provided by WSPasswordCallback.getPassword.)
I also tried to get a MessageContext within the callback routine, but
this is not possible: the result of getCurrentMessageContext is null.
MG>
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class TestCBHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
    {
        for (Callback callback : callbacks) {
            if (callback instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callback;
                /*
                 * This usage type is used only in case we received a
                 * username token with a password of type PasswordText or
                 * an unknown password type.
                 *
                 * This case the WSPasswordCallback object contains the
                 * identifier (aka username), the password we received, and
                 * the password type string to identify the type.
                 *
                 * Here we perform only a very simple check.
                 */
                if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                    // Both identifier and password have to match; the constant-first
                    // equals() also copes with a missing (null) password.
                    if ("Username".equals(pc.getIdentifier())       // default is Username
                            && "Password".equals(pc.getPassword())) { // default is Password
                        return;
                    }
                    throw new UnsupportedCallbackException(callback, "check failed");
                }
            }
        }
    }
}
MG>then in your RampartConfig:
<wsp:Policy wsu:Id="5" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>UnencryptedUsername</ramp:user>
        <ramp:encryptionUser>Username</ramp:encryptionUser>
        <ramp:passwordCallbackClass>org.apache.rampart.TestCBHandler</ramp:passwordCallbackClass>

        <ramp:signatureCrypto>
            <!-- merlin only supports keys < 1024b...if you want stronger go with bouncycastle -->
            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                <!-- make sure the jks exists and the password for this jks matches the password below -->
                <ramp:property name="org.apache.ws.security.crypto.merlin.file">test-resources/keys/interop2.jks</ramp:property>
                <!-- here is the password which must match the password from the above .jks -->
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">Password</ramp:property>
            </ramp:crypto>
        </ramp:signatureCrypto>
    </ramp:RampartConfig>
</wsp:Policy>
thanks in advance
regards, juergen
MG>Kind regards
MG>Martin
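As an added example (not code posted by anyone in this thread), the following CallbackHandler covers both situations the thread is about: juergen's observation that getPassword() is null for the USERNAME_TOKEN usage, where WSS4J wants the stored clear-text password via setPassword() so it can verify the digest itself, and the PasswordText case Martin's comment describes, where the transmitted password arrives in getPassword() and the handler must verify it. For the Active Directory case, where no password can be read back from the directory, verification is done with an LDAP simple bind using the supplied credentials. The class name, the LDAP URL, the UPN suffix and the local account map are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Hashtable;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/** Hypothetical handler: digest tokens from a local account store, text tokens via AD bind. */
public class DirectoryPasswordCBHandler implements CallbackHandler {

    // Assumed deployment values; replace with your own directory settings.
    private static final String LDAP_URL = "ldaps://dc.example.internal:636";
    private static final String UPN_SUFFIX = "@example.internal";

    // Local accounts whose clear-text password is known to the service. Only these
    // can be authenticated with PasswordDigest tokens, because WSS4J needs the
    // clear-text password to recompute the digest.
    private static final Map<String, String> LOCAL_ACCOUNTS = new ConcurrentHashMap<String, String>();

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unsupported callback type");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            String user = pwcb.getIdentifier();

            if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
                // PasswordDigest: getPassword() is null here. Supply the stored
                // password and let WSS4J compare the digest.
                String stored = LOCAL_ACCOUNTS.get(user);
                if (stored == null) {
                    throw new UnsupportedCallbackException(cb, "unknown user");
                }
                pwcb.setPassword(stored);
            } else if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                // PasswordText (or unknown type): the transmitted password is
                // available and this handler decides whether it is valid.
                if (!bindToDirectory(user, pwcb.getPassword())) {
                    throw new UnsupportedCallbackException(cb, "directory authentication failed");
                }
            } else {
                throw new UnsupportedCallbackException(cb, "unexpected usage " + pwcb.getUsage());
            }
        }
    }

    /** Verifies user/password with an LDAP simple bind; returns true only on a successful bind. */
    static boolean bindToDirectory(String user, String password) {
        // An empty password would be an unauthenticated (anonymous) bind, which
        // many directories accept; it must never count as a successful login.
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, user + UPN_SUFFIX);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            InitialDirContext ctx = new InitialDirContext(env);
            ctx.close();
            return true;
        } catch (NamingException e) {
            // Bad credentials, locked account or unreachable directory all fail closed.
            return false;
        }
    }
}
```

Because the Active Directory path depends on the client sending a PasswordText token, the password travels in the SOAP message itself; the transport to the service should therefore be TLS, and the bind to the directory should use ldaps as above, so the clear-text password is never on the wire unprotected.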