Friday 15 February 2013

apache - CallbackHandler in CXF 3.X & WSS4J 2.X -




I'm trying to upgrade our current application to CXF 3 and WSS4J 2. This is causing me quite a headache.

The current application code for the client:

    private void secureWebService( Client client, final Credentials credentials ) {

        // Set WS-Security info
        Map<String,Object> outProps = new HashMap<String,Object>();
        outProps.put( WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN );
        outProps.put( WSHandlerConstants.USER, credentials.getUsername() );
        outProps.put( WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT );

        // Callback used to retrieve the password for the given user.
        outProps.put( WSHandlerConstants.PW_CALLBACK_REF, new CallbackHandler() {
            @Override
            public void handle( Callback[] callbacks ) throws IOException, UnsupportedCallbackException {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
                pc.setPassword( credentials.getPassword() );
            }
        });

        WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor( outProps );
        client.getOutInterceptors().clear();
        client.getOutInterceptors().add( wssOut );
    }

On the server side...

    public class ServerPasswordCallback implements CallbackHandler {

        public void handle( Callback[] callbacks ) throws IOException, UnsupportedCallbackException {
            WSPasswordCallback pc = (WSPasswordCallback)callbacks[0];
            boolean result = false;
            try {
                LoginContext lc = new LoginContext( container, new CallbackHandler() {
                    public void handle( Callback[] callbacks ) throws IOException, UnsupportedCallbackException {
                        NameCallback nc = (NameCallback)callbacks[0];
                        nc.setName( myGetName() );

                        PasswordCallback pc2 = (PasswordCallback)callbacks[1];
                        String clientPassword = pc.getPassword(); // used to contain the password, now null
                        pc2.setPassword( clientPassword.toCharArray() );
                    }
                } );
                lc.login();
                result = true;
            } catch( LoginException le ) {
                le.printStackTrace(); // current stack trace is a NullPointerException since "clientPassword" is null
                // We haven't authenticated, so false is returned
            } catch( SecurityException se ) {
                throw new IOException( "cannot create LoginContext. " + se.getMessage() );
            }
            return result;
        }
    }

My JAX-WS endpoint config:

    <bean id="wss4jpasswordcallback" class="com.mycompany.webservice.security.ServerPasswordCallback"/>

    <jaxws:endpoint id="customerendpoint" implementor="#customerwebservice" address="/customer">
        <jaxws:inInterceptors>
            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <constructor-arg>
                    <map>
                        <entry key="action" value="UsernameToken"/>
                        <entry key="passwordType" value="plaintext"/>
                        <entry key="passwordCallbackRef">
                            <ref bean="wss4jpasswordcallback"/>
                        </entry>
                    </map>
                </constructor-arg>
            </bean>
            <bean class="com.mycompany.webservice.security.WSS4JPrincipalInjectorInterceptor"/>
        </jaxws:inInterceptors>
        <jaxws:outInterceptors>
            <bean class="com.mycompany.webservice.security.WSS4JPrincipalRemoverInterceptor"/>
        </jaxws:outInterceptors>
        <jaxws:outFaultInterceptors>
            <bean class="com.mycompany.webservice.security.WSS4JPrincipalRemoverInterceptor"/>
        </jaxws:outFaultInterceptors>
    </jaxws:endpoint>

Specifically, the WSPasswordCallback object is now passing null rather than the password as it used to. From my reading, CXF chose to stop doing this, with insufficient documentation regarding the upgrade path. What is the upgrade path for this?

Also, I've noticed that WSS4J is changing where it lives. It has moved from "org.apache.ws.security" to "org.apache.wss4j.common.ext". I have also updated the constants to "org.apache.wss4j.dom.WSConstants" & "org.apache.wss4j.dom.handler.WSHandlerConstants" to get things to compile. This has also drastically changed the old "org.apache.ws.security.validate.Validator" class in "org.apache.commons.validator.Validator". The classes are quite different now. Maybe "org.apache.wss4j.dom.validate.KerberosTokenValidator" is the new replacement? Again, I could find no documentation for this fact.

Please note: this was working code until moving to the new CXF and WSS4J versions!

It sounds like you are upgrading from an old version of CXF that used WSS4J 1.5.x. As of WSS4J 1.6.x, the CallbackHandler is no longer supplied with the password, but must instead set the password on the callback. See here:

http://coheigea.blogspot.ie/2011/02/usernametoken-processing-changes-in.html

Colm.
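
The change described in the answer above, as an added example that is not part of the original post or of the CXF/WSS4J projects: a server-side CallbackHandler for WSS4J 2.x that looks up the stored password for the user named in the callback and sets it on the callback, leaving the comparison to WSS4J. The class name StoredPasswordCallback and the in-memory map are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.wss4j.common.ext.WSPasswordCallback;

// Hypothetical class name; not part of CXF or WSS4J.
public class StoredPasswordCallback implements CallbackHandler {

    // Assumption: an in-memory store stands in for the real credential lookup.
    private final Map<String, String> storedPasswords;

    public StoredPasswordCallback( Map<String, String> storedPasswords ) {
        this.storedPasswords = new HashMap<String, String>( storedPasswords );
    }

    @Override
    public void handle( Callback[] callbacks ) throws IOException, UnsupportedCallbackException {
        for ( Callback callback : callbacks ) {
            if ( !( callback instanceof WSPasswordCallback ) ) {
                throw new UnsupportedCallbackException( callback, "Unsupported callback type" );
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            if ( pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN ) {
                continue; // only UsernameToken processing is handled here
            }
            // pc.getPassword() is null at this point: the handler no longer
            // receives the password sent by the client.
            String expected = storedPasswords.get( pc.getIdentifier() );
            if ( expected != null ) {
                // WSS4J compares this value with the password in the token.
                pc.setPassword( expected );
            }
            // Unknown user: leave the password unset so WSS4J has nothing
            // to match against and rejects the token.
        }
    }
}
```

Because WSS4J performs an equality check against the value set here, this handler fits only where the server can retrieve the stored password for the user.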

apache web-services cxf ws-security wss4j
