axis2 rampart

axis2 rampart

juergen sorg
hi,

I tried to authenticate SOAP service users against a Microsoft Active
Directory.
Is it possible within the CallbackHandler to get the password provided
by the user within the SOAP message?

I read something about getUsage()==USERNAME_TOKEN_UNKNOWN, but I do not know
the settings in rampart to get axis to call the callback in this way. (In
this case the password should be provided by WSPasswordCallback.getPassword().)

I also tried to get a MessageContext within the callback routine, but
this is not possible: the result of getCurrentMessageContext() is null.

Thanks in advance


Regards, juergen





Re: axis2 rampart

Jörg
Hi,
 
it is quite simple to fetch the username/password from the WS-Security UsernameToken:
 
 
import java.io.IOException;
import java.util.logging.Logger;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class PasswordCBHandler
             implements CallbackHandler
{
  private static final Logger LOG = Logger.getLogger( PasswordCBHandler.class.getName() );

  @Override
  public void handle( Callback[] callbacks )
              throws IOException, UnsupportedCallbackException
  {
     for( Callback cb : callbacks ) {
        // Rampart/WSS4J only hands WSPasswordCallback objects to this handler;
        // refuse anything else instead of failing with a ClassCastException.
        if( !(cb instanceof WSPasswordCallback) ) {
           throw new UnsupportedCallbackException( cb, "unsupported callback type" );
        }
        WSPasswordCallback pwcb = (WSPasswordCallback)cb;
        if( (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN) ||
            (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) )
        {
          String userid = pwcb.getIdentifier();   // username from the UsernameToken
          String pwd = pwcb.getPassword();        // password carried by the callback

          boolean isvalid = false;
          // Do the authentication stuff here, leads to isvalid=true/false

          if( isvalid ) {
              LOG.info( "PasswordCBHandler.handle(): "+userid+" ok." );
              return;
          } else {
              LOG.warning( "PasswordCBHandler.handle(): "+userid+" failed." );
              throw new UnsupportedCallbackException(cb, "check failed");
          }
        }
     }
  }
}
 
And in the services.xml of the web service:
 
<service name="SomeService" scope="application"
                                class="xx.yy.SomeService" >

   <parameter name="useOriginalwsdl">true</parameter>
   <parameter name="modifyUserWSDLPortAddress">true</parameter>
    <!-- some other configurations -->

    <!-- Authentication via WS-Security (Username-Token) -->
    <module ref="rampart" />
    <parameter name="InflowSecurity">
        <action>
           <items>UsernameToken</items>
           <passwordCallbackClass>
                 xx.yy.PasswordCBHandler
           </passwordCallbackClass>
        </action>
    </parameter>

</service>
 
 
That should work if rampart is activated in axis.xml.
 
Cheers
Jörg
 
 
 

Re: axis2 rampart

juergen sorg
hi joerg,

thanks for your reply.


But this does not work for me, because pwcb.getPassword() always returns
null when the usage is WSPasswordCallback.USERNAME_TOKEN. In this case you
have to set the password with pwcb.setPassword(pw), and rampart compares
this password with the transmitted password (but this does not work,
because the Active Directory transfers no passwords).

I thought there was an option in rampart to provide the transmitted
password within the CallbackHandler.

Regards, juergen





On 12/12/14 15:04, wp11034684-001 wrote:
RE: axis2 rampart

Martin Gainty
In reply to this post by juergen sorg

> Date: Fri, 12 Dec 2014 12:45:51 +0100
> From: [hidden email]
> To: [hidden email]
> Subject: axis2 rampart
>
> hi,
MG>Good day

>
> i tried to authenticate soap service users against an microsoft active
> directory.
> is it possible within the CallbackHandler to get the password provided
> by the user within the soap message?
>
> i read something about getUsage==USERNAME_TOKEN_UNKOWN but i do not know
> the settings in rampart to get axis call the callback in this way. (in
> this case the password sould be provided by WSPasswordCallback.getPassword)
>
> i also tried to get a MessageContext within the callback routine. but
> this is not possible. the result of getCurrentMessageContext is null.
MG>
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class TestCBHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callback;
                /*
                 * This usage type is used only in case we received a
                 * username token with a password of type PasswordText or
                 * an unknown password type.
                 *
                 * This case the WSPasswordCallback object contains the
                 * identifier (aka username), the password we received, and
                 * the password type string to identify the type.
                 *
                 * Here we perform only a very simple check.
                 */
                if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                    // Both the identifier (default "Username") and the password
                    // (default "Password") must match. getPassword() may be null,
                    // so the constant goes on the left of equals().
                    if ("Username".equals(pc.getIdentifier())
                            && "Password".equals(pc.getPassword())) {
                        return;
                    }
                    throw new UnsupportedCallbackException(callback, "check failed");
                }
            }
        }
    }
}
MG>then in your rampartConfig
<wsp:Policy wsu:Id="5" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>UnencryptedUsername</ramp:user>
        <ramp:encryptionUser>Username</ramp:encryptionUser>
        <ramp:passwordCallbackClass>org.apache.rampart.TestCBHandler</ramp:passwordCallbackClass>
       
        <ramp:signatureCrypto>
<!-- merlin  only supports keys < 1024b...if you want stronger go with bouncycastle -->
            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<!-- make sure the jks exists and the password for this jks matches the password below -->
                <ramp:property name="org.apache.ws.security.crypto.merlin.file">test-resources/keys/interop2.jks</ramp:property>
<!-- here is the password which must match the password from the above .jks -->
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">Password</ramp:property>
            </ramp:crypto>
        </ramp:signatureCrypto>
    </ramp:RampartConfig>
</wsp:Policy>
>
> thanks in advance
>
>
> gruss juergen
>
MG>Kind regards
MG>Martin
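The three posts above describe two different callback usages: Jörg's handler reads getPassword(), juergen finds that for USERNAME_TOKEN the password is null and must instead be supplied with setPassword() for WSS4J to compare, and Martin's TestCBHandler reads the transmitted password in the USERNAME_TOKEN_UNKNOWN case. Which usage a PasswordText token ends up in depends on the Rampart/WSS4J version in use, so a single handler that serves both is the robust choice. The following is an added example and not code from the thread or from the Rampart project; it assumes the WSS4J 1.x org.apache.ws.security.WSPasswordCallback API used on this page, and the PasswordAuthority interface, the LdapBindAuthority class, the directory URL and the UPN suffix are hypothetical. For a digest token it hands WSS4J the locally stored password and lets WSS4J do the comparison; for a plaintext token it verifies the transmitted password with an LDAP simple bind, the only check a directory such as Active Directory offers, since it never hands out a password. Two points a practitioner should keep in mind: an LDAP simple bind with an empty password is an anonymous bind and succeeds on most servers, so empty passwords are rejected before binding; and a PasswordText token carries the password in clear, so the SOAP transport must be TLS.

```java
import java.io.IOException;
import java.util.Hashtable;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/** Hypothetical interface: verifies a username/password pair against some authority. */
interface PasswordAuthority {
    boolean verify(String username, String password);
}

/**
 * Hypothetical authority that checks a password with an LDAP simple bind (JNDI).
 * A directory never returns the password, so a bind is the only possible check.
 */
final class LdapBindAuthority implements PasswordAuthority {
    private final String url;        // placeholder, e.g. "ldaps://dc.example.invalid:636"
    private final String upnSuffix;  // placeholder, e.g. "@example.invalid"

    LdapBindAuthority(String url, String upnSuffix) {
        this.url = url;
        this.upnSuffix = upnSuffix;
    }

    @Override
    public boolean verify(String username, String password) {
        // A simple bind with an empty password is an anonymous bind (RFC 4513) and
        // would "succeed" for any user, so reject empty credentials up front.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, username + upnSuffix);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();  // bind succeeded: the password is correct
            return true;
        } catch (NamingException e) {            // invalid credentials, server unreachable, ...
            return false;
        }
    }
}

/** Handler for Rampart's passwordCallbackClass that serves both UsernameToken usages. */
public class UsernameTokenCallbackHandler implements CallbackHandler {
    private final PasswordAuthority authority;
    /** Passwords for digest tokens only; constructed sample data, not a real account. */
    private final Map<String, String> localPasswords = new ConcurrentHashMap<>();

    /** Rampart instantiates the handler reflectively, so a public no-arg constructor is needed. */
    public UsernameTokenCallbackHandler() {
        this(new LdapBindAuthority("ldaps://dc.example.invalid:636", "@example.invalid"));
    }

    UsernameTokenCallbackHandler(PasswordAuthority authority) {
        this.authority = authority;
        localPasswords.put("svc-report", "constructed-sample-secret");
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unsupported callback type");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            String user = pwcb.getIdentifier();
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN: {
                    // getPassword() is null here: WSS4J expects the stored password via
                    // setPassword() and performs the (digest) comparison itself. A
                    // directory cannot serve this case, so unknown users simply fail.
                    String stored = localPasswords.get(user);
                    if (stored == null) {
                        throw new UnsupportedCallbackException(cb, "unknown user");
                    }
                    pwcb.setPassword(stored);
                    break;
                }
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN: {
                    // PasswordText token: getPassword() carries the transmitted password,
                    // which crossed the wire in clear (use TLS) and is verified by a bind.
                    if (!authority.verify(user, pwcb.getPassword())) {
                        throw new UnsupportedCallbackException(cb, "authentication failed");
                    }
                    break;
                }
                default:
                    throw new UnsupportedCallbackException(cb, "unsupported usage " + pwcb.getUsage());
            }
        }
    }
}
```

Register the class as the passwordCallbackClass in services.xml (InflowSecurity) or in the RampartConfig policy, exactly as the snippets above do for their handlers. The handler deliberately never accepts a token on its own in the USERNAME_TOKEN branch; it only supplies the reference password and leaves the comparison to WSS4J, so a bug in the handler cannot turn into an authentication bypass.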