Comments on Open Source Security: [WSS4J 1.6] Introducing Validators

Prasad Shenoy (2018-06-28):
How do I verify a signed SOAP message using the org.apache.ws.security wss4j jar?
Can anyone help me with sample code?

Jose Antonio (2017-11-22):
Hi, thanks for your contribution. I am sharing my necessary changes for migrating to CXF 2.5.3 and WSS4J 1.6.x:

** ServerWSS4JInInterceptor.java

    import java.util.HashMap;
    import java.util.Map;

    import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
    import org.apache.ws.security.WSConstants;
    import org.apache.ws.security.WSSecurityEngine;
    import org.apache.ws.security.handler.WSHandlerConstants;

    public class ServerWSS4JInInterceptor extends WSS4JInInterceptor {
        static Map map;
        static {
            map = new HashMap();

            map.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
            map.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PASSWORD_TEXT); // Do not use: WSConstants.PW_TEXT
            map.put(WSHandlerConstants.PW_CALLBACK_REF, new AuthenticationTokenCallbackHandler());

            // Changes needed to make it work with the new WSS4J 1.6.x:

            map.put(WSHandlerConstants.IS_BSP_COMPLIANT, "false");

            final Map customMap = new HashMap();
            CustomUsernameTokenValidator validator = new CustomUsernameTokenValidator();
            customMap.put(WSSecurityEngine.USERNAME_TOKEN, validator);
            map.put(WSS4JInInterceptor.VALIDATOR_MAP, customMap);
        }

        public ServerWSS4JInInterceptor() {
            super(map);
        }
    }

** CustomUsernameTokenValidator.java

    import org.apache.ws.security.WSPasswordCallback;
    import org.apache.ws.security.WSSecurityException;
    import org.apache.ws.security.handler.RequestData;
    import org.apache.ws.security.message.token.UsernameToken;
    import org.apache.ws.security.validate.UsernameTokenValidator;
    import org.apache.ws.security.validate.Validator;

    public class CustomUsernameTokenValidator extends UsernameTokenValidator implements Validator {

        @Override
        protected void verifyDigestPassword(UsernameToken usernameToken,
                RequestData data) throws WSSecurityException {

            ...
            // FIX HERE: SO THAT THE PASSWORD IS CARRIED THROUGH TO THE CALLBACK
            // WSPasswordCallback pwCb =
            //     new WSPasswordCallback(user, null, pwType, WSPasswordCallback.USERNAME_TOKEN, data);
            WSPasswordCallback pwCb =
                new WSPasswordCallback(user, password, pwType, WSPasswordCallback.USERNAME_TOKEN, data);
            ...
        }
    }

** AuthenticationTokenCallbackHandler.java

    import java.io.IOException;

    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;

    import org.apache.ws.security.WSPasswordCallback;

    public class AuthenticationTokenCallbackHandler implements CallbackHandler {

        private static org.apache.commons.logging.Log log =
            org.apache.commons.logging.LogFactory.getLog(AuthenticationTokenCallbackHandler.class);

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
        {
            WSPasswordCallback pc = null;
            for (Callback callback : callbacks) {
                if (callback instanceof WSPasswordCallback) {
                    pc = (WSPasswordCallback) callback;
                    break;
                }
            }

            // No WSPasswordCallback was supplied, so there is nothing to handle.
            if (pc == null) {
                throw new UnsupportedCallbackException(
                    callbacks.length > 0 ? callbacks[0] : null, "Expected a WSPasswordCallback");
            }

            if ((WSPasswordCallback.USERNAME_TOKEN_UNKNOWN != pc.getUsage())
                    && (WSPasswordCallback.USERNAME_TOKEN != pc.getUsage())) {
                throw new SecurityException("Only 'UsernameToken' is suported.");
            }

            // Note:
            // The password could be verified at this point, although WS-Security 1.6.x indicates
            // that it should be done in CustomUsernameTokenValidator

            log.debug("Usuario recibido : " + pc.getIdentifier() +
                " con uso " + pc.getUsage());
            //+ " y pww="+pc.getPassword()
        }
    }

Colm O hEigeartaigh (2014-05-09):
I suggest asking the Rampart users list.

Colm.

Anita (2014-05-08):
Colm,

How can we implement UsernameToken with plaintext password for Axis2 1.6.2 version?

Thank you
Anita

Andrej (2013-09-18):
Hi Patrick,
Please can you suggest an example of how to set it up without CXF, preferably within Spring WS?

Thank you!

Best regards,
Andrej

Colm O hEigeartaigh (2011-06-20):
Hi Patrick,

I will post a blog entry soon explaining more about how to use WSS4J Validators in CXF. In the meantime, it is possible to configure it for your case in a simpler way than modifying the VALIDATOR_MAP variable. Just set the following jaxws property "ws-security.ut.validator" to your custom validator:

http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#USERNAME_TOKEN_VALIDATOR

Colm.

Anonymous (2011-06-17):
I have to accept UsernameToken with plaintext password for a web service and authenticate against another data store... It took me a while, but I figured out how to register my custom validator using the CXF jaxws Spring namespace:

    <jaxws:endpoint id="myServiceEndpoint" ... >
      <jaxws:inInterceptors>
        <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
          <constructor-arg>
            <map>
              <entry key="#{T(org.apache.ws.security.handler.WSHandlerConstants).ACTION}" value="#{T(org.apache.ws.security.WSConstants).USERNAME_TOKEN_LN}" />
              <entry key="#{T(org.apache.ws.security.handler.WSHandlerConstants).PASSWORD_TYPE}" value="#{T(org.apache.ws.security.WSConstants).PW_TEXT}" />
              <entry key="#{T(org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor).VALIDATOR_MAP}">
                <map>
                  <entry key="#{T(org.apache.ws.security.WSSecurityEngine).USERNAME_TOKEN}">
                    <bean class="com.mycompany.wss4j.MyCustomUsernameTokenValidator" />
                  </entry>
                </map>
              </entry>
            </map>
          </constructor-arg>
        </bean>
      </jaxws:inInterceptors>
    </jaxws:endpoint>