The password comparison happens I believe in the UsernameToken class. Why
don't you do a check like
String passwordDigest =
UsernameToken.doPasswordDigest(principal.getNonce(),
principal.getCreatedTime(), "REAL PASSWORD");
if (!principal.getPassword().equals(passwordDigest)) {
throw new RuntimeException("Invalid credentials");
}
or just the following if there's no digest being used:
if (!principal.getPassword().equals("REAL PASSWORD")) {
throw new RuntimeException("Invalid credentials");
}
gdprao wrote:
>
> Hi Zarar,
>
> Thanks for the reply. I have added SAAJInInterceptor() to the interceptor
> chain and error has gone. But the problem is that the service is getting
> invoked eventhough the passwords are not matching. I want to understand
> where does the password comparison occurs. From logs I have the
> following:
>
> - Inside ValidateUserTokenInterceptor..
> - principal.isPasswordDigest()= false
> - principal.getNonce()= null
> - principal.getPassword()= test
> - principal.getCreatedTime()= null
>
> The client is sending the password "test" while the CallbackHandler that
> is registered with the server is setting the password "test123".
>
> Thanks,
> Durga
>
>
> Zarar Siddiqi wrote:
>>
>> You're probably not adding SAAJInInterceptor() to your interceptor chain.
>>
>>
>>
>> gdprao wrote:
>>>
>>> Hi Zarar,
>>>
>>> Thanks for the link. I have changed my configurations with the
>>> @InInterceptors in the service implementation class and also coded
>>> WSSecurityInterceptor and ValidateUserTokenInterceptor as shown in the
>>> blog. Still I am getting the following exception when I try to invoke
>>> the service. Any clues are appreciated.
>>>
>>> 2007-09-12 16:37:43,562 - DEBUG
>>> (com.mydomain.cxfauth.interceptors.WSSecurityInterceptor:handleMessage:25)
>>> - Inside handleMessage() of WSSecurityInterceptor.
>>> Sep 12, 2007 4:37:43 PM org.apache.cxf.phase.PhaseInterceptorChain
>>> doIntercept
>>> INFO: Interceptor has thrown exception, unwinding now
>>> org.apache.cxf.binding.soap.SoapFault: NO_SAAJ_DOC
>>> at
>>> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:116)
>>> at
>>> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:59)
>>> at
>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:207)
>>> at
>>> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:73)
>>> at
>>> org.apache.cxf.transport.servlet.ServletDestination.doMessage(ServletDestination.java:78)
>>> at
>>> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:231)
>>> at
>>> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:139)
>>> at
>>> org.apache.cxf.transport.servlet.CXFServlet.invoke(CXFServlet.java:271)
>>> at
>>> org.apache.cxf.transport.servlet.CXFServlet.doPost(CXFServlet.java:249)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
>>> ....
>>>
>>> Further, I want to know where the passwords comparison occurs. From the
>>> following code snippet of ValidateUserTokenInterceptor:
>>>
>>> if (!principal.isPasswordDigest() ||
>>> principal.getNonce() == null ||
>>> principal.getPassword() == null ||
>>> principal.getCreatedTime() == null) {
>>> throw new RuntimeException("Invalid Security
>>> Header");
>>> } else {
>>>
>>> //Where does the passwords compared??
>>>
>>> userTokenValidated = true;
>>> }
>>>
>>>
>>> Thanks,
>>> Durga
>>>
>>>
>>>
>>>
>>> Zarar Siddiqi wrote:
>>>>
>>>> You'll need a ValidateUserTokenInterceptor as shown here:
>>>>
>>>> http://arsenalist.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> gdprao wrote:
>>>>>
>>>>> I am facing a problem with the password comparison using WSS4J
>>>>> interceptors. I see the username and password are passed from the
>>>>> client to the server correctly and invoking PasswordCallbackHandler
>>>>> from SOAP message logs. As per my understanding the actual password
>>>>> comparison is done by WSS4J. The problem I am facing is that the
>>>>> service is getting invoked even if the passwords are not matching
>>>>> while I am expecting the SOAP fault to be thrown. The client is
>>>>> sending the password "test" while the server is expecting "test123"
>>>>> for the user "admin". Here are my logs and configuration. Please let
>>>>> me know if I am missing anything.
>>>>>
>>>>> Server side applicationContext-cxf.xml:
>>>>>
>>>>> <jaxws:endpoint id="helloWorld"
>>>>> implementor="com.mydomain.cxfauth.HelloWorldImpl"
>>>>> address="/HelloWorld">
>>>>>
>>>>> <jaxws:features>
>>>>> <bean class="org.apache.cxf.feature.LoggingFeature" />
>>>>> </jaxws:features>
>>>>> <jaxws:inInterceptors>
>>>>> <bean
>>>>>
>>>>> class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
>>>>> <ref bean="wss4jInConfiguration" />
>>>>> </jaxws:inInterceptors>
>>>>> </jaxws:endpoint>
>>>>> <bean id="wss4jInConfiguration"
>>>>> class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>>>>> <property name="properties">
>>>>> <map>
>>>>> <entry key="action" value="UsernameToken" />
>>>>> <entry key="passwordType" value="PasswordText"
>>>>> />
>>>>> <entry>
>>>>> <key>
>>>>>
>>>>> <value>passwordCallbackRef</value>
>>>>> </key>
>>>>> <ref bean="passwordCallback" />
>>>>> </entry>
>>>>> </map>
>>>>> </property>
>>>>> </bean>
>>>>>
>>>>> <bean id="passwordCallback"
>>>>> class="com.mydomain.cxfauth.interceptors.PasswordCallbackHandler"/>
>>>>>
>>>>> Server side Password callback handler:
>>>>>
>>>>> public void handle(Callback[] callbacks) throws IOException,
>>>>> UnsupportedCallbackException {
>>>>> WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
>>>>> logger.debug("identifier on server: " + pc.getIdentifer());
>>>>> if (pc.getIdentifer().equals("admin")) {
>>>>> logger.debug("Inside if: " + pc.getIdentifer());
>>>>> //set the password on the callback. This will later be
>>>>> compared to
>>>>> the password which was sent from the client.
>>>>> pc.setPassword("test123");
>>>>> }
>>>>>
>>>>> }
>>>>>
>>>>> Client side client-cxf.xml:
>>>>>
>>>>> <bean id="client" class="com.mydomain.cxfauth.HelloWorld"
>>>>> factory-bean="clientFactory" factory-method="create" />
>>>>>
>>>>> <bean id="clientFactory"
>>>>> class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
>>>>> <property name="serviceClass"
>>>>> value="com.mydomain.cxfauth.HelloWorld" />
>>>>> <property name="address"
>>>>>
>>>>> value="http://localhost:8080/cxfauth/services/HelloWorld"; />
>>>>> <property name="outInterceptors">
>>>>> <list>
>>>>> <bean
>>>>>
>>>>> class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
>>>>> <ref bean="wss4jOutConfiguration" />
>>>>> </list>
>>>>> </property>
>>>>> </bean>
>>>>> <bean id="wss4jOutConfiguration"
>>>>> class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>>>>> <property name="properties">
>>>>> <map>
>>>>> <entry key="action" value="UsernameToken" />
>>>>> <entry key="user" value="admin" />
>>>>> <entry key="passwordType" value="PasswordText"
>>>>> />
>>>>> <entry>
>>>>> <key>
>>>>>
>>>>> <value>passwordCallbackRef</value>
>>>>> </key>
>>>>> <ref bean="passwordCallback" />
>>>>> </entry>
>>>>> </map>
>>>>> </property>
>>>>> </bean>
>>>>> <bean id="passwordCallback"
>>>>>
>>>>> class="com.mydomain.cxfauthclient.interceptors.PasswordCallbackHandler"
>>>>> />
>>>>>
>>>>> Client side PasswordCallbackHandler:
>>>>>
>>>>> public void handle(Callback[] callbacks) throws IOException,
>>>>> UnsupportedCallbackException {
>>>>> WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
>>>>> logger.debug("identifier on client: " + pc.getIdentifer());
>>>>> if (pc.getIdentifer().equals("admin")) {
>>>>> //set the password on the callback on client side
>>>>> pc.setPassword("test");
>>>>> }
>>>>>
>>>>> }
>>>>>
>>>>>
>>>>> Server Log:
>>>>>
>>>>> Sep 12, 2007 10:25:21 AM org.apache.cxf.transport.servlet.CXFServlet
>>>>> replaceDestionFactory
>>>>> INFO: servlet transport factory already registered
>>>>> Sep 12, 2007 10:26:10 AM
>>>>> org.apache.cxf.interceptor.LoggingInInterceptor handleMessage
>>>>> INFO: Inbound Message
>>>>> --------------------------------------
>>>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
>>>>> <soap:Header>
>>>>> <wsse:Security
>>>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>>>>> soap:mustUnderstand="1"><wsse:UsernameToken
>>>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>>>>> wsu:Id="UsernameToken-12741398"
>>>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";><wsse:Username
>>>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>admin</wsse:Username><wsse:Password
>>>>> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
>>>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>test</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><ns1:sayHi
>>>>> xmlns:ns1="http://cxfauthmydomaincom/";><arg0>Durgaprasad</arg0></ns1:sayHi></soap:Body></soap:Envelope>
>>>>> --------------------------------------
>>>>> 2007-09-12 10:26:10,728 - DEBUG
>>>>> (com.mydomain.cxfauth.interceptors.PasswordCallbackHandler:handle:20)
>>>>> - identifier on server: admin
>>>>> 2007-09-12 10:26:10,744 - DEBUG
>>>>> (com.mydomain.cxfauth.interceptors.PasswordCallbackHandler:handle:22)
>>>>> - Inside if: admin
>>>>> Sep 12, 2007 10:26:11 AM
>>>>> org.apache.cxf.interceptor.LoggingOutInterceptor$LoggingCallback
>>>>> onClose
>>>>> INFO: Outbound Message
>>>>> --------------------------------------
>>>>> <soap:Envelope
>>>>> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";><soap:Body><ns1:sayHiResponse
>>>>> xmlns:ns1="http://cxfauth.mydomain.com/";><return>Welcome, Durgaprasad
>>>>> to the CXF web
>>>>> services</return></ns1:sayHiResponse></soap:Body></soap:Envelope>
>>>>> --------------------------------------
>>>>>
>>>>> Client response Log:
>>>>>
>>>>> Sep 12, 2007 10:26:09 AM
>>>>> org.apache.cxf.service.factory.ReflectionServiceFactoryBean
>>>>> buildServiceFromClass
>>>>> INFO: Creating Service {http://cxfauth.mydomain.com/}HelloWorldService
>>>>> from class com.mydomain.cxfauth.HelloWorld
>>>>> 2007-09-12 10:26:10,135 - DEBUG
>>>>> (com.mydomain.cxfauthclient.interceptors.PasswordCallbackHandler:handle:20)
>>>>> - identifier on client: admin
>>>>> 2007-09-12 10:26:11,119 - DEBUG
>>>>> (com.mydomain.cxfauthclient.CXFAuthClient:main:21) - Response:
>>>>> Welcome, Durgaprasad to the CXF web services
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
--
View this message in context:
http://www.nabble.com/UsernameToken-Authentication-with-WSS4J-tf4431064.html#a12651556
Sent from the cxf-user mailing list archive at Nabble.com.
