Re: Container validation of UsernameToken passwords?

Tue, 04 Dec 2012 04:15:05 -0800

Will configuring WSS4JInInterceptor to skip validating the token ("ws-security.validate.token" property set to false) and using JAASLoginInterceptor do it ? 
http://cxf.apache.org/docs/security.html#Security-JAASLoginInterceptor

This path might work for UT only I guess

Cheers, Sergey

On 04/12/12 12:06, Colm O hEigeartaigh wrote:

I don't think there is a way to handle this at the moment. You could plug
in a custom Validator for (WS-Security) UsernameTokens and do some
container-specific validation I guess.

Colm.

On Fri, Nov 30, 2012 at 4:51 PM, Glen Mazza<glen.ma...@gmail.com>  wrote:


Hi folks, I just confirmed by testing Metro w/UsernameToken over SSL
transport (haven't tried UT via their symmetric binding yet), that if I
*don't* configure a server-side password callback handler like here:

https://github.com/gmazza/blog-samples/blob/master/metro_usernametoken_profile/service/src/main/resources/DoubleIt.wsdl#L89
, Metro transparently switches to container validation instead -- in my
case, the tomcat-users.xml file:
http://www.jroller.com/gmazza/entry/ssl_for_web_services#SSL5 .  The
validation appears to be the same validation done with SSL with basic
authentication, i.e., checking that the username and password exists within
the roles defined in the web.xml in the WAR hosting the web service.
  Having
not yet debugged the Metro source code, I'm not sure whether Metro is
hardcoded to be able to handle only GlassFish and Tomcat or can generically
do container validation with any servlet container (I would suspect the
latter), or what it would do for OSGi environments for that matter.

Is there a way to do this right now with CXF?  CXF raises "General security
error (WSSecurityEngine: No password callback supplied)" if I don't provide
a server-side password callback handler as here:

https://github.com/gmazza/blog-samples/blob/master/cxf_usernametoken_profile/war/src/main/webapp/WEB-INF/cxf-servlet.xml#L19
.
If not, I'm not sure if it's worth implementing--I guess it's a question of
how much additional benefit it would provide, the amount of effort it would
take to do so in a generic fashion, and risk of security vulnerabilities.

Regards,
Glen




--
View this message in context:
http://cxf.547215.n5.nabble.com/Container-validation-of-UsernameToken-passwords-tp5719516.html
Sent from the cxf-dev mailing list archive at Nabble.com.

Reply via email to