Sure thing. I'll hope to have it done in time for the next beta release.
I am not familiar w/ the WSS4J source-- so if you would, please comment
on my approach:
Add a constant to WSHandlerConstants for the password text identifier,
and then add support for processing the value in the classes that
operate on the properties when sending-- I am not planning on having to
effect anything related to receiving.
An user's client implementation (hacking WSDL2Java generated stubs)
would then look something like:
> snip <
_call.setClientHandlers(new WSDoAllSender(), null);
_call.setProperty(WSHandlerConstants.ACTION,
WSHandlerConstants.USERNAME_TOKEN);
_call.setProperty(UsernameToken.PASSWORD_TYPE, WSConstants.PW_TEXT);
//call.setProperty(UsernameToken.PASSWORD_TYPE,
WSConstants.PW_DIGEST);
_call.setProperty(WSHandlerConstants.USER, "username");
_call.setProperty(WSHandlerConstants.PASSWORD, "password");
_call.setProperty(WSHandlerConstants.MUST_UNDERSTAND, "false");
> snip <
Matt Pavlovich
Werner Dittmann wrote:
Matt,
because we are just preparing a Beta release can you provide
a patch / diff of the sorces about the changes or enhancements
you would like? Pls don't forget a testcase.
We can then check all the required modifiaction, e.g. if there
are sideeffects in terms of security or other topics.
Thanks.
Regards,
Werner
Matt Pavlovich schrieb:
Werner-
I understand the concept and how it makes for a clean model where the
client and server are virtually the same in implementation; however,
I think that having additional support for generating the client side
Usernametoken in a simple method will be a big win for developers who
are just trying to get the basic clients working quickly. Since
other implementations offer a similar approach, I think it makes
sense to provide the interface (in addition to what is in place now)
in order to attract people who may want to migrate from those platforms.
Matt Pavlovich
Dittmann Werner wrote:
Matt,
its just as simple as you wrote. Take a look at the
attached "meta java class" that uses the mechanisms
of callback in a very few lines of code by just
extending the WSClient class to implement an interface.
During develpoment we considered to have the password
as a Axis handler property (there is no other way for Axis
handler to simply "set a parameter"). This however works
for the client side only, a server side handler (receiver)
cannot do this because the server does not know the user
beforehand. To keep implementation the same for both
sides we then decided to go the callback way and to
provide a simple way to set the callback class as shown
in the code snippet.
As I noted as reply to the thread you mentioned: very often
it is not recognized that the handler part of WSS4J is
an Axis handler - to use this handler one should be
familiar with the techniques Axis uses to deal with handlers,
both in terms of static deployment and, if required,
for dynamic deployment.
Regards,
Werner
-----Urspr�ngliche Nachricht-----
Von: Matt Pavlovich [mailto:[EMAIL PROTECTED] Gesendet:
Dienstag, 24. Mai 2005 17:33
An: Dittmann Werner
Betreff: Re: AW: AW: AW: WSS4J
Dittmann Werner wrote:
Matt,
to which e-mail discussion do you refer? AFAIK there
was no discussion not to use a callback. Problem is that
WSS4J needs a somewhat clever way to retrieve a password.
Defining a password in deployment file seems not a good
idea because it is visible to everyone in cleartext.
Werner-
Please let me be clear that I am not criticising the WSS4J
development efforts, just making a suggestion. Hopefully with some
intelligence ;).
The thread seems to be going down the same road I am:
"Setting the username token dynamically at runtime"
If you take the example where the WS Client is just a conduit for
another application, the callback method seems to be overly complex
for the simple approach of using usernametoken and SSL for
transport. Take our example of a customer facing portal that uses
secure web service clients for accessing internal secured web
services.
1) Customer logs into portal
2) Customer credentials passed to WS client class
3) WS client inserts security token and attempts to invoke a secure WS
4) Result
The ability to add a few method calls to WSDL2Java generated WS
clients would make it easier for developers to implement secure WS
clients. .NET and Bea both support this type of approach. I
understand that Axis is a different implementation, but it seems
that if you are adding the username text, that you would be able to
add the password text at the same time. I do not know enough about
Axis internals to know if this is possible, but I imagine most
people will be using simple usernametokens for username and
password and SSL for transport security, as that has been the case
with most Internet services to date.
I just saw your post to the list and would like to clarify that I
am talking about just having a simple solution to adding a username
and password to a SOAP request without having to go through a
callback, or processing a descriptor file. I understand the
complications with sign/encrypt.
Please steer me in the right direction, or correct me if I have any
inaccurate points.
Thanks,
Matt Pavlovich
Using a callback you may simply return a password (this
does not enhance security very much),
you may dig into a DB
you may implement some user intercation
you may implement some intercation with a crypto-card
or any other way to get the password to sign/encrypt
Regards,
Werner
-----Urspr�ngliche Nachricht-----
Von: Matt Pavlovich [mailto:[EMAIL PROTECTED]
Gesendet: Dienstag, 24. Mai 2005 16:53
An: Dittmann Werner
Betreff: Re: AW: AW: WSS4J
Werner-
Is there a reason why the callback is the only supported
mechanism?
Peaking at the mailing list, it appears there are others that are
trying to do the same thing I am.
Thanks for all your help,
Matt Pavlovich
Dittmann Werner wrote:
Matt,
currently it is not possible to use WSS4J library code without
the callback. To simplify the whole thing you can also (similar
to other parameters) set it programatically.
I've copied part of your code snippet to give an idea how to do
it:
_call.setProperty(WSHandlerConstants.PASSWORD_TYPE,
WSConstants.PW_TEXT);
_call.setProperty(WSHandlerConstants.USER, "username");
_call.setProperty(WSHandlerConstants.ENC_CALLBACK_REF , this);
To use "this" you have to implement the callback interface.
BTW, your code snippet containes some errors. To control
the handler
you should use the constants defined by WSHandlerConstants, they
reflect the same parameters as in the WSDD deployment file.
Other constants, as WSConstants.PW_TEXT above, refelct requirements
for WSS itself (here you also used the wrong string, PW_TEXT
and PW_DIGEST are used to define which password type to use
as documented - pls refer to javadoc.
Regards,
Werner
-----Urspr�ngliche Nachricht-----
Von: Matt Pavlovich [mailto:[EMAIL PROTECTED]
Gesendet: Montag, 23. Mai 2005 23:10
An: Dittmann Werner
Betreff: Re: AW: WSS4J
Dittmann-
Thank you for the reply. After going through the WS some more,
I realized that there were a lot of structural problems
and
I had the
developer make those changes, so the error message I had
earlier does
not apply. We would like to implement a simple wrapper
class that
invokes the WS Client object (w/ WSS4J mods) and pass
username/password without using the callback model. Is this
possible?
The client code generated by WSDL2Java works fine without
WSS4J, but
fails with the WSS4J additions before the call is made to
the WS. I
have tried adding the WSS4J bits before and after the
setRequestHeaders() and setAttachments() calls without luck.
Below is the method snippet and Exception.
public com.broadwing.ordering.xml.OrderStatusResponse
getOrderStatus(com.broadwing.ordering.xml.OrderStatusRequest
orderStatusRequest) throws java.rmi.RemoteException {
if (super.cachedEndpoint == null) {
throw new org.apache.axis.NoEndPointException();
}
org.apache.axis.client.Call _call = createCall();
_call.setOperation(_operations[1]);
_call.setUseSOAPAction(true);
_call.setSOAPActionURI("http://www.openuri.org/getOrderStatus";);
_call.setEncodingStyle(null);
_call.setProperty(org.apache.axis.client.Call.SEND_TYPE_ATTR,
Boolean.FALSE);
_call.setProperty(org.apache.axis.AxisEngine.PROP_DOMULTIREFS,
Boolean.FALSE);
_call.setSOAPVersion(org.apache.axis.soap.SOAPConstants.SOAP11
_CONSTANTS);
_call.setOperationName(new
javax.xml.namespace.QName("http://broadwing.com/ordering/ws";,
"getOrderStatus"));
// Start WSS4J items.. before setRequestHeaders /
setAttachments
// _call.setProperty(UsernameToken.PASSWORD_TYPE,
WSConstants.PASSWORD_TEXT);
//_call.setProperty(WSHandlerConstants.USER, "username");
// _call.setProperty(WSConstants.PW_TEXT, "password");
// End WSS4J items
setRequestHeaders(_call);
setAttachments(_call);
// Start WSS4J items.. after setRequestHeaders /
setAttachments]
_call.setProperty(UsernameToken.PASSWORD_TYPE,
WSConstants.PASSWORD_TEXT);
_call.setProperty(WSHandlerConstants.USER, "username");
_call.setProperty(WSConstants.PW_TEXT, "password");
// End WSS4J items
try { java.lang.Object _resp = _call.invoke(new
java.lang.Object[] {orderStatusRequest});
if (_resp instanceof java.rmi.RemoteException) {
throw (java.rmi.RemoteException)_resp;
}
else {
extractAttachments(_call);
try {
return
(com.broadwing.ordering.xml.OrderStatusResponse) _resp;
} catch (java.lang.Exception _exception) {
return
(com.broadwing.ordering.xml.OrderStatusResponse)
org.apache.axis.utils.JavaUtils.convert(_resp,
com.broadwing.ordering.xml.OrderStatusResponse.class);
}
}
} catch (org.apache.axis.AxisFault axisFaultException) {
throw axisFaultException;
}
}
Exception
Exception in thread "main" AxisFault
faultCode:
{http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: java.lang.ClassCastException:
org.apache.axis.message.Text
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:java.lang.ClassCastE
xception:
org.apache.axis.message.Text
at org.apache.axis.message.SOAPFaultBuilder.onEndChild(SOAPFaultB
uilder.java:299)
at org.apache.axis.encoding.DeserializationContext.endElement(Des
erializationContext.java:1090)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.e
ndElement(AbstractSAXParser.java:633)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerIm
pl.scanEndElement(XMLNSDocumentScannerImpl.java:719)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentSca
nnerImpl$FragmentContentDispatcher.dispatch(XMLDocumentFragmen
tScannerImpl.java:1685)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentSca
nnerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:368)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.
parse(XML11Configuration.java:834)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.
parse(XML11Configuration.java:764)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XML
Parser.java:148)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.p
arse(AbstractSAXParser.java:1242)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:375)
at org.apache.axis.encoding.DeserializationContext.parse(Deserial
izationContext.java:227)
at
org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:696)
at org.apache.axis.Message.getSOAPEnvelope(Message.java:424)
at org.apache.axis.handlers.soap.MustUnderstandChecker.invoke(Mus
tUnderstandChecker.java:62)
at
org.apache.axis.client.AxisClient.invoke(AxisClient.java:206)
at org.apache.axis.client.Call.invokeEngine(Call.java:2765)
at org.apache.axis.client.Call.invoke(Call.java:2748)
at org.apache.axis.client.Call.invoke(Call.java:2424)
at org.apache.axis.client.Call.invoke(Call.java:2347)
at org.apache.axis.client.Call.invoke(Call.java:1804)
at com.broadwing.ordering.ws.OrderingServiceSoapStub.getOrderStat
us(OrderingServiceSoapStub.java:827)
at
com.broadwing.ordering.OrderingClient.main(OrderingClient.java:37)
{http://xml.apache.org/axis/}hostname:rival
java.lang.ClassCastException: org.apache.axis.message.Text
at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
at
org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:701)
at org.apache.axis.Message.getSOAPEnvelope(Message.java:424)
at org.apache.axis.handlers.soap.MustUnderstandChecker.invoke(Mus
tUnderstandChecker.java:62)
at
org.apache.axis.client.AxisClient.invoke(AxisClient.java:206)
at org.apache.axis.client.Call.invokeEngine(Call.java:2765)
at org.apache.axis.client.Call.invoke(Call.java:2748)
at org.apache.axis.client.Call.invoke(Call.java:2424)
at org.apache.axis.client.Call.invoke(Call.java:2347)
at org.apache.axis.client.Call.invoke(Call.java:1804)
at com.broadwing.ordering.ws.OrderingServiceSoapStub.getOrderStat
us(OrderingServiceSoapStub.java:827)
at
com.broadwing.ordering.OrderingClient.main(OrderingClient.java:37)
Caused by: java.lang.ClassCastException:
org.apache.axis.message.Text
at org.apache.axis.message.SOAPFaultBuilder.onEndChild(SOAPFaultB
uilder.java:299)
at org.apache.axis.encoding.DeserializationContext.endElement(Des
erializationContext.java:1090)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.e
ndElement(AbstractSAXParser.java:633)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerIm
pl.scanEndElement(XMLNSDocumentScannerImpl.java:719)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentSca
nnerImpl$FragmentContentDispatcher.dispatch(XMLDocumentFragmen
tScannerImpl.java:1685)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentSca
nnerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:368)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.
parse(XML11Configuration.java:834)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.
parse(XML11Configuration.java:764)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XML
Parser.java:148)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.p
arse(AbstractSAXParser.java:1242)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:375)
at org.apache.axis.encoding.DeserializationContext.parse(Deserial
izationContext.java:227)
at
org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:696)
... 10 more
Dittmann Werner wrote:
Matt,
usually Axis clients don't need to use a servlet engine.
Once upon a time :-) there were some references to the servlet
jar but IMO this is not longer the case.
I'm not the big specialist for Axis. However, looking at your
code snippet I miss where you initialize the generated stub.
Even if you do a partly dynamic setup of the call you need
to initialize the client stub. If you do a fully dynamic setup
(as I can see in your code snippet) you need to do _much_ more
setup to instruct Axis how to deal with all the parameters.
Te usual way to do an Axis/WSS standalone client is:
- generate all the necessary file, stubs with wsdl4java
(wsdl4java can also generate the Axis deployment file for
the client *.wsdd)
- then just write your client code that uses the stub
- after testing it withou security add the security measures.
This can be done by modifying the client's deployment file.
- pls be aware that all necessary jar files and other resource
files such as deployment files, callback classes (for the
password) are accessible via CLASSPATH.
Just have a look at the test/interop scenarios and the associated
files.
Regards,
Werner
-----Urspr�ngliche Nachricht-----
Von: Matt Pavlovich [mailto:[EMAIL PROTECTED]
Gesendet: Donnerstag, 12. Mai 2005 18:38
An: Dittmann Werner
Betreff: WSS4J
Werner-
I appologize for the ultimate in "top posting", but I am
having a heck of a time trying to get a simple stand-alone WS
client working w/ Axis and WSS4J. I have scoured the Net,
and posted to various mailing lists without success. All the
examples I have found are for apply WSSEC to code running in
a servlet container. Any assistance would
be greatly
appreciated.
I am trying to develop a very simple stand-alone WS client
that utilizes the most basic UsernameToken and clear text
password (security handled through SSL).
I generated a client stub from the WSDL using WSDL2Java, then
attempted to apply WSS4J modifications to the client stubs
without success.
In the *SoapStub.java class:
method {
snip <
org.apache.axis.client.Call _call = createCall();
snip <
// Begin WSS4J stuff
_call.setProperty(UsernameToken.PASSWORD_TYPE,
WSConstants.PASSWORD_TEXT);
_call.setProperty(WSHandlerConstants.USER, "[EMAIL PROTECTED]");
_call.setProperty(WSConstants.PW_TEXT, "orders");
// End WSS4J
_call.setSOAPVersion(org.apache.axis.soap.SOAPConstants.SOAP11
_CONSTANTS);
_call.setOperationName(new
javax.xml.namespace.QName("http://www.openuri.org/";,
"getOrderStatus"));
setRequestHeaders(_call);
setAttachments(_call);
snip <
}
Error message:
Exception in thread "main" AxisFault
faultCode:
{http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: java.lang.ClassCastException:
org.apache.axis.message.Text
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:java.lang.ClassCastE
xception:
org.apache.axis.message.Text
at
org.apache.axis.message.SOAPFaultBuilder.onEndChild(SOAPFaultB
uilder.java:299)
at
org.apache.axis.encoding.DeserializationContext.endElement(Des
erializationContext.java:1090)
at
org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown
Source)
at
org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanEndElement
(Unknown Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$Fragment
ContentDispatcher.dispatch(Unknown Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocu
ment(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unkno
wn Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unkno
wn Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknow
n Source)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:375)
at
org.apache.axis.encoding.DeserializationContext.parse(Deserial
izationContext.java:227)
at
org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:696)
at org.apache.axis.Message.getSOAPEnvelope(Message.java:424)
at
org.apache.axis.handlers.soap.MustUnderstandChecker.invoke(Mus
tUnderstandChecker.java:62)
at
org.apache.axis.client.AxisClient.invoke(AxisClient.java:206)
at org.apache.axis.client.Call.invokeEngine(Call.java:2765)
at org.apache.axis.client.Call.invoke(Call.java:2748)
at org.apache.axis.client.Call.invoke(Call.java:2424)
at org.apache.axis.client.Call.invoke(Call.java:2347)
at org.apache.axis.client.Call.invoke(Call.java:1804)
at
org.openuri.www.ProcessSoapStub.getOrderStatus(ProcessSoapStub
.java:800)
at org.openuri.www.ProcessClient.main(ProcessClient.java:49)
{http://xml.apache.org/axis/}hostname:rival
java.lang.ClassCastException: org.apache.axis.message.Text
at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
at
org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:701)
at org.apache.axis.Message.getSOAPEnvelope(Message.java:424)
at
org.apache.axis.handlers.soap.MustUnderstandChecker.invoke(Mus
tUnderstandChecker.java:62)
at
org.apache.axis.client.AxisClient.invoke(AxisClient.java:206)
at org.apache.axis.client.Call.invokeEngine(Call.java:2765)
at org.apache.axis.client.Call.invoke(Call.java:2748)
at org.apache.axis.client.Call.invoke(Call.java:2424)
at org.apache.axis.client.Call.invoke(Call.java:2347)
at org.apache.axis.client.Call.invoke(Call.java:1804)
at
org.openuri.www.ProcessSoapStub.getOrderStatus(ProcessSoapStub
.java:800)
at org.openuri.www.ProcessClient.main(ProcessClient.java:49)
Caused by: java.lang.ClassCastException:
org.apache.axis.message.Text
at
org.apache.axis.message.SOAPFaultBuilder.onEndChild(SOAPFaultB
uilder.java:299)
at
org.apache.axis.encoding.DeserializationContext.endElement(Des
erializationContext.java:1090)
at
org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown
Source)
at
org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanEndElement
(Unknown Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$Fragment
ContentDispatcher.dispatch(Unknown Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocu
ment(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unkno
wn Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unkno
wn Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknow
n Source)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:375)
at
org.apache.axis.encoding.DeserializationContext.parse(Deserial
izationContext.java:227)
at
org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:696)
... 10 more
