First, thank you robert for everything; you really help me a lot and I want to
apologise for taking your time.
2. I finally decided to try this:
if (pwcb.getPassword() == null)
{
    try {
        throw new Exception("getPassword is null" + pwcb.getPassword());
    } catch (Exception e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
}
and so that is the problem - as I said, I extract the password and salt stored
in the database with no problem, but what may be the reason for
pwcb.getPassword() to be empty?
Thank you very much in advance, robert
________________________________
From: robert lazarski <[email protected]>
To: [email protected]; Tania Marinova <[email protected]>
Sent: Wednesday, May 8, 2013 2:44 PM
Subject: Re: org.apache.axis2.AxisFault: The security token could not be authenticated or authorized
On Wed, May 8, 2013 at 8:34 AM, Tania Marinova <[email protected]> wrote:
> yes, the null pointer exception is in these rows
>
> if ((pwcb.getIdentifier().equals("bob")) &&
>     (passwordforchecking.equals(pasandsalt[0])))
>
> and
>
> passwordforchecking =
>     hash(pwcb.getPassword(), Base64.decodeBase64(pasandsalt[1]));
>
> But the problem that drives me really mad is that I'm sure that I extract
> the password and salt from the database, because I have tested
> getdataforchecking in a Java application and everything is fine.
> So I really don't know what to do.
>
> and I should only use eclipse and axis2
>
> -----------------------------------
> I've made some changes to my Passwordcallback class, so here is my code again
>
> public void handle(Callback[] callbacks) throws IOException,
>         UnsupportedCallbackException
> {
>     for (int i = 0; i < callbacks.length; i++)
>     {
>         WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
>         try {
>             pasandsalt = getdataforChecking();
>         } catch (ClassNotFoundException e1) {
>             // TODO Auto-generated catch block
>             e1.printStackTrace();
>         }
>
>         try {
>             passwordforchecking =
>                 hash(pwcb.getPassword(), Base64.decodeBase64(pasandsalt[1]));
>         } catch (Exception e) {
>             // TODO Auto-generated catch block
>             e.printStackTrace();
>         }
>
>         if ((pwcb.getIdentifier().equals("bob")) &&
>             (passwordforchecking.equals(pasandsalt[0])))
>         {
>             return;
>         }
>     }
> }
>
> private static String hash(String password, byte[] salt) throws Exception
> {
>     SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
>     KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 65536, 256);
>     return Base64.encodeBase64String(f.generateSecret(spec).getEncoded());
> }
As I mentioned, you are doing this the hard way. And having the salt as
a db column makes a hacker's job significantly easier, as they can use it
with a rainbow table. Anyways, you need to test for null like so:
private static String hash(String password, byte[] salt) throws Exception
{
    if (salt == null) {
        throw new Exception("salt is null");
    }
    SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
    if (f == null) {
        throw new Exception("instance of SecretKeyFactory is null");
    }
    if (password == null || password.toCharArray() == null) {
        throw new Exception("password is null");
    }
    KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 65536, 256);
    if (spec == null) {
        throw new Exception("KeySpec is null");
    }
    // derive once and reuse the bytes instead of running PBKDF2 twice
    byte[] encoded = f.generateSecret(spec).getEncoded();
    if (encoded == null) {
        throw new Exception("encoding is null");
    }
    System.out.println("returning with encoded String");
    return Base64.encodeBase64String(encoded);
}
- R
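A standalone version of the password check discussed in this thread, added here as an example (it is not code from either poster): it keeps the thread's PBKDF2WithHmacSHA1 / 65536 iterations / 256-bit parameters, but a null candidate password becomes a plain reject instead of a NullPointerException inside hash(), and the stored hash is compared with MessageDigest.isEqual rather than String.equals. It uses java.util.Base64 in place of commons-codec, and the salt and password below are constructed sample values, not real data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordVerifier {
    // Same PBKDF2 parameters as the hash() method in the thread.
    private static final String ALGORITHM = "PBKDF2WithHmacSHA1";
    private static final int ITERATIONS = 65536;
    private static final int KEY_BITS = 256;

    /** Derives the PBKDF2 output; rejects null input up front instead of failing deep inside. */
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        if (password == null || salt == null) {
            throw new IllegalArgumentException("password and salt must not be null");
        }
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
    }

    /** True only if the candidate reproduces the stored hash; a null candidate is simply a failed login. */
    static boolean verify(String candidate, String storedHashB64, String saltB64) throws Exception {
        if (candidate == null || storedHashB64 == null || saltB64 == null) {
            return false; // the case that produced the NullPointerException in the thread
        }
        byte[] expected = Base64.getDecoder().decode(storedHashB64);
        byte[] actual = derive(candidate.toCharArray(), Base64.getDecoder().decode(saltB64));
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // Constructed "database row". A real salt is random per user; it is fixed here so the run is repeatable.
        byte[] salt = "constructed-16B!".getBytes(StandardCharsets.US_ASCII);
        String saltB64 = Base64.getEncoder().encodeToString(salt);
        String storedHash = Base64.getEncoder().encodeToString(derive("secret".toCharArray(), salt));

        if (!verify("secret", storedHash, saltB64)) throw new AssertionError("correct password must verify");
        if (verify("Secret", storedHash, saltB64)) throw new AssertionError("wrong password must be rejected");
        if (verify(null, storedHash, saltB64)) throw new AssertionError("null password must be rejected, not crash");
        System.out.println("all checks passed");
    }
}
```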
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]