Regarding the Password Callback Class, I was wondering if anyone had a diagram of how this class fits into the greater scheme. For instance, where does it come into play starting from the client request until the response is received? I guess I'm looking for a more detailed explanation of the role of the password callback class. Are there any books on this subject?
Thanks

-----Original Message-----
From: Sanjay Vivek [mailto:[EMAIL PROTECTED]
Sent: Mon 6/30/2008 9:56 PM
To: [email protected]
Subject: RE: Apache Rampart

Hi Roxanne,

The tutorial at [1] provides a very good introduction to implementing Rampart enabled Web Services. You're well on your way to implementing Rampart enabled WS if you walk through the tutorial.

Policy.xml merely describes the security policy of the service. It tells the client how to invoke the service and the various security requirements of the service.

Rampart uses a password callback class to authenticate username tokens (i.e. a username/password combo). On the service side, the service expects the username/password to be sent as input and validates accordingly. A code snippet is given below:

    if (callbacks[i] instanceof WSPasswordCallback) {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
        logInfo(pc);

        // We are doing authentication only, so the usage code must
        // match the WSPasswordCallback.USERNAME_TOKEN_UNKNOWN value
        // i.e. "5"
        if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
            throw new UnsupportedCallbackException(callbacks[i],
                "Usage code was not USERNAME_TOKEN_UNKNOWN - value was " + pc.getUsage());
        }

        // Get the username and password that were sent
        String username = pc.getIdentifer();
        String password = pc.getPassword();

        // Now pass them to your authentication mechanism
        authenticate(username, password); // throws WSSecurityException.FAILED_AUTHENTICATION on failure
    } else {
        throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
    }

On the client side, the client makes the request and as such, needs the callback class to find and "fill" in the password. A code snippet is given below:

    if (callbacks[i] instanceof WSPasswordCallback) {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
        logInfo(pc);

        // We need the password to fill in, so the usage code must
        // match the WSPasswordCallback.USERNAME_TOKEN value
        // i.e. "2"
        if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
            throw new UnsupportedCallbackException(callbacks[i],
                "Usage code was not USERNAME_TOKEN - value was " + pc.getUsage());
        }

        // Get the username that was sent
        String username = pc.getIdentifer();

        // Now find the password from the user store, and set it
        String password = findPassword(username);
        pc.setPassword(password);
    } else {
        throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
    }

You will have to implement the authentication mechanism yourself. Hope this helps.

[1] - http://wso2.org/library/3190

Cheers
Sanjay

>-----Original Message-----
>From: Roxanne Yee [mailto:[EMAIL PROTECTED]
>Sent: 01 July 2008 02:22
>To: [email protected]
>Subject: FW: Apache Rampart
>Importance: High
>
>To Whom It May Concern,
>
> Hello, I'm completely new to Apache and Web Services in
>general and I'm trying to implement WS-Security, using Axis2
>in Tomcat as the server side and soapUI as the client side.
>It seems that Apache Rampart can accomplish this task.
>However, I am very unfamiliar with all the steps and
>parameters needed for Rampart to function as I would like. Is
>it possible to ask for a detailed walkthrough on exactly what
>each parameter in the 'action'
> element does?
>
> I know that there is a table with a brief description of the
>parameters and an example, but I find the information given a
>bit too terse and I don't understand what is needed, what's a
>variable, what's a keyword, etc.
>
> Thank you.

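An added example, not part of the original thread and not Rampart's own code: a complete service-side handler that goes beyond the service-side snippet above by also handling digest-type tokens, where the handler supplies the stored password and WSS4J does the comparison. It assumes the WSS4J 1.5.x API (WSSecurityException is an IOException subclass there, and the accessor is spelled getIdentifer()); the class name, the in-memory USERS store and the sample credential are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;

// Hypothetical service-side handler (assumes WSS4J 1.5.x); not the project's own code.
public class ServicePasswordCallbackHandler implements CallbackHandler {
    // Constructed sample store; a real service would query its own credential store.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static { USERS.put("alice", "constructed-sample-password"); }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            String expected = USERS.get(pc.getIdentifer()); // null for an unknown user
            switch (pc.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                // Plaintext token: the handler performs the comparison itself.
                if (expected == null || !sameBytes(expected, pc.getPassword())) {
                    throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
                }
                break;
            case WSPasswordCallback.USERNAME_TOKEN:
                // Digest token: hand back the stored password; WSS4J recomputes the digest.
                if (expected == null) {
                    throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
                }
                pc.setPassword(expected);
                break;
            default:
                throw new UnsupportedCallbackException(callbacks[i], "Unexpected usage code " + pc.getUsage());
            }
        }
    }

    // Compare whole byte arrays rather than stopping at the first differing character.
    private static boolean sameBytes(String a, String b) {
        return b != null && MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Unknown users and wrong passwords fail with the same FAILED_AUTHENTICATION fault, so the response does not reveal which usernames exist.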