I am trying to secure a CXF endpoint with JAAS, but am hitting an issue / not
fully understanding how to get the PasswordDigest working. I have the
solution working when the password type is PasswordText. So I've created a
new realm, which points to a file as per below:
<jaas:config name="webservices" rank="-1">
    <jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule" flags="required">
        users = $[karaf.base]/etc/com.garethahealy.webservices.cfg
        encryption.enabled = true
        encryption.name = jasypt
        encryption.prefix = ENC(
        encryption.suffix = )
        detailed.login.exception = true
        debug = true
    </jaas:module>
</jaas:config>
The contents of the file on first run is 'user.gareth=healy', which is then
re-written after the first call to be ENC(hashed value), which seems
correct. Below is the WSS4J / JAAS / CXF setup:
<bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
    <property name="contextName" value="webservices"/>
    <property name="reportFault" value="true"/>
</bean>

<bean id="wss4jInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <argument>
        <map>
            <entry key="action" value="UsernameToken Timestamp" />
            <entry key="passwordType" value="PasswordDigest" /> <!-- PasswordText / PasswordDigest -->
        </map>
    </argument>
</bean>

<cxf:cxfEndpoint id="helloWorldCxf"
                 address="${cxf.helloworld.transport}://0.0.0.0:${cxf.helloworld.port}/cxf/helloWorldService"
                 serviceClass="com.garethahealy.helloworld.HelloWorldEndpoint">
    <cxf:inInterceptors>
        <ref component-id="wss4jInInterceptor" />
        <ref component-id="authenticationInterceptor" />
    </cxf:inInterceptors>
    <cxf:properties>
        <entry key="schema-validation-enabled" value="${schema.validation.enabled}" />
        <entry key="loggingFeatureEnabled" value="${logging.isCxfDebug}" />
        <entry key="ws-security.validate.token" value="false"/>
    </cxf:properties>
</cxf:cxfEndpoint>
Below is the request when sending PasswordDigest:
Address: http://0.0.0.0:9001/cxf/helloWorldService
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml;charset=UTF-8
Headers: {accept-encoding=[gzip,deflate], connection=[keep-alive], Content-Length=[1242], content-type=[text/xml;charset=UTF-8], Host=[0.0.0.0:9001], SOAPAction=["http://helloworld.garethahealy.com/SayHello"], User-Agent=[Apache-HttpClient/4.1.1 (java 1.5)]}
Payload:
<soapenv:Envelope xmlns:hel="http://helloworld.garethahealy.com" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                   soapenv:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-85795D5F327115C93A141467959615289">
        <wsu:Created>2014-10-30T14:33:16Z</wsu:Created>
        <wsu:Expires>2014-10-30T14:33:17Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="UsernameToken-85795D5F327115C93A141467959615188">
        <wsse:Username>user.gareth</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">y2rUhVaSPSYGGJxx5vz/gAe8Kxo=</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">AsgNPh2VykCuQ0CN4EvRPw==</wsse:Nonce>
        <wsu:Created>2014-10-30T14:33:16.151Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <hel:helloWorldRequest><hello>gareth</hello></hel:helloWorldRequest>
  </soapenv:Body>
</soapenv:Envelope>
Which fails on the password match with: Unauthorized : Password for
user.gareth does not match. Any pointers to what I am doing wrong would be
helpful. This is running on JBoss Fuse 6.1 - redhat379 and I am sending the
request from SoapUI 5.
--
View this message in context:
http://camel.465427.n5.nabble.com/CXF-with-WS-Security-using-JAAS-tp5758345.html
Sent from the Camel - Users mailing list archive at Nabble.com.
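An added example (my own Python, not code from the post, CXF or WSS4J) of what both sides compute for a PasswordDigest UsernameToken per the WS-Security UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)). The verifier recomputes that digest, so it must hold the plaintext password; it also refuses a Created value outside a time window and a nonce it has already accepted, which is what protects a digest token against replay. The user name, password and the dict standing in for the realm's password store are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def make_token(username: str, password: str, now: datetime = None) -> dict:
    """Client side: the UsernameToken fields a client such as SoapUI puts on the wire."""
    now = now or datetime.now(timezone.utc)
    nonce = secrets.token_bytes(16)  # fresh random nonce for every request
    created = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "Password": password_digest(nonce, created, password),
    }

class DigestVerifier:
    """Server side. Recomputing the digest needs the plaintext password: a store that
    only keeps a one-way hash of it can never rebuild the same SHA-1 input."""
    def __init__(self, plaintext_passwords: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.passwords = plaintext_passwords  # constructed stand-in for the JAAS realm
        self.max_skew = max_skew
        self.seen = set()  # (username, nonce) pairs already accepted, to refuse replays

    def verify(self, token: dict, now: datetime = None) -> bool:
        now = now or datetime.now(timezone.utc)
        password = self.passwords.get(token["Username"])
        if password is None:
            return False
        created = datetime.strptime(token["Created"], "%Y-%m-%dT%H:%M:%S.%fZ")
        if abs(now - created.replace(tzinfo=timezone.utc)) > self.max_skew:
            return False  # Created is stale or in the future
        key = (token["Username"], token["Nonce"])
        if key in self.seen:
            return False  # nonce reused: replayed token
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["Password"]):
            return False  # wrong password, or the client built the digest input differently
        self.seen.add(key)
        return True
```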