Hi,

I am not a security specialist and I picked up this ws security handling
from the rampart tutorials and samples I went through.  So from what I
understand...

- In the client side handler you could set the passwords for various client
identities.
- On the server side this is the handler that you use to retrieve the
passwords from the handler on one side and then prob. from some user
registry and do a comparison.  If the passwords match you return otherwise
you throw an exception from the handler.

Here is a snippet that I picked up for this from the rampart samples for a
typical server side handler.  Not that this method has to be precisely this
way, it is more to give you an idea of what typically goes on in the server
side handler.

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCBHandler implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {

            // When the server side needs to authenticate the user
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                // Plain-text check against the sample's hard-coded credentials
                if (pwcb.getIdentifer().equals("alice")
                        && pwcb.getPassword().equals("bobPW")) {
                    return;
                } else {
                    throw new UnsupportedCallbackException(callbacks[i],
                            "check failed");
                }
            }

            // When the client requests the password to be added to the
            // UT element
            pwcb.setPassword("bobPW");
        }
    }
}

Hope this helps.  Let me know if you still have trouble getting things in
place and I'd be happy to help you further.

Thanks

- Venkat









On 10/15/07, Dietrich, Björn <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
>
> I tried to understand the helloworld-ws-reference-secure and
> helloworld-ws-service-secure example, provided with the SCA Version 1.0.
>
> In the definitions.xml there are Policies defined for security. I think the
> Username is provided directly in this Policy-file.
> For both client and service, callback classes to determine the password are
> defined.
>
> <passwordCallbackClass>helloworld.ClientPWCBHandler</passwordCallbackClass>
>
> <passwordCallbackClass>helloworld.ServerPWCBHandler</passwordCallbackClass>
>
> The implementations of server callback and client callback are
> identical. So I suppose that the tuscany runtime calls these callbacks to
> get the password from client and server-side and compares them.
>
> public void handle(Callback[] callbacks) throws IOException,
>         UnsupportedCallbackException {
>     for (int i = 0; i < callbacks.length; i++) {
>         System.out.println("*** Calling Client UserId/Password Handler .... ");
>         WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
>         //System.out.println( pwcb.getPassword());
>         pwcb.setPassword("TuscanyWsUserPasswd");
>         //System.out.println( pwcb.getPassword());
>     }
> }
>
> Now I changed the password on client-side to
>
> pwcb.setPassword("123");
>
> I expected that the call of the WS would fail, but to my surprise I could
> still call the Service.
>
> I want to implement a gui on client side where the user has to enter user
> and password. On server side I want to check these user/password against
> some configuration-file.
>
> I suppose that one can implement the username also as callback, but I did
> not find any documentation on that.
>
> I want to services in tuscany-java which use security and are
> conversation-based.  Is there documentation on how to implement these
> policies with tuscany?
>
> From my understanding the <tuscany:wsConfigParam> section is specific to
> Tuscany. What subnodes are allowed inside this section?
>
>
>
> thanks for your help
>
>
>
> Björn Dietrich
>
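
As an added example (not code from this thread or from the Rampart or Tuscany samples), here is a server-side handler that checks the received user name and password against a configuration file, as the original question asks for. The class name and the `users.properties` resource are hypothetical; it assumes WSS4J 1.5.x behaviour, where a plain-text token arrives as `USERNAME_TOKEN_UNKNOWN` and the handler must do the comparison itself, while for a digest token the handler only supplies the stored password.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Added example. "users.properties" is a hypothetical classpath resource
// holding constructed entries such as:  alice=constructedPW
public class FileBackedServerPWCBHandler implements CallbackHandler {
    private final Properties users = new Properties();

    public FileBackedServerPWCBHandler() throws IOException {
        try (InputStream in = getClass().getResourceAsStream("/users.properties")) {
            if (in == null) throw new IOException("users.properties not found");
            users.load(in);
        }
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unexpected callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            String id = pwcb.getIdentifer();
            String expected = (id == null) ? null : users.getProperty(id);
            if (expected == null) throw new UnsupportedCallbackException(cb, "check failed");
            if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                // Plain-text token: the received password is in the callback;
                // compare it in constant time and reject by throwing.
                String got = pwcb.getPassword() == null ? "" : pwcb.getPassword();
                if (!MessageDigest.isEqual(got.getBytes(StandardCharsets.UTF_8),
                        expected.getBytes(StandardCharsets.UTF_8))) {
                    throw new UnsupportedCallbackException(cb, "check failed");
                }
            } else if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
                // Digest token: hand back the stored password; WSS4J
                // recomputes the digest and compares it itself.
                pwcb.setPassword(expected);
            } else {
                throw new UnsupportedCallbackException(cb, "unsupported usage");
            }
        }
    }
}
```

Under the same assumption, a server handler that only calls `setPassword()` for every callback and never compares anything accepts any plain-text password.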
