Hi,

 

I'm trying to do the simplest security implementation before trying
anything more complex. I have a web service written in java and I'm
trying to implement security with wss4j.  I have a .NET client and I'm
using WSE 3.0 to securely connect to my java web service.  So I'm
testing with a hard-coded userid and password (for now), using Username
tokens and sending plain text (and not even over SSL).  Testing with a
java client, everything works fine!  Testing with the .NET client, wss4j
accepts any password and any userid (as long as my callback method does
not throw an exception).  (So I added a "throw exception" if the userid
was not found and that works to fail the userid.)  But I can't really
get wss4j to validate the password when the request is coming from
.net/wse.  Any ideas?  Code details below. 

 

For wss4j, my server-config.wsdd file contains this:  (NOTE: it throws
an exception without the Timestamp)

 

   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="passwordCallbackClass" value="PWCallback"/>
    <parameter name="action" value="UsernameToken Timestamp"/>
    <!-- NOTE: add Timestamp to be compatible with WSE on the .net side -->
   </handler>

 

My callback class is very basic:

 

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class PWCallback implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

                // getIdentifer() is the spelling of the wss4j 1.x API
                if ("wss4j".equals(pc.getIdentifer())) {
                    // hard-coded test credential: wss4j / security
                    pc.setPassword("security");
                } else {
                    // doing this actually shows up as
                    // "Callback supplied no password for: wss4j"
                    throw new UnsupportedCallbackException(callbacks[i],
                            "Unrecognized Callback");
                }
            } else {
                throw new UnsupportedCallbackException(callbacks[i],
                        "Unrecognized Callback");
            }
        }
    }
}

 

In .NET, I added the reference to Microsoft.Web.Services3 and went
through the WSE Settings 3.0 wizard: checked Enable this project for Web
Services Enhancements, checked Enable Policy and added the
usernameTokenSecurity policy, and left everything else as defaults.
Thus, my wse3policyCache.config looks like this:

 

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameOverTransportSecurity"
type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364" />
    <extension name="requireActionHeader"
type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364" />
  </extensions>
  <policy name="usernameTokenSecurity">
    <usernameOverTransportSecurity />
    <requireActionHeader />
  </policy>
</policies>

 

Then refreshing my Web Reference gives me the WSE version of my web
service proxy.  And the calling code looks like this:

 

using System;
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

  // SendPlainText puts the password on the wire as wsse:PasswordText
  UsernameToken token = new UsernameToken("wss4j", "security",
      PasswordOption.SendPlainText);
  wsProxy = new myJavaWebServiceWse();
  wsProxy.SetClientCredential(token);
  wsProxy.SetPolicy("usernameTokenSecurity");
  String strXML = wsProxy.getTest();

Again with the .net/wse client, wss4j seems to allow any password and an
extra "throw exception" is needed to truly validate the userid.  This is
not the case with my java client; it works fine.  I have not been able
to google anything on this.

 

Thanks, Dao
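A worked example, added here and not part of Dao's message or of wss4j itself: a callback handler that covers both UsernameToken password types a wss4j 1.x receiver can hand it, the digest case (where the handler only supplies the stored password) and the plain-text case (where, per the WSPasswordCallback javadoc for that usage, the received password is set on the callback and the handler itself has to compare and throw). It assumes the wss4j 1.x WSPasswordCallback API (getUsage(), getIdentifer(), getPassword(), the USERNAME_TOKEN and USERNAME_TOKEN_UNKNOWN usage codes); the class name and the credential map are constructed for the example.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

// Added example, not the poster's PWCallback: handles both password types.
public class VerifyingPWCallback implements CallbackHandler {

    // Constructed credential store for the example; a real deployment
    // would look users up in a directory or database.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("wss4j", "security");
    }

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            String expected = USERS.get(pc.getIdentifer());
            if (expected == null) {
                // unknown user: supply no password, so wss4j rejects the token
                throw new UnsupportedCallbackException(callbacks[i], "Unknown user");
            }
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // PasswordDigest: return the stored password; wss4j recomputes
                    // the digest over nonce + created + password and compares.
                    pc.setPassword(expected);
                    break;
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // PasswordText (what WSE sends with SendPlainText): wss4j 1.x
                    // sets the received password on the callback and leaves the
                    // comparison to the handler. Only calling setPassword here
                    // would accept every password, so compare and throw.
                    if (!expected.equals(pc.getPassword())) {
                        throw new UnsupportedCallbackException(callbacks[i], "Bad password");
                    }
                    break;
                default:
                    throw new UnsupportedCallbackException(callbacks[i], "Unexpected usage");
            }
        }
    }
}
```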

 

