Well, to answer my own question for the sake of getting it into the archives.
I still haven't found a way to do "UsernameToken Signature" in the same
action line - only a single user is allowed to be specified.
However, I got around the problem by "decorating" the properties that
go in the second set of actions with the string "1" at the end:
options.put("cyrpto_props", cryptoProvider);
options.put("cyrpto_props1", cryptoProvider);
options.put(WSHandlerConstants.PW_CALLBACK_REF, myCallback);
options.put(WSHandlerConstants.PW_CALLBACK_REF + "1", myCallback);
Why? Because WSS4J uses recursion to handle multiple outflow securities
and because all the security parameters are communicated via the
properties of the message context (which is only plain <name, value>
pairs).
And so to support it, all "recursed" outflow security structures are
"flattened" by adding a digit to the name of the parameter.
However, when "global" parameters are requested (ones that are not
specific to the currently processed outflow security) they still
use the helper getters that decorate the param names. And so both
the crypto_props and the callback handler names need to be hacked
in order for WSS4J to find them.
Now the question to the WSS4J developers is:
Do you need a JIRA for this, and would that affect the Policy-based
configuration?
Best Regards,
George
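The flattening described above, modelled as an added Java helper (not WSS4J or Rampart code): it registers each "global" parameter under every action set's decorated name and reports which decorated names a handler would fail to find. `decorated`, `registerGlobals` and `missing` are assumed names; the scheme (bare name for set 0, name + n for set n) is taken from the reply, and the callback handler is a constructed stand-in.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.callback.CallbackHandler;
import org.apache.ws.security.handler.WSHandlerConstants;

// Added helper, not WSS4J or Rampart code. Assumes the flattening scheme the thread
// describes: action set 0 reads the bare parameter name, action set n (n >= 1) reads
// name + n, and "global" parameters go through the same decorated getter.
public final class OutflowOptionDecorator {
    // Name a decorated getter would look up for action set `index`.
    static String decorated(String name, int index) {
        return index == 0 ? name : name + index;
    }
    // Registers every global parameter under each action set's decorated name.
    static void registerGlobals(Map<String, Object> options, int sets, Map<String, Object> globals) {
        for (Map.Entry<String, Object> g : globals.entrySet()) {
            for (int i = 0; i < sets; i++) {
                options.put(decorated(g.getKey(), i), g.getValue());
            }
        }
    }
    // Decorated names absent from the context; each is a lookup that would fail the
    // way the signature handler's "cannot find crypto_props" did in the thread.
    static List<String> missing(Map<String, Object> options, int sets, Iterable<String> names) {
        List<String> absent = new ArrayList<>();
        for (String name : names) {
            for (int i = 0; i < sets; i++) {
                if (!options.containsKey(decorated(name, i))) absent.add(decorated(name, i));
            }
        }
        return absent;
    }
    public static void main(String[] args) {
        Properties cryptoProvider = new Properties();          // as in the post
        cryptoProvider.setProperty("org.apache.ws.security.crypto.provider",
                "org.apache.ws.security.components.crypto.Merlin");
        CallbackHandler myCallback = callbacks -> { };         // constructed stand-in
        Map<String, Object> globals = new LinkedHashMap<>();
        globals.put("cyrpto_props", cryptoProvider);
        globals.put(WSHandlerConstants.PW_CALLBACK_REF, myCallback);
        Map<String, Object> options = new LinkedHashMap<>(globals);   // bare keys only
        System.out.println("missing before: " + missing(options, 2, globals.keySet()));
        registerGlobals(options, 2, globals);                  // adds the "1" copies
        System.out.println("missing after:  " + missing(options, 2, globals.keySet()));
    }
}
```

The first report lists the "1"-suffixed names that the original two-action configuration never set; after registration the list is empty.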
-----Original Message-----
From: George Stanchev [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 29, 2007 10:21 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: username token with different signature user using deprecated
configuration structures
Hi,
I am trying to create a message with "Timestamp UsernameToken Signature"
actions using the old deprecated InflowConfiguration() and
OutflowConfiguration() settings (please, no "switch to policy-based
config" suggestions) and I am having a little trouble making it work
when the subject in the wsse:UsernameToken needs to be different from
the one signing the message.
Here is what I do:
OutflowConfiguration ofc = new OutflowConfiguration(2);
// action set [0]: timestamp plus username token for "joeshmoe"
ofc.setActionItems("Timestamp UsernameToken");
ofc.setUser("joeshmoe");
ofc.setPasswordType(WSConstants.PW_TEXT);
myCallback.setUTUsername("joeschmoe");
myCallback.setUTPassword("joeschmoe's secret");
// action set [1]: signature with a different user
ofc.nextAction();
ofc.setUser("signature-joeshmoe");
ofc.setSignaturePropRefId("cyrpto_props");
ofc.setSignatureKeyIdentifier("DirectReference");
ofc.setOptimizeParts(...blah-blah...);
myCallback.setKeystorePassword("secret");
myCallback.setSignatureKeyAlias("joeshmoes-key-alias");
ofc.previousAction(); // to reset to the action list [0]
Properties cryptoProvider = new Properties();
cryptoProvider.setProperty("org.apache.ws.security.crypto.provider",
    "org.apache.ws.security.components.crypto.Merlin");
cryptoProvider.setProperty("org.apache.ws.security.crypto.merlin.file",
    "c:/keystore.jks");
cryptoProvider.setProperty("org.apache.ws.security.crypto.merlin.keystore.type",
    "JKS");
cryptoProvider.setProperty("org.apache.ws.security.crypto.merlin.keystore.password",
    "secret");
options.put("cyrpto_props", cryptoProvider);
options.put(WSHandlerConstants.PW_CALLBACK_REF, myCallback);
// invoke
// invoke
However, when I have two action entries, the signature handler from
within wss4j complains that it cannot find the crypto_props.
That works fine if I have 1 action entry (say "Timestamp UsernameToken
Signature").
Any ideas what I need to do to pass the crypto provider to the
signature handler?
I am using Rampart 1.2 btw...
Thanks in advance!
George
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]