[
https://issues.apache.org/jira/browse/WSS-131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12609786#action_12609786
]
Lisa Penninger commented on WSS-131:
------------------------------------
Hey, Fred, thanks for looking at this. This is purely an issue with WSS4J
APIs. I'll leave it up to you guys to pick the component -- core just seemed
the most likely candidate to my unfamiliar eye. So here's more detail:

In the WSS schema, we have the following definition for SecurityHeader:

    <xsd:complexType name="SecurityHeaderType">
      <xsd:annotation>
        <xsd:documentation>This complexType defines header block to use for
        security-relevant data directed at a specific SOAP actor.</xsd:documentation>
      </xsd:annotation>
      <xsd:sequence>
        <xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded">
          <xsd:annotation>
            <xsd:documentation>The use of "any" is to allow extensibility and
            different forms of security data.</xsd:documentation>
          </xsd:annotation>
        </xsd:any>
      </xsd:sequence>
      <xsd:anyAttribute namespace="##other" processContents="lax"/>
    </xsd:complexType>

Note the annotation inside the sequence. The same language is in the spec,
very bottom of page 16. The way I understand it, I should be able to define my
own custom security data as follows:

    <!-- Define a new token type for the security header -->
    <xs:complexType name="OrganizationToken">
      <xs:sequence>
        <xs:element name="organizationName" type="wsse:AttributedString"/>
      </xs:sequence>
      <xs:attribute ref="wsu:Id"/>
    </xs:complexType>

and then, in the client Java code, add my OrganizationToken to the
SecurityHeader. The way we've done our (vanilla) security header so far is to
use an interceptor to add the security header to all the requests, and this is
working:

    Map<String, Object> outprops = new HashMap<String, Object>();
    outprops.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
    outprops.put(WSHandlerConstants.USER, "admin");
    outprops.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
    outprops.put(WSHandlerConstants.PW_CALLBACK_CLASS,
        ClientPasswordCallbackHandler.class.getName());
    AuthenticationInterceptor wssout = new AuthenticationInterceptor(outprops);
    endpoint.getOutInterceptors().add(new SAAJOutInterceptor());
    endpoint.getOutInterceptors().add(wssout);

But, now I want to customize the header. I want to add my OrganizationToken,
which it seems I should be able to do by getting the WSSConfig from the
WSHandler.secEngine, and adding my new action and processor using setAction()
and setProcessor(), and then adding

    outprops.put(WSHandlerConstants.ACTION,
        WSHandlerConstants.USERNAME_TOKEN + " " + "OrganizationToken");
    outprops.put("organizationName", "admin"); // this is handled by my new classes

to my header setup code. However, I can't get far enough to worry about that
part, as org.apache.ws.security.util.WSSecurityUtil.decodeAction specifically
disallows any tokens not on the predefined list, and doesn't look at
WSSConfig.actionMap to see what new ones might have been defined. This just
seems wrong, given what's in the spec.
Thanks,
Lisa
> no support for extension of SecurityHeader
> ------------------------------------------
>
> Key: WSS-131
> URL: https://issues.apache.org/jira/browse/WSS-131
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 1.5.4
> Reporter: Lisa Penninger
> Assignee: Ruchith Udayanga Fernando
>
> The WSS SecurityHeader schema definition is extensible to allow different
> types of security information to be included, i.e., I could define a FooToken
> in my schema and include it in the SecurityHeader in addition to my
> UsernameToken. However, wss4j seems to actively prevent this, throwing an
> exception if an unrecognized token is found.
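
Added example, not part of the original message and not WSS4J's code: a self-contained Java model of the action-string decoding described in the comment above, showing a fixed-list decoder beside one that also consults an application-supplied registry while still rejecting unregistered names. The class name, method names, the "Signature" entry and all numeric ids are hypothetical; only the space-separated action string and the names UsernameToken and OrganizationToken come from the message.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class ActionDecoderSketch {
    // Built-in action names with constructed numeric ids (not WSS4J's constants).
    static final Map<String, Integer> BUILT_IN = new LinkedHashMap<>();
    static {
        BUILT_IN.put("UsernameToken", 1);
        BUILT_IN.put("Signature", 2);
    }

    // Fixed-list decoding: any name outside BUILT_IN is rejected.
    static List<Integer> decodeFixed(String actions) {
        return decode(actions, Collections.<String, Integer>emptyMap());
    }

    // Registry-aware decoding: names the application registered are accepted too.
    // Built-ins are looked up first, so a custom entry cannot shadow one, and a
    // name found in neither map still fails closed.
    static List<Integer> decode(String actions, Map<String, Integer> custom) {
        List<Integer> ids = new ArrayList<>();
        if (actions == null || actions.trim().isEmpty()) {
            return ids; // no actions requested
        }
        for (String name : actions.trim().split("\\s+")) {
            Integer id = BUILT_IN.get(name);
            if (id == null) {
                id = custom.get(name);
            }
            if (id == null) {
                throw new IllegalArgumentException("Unknown action defined: " + name);
            }
            ids.add(id);
        }
        return ids;
    }

    public static void main(String[] args) {
        String requested = "UsernameToken OrganizationToken";
        Map<String, Integer> custom = new LinkedHashMap<>();
        custom.put("OrganizationToken", 0x1000); // constructed id for the custom action
        System.out.println("registry-aware: " + decode(requested, custom));
        try {
            decodeFixed(requested);
        } catch (IllegalArgumentException e) {
            System.out.println("fixed list: " + e.getMessage());
        }
    }
}
```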