Hi Daph,

> The trouble is that the request is processed even with a bad user or
> password in PasswordText mode.

When the password is sent in PasswordText mode, all authentication is delegated to the callback class. So it's up to your CallbackHandler implementation below to throw an exception if authentication fails. For PasswordDigest mode, the CallbackHandler must supply the password, and the subsequent digesting and authentication is performed in WSS4J.

This whole area will hopefully get completely rewritten for the 2.0 release, as it has caused a huge amount of confusion for users.

Colm.

-----Original Message-----
From: daphbou [mailto:[EMAIL PROTECTED]
Sent: 17 September 2008 17:25
To: [email protected]
Subject: WSSE-UsernameToken: accepts all user/password

Hello,

I am trying to set up a SOAP transaction with wss4j 1.5.4 and Axis (1.4 or 1.2) using a UsernameToken password. The trouble is that the request is processed even with a bad user or password in PasswordText mode.

I spent a lot of time changing parameters or jars, reading documentation and searching the web, but found nothing. Can anyone help? I am sure the solution must be quite simple, but it is the first time I have used wss4j ...

Thanks.
Daph

Here is all the information about this project.

I did the following tests:
- without the soapenv header the request is rejected (WSDoAllReceiver: Request does not contain required Security header)
- in PasswordDigest mode all requests are rejected, even with the correct user/password (WSSecurityException: The security token could not be authenticated or authorized)

At first I tried to use PasswordText mode; here is my server-config.wsdd file (I changed some namespaces and names):

<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <globalConfiguration>
    <parameter name="sendMultiRefs" value="true"/>
    <parameter name="disablePrettyXML" value="true"/>
    <parameter name="adminPassword" value="admin"/>
    <parameter name="attachments.Directory" value="/exec/jonas/v486/webapps"/>
    <parameter name="dotNetSoapEncFix" value="true"/>
    <parameter name="enableNamespacePrefixOptimization" value="false"/>
    <parameter name="sendXMLDeclaration" value="true"/>
    <parameter name="attachments.implementation" value="org.apache.axis.attachments.AttachmentsImpl"/>
    <parameter name="sendXsiTypes" value="true"/>
    <requestFlow>
      <handler type="java:org.apache.axis.handlers.JWSHandler">
        <parameter name="scope" value="session"/>
      </handler>
      <handler type="java:org.apache.axis.handlers.JWSHandler">
        <parameter name="scope" value="request"/>
        <parameter name="extension" value=".jwr"/>
      </handler>
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="passwordCallbackClass" value="com.myAppli.ws.PWCallback"/>
        <parameter name="action" value="UsernameToken"/>
        <parameter name="user" value="user"/>
        <parameter name="passwordType" value="PasswordDigest"/>
        <!--<parameter name="passwordType" value="PasswordText"/>-->
      </handler>
    </requestFlow>
  </globalConfiguration>
  <handler name="LocalResponder" type="java:org.apache.axis.transport.local.LocalResponder"/>
  <handler name="URLMapper" type="java:org.apache.axis.handlers.http.URLMapper"/>
  <!-- Services from WSDL -->
  <service name="ExternalManagementPort" provider="java:RPC" style="wrapped" use="literal">
    <parameter name="wsdlTargetNamespace" value="uri://myAppli/1.0"/>
    <parameter name="wsdlServiceElement" value="ExternalManagementService"/>
    <parameter name="schemaQualified" value="urn:com.serviceconf"/>
    <parameter name="schemaUnqualified" value="uri://myAppli/-xp/types/1.0,uri://myAppli/1.0,uri://myAppli/types/1.0"/>
    <parameter name="wsdlServicePort" value="ExternalManagementPort"/>
    <parameter name="className" value="com.myAppli.messages.ExternalManagementSoapBindingSkeleton"/>
    <parameter name="wsdlPortType" value="ExternalManagement"/>
    <parameter name="typeMappingVersion" value="1.2"/>
    <parameter name="allowedMethods" value="*"/>
    ...
  <transport name="http">
    <requestFlow>
      <handler type="URLMapper"/>
      <handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
    </requestFlow>
    <parameter name="qs:list" value="org.apache.axis.transport.http.QSListHandler"/>
    <parameter name="qs:wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
    <parameter name="qs.list" value="org.apache.axis.transport.http.QSListHandler"/>
    <parameter name="qs.method" value="org.apache.axis.transport.http.QSMethodHandler"/>
    <parameter name="qs:method" value="org.apache.axis.transport.http.QSMethodHandler"/>
    <parameter name="qs.wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
  </transport>
  <transport name="local">
    <responseFlow>
      <handler type="LocalResponder"/>
    </responseFlow>
  </transport>
</deployment>

And the PWCallback class (logs are processed):

package com.myAppli.ws;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.log4j.Logger;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.axis.MessageContext;
import org.apache.axis.message.SOAPEnvelope;
import javax.xml.soap.SOAPMessage;

public class PWCallback implements CallbackHandler {

    private static Logger logger = Logger.getLogger(PWCallback.class.getName());

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        logger.debug("Inside PWCallback.handle");
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                String user = pc.getIdentifer();
                // the same password is set for every user and usage; nothing is compared here
                pc.setPassword("testpass");
                logger.debug("Callback found, usage " + pc.getUsage() + ", user " + user);
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }
}

The request (sent with soap-ui for testing) looks like:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:gccsca.francetelecom.com.serviceconf">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>SLSd</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testpasstttt</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>

The application is deployed through JOnAS (v4.8.6 on Linux RedHat 5, or v4.9.2 on Windows XP).

I also include here a list of the jar files in the war. I am not sure of all the versions (except those for wss4j). Maybe it can help ... At first I used Axis 1.2; I tried to update to Axis 1.4, then I added some other jar files that might be used.

- activation.jar
- addressing-1.0.jar
- axis-1.4.jar
- axis-ant-1.4.jar
- axis-jaxrpc-1.4.jar
- axis-saaj-1.4.jar
- bcprov-jdk13-132.jar
- classes12.jar
- commons-beanutils.jar
- commons-codec-1.3.jar
- commons-collections.jar
- commons-discovery-0.2.jar
- commons-httpclient-3.0-rc2.jar
- commons-lang.jar
- commons-logging-1.0.4.jar
- commons-pool.jar
- commons-validator.jar
- dom4j.jar
- junit-3.8.1.jar
- log4j-1.2.9.jar
- mail.jar
- opensaml-1.0.1.jar
- optional.jar
- ostermillerutil.jar
- regexp.jar
- serializer-2.7.0.jar
- wsdl4j-1.5.1.jar
- wss4j-1.5.4.jar
- xalan-2.7.0.jar
- xercesImpl.jar
- xml-apis.jar
- xmlParserAPIs.jar
- xmlsec-1.4.0.jar

--
View this message in context: http://www.nabble.com/WSSE-UsernameToken%3A-accepts-all-user-password-tp19535971p19535971.html
Sent from the WSS4J mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
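The split of responsibilities Colm describes, written out as an added example (editor's code, not Daph's posted class and not part of WSS4J): a CallbackHandler for WSS4J 1.5.x that covers both password types. The 1.5.x UsernameToken processor calls the handler with usage USERNAME_TOKEN for a digested password (the handler supplies the stored password and WSS4J recomputes and compares the digest) and with usage USERNAME_TOKEN_UNKNOWN for a plaintext password, placing the password received in the token in getPassword(); in that second case WSS4J compares nothing itself, so the handler has to do the comparison and throw. The in-memory credential map and the user SLSd are constructed for illustration; a real deployment would look users up in its own store.

```java
package com.myAppli.ws;

import java.io.IOException;
import java.nio.charset.Charset;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * UsernameToken callback for WSS4J 1.5.x that handles both PasswordDigest
 * and PasswordText tokens. Illustrative example; the credential map below
 * is constructed sample data, not a real user store.
 */
public class PWCallback implements CallbackHandler {

    private static final Charset UTF8 = Charset.forName("UTF-8");

    // Constructed sample credentials (assumption for this example).
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("SLSd", "testpass");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            String user = pc.getIdentifer();          // spelled this way in WSS4J 1.5.x
            String expected = USERS.get(user);        // null for an unknown user

            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // PasswordDigest: hand over the stored password. WSS4J
                    // recomputes Base64(SHA-1(nonce + created + password))
                    // and compares it with the digest in the token.
                    if (expected == null) {
                        throw new IOException("unknown user: " + user);
                    }
                    pc.setPassword(expected);
                    break;

                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // PasswordText: the password from the token is already in
                    // pc.getPassword(). WSS4J does not compare it; we must, and
                    // throwing here is what turns a bad password into a fault.
                    if (expected == null || !constantTimeEquals(expected, pc.getPassword())) {
                        throw new IOException("authentication failed for user: " + user);
                    }
                    break;

                default:
                    throw new UnsupportedCallbackException(callbacks[i],
                            "Unsupported usage " + pc.getUsage());
            }
        }
    }

    // Length-independent comparison so a wrong password takes the same time
    // regardless of how many leading bytes happen to match.
    private static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        byte[] x = a.getBytes(UTF8);
        byte[] y = b.getBytes(UTF8);
        int diff = x.length ^ y.length;
        for (int i = 0; i < x.length && i < y.length; i++) {
            diff |= x[i] ^ y[i];
        }
        return diff == 0;
    }
}
```

With this handler wired in through the passwordCallbackClass parameter of WSDoAllReceiver, a PasswordText token carrying "testpasstttt" for SLSd makes the handler throw, and WSS4J surfaces that as the same "The security token could not be authenticated or authorized" fault Daph already sees in digest mode. Two caveats a deployment should keep in mind: the posted class returns "testpass" for every username, so even in digest mode any username paired with that password would have authenticated; and PasswordText sends the password in the clear, so it is only acceptable over TLS (or when the whole message is encrypted).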
