wse (.net) client to wss4j web service allows all passwords, why?
- From: ntad <ntad@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 13 Feb 2007 12:27:03 -0800
Hi,
I’m trying to do the simplest security implementation before trying anything
more complex. I have a web service written in java and I’m trying to
implement security with wss4j. I have a .NET client and I’m trying to use
WSE 3.0 to securely connect to my java web service. So I’m testing with a
hard-coded userid and password (for now), using Username tokens and sending
plain text (and not even over SSL). Testing with a java client, everything
works fine! Testing with the .NET client, wss4j accepts any password and any
userid (as long as my callback method does not throw an exception). (So I
added a “throw exception” if the userid was not found and that works to fail
the userid.) But I can’t really get wss4j to validate the password when the
request is coming from .net/wse. Any ideas? Code details below.
For wss4j, my server-config.wsdd file contains this: (NOTE: it throws an
exception without the Timestamp)
<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="passwordCallbackClass" value="PWCallback"/>
    <parameter name="action" value="UsernameToken Timestamp"/>
    <!-- NOTE: add Timestamp to be compatible with WSE on the .net side -->
</handler>
My callback class is very basic:
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCallback implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                // getIdentifer() is the (misspelled) WSS4J 1.5 accessor for the username
                if ("wss4j".equals(pc.getIdentifer())) {
                    pc.setPassword("security");
                } else {
                    // doing this actually shows up as "Callback supplied
                    // no password for: wss4j"
                    throw new UnsupportedCallbackException(callbacks[i],
                            "Unrecognized Callback");
                }
            } else {
                throw new UnsupportedCallbackException(callbacks[i],
                        "Unrecognized Callback");
            }
        }
    }
}
In .NET, I’ve added the reference to Microsoft.Web.Services3 and went
through the WSE Settings 3.0 wizard: checked Enable this project for Web
Services Enhancements, checked Enable Policy and added the
usernameTokenSecurity policy, and left everything else as defaults. Thus, my
wse3policyCache.config looks like this:
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
    <extensions>
        <extension name="usernameOverTransportSecurity"
            type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion,
            Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
            PublicKeyToken=31bf3856ad364" />
        <extension name="requireActionHeader"
            type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
            Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
            PublicKeyToken=31bf3856ad364" />
    </extensions>
    <policy name="usernameTokenSecurity">
        <usernameOverTransportSecurity />
        <requireActionHeader />
    </policy>
</policies>
Then refreshing my Web Reference gives me the WSE version of my web service
proxy. And the calling code looks like this:
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

// plain-text password: the token is sent as wsse:PasswordText
UsernameToken token = new UsernameToken("wss4j", "security",
    PasswordOption.SendPlainText);
wsProxy = new myJavaWebServiceWse();
wsProxy.SetClientCredential(token);
wsProxy.SetPolicy("usernameTokenSecurity");
String strXML = wsProxy.getTest();
Again with the .net/wse client, wss4j seems to allow any password and an
extra “throw exception” is needed to truly validate the userid. This is not
the case with my java client; it works fine. And I have not been able to
google anything on this.
Thanks
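An added example, not code from the post above: a password callback written so that the receiver rejects wrong passwords regardless of which password type the client sends. It rests on the behaviour documented in the WSS4J 1.5 javadoc for WSPasswordCallback (stated here as an assumption about the version in use): for a digest token the processor calls the handler with usage USERNAME_TOKEN, expects it to set the stored password, and compares the digests itself; for a PasswordText token (what PasswordOption.SendPlainText produces) it calls the handler with usage USERNAME_TOKEN_UNKNOWN, puts the received password into the callback, and leaves the comparison to the handler, which must throw on a mismatch. A handler that only calls setPassword() therefore authenticates every plain-text password, which is consistent with the symptom described above. The class name VerifyingPWCallback and the in-memory USERS map are constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Added example (not from the original post). Assumes the WSS4J 1.5.x
// WSPasswordCallback API: getIdentifer() (WSS4J's spelling), getUsage(),
// getPassword(), setPassword(), and the USERNAME_TOKEN / USERNAME_TOKEN_UNKNOWN
// usage constants.
public class VerifyingPWCallback implements CallbackHandler {

    // Constructed sample credential store for the example only.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("wss4j", "security");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String stored = USERS.get(pc.getIdentifer());
            if (stored == null) {
                // Unknown user: fail explicitly rather than returning with no password set.
                throw new IOException("unknown user: " + pc.getIdentifer());
            }
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // PasswordDigest: hand back the stored password, WSS4J recomputes
                    // the digest from nonce + created + password and compares it.
                    pc.setPassword(stored);
                    break;
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // PasswordText (or no type): pc.getPassword() holds the password the
                    // client sent; WSS4J does not compare it, so the handler must.
                    if (!constantTimeEquals(stored, pc.getPassword())) {
                        throw new IOException("authentication failed for " + pc.getIdentifer());
                    }
                    break;
                default:
                    throw new UnsupportedCallbackException(cb, "unexpected usage " + pc.getUsage());
            }
        }
    }

    // Length-independent comparison so a mismatch does not leak where it occurred.
    static boolean constantTimeEquals(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        Charset utf8 = Charset.forName("UTF-8");
        return MessageDigest.isEqual(expected.getBytes(utf8), supplied.getBytes(utf8));
    }
}
```

Dropping this class in as the passwordCallbackClass makes the plain-text path fail closed: a wrong password raises from the handler and WSS4J turns that into a security fault, the same outcome the digest path already gives. Plain-text passwords still cross the wire readable, so the usernameOverTransportSecurity policy is only meaningful once the transport is actually TLS.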