CallbackHandler - username and password token

Hi,

I use a CallbackHandler and server_security_config.xml on the server to authenticate and authorize the user.

I get the correct username and password token on the server and do my validation directly in:

    import com.sun.xml.wss.impl.callback.PasswordValidationCallback;

    public class AuthenticationValidator implements PasswordValidationCallback.PasswordValidator {

        public boolean validate(PasswordValidationCallback.Request request)
                throws PasswordValidationCallback.PasswordValidationException {
            System.out.println("AuthenticationValidator public boolean validate");
            PasswordValidationCallback.PlainTextPasswordRequest req =
                (PasswordValidationCallback.PlainTextPasswordRequest) request;
            System.out.println("Username: " + req.getUsername());
            System.out.println("Password: " + req.getPassword());
            // check with database!
            // return false; // not OK
            return true; // OK
        }
    }

I don't want to use a JAAS Login module.

The auth works fine.

Now I have a big and a little problem.

1.) I need the username (String username = req.getUsername();) from xwss in my service implementation class. But how can I transfer this value?

I have a javax.security.auth.callback.CallbackHandler class and no LogicalHandler with a MessageContext object.

2.) My second question:

If the authentication fails, AuthenticationValidator returns false and the client gets a SoapFault exception. Is it possible to catch this exception and throw a user-defined exception?

Please help me, thanks!!

Please see also here:

https://xwss.dev.java.net/servlets/ReadMsg?list=users&msgNo=54

Regards,

Rocci

By Rocci2a at 2007-10-2 22:21:39
# 1

Ideally you could have used SubjectAccessor API [1] to get hold of the data you need. Unfortunately it seems to be broken when using XWSS with jaxws. We will fix it soon and let you know. Will inform you as soon as the fix is available.

You can get the bits from https://xwss.dev.java.net.

[1] http://java.sun.com/webservices/docs/1.6/tutorial/doc/XWS-SecurityIntro5.html#wp567402

Message was edited by:

venugr_sun

venugr_suna at 2007-7-14 1:38:55 > top of Java-index,Enterprise & Remote Computing,Enterprise Technologies...
# 2
Kumar has just uploaded the latest bits at https://xwss.dev.java.net/files/documents/4864/36186/xwss-2.0.zip.

In your server-side code, access the Subject from the MessageContext using the "javax.security.auth.Subject" key.

Let us know how it went.

HTH
Venu

venugr_suna at 2007-7-14 1:38:55
# 3

Hi,

thanks for your fast answer and sorry for my late answer.

I tried it and now nothing is working any more.

With the new libraries I get the following exception:

    22.06.2006 11:28:36 com.sun.xml.ws.protocol.soap.server.SOAPMessageDispatcher receive
    SCHWERWIEGEND: java.lang.IllegalArgumentException: Illegal use of setScope() on non-existant property :javax.security.auth.Subject
    java.lang.RuntimeException: java.lang.IllegalArgumentException: Illegal use of setScope() on non-existant property :javax.security.auth.Subject
        at com.sun.xml.xwss.SystemHandlerDelegateImpl.processRequest(SystemHandlerDelegateImpl.java:274)
        at com.sun.xml.ws.protocol.soap.server.SOAPMessageDispatcher.receive(SOAPMessageDispatcher.java:144)
        at com.sun.xml.ws.server.Tie.handle(Tie.java:88)
        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.handle(WSServletDelegate.java:333)
        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:288)
        at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:77)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

I have in my validator class:

    Subject subject = new Subject();
    subject.getPrincipals().add(new X500Principal("CN=" + userName));
    subject.getPrivateCredentials().add(password);

and in my service implementation class:

    Object o = messageContext.get("javax.security.auth.Subject");

With the old libs o was null. Now with the new libs I get the above-mentioned exception earlier.

Any further help would be very nice.

Regards,

Rocci

Rocci2a at 2007-7-14 1:38:55
# 4
Can anybody help me with this? Is this a bug?

Thanks,
Rocci

Rocci2a at 2007-7-14 1:38:55
# 5
Hi, can you check with the latest bits?

Venu

venu_gra at 2007-7-14 1:38:55
# 6

Hi,

now it works, great!!

A little point which I don't understand exactly:

- ServerSecurityEnvironmentHandler implements CallbackHandler contains in the handle method this code:

    for (int i = 0; i < callbacks.length; i++) {
        if (callbacks[i] instanceof PasswordValidationCallback) {
            PasswordValidationCallback cb = (PasswordValidationCallback) callbacks[i];
            if (cb.getRequest() instanceof PasswordValidationCallback.PlainTextPasswordRequest) {
                // plain text handling
                cb.setValidator(new AuthenticationValidator());
            }
        }
    }

- code of AuthenticationValidator implements PasswordValidationCallback.PasswordValidator:

    public boolean validate(PasswordValidationCallback.Request request)
            throws PasswordValidationCallback.PasswordValidationException {
        PasswordValidationCallback.PlainTextPasswordRequest req =
            (PasswordValidationCallback.PlainTextPasswordRequest) request;
        // TODO validate here or do this in the service implementation
        Subject subject = new Subject();
        subject.getPrincipals().add(new X500Principal("CN=" + req.getUsername()));
        subject.getPrivateCredentials().add(req.getPassword());
        return true; // or false
    }

The point is that the 3 rows for setting the subject patently are not necessary.

Is this always the case?

Regards and many thanks,

Rocci

Rocci2a at 2007-7-14 1:38:55
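As an added example (not code from this thread or from XWSS itself) that puts the advice in reply #2 together with the validator from reply #6: the validator only accepts or rejects the UsernameToken and builds no Subject of its own, and the JAX-WS service implementation reads the Subject that XWSS stores under the "javax.security.auth.Subject" key, treating a missing Subject as unauthenticated. Assumed: the XWSS package com.sun.xml.wss.impl.callback, a WebServiceContext injected with @Resource, a constructed in-memory credential store, and that the first Principal in the Subject carries the username.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.annotation.Resource;
import javax.jws.WebService;
import javax.security.auth.Subject;
import javax.xml.ws.WebServiceContext;
import com.sun.xml.wss.impl.callback.PasswordValidationCallback; // assumed XWSS package

// Validator installed from the CallbackHandler. It only decides accept/reject, never
// logs the password, and builds no Subject: XWSS populates the one the service reads.
class AuthenticationValidator implements PasswordValidationCallback.PasswordValidator {
    // Constructed sample credential store; a real deployment looks this up in a database.
    private static final Map<String, String> USERS = Collections.singletonMap("alice", "s3cret");

    public boolean validate(PasswordValidationCallback.Request request)
            throws PasswordValidationCallback.PasswordValidationException {
        if (!(request instanceof PasswordValidationCallback.PlainTextPasswordRequest)) {
            return false; // only plain-text UsernameTokens are handled here
        }
        PasswordValidationCallback.PlainTextPasswordRequest req =
                (PasswordValidationCallback.PlainTextPasswordRequest) request;
        String expected = USERS.get(req.getUsername());
        if (expected == null || req.getPassword() == null) {
            return false; // unknown user or token without a password
        }
        // MessageDigest.isEqual does not stop at the first differing byte.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     req.getPassword().getBytes(StandardCharsets.UTF_8));
    }
}

@WebService
public class SecuredHelloService {
    @Resource private WebServiceContext wsContext; // injected by the JAX-WS runtime

    // Username from the Subject stored under "javax.security.auth.Subject" (reply #2),
    // or null when no security processing ran (reply #3 saw exactly this null).
    public String callerName() {
        Object o = wsContext.getMessageContext().get("javax.security.auth.Subject");
        if (!(o instanceof Subject)) return null;
        for (Principal p : ((Subject) o).getPrincipals()) {
            return p.getName(); // assumption: the first principal carries the username
        }
        return null;
    }
}
```

Service methods should refuse to do work when callerName() returns null rather than falling back to an anonymous identity.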
# 7
Hi, why do you want to do that?

Venu

venu_gra at 2007-7-14 1:38:55