Re: UsernameToken Authentication with WSS4J

gdprao wrote:

I am facing a problem with the password comparison using WSS4J interceptors.  I see the username and password are passed from the client to the server correctly and invoking PasswordCallbackHandler from SOAP message logs.  As per my understanding the actual password comparison is done by WSS4J.  The problem I am facing is that the service is getting invoked even if the passwords are not matching while I am expecting the SOAP fault to be thrown. The client is sending the password "test" while the server is expecting "test123" for the user "admin".  Here are my logs and configuration.  Please let me know if I am missing anything.

Server side applicationContext-cxf.xml:

<jaxws:endpoint id="helloWorld"
                implementor="com.mydomain.cxfauth.HelloWorldImpl"
                address="/HelloWorld">

                <jaxws:features>
                        <bean class="org.apache.cxf.feature.LoggingFeature" />
                </jaxws:features>
                <jaxws:inInterceptors>
                        <bean
                                class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
                        <ref bean="wss4jInConfiguration" />
                </jaxws:inInterceptors>
        </jaxws:endpoint>
        <bean id="wss4jInConfiguration"
                class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <property name="properties">
                        <map>
                                <entry key="action" value="UsernameToken" />
                                <entry key="passwordType" value="PasswordText" />
                                <entry>
                                        <key>
                                                <value>passwordCallbackRef</value>
                                        </key>
                                        <ref bean="passwordCallback" />
                                </entry>
                        </map>
                </property>
        </bean>

<bean id="passwordCallback" class="com.mydomain.cxfauth.interceptors.PasswordCallbackHandler"/>

Server side Password callback handler:

public void handle(Callback[] callbacks) throws IOException,
                        UnsupportedCallbackException {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
                logger.debug("identifier on server: " + pc.getIdentifer());
                if (pc.getIdentifer().equals("admin")) {
                        logger.debug("Inside if: " + pc.getIdentifer());
                        //set the password on the callback. This will later be compared to the password which was sent from the client.
                        pc.setPassword("test123");
                }

        }

Client side client-cxf.xml:

<bean id="client" class="com.mydomain.cxfauth.HelloWorld"
                factory-bean="clientFactory" factory-method="create" />

        <bean id="clientFactory"
                class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
                <property name="serviceClass"
                        value="com.mydomain.cxfauth.HelloWorld" />
                <property name="address"
                        value="http://localhost:8080/cxfauth/services/HelloWorld" />
                <property name="outInterceptors">
                        <list>
                                <bean
                                        class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
                                <ref bean="wss4jOutConfiguration" />
                        </list>
                </property>
        </bean>
        <bean id="wss4jOutConfiguration"
                class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
                <property name="properties">
                        <map>
                                <entry key="action" value="UsernameToken" />
                                <entry key="user" value="admin" />
                                <entry key="passwordType" value="PasswordText" />
                                <entry>
                                        <key>
                                                <value>passwordCallbackRef</value>
                                        </key>
                                        <ref bean="passwordCallback" />
                                </entry>
                        </map>
                </property>
        </bean>
        <bean id="passwordCallback"
                class="com.mydomain.cxfauthclient.interceptors.PasswordCallbackHandler" />

Client side PasswordCallbackHandler:

public void handle(Callback[] callbacks) throws IOException,
                        UnsupportedCallbackException {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
                logger.debug("identifier on client: " + pc.getIdentifer());
                if (pc.getIdentifer().equals("admin")) {
                        //set the password on the callback on client side
                        pc.setPassword("test");
                }

        }


Server Log:

Sep 12, 2007 10:25:21 AM org.apache.cxf.transport.servlet.CXFServlet replaceDestionFactory
INFO: servlet transport factory already registered
Sep 12, 2007 10:26:10 AM org.apache.cxf.interceptor.LoggingInInterceptor handleMessage
INFO: Inbound Message
--------------------------------------
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-12741398" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Username xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">admin</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">test</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><ns1:sayHi xmlns:ns1="http://cxfauthmydomaincom/"><arg0>Durgaprasad</arg0></ns1:sayHi></soap:Body></soap:Envelope>
--------------------------------------
2007-09-12 10:26:10,728 - DEBUG (com.mydomain.cxfauth.interceptors.PasswordCallbackHandler:handle:20) - identifier on server: admin
2007-09-12 10:26:10,744 - DEBUG (com.mydomain.cxfauth.interceptors.PasswordCallbackHandler:handle:22) - Inside if: admin
Sep 12, 2007 10:26:11 AM org.apache.cxf.interceptor.LoggingOutInterceptor$LoggingCallback onClose
INFO: Outbound Message
--------------------------------------
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns1:sayHiResponse xmlns:ns1="http://cxfauth.mydomain.com/"><return>Welcome, Durgaprasad to the CXF web services</return></ns1:sayHiResponse></soap:Body></soap:Envelope>
--------------------------------------

Client response Log:

Sep 12, 2007 10:26:09 AM org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromClass
INFO: Creating Service {http://cxfauth.mydomain.com/}HelloWorldService from class com.mydomain.cxfauth.HelloWorld
2007-09-12 10:26:10,135 - DEBUG (com.mydomain.cxfauthclient.interceptors.PasswordCallbackHandler:handle:20) - identifier on client: admin
2007-09-12 10:26:11,119 - DEBUG (com.mydomain.cxfauthclient.CXFAuthClient:main:21) - Response: Welcome, Durgaprasad to the CXF web services