
WSS4j 1.5: How to skip password validation?

I'm required to use Apache WSS4J 1.5 for some SOAP signing/verification, however I'm having trouble skipping/disabling the UsernameToken password validation.

In WSS4J 1.6+ I am able to configure the security engine to use the NoOpValidator() class to skip the username token authentication, but 1.5 doesn't have this support.

Is there any way to tell WSS4J 1.5 to skip the Username/Password validation routine altogether?

You need to write your own callback handler implementation to skip loading the LoginContext. Then that handler class can be loaded from the system property.

Referring to the source code of javax.security.auth.callback.CallbackHandler:

A default CallbackHandler class implementation may be specified in the auth.login.defaultCallbackHandler security property.

The security property can be set in the Java security properties file located in the file named <JAVA_HOME>/lib/security/java.security. <JAVA_HOME> refers to the value of the java.home system property, and specifies the directory where the JRE is installed.

If the security property is set to the fully qualified name of a CallbackHandler implementation class, then a LoginContext will load the specified CallbackHandler and pass it to the underlying LoginModules.

The LoginContext only loads the default handler if it was not provided one. All default handler implementations must provide a public zero-argument constructor.

Also be aware of some risks that come with WSS4J 1.5.XX

After digging around in the WSSecEngine class in a little more depth, I found that I needed not a CallbackHandler, but a custom Processor that skips the processing of the UsernameToken object:

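        // Requires: org.apache.ws.security.{WSSecurityEngine, WSSConfig, WSDocInfo, WSSecurityException},
        // org.apache.ws.security.components.crypto.Crypto, org.apache.ws.security.processor.Processor,
        // org.apache.ws.security.message.token.UsernameToken, javax.security.auth.callback.CallbackHandler,
        // java.util.Vector and org.w3c.dom.Element. `logger` is the enclosing class's logger.
        WSSecurityEngine secEngine = new WSSecurityEngine();
        WSSConfig wsConfig = WSSConfig.newInstance();
        // Replace the processor registered for the UsernameToken element with a no-op one.
        wsConfig.setProcessor(UsernameToken.TOKEN, new Processor() {

            @Override
            public void handleToken(Element arg0, Crypto arg1, Crypto arg2, CallbackHandler arg3, WSDocInfo arg4, Vector arg5, WSSConfig arg6)
                    throws WSSecurityException {
                // Skip the token processing: the UsernameToken is neither parsed nor validated,
                // and nothing is added to the results vector (arg5).
                logger.debug("Skipping processing of the username token");
            }

            @Override
            public String getId() {
                return null;
            }
        });
        // Only this engine instance uses the modified configuration.
        secEngine.setWssConfig(wsConfig);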

Although WSS4J 1.5 is incredibly old, hopefully this may help someone else in the future.

WSS4J 1.6+ has changed the way these processors work with Validators instead.
