users@jax-rpc.java.net

Re: XWS Security, programmatic interface to set a user-authentication token?

From: V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Thu, 11 Aug 2005 12:09:05 +0530

Hi David,

David Sharp wrote:

> I can't seem to figure out how to programmatically set the
> user-authentication token used by a JAX-RPC web service call. I have
> created a CallbackHandler that can set the username and password,
> however it does not have the information necessary to determine which
> userid and password to use.
>
> My application is basically a web application, that uses web service
> calls behind the scenes to retrieve information. Depending on the
> user that is logged in, the endpoint will vary along with the username
> and password the endpoint will expect. So the problem I'm having, is
> that my servlet that is calling the web service, has enough
> information to create the stub, set the endpoint, and call the web
> service. It even has enough information to determine what username
> and password it should use. Unfortunately, there does not appear to
> be a way to pass this information to the callback handler that will
> actually be setting the username and password.
>
> If I can guarantee that the password handler will run in the same
> thread as the servlet making the web service call, I could set a
> system property keyed on the current thread, that has the
> information. However this seems to be an ugly hack. What I really
> need, is a way to pass parameters at runtime from a web-service caller
> to the CallbackHandler that will eventually handle setting the username
> and password used to create the authentication token.
>
> Any help would be greatly appreciated.


There is a way to do this if you are using JWSDP 1.6 (i.e. XWS Security
2.0 EA). There is a sample called dynamic-policy which would be relevant
in this case for more information (copy the CallbackHandler present in
the dynamic-policy sample to get the relevant import statements).


Here are the steps:

1. Your client-side Security Configuration should look like the following:

<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">

    <xwss:Service>
        <!-- the exact policy to apply will be decided by the
             SecurityEnvironmentHandler at runtime -->
        <xwss:SecurityConfiguration dumpMessages="true"
                                    enableDynamicPolicy="true">
        </xwss:SecurityConfiguration>
    </xwss:Service>

    <xwss:SecurityEnvironmentHandler>
        com.sun.xml.wss.sample.SecurityEnvironmentHandler
    </xwss:SecurityEnvironmentHandler>

</xwss:JAXRPCSecurity>

 This would enable dynamic policy callbacks.


2. In the CallbackHandler add an else {....} clause to handle the
DynamicPolicyCallback.

    The code will look something like this:

    

    else if (callbacks[i] instanceof DynamicPolicyCallback) {
        DynamicPolicyCallback dpCallback = (DynamicPolicyCallback) callbacks[i];
        SecurityPolicy policy = dpCallback.getSecurityPolicy();

        if (policy instanceof DynamicSecurityPolicy) {
            try {
                handleDynamicSecurityPolicy(dpCallback);
            } catch (PolicyGenerationException pge) {
                throw new IOException(pge.getMessage());
            }
        }
    }

    private void handleDynamicSecurityPolicy(DynamicPolicyCallback callback)
            throws PolicyGenerationException {

        boolean inBound = false;
        DynamicSecurityPolicy policy =
            (DynamicSecurityPolicy) callback.getSecurityPolicy();
        DynamicApplicationContext dynamicContext =
            (DynamicApplicationContext) callback.getDynamicContext();

        java.util.Iterator prop =
            dynamicContext.getRuntimeProperties().entrySet().iterator();

        // You can look for the following runtime properties here:
        // 1. Service URL=http://localhost:8080/dynamicpolicy/Ping
        // 2. javax.xml.rpc.service.endpoint.address=http://localhost:8080/dynamicpolicy/Ping
        // 3. context.operation.name={http://xmlsoap.org/Ping}Ping
        // 4. javax.xml.rpc.security.auth.username=<whatever username was set on the Stub>
        // 5. javax.xml.rpc.security.auth.password=<whatever password was set on the Stub>

        // Prints every runtime property, including the password entry (5).
        while (prop.hasNext()) {
            System.out.println(prop.next());
        }

        inBound = dynamicContext.inBoundMessage();

        if (!inBound) {
            WSSPolicyGenerator generator =
                (WSSPolicyGenerator) policy.policyGenerator();
            AuthenticationTokenPolicy atp = new AuthenticationTokenPolicy();
            AuthenticationTokenPolicy.UsernameTokenBinding utb =
                (AuthenticationTokenPolicy.UsernameTokenBinding)
                    atp.newUsernameTokenFeatureBinding();
            // username extracted from runtime properties above (property 4)
            utb.setUsername((String) dynamicContext.getRuntimeProperties()
                .get("javax.xml.rpc.security.auth.username"));
            // password extracted from runtime properties above (property 5)
            utb.setPassword((String) dynamicContext.getRuntimeProperties()
                .get("javax.xml.rpc.security.auth.password"));
            MessagePolicy mPolicy = new MessagePolicy();
            mPolicy.dumpMessages(true); // if you want dumping of outgoing Messages
            mPolicy.append(atp);
            callback.setSecurityPolicy(mPolicy);
        }
    }

Note: The API shown above is in Early Access state and hence expect minor
changes to this in the FCS release of XWS Security 2.0.

>
> Thanks,
> Dave
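
Added example, not part of the original message or of the dynamic-policy sample: a stand-alone sketch of pulling the per-call credentials out of the runtime properties listed in the reply, refusing to build a token when they are missing, and printing the properties with the password masked. The class and method names are hypothetical, and a plain Map with constructed values stands in for dynamicContext.getRuntimeProperties().

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class RuntimePropertyCredentials {
    // Property keys as listed in the reply (items 4 and 5).
    static final String USER_KEY = "javax.xml.rpc.security.auth.username";
    static final String PASS_KEY = "javax.xml.rpc.security.auth.password";

    /** Returns {username, password}; fails closed if either is absent or empty. */
    static String[] extract(Map<?, ?> props) {
        Object user = props.get(USER_KEY);
        Object pass = props.get(PASS_KEY);
        if (!(user instanceof String) || ((String) user).isEmpty()
                || !(pass instanceof String) || ((String) pass).isEmpty()) {
            // Do not build a UsernameToken from missing or empty values.
            throw new IllegalStateException("no per-call credentials set on the Stub");
        }
        return new String[] { (String) user, (String) pass };
    }

    /** Copy of the properties that is safe to print: the password value is masked. */
    static Map<String, String> redacted(Map<?, ?> props) {
        Map<String, String> out = new LinkedHashMap<String, String>();
        for (Map.Entry<?, ?> e : props.entrySet()) {
            String key = String.valueOf(e.getKey());
            out.put(key, PASS_KEY.equals(key) ? "****" : String.valueOf(e.getValue()));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample standing in for dynamicContext.getRuntimeProperties().
        Map<String, Object> props = new LinkedHashMap<String, Object>();
        props.put("javax.xml.rpc.service.endpoint.address",
                  "http://localhost:8080/dynamicpolicy/Ping");
        props.put(USER_KEY, "alice");
        props.put(PASS_KEY, "constructed-secret");

        System.out.println(redacted(props));   // password shown as ****
        String[] creds = extract(props);
        System.out.println("token user: " + creds[0]);
    }
}
```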