Hi David,
David Sharp wrote:
> I can't seem to figure out how to programmatically set the
> user-authentication token used by a JAX-RPC web service call. I have
> created a CallbackHandler that can set the username and password,
> however it does not have the information necessary to determine which
> userid and password to use.
>
> My application is basically a web application, that uses web service
> calls behind the scenes to retrieve information. Depending on the
> user that is logged in, the endpoint will vary along with the username
> and password the endpoint will expect. So the problem I'm having, is
> that my servlet that is calling the web service, has enough
> information to create the stub, set the endpoint, and call the web
> service. It even has enough information to determine what username
> and password it should use. Unfortunately, there does not appear to
> be a way to pass this information to the callback handler that will
> actually be setting the username and password.
>
> If I can guarantee that the password handler will run in the same
> thread as the servlet making the web service call, I could set a
> system property keyed on the current thread, that has the
> information. However this seems to be an ugly hack. What I really
> need, is a way to pass parameters at runtime from a web-service caller
> to the CallbackHandler that will eventually handle setting the username
> and password used to create the authentication token.
>
> Any help would be greatly appreciated.
There is a way to do this if you are using JWSDP 1.6 (i.e. XWS Security
2.0 EA). There is a sample called dynamic-policy which would be relevant
in this case for more information (copy the CallbackHandler present in
the dynamic-policy sample to get the relevant import statements).
Here are the steps:
1. Your client-side Security Configuration should look like the following:
<xwss:JAXRPCSecurity
    xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
  <xwss:Service>
    <!-- the exact policy to apply will be decided by the
         SecurityEnvironmentHandler at runtime -->
    <xwss:SecurityConfiguration dumpMessages="true"
        enableDynamicPolicy="true">
    </xwss:SecurityConfiguration>
  </xwss:Service>
  <xwss:SecurityEnvironmentHandler>
    com.sun.xml.wss.sample.SecurityEnvironmentHandler
  </xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
This would enable dynamic policy callbacks.
2. In the CallbackHandler add an else {....} clause to handle the
DynamicPolicyCallback.
The code will look something like this:
    else if (callbacks[i] instanceof DynamicPolicyCallback) {
        DynamicPolicyCallback dpCallback =
            (DynamicPolicyCallback) callbacks[i];
        SecurityPolicy policy = dpCallback.getSecurityPolicy();

        if (policy instanceof DynamicSecurityPolicy) {
            try {
                handleDynamicSecurityPolicy(dpCallback);
            } catch (PolicyGenerationException pge) {
                throw new IOException(pge.getMessage());
            }
        }
    }

    private void handleDynamicSecurityPolicy(DynamicPolicyCallback callback)
            throws PolicyGenerationException {

        boolean inBound = false;
        DynamicSecurityPolicy policy = (DynamicSecurityPolicy)
            callback.getSecurityPolicy();
        DynamicApplicationContext dynamicContext =
            (DynamicApplicationContext) callback.getDynamicContext();

        java.util.Iterator prop =
            dynamicContext.getRuntimeProperties().entrySet().iterator();

        // You can look for the following Runtime properties here
        // 1. Service URL=http://localhost:8080/dynamicpolicy/Ping
        // 2. javax.xml.rpc.service.endpoint.address=http://localhost:8080/dynamicpolicy/Ping
        // 3. context.operation.name={http://xmlsoap.org/Ping}Ping
        // 4. javax.xml.rpc.security.auth.username=<whatever username was set on the Stub>
        // 5. javax.xml.rpc.security.auth.password=<whatever password was set on the Stub>

        while (prop.hasNext()) {
            System.out.println(prop.next());
        }

        inBound = dynamicContext.inBoundMessage();
        if (!inBound) {
            WSSPolicyGenerator generator = (WSSPolicyGenerator)
                policy.policyGenerator();
            AuthenticationTokenPolicy atp = new AuthenticationTokenPolicy();
            AuthenticationTokenPolicy.UsernameTokenBinding utb =
                (AuthenticationTokenPolicy.UsernameTokenBinding)
                atp.newUsernameTokenFeatureBinding();
            utb.setUsername(<username>); // username extracted from runtime properties above
            utb.setPassword(<password>); // password extracted from runtime properties above
            MessagePolicy mPolicy = new MessagePolicy();
            mPolicy.dumpMessages(true); // if you want dumping of outgoing Messages
            mPolicy.append(atp);
            callback.setSecurityPolicy(mPolicy);
        }
    }
Note: The API shown above is in Early Access state and hence expect minor
changes to this in the FCS release of XWS Security 2.0.
>
> Thanks,
> Dave
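
The handler code in the reply leaves <username> and <password> to be read from the runtime properties, and its sample loop prints every property, password included. As an added example (not part of the original message or of the XWSS dynamic-policy sample), a JDK-only helper that reads the two javax.xml.rpc.security.auth.* entries, fails closed when either is missing, and masks the password for logging. The class name RuntimeCredentials, its method names and the sample values are assumptions made here; it also assumes getRuntimeProperties() yields a java.util.Map, as the entrySet() call in the reply implies.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example; class and method names are hypothetical, not XWSS API.
public class RuntimeCredentials {
    // Property names as listed in items 4 and 5 of the reply.
    static final String USERNAME_KEY = "javax.xml.rpc.security.auth.username";
    static final String PASSWORD_KEY = "javax.xml.rpc.security.auth.password";
    final String username, password;

    private RuntimeCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    // Fail closed: if the caller set no credentials on the stub, build no token.
    static RuntimeCredentials from(Map<?, ?> props) {
        return new RuntimeCredentials(required(props, USERNAME_KEY), required(props, PASSWORD_KEY));
    }

    private static String required(Map<?, ?> props, String key) {
        Object value = props.get(key);
        if (!(value instanceof String) || ((String) value).isEmpty()) {
            throw new IllegalStateException("missing runtime property " + key);
        }
        return (String) value;
    }

    // Log-safe view of the runtime properties: the password value is masked.
    static String describe(Map<?, ?> props) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<?, ?> e : props.entrySet()) {
            boolean secret = PASSWORD_KEY.equals(e.getKey());
            sb.append(e.getKey()).append('=').append(secret ? "********" : e.getValue()).append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed values standing in for dynamicContext.getRuntimeProperties().
        Map<String, Object> props = new LinkedHashMap<>();
        props.put("javax.xml.rpc.service.endpoint.address", "http://localhost:8080/dynamicpolicy/Ping");
        props.put(USERNAME_KEY, "alice");
        props.put(PASSWORD_KEY, "constructed-sample-password");
        System.out.print(describe(props));
        RuntimeCredentials c = from(props);
        System.out.println("UsernameToken user: " + c.username);
    }
}
```

In the handler, the result of from(dynamicContext.getRuntimeProperties()) would supply the values for utb.setUsername and utb.setPassword, and describe(...) would stand in for the System.out.println loop so the password does not reach the console.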