Spring Web Services / SWS-849

Patch for Wss4jSecurityInterceptor 2.1.4 for securementCallbackHandler exposure as of spring-ws < 2.0.x

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      After upgrading from spring-ws 1.5.9 to the latest 2.1.4, I've noticed that org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor no longer exposes the setSecurementCallbackHandler(CallbackHandler securementCallbackHandler) method.

      My project requires a custom callback in order to properly populate the WSPasswordCallback object, but this seems no longer possible with spring-ws 2.1.x as stated here:
      https://jira.springsource.org/browse/SWS-711

      I've analyzed the wss4j 1.6.5 source code and found something interesting in org.apache.ws.security.handler.WSHandler:

          /**
           * Get a CallbackHandler instance to obtain passwords.
           * @param reqData The RequestData which supplies the message context
           * @return the CallbackHandler instance to obtain passwords.
           * @throws WSSecurityException
           */
          public CallbackHandler getPasswordCallbackHandler(RequestData reqData) 
              throws WSSecurityException {
              return 
                  getCallbackHandler(
                      WSHandlerConstants.PW_CALLBACK_CLASS,
                      WSHandlerConstants.PW_CALLBACK_REF,
                      reqData
                  );
          }

      So it seems possible to specify a callbackHandler when WSHandlerConstants.PW_CALLBACK_CLASS or WSHandlerConstants.PW_CALLBACK_REF is specified (the first represents the className of the callback to instantiate, the second is the instance itself).

      I chose to use the WSHandlerConstants.PW_CALLBACK_REF property, but it requires some changes in spring-ws code.

      Firstly, org.springframework.ws.soap.security.wss4j.Wss4jHandler uses Properties to store <String, String> pairs of options for wss4j, so it's not possible to simply store a <WSHandlerConstants.PW_CALLBACK_REF, beanReference>. I've hacked a bit and created a simple workaround:

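      import javax.security.auth.callback.CallbackHandler;
      import org.apache.ws.security.handler.WSHandlerConstants;

      // Wss4jHandler subclass that carries the callback handler as an object
      // reference, which the String-only Properties options cannot hold.
      public class SecurementCallbackAwareWss4jHandler extends Wss4jHandler {
          private CallbackHandler securementCallbackHandler;

          public void setSecurementCallbackHandler(CallbackHandler securementCallbackHandler) {
              this.securementCallbackHandler = securementCallbackHandler;
          }

          @Override
          public Object getOption(String key) {
              // Answer the PW_CALLBACK_REF lookup with the injected handler instance.
              if (WSHandlerConstants.PW_CALLBACK_REF.equals(key)) {
                  return this.securementCallbackHandler;
              }
              // Every other option still comes from the parent's Properties.
              return super.getOption(key);
          }
      }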

      Secondly, I rewrote org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor in order to use my SecurementCallbackAwareWss4jHandler as the "handler" instance and then simply re-added this setter:

      public void setSecurementCallbackHandler(CallbackHandler securementCallbackHandler) {
          handler.setSecurementCallbackHandler(securementCallbackHandler);
      }

      With those 2 changes I'm able to reuse the "securementCallbackHandler" logic.

      I hope those changes could help you.
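
      A securement callback handler of the kind the report relies on, written against the wss4j 1.6 `WSPasswordCallback` API, as an added example that is not the reporter's or the Spring WS project's code. The class name `AllowlistedPasswordCallbackHandler` and the in-memory secret map are assumptions; the handler answers only the password usages it expects and fails closed on anything else.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Hypothetical handler: supplies secrets for outbound UsernameToken and
// signature actions, keyed by the identifier wss4j passes in the callback.
public class AllowlistedPasswordCallbackHandler implements CallbackHandler {

    // Assumption: secrets are loaded elsewhere (vault, keystore config) and
    // handed in; nothing is hard-coded in this class.
    private final Map<String, String> secretsByIdentifier;

    public AllowlistedPasswordCallbackHandler(Map<String, String> secretsByIdentifier) {
        this.secretsByIdentifier = secretsByIdentifier;
    }

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            // Reject callback types this handler was never meant to answer.
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback,
                        "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;

            // Only release a secret for the usages this service configures.
            int usage = pc.getUsage();
            if (usage != WSPasswordCallback.USERNAME_TOKEN
                    && usage != WSPasswordCallback.SIGNATURE) {
                throw new UnsupportedCallbackException(callback,
                        "Unexpected password usage: " + usage);
            }

            // Unknown identifier: fail instead of sending an empty password.
            String secret = secretsByIdentifier.get(pc.getIdentifier());
            if (secret == null) {
                throw new IOException(
                        "No secret configured for identifier " + pc.getIdentifier());
            }
            pc.setPassword(secret);
        }
    }
}
```

      An instance of this class would be passed to the `setSecurementCallbackHandler` setter shown in the report.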

          Activity

          rwinch Rob Winch added a comment -

          Moved to Spring Web Services since that is where the code is located

          gregturn Greg Turnquist added a comment -

          Evaluate if we want to restore setSecurementCallbackHandler in the Spring WS 2.3 release.

          gregturn Greg Turnquist added a comment -

          When updating to wss4j 2.0, investigate supporting this request since we'll be in the middle of the same set of code.

          gregturn Greg Turnquist added a comment -

          This issue is no longer relevant as of Spring WS 2.3, which moves to wss4j 2.1.

          WajdiTn Wajdi added a comment -

          Hello Greg and all Spring folks who can read this post,
          Can you please give me a quick explanation how I can use Wss4jSecurityInterceptor without the securementCallbackHandler?
          (I have implemented a customized CallbackHandler.)
          Now I am using the 2.0.3 Release and moving to 2.2.4.RELEASE, but my web services are bugging...

          Thanks,

          gregturn Greg Turnquist added a comment -

          Check out 2.3.0.BUILD-SNAPSHOT and org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor.

          jmiddleton Jorge L. Middleton added a comment -

          @Greg, I'm wondering if you have implemented this because I cannot see it in 2.4.0

          Thanks

          gregturn Greg Turnquist added a comment -

          I'm afraid not. With 2.4, we have upgraded to wss4j 2.0, so you must use the updated API. If there is still something outstanding, feel free to write up a more detailed message in light of this major upgrade of wss4j.


            People

            • Assignee:
              gregturn Greg Turnquist
              Reporter:
              ferrerogg Gianni Ferrero
            • Votes:
              1
              Watchers:
              5
