Uploaded image for project: 'Spring Web Services'
  1. Spring Web Services
  2. SWS-849

Patch for Wss4jSecurityInterceptor 2.1.4 for securementCallbackHandler exposure as of spring-ws < 2.0.x

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      After upgrading from spring-ws 1.5.9 to latest 2.1.4 I've noticed that org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor no longer exposes the setSecurementCallbackHandler(CallbackHandler securementCallbackHandler) method.

      My project requires a custom callback in order to properly populate the WSPasswordCallback object, but this seems no longer possible with spring-ws 2.1.x as stated here:
      https://jira.springsource.org/browse/SWS-711

      I've analyzed the wss4j 1.6.5 source code and found something interesting in org.apache.ws.security.handler.WSHandler:

          /**
           * Get a CallbackHandler instance to obtain passwords.
           * @param reqData The RequestData which supplies the message context
           * @return the CallbackHandler instance to obtain passwords.
           * @throws WSSecurityException
           */
          public CallbackHandler getPasswordCallbackHandler(RequestData reqData) 
              throws WSSecurityException {
              return 
                  getCallbackHandler(
                      WSHandlerConstants.PW_CALLBACK_CLASS,
                      WSHandlerConstants.PW_CALLBACK_REF,
                      reqData
                  );
          }
      

      So it seems possible to specify a callbackHandler when WSHandlerConstants.PW_CALLBACK_CLASS or WSHandlerConstants.PW_CALLBACK_REF is specified (the first represents the className of the callback to instantiate, the second is the instance itself).

      I choose to use the WSHandlerConstants.PW_CALLBACK_REF property, but it requires some changes in spring-ws code.

      Firstly, org.springframework.ws.soap.security.wss4j.Wss4jHandler use Properties to store <String, String> pair of options for wss4j, so it's not possible to simply store a <WSHandlerConstants.PW_CALLBACK_REF, beanReference>. I've hacked a bit and created a simple workaround:

      public class SecurementCallbackAwareWss4jHandler extends Wss4jHandler {
      	private CallbackHandler	securementCallbackHandler;
      
      	public void setSecurementCallbackHandler(CallbackHandler securementCallbackHandler) {
      		this.securementCallbackHandler = securementCallbackHandler;
      	}
      
      	@Override
      	public Object getOption(String key) {
      		if (WSHandlerConstants.PW_CALLBACK_REF.equals(key))
      			return this.securementCallbackHandler;
      		else
      			return super.getOption(key);
      	}
      }
      

      Secondly, I rewrote org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor in order to use my SecurementCallbackAwareWss4jHandler as "handler" instance and the simply re-add this setter:

      public void setSecurementCallbackHandler(CallbackHandler securementCallbackHandler) {
          handler.setSecurementCallbackHandler(securementCallbackHandler);
      }
      

      With those 2 changes I'm able to reuse the "securementCallbackHandler" logic.

      I hope those changes could help you

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                gregturn Greg Turnquist
                Reporter:
                ferrerogg Gianni Ferrero
              • Votes:
                1 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: