Do you want to send a digest password, or no password at all? If the former, then you shouldn't have a "NoPassword" policy defined...
Colm. On Tue, Oct 8, 2013 at 2:06 AM, difrad76 <[email protected]> wrote: > Hello, > > Let me start by saying I am new to CXF . I am trying to implement > WS-Security using latest and greatest release of CXF which is 2.7.7. Also, > I > don't use spring framework. > > In my wsdl I have the following code for WS-Security > > <wsp:Policy wsu:Id="DoubleItDigestPolicy"> > > <sp:ProtectionToken> > <wsp:Policy> > <sp:UsernameToken > sp:IncludeToken=" > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient > "> > <wsp:Policy> > > <sp:NoPassword/> > </wsp:Policy> > </sp:UsernameToken> > </wsp:Policy> > > </sp:ProtectionToken> > </wsp:Policy> > > > In cxf-beans.xml bellow I have defined custom CallbackHandler > > <jaxws:inInterceptors> > <bean > class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> > <constructor-arg> > <map> > <entry key="action" value="UsernameToken" /> > <entry key="passwordType" value="PasswordDigest" /> > <entry key="passwordCallbackClass" > value="com.security.ServerPasswordCallback" /> > </map> > </constructor-arg> > </bean> > </jaxws:inInterceptors> > > However I am getting the following exceptions > > Oct 07, 2013 7:58:19 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor > handleMessage > WARNING: > org.apache.ws.security.WSSecurityException: The security token could not be > authenticated or authorized > at > > org.apache.ws.security.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:199) > at > > org.apache.ws.security.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:97) > at > > org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:172) > at > > org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:67) > at > > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) > at > > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:279) > at > > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95) > at > > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) > at > > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) > at > > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239) > at > > org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248) > at > > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222) > at > > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153) > at > > org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167) > at > > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) > at > > org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:641) > at > > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262) > at > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304) > at > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) > at > > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240) > at > > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164) > at > > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462) > at > > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164) > at > > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100) > at > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562) > at > > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395) > at > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250) > at > > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188) > at > > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:166) > at > > org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302) > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:724) > > Oct 07, 2013 7:58:19 PM org.apache.cxf.phase.PhaseInterceptorChain > doDefaultLogging > WARNING: Interceptor for {http://ws.security.com/}ManagerService has > thrown > exception, unwinding now > org.apache.cxf.binding.soap.SoapFault: The security token could not be > authenticated or authorized > at > > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:788) > at > > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:336) > at > > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95) > at > > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) > at > > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) > at > > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239) > at > > org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248) > at > > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222) > at > > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153) > at > > org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167) > at > > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) > at > > org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:641) > at > > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262) > at > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304) > at > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) > at > > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240) > at > > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164) > at > > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462) > at > > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164) > at > > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100) > at > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562) > at > > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395) > at > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250) > at > > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188) > at > > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:166) > at > > org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302) > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:724) > Caused by: org.apache.ws.security.WSSecurityException: The security token > could not be authenticated or authorized > at > > org.apache.ws.security.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:199) > at > > org.apache.ws.security.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:97) > at > > org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:172) > at > > org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:67) > at > > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) > at > > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:279) > ... 29 more > > > I think I need to add a custom validator but I am not sure neither how to > bind it nor which interface to implement. I am sure people had this issue > before but unfortunately I can't find a good example to send me on my way. > > Thank you for your help. > > > > -- > View this message in context: > http://cxf.547215.n5.nabble.com/Help-with-custom-user-credential-validator-tp5734798.html > Sent from the cxf-dev mailing list archive at Nabble.com. > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
