Uploaded image for project: 'WSS4J'
  1. WSS4J
  2. WSS-245

WSHandlerConstants.PW_CALLBACK_REF isn't correctly searched for

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.5.8
    • Fix Version/s: 1.5.9, 1.6
    • Component/s: WSS4J Core
    • Labels:
      None
    • Environment:
      WSS4J 1.5.8, Axis1.4, Java 5

      Description

      It looks as if only the MesageContext is searched for the PW_CALLBACK_REF property and not the HandlerOptions as well, as is the case for PW_CALLBACK_CLASS. When setting HandlerOptions on an Axis Service for UsernameToken processing on the client, you can do one of two things for configuring the PasswordCallback:

      HashMap<String, Object> hOptions = new HashMap<String, Object>();
      // options for username token handle
      hOptions.put("action", "UsernameToken");
      hOptions.put("passwordType", "PasswordDigest");
      hOptions.put("deployment", "client");
      hOptions.put("flow", "request-only");
      hOptions.put("user", username);
      hOptions.put("passwordCallbackRef", myCallBackClassObject);

      This, theoretically, simply grabs the reference to the object I hand to it and calls its "handle" method, and if I botch that, well, it's garbage in, garbage out.

      What I've been chasing is failure to handle the "passwordCallbackRef" option appropriately, and I've chased it down to this:

      in WSHandler(getPassword):799

      else if ((cbHandler = (CallbackHandler) getProperty(mc, refProp)) != null) {

      Chasing through the various methods, the outcome is that this line attempts to get the CallbackHandler directly from the MessageContext property list only, but does not also check the HandlerOptions. What should instead be done is:

      else if ((cbHandler = (CallbackHandler) getOption(refProp)) != null ||
      (cbHandler = (CallbackHandler) getProperty(mc, refProp)) != null) {

      This searches for the CallbackHandler from the HandlerOptions which has been set up as described above as well as checking the MessageContext. This is identical in operation to the way that the "passwordCallbackClass" option is searched for, i.e. via the both the HandlerOptions and the MessageContext.
      I made this change to my local copy of the WSS4J 1.5.8 source and it worked perfectly (or, at least, it worked as I expected it to work). The order can be reversed depending on which location for the property you want to override the other, but the order I have above is identical to the order in which PW_CALLBACK_CLASS is searched.

        Attachments

          Activity

            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              gernblandston Benjamin Temko
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - 1m
                1m
                Remaining:
                Remaining Estimate - 1m
                1m
                Logged:
                Time Spent - Not Specified
                Not Specified