0

I try to add the rampart security to my axis 2 web service using rampart and plain text password which should be extracted from database

what I have made

1.I have stored in a database the hashed value of "bobPW" password and the salt

In my PWCBHandler.java class

•I get the stored in password and salt •I hash pwcb.getPassword() with the stored salt •check if this hashed password is equal to the stored password

But I get null point exception is in these rows

         if((pwcb.getIdentifier().equals("bob")) && (passwordforchecking.equals(pasandsalt[0])) )

and

              passwordforchecking = hash(pwcb.getPassword(),Base64.decodeBase64(pasandsalt[1]));

But the problem that drives me really mad is that I'm sure that I extract the password and salt from the database because I have tested getdataforchecking in java application and everything is fine

code

p

ublic void handle(Callback[] callbacks)   throws IOException,  UnsupportedCallbackException
  {
     
      for (int i = 0; i < callbacks.length; i++)
       {         
        
       
            WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
            try {
                pasandsalt = getdataforChecking();
          } catch (ClassNotFoundException e1) {
              // TODO Auto-generated catch block
              e1.printStackTrace();
          }
           
            try {
                passwordforchecking = hash(pwcb.getPassword(),Base64.decodeBase64(pasandsalt[1]));
               
            } catch (Exception e) {
               
               
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
           
                   
     
             if((pwcb.getIdentifier().equals("bob")) && (passwordforchecking.equals(pasandsalt[0])) )
             {
                 return;
                
             }
         }
          
   }

  private static String hash(String password, byte[] salt) throws Exception    
  { 
             SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
           KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 65536, 256);
           return Base64.encodeBase64String(f.generateSecret(spec).getEncoded());
                  
     }
 
 
  public static String[] getdataforChecking() throws ClassNotFoundException
  {
     
      String[] arr = new String [2];
      Connection conn = null;
      Class.forName("org.postgresql.Driver");
        try
        {
            conn = DriverManager.getConnection(
                    "jdbc:postgresql://localhost:5432/plovdivbizloca",
                    "postgres", "tan");
        }

        catch (SQLException ex)
        {

            ex.printStackTrace();
        }
      
     
        Statement mystmt = null;
        String selectQuery = "select * from passwordforservice;";
        try
        {
            mystmt = conn.createStatement();
            ResultSet mysr = mystmt.executeQuery(selectQuery);
            while (mysr.next())
            {
                arr[0] = mysr.getString(1);
                arr[1]= mysr.getString(2);
               
            }
           
        }
       
       
        catch (Exception ex)
        {
            ex.printStackTrace();
           
        }
        return arr;

 
 
}

  }

Here is the complete stacktrace

java.lang.NullPointerException
[ERROR] 
java.lang.NullPointerException
    at nilo.PWCBHandler.handle(PWCBHandler.java:54)
    at org.apache.rampart.TokenCallbackHandler.handle(TokenCallbackHandler.java:98)
    at org.apache.ws.security.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:168)
    at org.apache.ws.security.validate.UsernameTokenValidator.verifyPlaintextPassword(UsernameTokenValidator.java:142)
    at org.apache.ws.security.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:100)
    at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:131)
    at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:65)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:304)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:149)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
    at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:947)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1009)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    at nilo.PWCBHandler.hash(PWCBHandler.java:69)
    at nilo.PWCBHandler.handle(PWCBHandler.java:45)
    at org.apache.rampart.TokenCallbackHandler.handle(TokenCallbackHandler.java:98)
    at org.apache.ws.security.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:168)
    at org.apache.ws.security.validate.UsernameTokenValidator.verifyPlaintextPassword(UsernameTokenValidator.java:142)
    at org.apache.ws.security.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:100)
    at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:131)
    at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:65)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:304)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:149)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
    at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:947)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1009)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Community
  • 1
  • 1
Tania Marinova
  • 1,788
  • 8
  • 39
  • 67

1 Answers1

0

Maybe you can try pwcb.setPassword("pass") after you get the password String from the database in the call back class.

Or you can try to use pwcb.getRequestData().getPwType() to check the type you have been passed.

Nunser
  • 4,512
  • 8
  • 25
  • 37
shuang
  • 203
  • 2
  • 3