
I'm required to use Apache WSS4J 1.5 for some SOAP signing/verification, however I'm having trouble skipping/disabling the UsernameToken password validation.

In WSS4J 1.6+ I am able to configure the security engine to use the NoOpValidator() class to skip the username token authentication, but 1.5 doesn't have this support.

Is there any way to tell WSS4J 1.5 to skip the Username/Password validation routine altogether?

Eric B.

2 Answers


You need to write your own callback handler implementation to skip loading the LoginContext. Then that handler class can be loaded from the system property.

Referring to the source code of javax.security.auth.callback.CallbackHandler:

A default CallbackHandler class implementation may be specified in the auth.login.defaultCallbackHandler security property.

The security property can be set in the Java security properties file located in the file named <JAVA_HOME>/lib/security/java.security. <JAVA_HOME> refers to the value of the java.home system property, and specifies the directory where the JRE is installed.

If the security property is set to the fully qualified name of a CallbackHandler implementation class, then a LoginContext will load the specified CallbackHandler and pass it to the underlying LoginModules.

The LoginContext only loads the default handler if it was not provided one. All default handler implementations must provide a public zero-argument constructor.

Also be aware of some risks that come with WSS4J 1.5.x.

Sasi Kathimanda
  • I'm still a little confused how to register the callback handler. I looked through the source code for the `UsernameTokenProcessor`, but by the time it looks at the callback handler here, it is already comparing a returned password. I need to prevent WSS4J from even trying to process the UsernameToken, but am not entirely sure what the callback handler should be or how it should be registered. Do you know if there are any docs/examples for this? I realize that WSS4J 1.5 is quite old, and all docs I have been able to find are for WSS4J 2+. – Eric B. Mar 22 '16 at 02:04
  • Ok - so I dug around in the code a little more and saw that it wasn't a CallbackHandler that I needed but a custom processor. – Eric B. Mar 22 '16 at 03:40

After digging around in the WSSecEngine class a little bit in more depth, I found that I needed not a CallbackHandler, but a custom Processor that skips the processing of the UsernameToken object:

    import java.util.Vector;
    import javax.security.auth.callback.CallbackHandler;
    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    import org.apache.ws.security.WSDocInfo;
    import org.apache.ws.security.WSSConfig;
    import org.apache.ws.security.WSSecurityEngine;
    import org.apache.ws.security.WSSecurityException;
    import org.apache.ws.security.components.crypto.Crypto;
    import org.apache.ws.security.message.token.UsernameToken;
    import org.apache.ws.security.processor.Processor;
    import org.w3c.dom.Element;

    // WSS4J 1.5 itself logs through commons-logging
    final Log logger = LogFactory.getLog("skip-username-token");
    WSSecurityEngine secEngine = new WSSecurityEngine();
    WSSConfig wsConfig = WSSConfig.newInstance();
    // Register a no-op processor for the wsse:UsernameToken QName so the engine
    // never reads the password or consults the CallbackHandler for this token.
    wsConfig.setProcessor(UsernameToken.TOKEN, new Processor() {
        @Override
        public void handleToken(Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler cb,
                WSDocInfo wsDocInfo, Vector returnResults, WSSConfig config)
                throws WSSecurityException {
            // skip the token processing: nothing is validated and no result is added to returnResults
            logger.debug("Skipping processing of the username token");
        }

        @Override
        public String getId() {
            return null;
        }
    });
    secEngine.setWssConfig(wsConfig);

Although WSS4J 1.5 is incredibly old, hopefully this may help someone else in the future.

WSS4J 1.6+ has changed the way these processors work, using Validators instead.

Eric B.
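For comparison, this is the WSS4J 1.6.x route the question mentions (a NoOpValidator registered for the UsernameToken QName), written as an added example that is not part of either answer. The class name, the `verify` and `bodyIsSigned` helpers and the body-coverage check are my own; the WSS4J calls (`WSSConfig.getNewInstance`, `setValidator`, `WSSecurityEngine.USERNAME_TOKEN`, `processSecurityHeader`, the `TAG_ACTION` and `TAG_DATA_REF_URIS` result keys) are the 1.6.x API. The point it adds to the answers above: once the username token is skipped, the signature is the only thing authenticating the message, so the helper refuses any message whose SOAP Body is not covered by a verified signature, and the principal WSS4J still attaches to the unvalidated UT result must not be used for authorization.

```java
import java.util.List;

import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.validate.NoOpValidator;
import org.w3c.dom.Document;

/**
 * Hypothetical helper (not part of WSS4J): runs the WSS4J 1.6.x security engine with
 * UsernameToken password validation disabled via NoOpValidator, then checks that the
 * SOAP Body is covered by a verified signature before the message is trusted.
 */
public class SkipUsernameTokenVerifier {

    private static final QName SOAP11_BODY = new QName(WSConstants.URI_SOAP11_ENV, WSConstants.ELEM_BODY);
    private static final QName SOAP12_BODY = new QName(WSConstants.URI_SOAP12_ENV, WSConstants.ELEM_BODY);

    private final WSSecurityEngine engine = new WSSecurityEngine();

    public SkipUsernameTokenVerifier() {
        WSSConfig config = WSSConfig.getNewInstance();
        // The UsernameTokenProcessor still parses the token and records a UT result with a
        // principal, but NoOpValidator never checks the password: that principal is unauthenticated.
        config.setValidator(WSSecurityEngine.USERNAME_TOKEN, new NoOpValidator());
        engine.setWssConfig(config);
    }

    /**
     * Processes the wsse:Security header and returns the engine results. The engine throws on a
     * bad signature, so any SIGN result that comes back is a verified one; this method additionally
     * throws when no verified signature covers the SOAP Body, since with the username token skipped
     * the signature is the only thing left that authenticates the message.
     */
    public List<WSSecurityEngineResult> verify(Document soapDoc, Crypto sigCrypto, CallbackHandler cb)
            throws WSSecurityException {
        // actor == null: process the header addressed to the default (unnamed) actor
        List<WSSecurityEngineResult> results = engine.processSecurityHeader(soapDoc, null, cb, sigCrypto);
        if (results == null) {
            throw new WSSecurityException("No wsse:Security header found");
        }
        if (!bodyIsSigned(results)) {
            throw new WSSecurityException("SOAP Body is not covered by a verified signature");
        }
        return results;
    }

    /** True if any SIGN result lists the SOAP Body (SOAP 1.1 or 1.2) among the elements it signed. */
    static boolean bodyIsSigned(List<WSSecurityEngineResult> results) {
        for (WSSecurityEngineResult result : results) {
            Integer action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
            if (action == null || action.intValue() != WSConstants.SIGN) {
                continue;
            }
            @SuppressWarnings("unchecked")
            List<WSDataRef> refs = (List<WSDataRef>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
            if (refs == null) {
                continue;
            }
            for (WSDataRef ref : refs) {
                QName signed = ref.getName();
                if (SOAP11_BODY.equals(signed) || SOAP12_BODY.equals(signed)) {
                    return true;
                }
            }
        }
        return false;
    }
}
```

The same body-coverage check applies to the 1.5 custom-processor approach in the answer above: because that processor adds nothing to `returnResults`, downstream code will see no UT result at all, so anything that previously relied on a username from the token has to be switched to the signing certificate's identity instead.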