How can I obtain UsernameToken information at the service?

When Apache Rampart (the Axis2 module that provides WS-Security and WS-SecureConversation support) or WSS4J is used to secure Web services in Axis2/Axis1.x, the results of security processing can be extracted at any point in the execution flow.
Date: Tue, 13th Jun, 2006
Ruchith Fernando
Software Engineer
WSO2 Inc.
Apache Rampart/WSS4J stores the results of security processing in the message context under the key WSHandlerConstants.RECV_RESULTS. The value is a java.util.Vector of WSHandlerResult instances, each of which holds the security processing results of a "Security" header for a certain actor. If there is only one "Security" header, there will be only a single WSHandlerResult instance in the java.util.Vector. A WSHandlerResult instance contains another java.util.Vector, which contains WSSecurityEngineResult instances. These WSSecurityEngineResult instances carry the results of security processing of a particular "Security" header. The following code snippet shows how to extract WSSecurityEngineResult instances from the message context. Note: msgCtx is the message context instance.
    import java.util.Vector;
    import org.apache.ws.security.WSSecurityEngineResult;
    import org.apache.ws.security.handler.WSHandlerConstants;
    import org.apache.ws.security.handler.WSHandlerResult;

    // One WSHandlerResult per processed "Security" header
    Vector results = (Vector) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
    if (results == null) {
        throw new RuntimeException("No security results!!");
    } else {
        for (int i = 0; i < results.size(); i++) {
            // Get hold of the WSHandlerResult instance
            WSHandlerResult rResult = (WSHandlerResult) results.get(i);
            Vector wsSecEngineResults = rResult.getResults();

            for (int j = 0; j < wsSecEngineResults.size(); j++) {
                // Get hold of the WSSecurityEngineResult instance
                WSSecurityEngineResult wser =
                        (WSSecurityEngineResult) wsSecEngineResults.get(j);
                // Process wser here
            }
        }
    }
In the case where we have a single UsernameToken in a Security header there will be one WSSecurityEngineResult instance and one can extract UsernameToken information from it as shown below:
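    import org.apache.ws.security.WSUsernameTokenPrincipal;

    // Extract the principal (wser is the UsernameToken's WSSecurityEngineResult)
    WSUsernameTokenPrincipal principal =
            (WSUsernameTokenPrincipal) wser.getPrincipal();

    // Get user/pass
    String user = principal.getName();
    String passwd = principal.getPassword();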
This is very useful when Apache Rampart/WSS4J is used to process an incoming UsernameToken that bears a plain text password, since Apache Rampart/WSS4J does not authenticate the UsernameToken. One can therefore authenticate the user at a handler or in the service implementation (anywhere that has access to the message context of the message that carried the UsernameToken).
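
One way to perform that authentication from code that holds the message context, shown as an added example that is not part of the original article or of Rampart/WSS4J. The CredentialStore interface, the ITERATIONS value and the salted PBKDF2 storage scheme are assumptions, and the code assumes a Java 8 or later runtime for PBKDF2WithHmacSHA256.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Vector;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.axis2.context.MessageContext;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

public class UsernameTokenAuthenticator {
    /** Hypothetical store of per-user salt and PBKDF2 hash; both return null for an unknown user. */
    public interface CredentialStore {
        byte[] salt(String user);
        byte[] hash(String user);
    }
    private static final int ITERATIONS = 100000; // assumed work factor

    /** Returns the authenticated user name, or throws SecurityException. */
    public static String authenticate(MessageContext msgCtx, CredentialStore store) throws GeneralSecurityException {
        Vector results = (Vector) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (results == null) throw new SecurityException("No security results");
        for (int i = 0; i < results.size(); i++) {
            Vector engineResults = ((WSHandlerResult) results.get(i)).getResults();
            for (int j = 0; j < engineResults.size(); j++) {
                WSSecurityEngineResult wser = (WSSecurityEngineResult) engineResults.get(j);
                // Skip signature, encryption and timestamp results.
                if (wser.getAction() != WSConstants.UT) continue;
                WSUsernameTokenPrincipal p = (WSUsernameTokenPrincipal) wser.getPrincipal();
                String pw = p.getPassword();
                // A digest token does not carry the clear password; this check handles plain text only.
                if (p.isPasswordDigest() || pw == null || pw.length() == 0
                        || !verify(pw.toCharArray(), store.salt(p.getName()), store.hash(p.getName())))
                    throw new SecurityException("Authentication failed"); // never log the password
                return p.getName();
            }
        }
        throw new SecurityException("No UsernameToken in request");
    }

    static boolean verify(char[] password, byte[] salt, byte[] expected) throws GeneralSecurityException {
        // Unknown user: still run PBKDF2 with a dummy salt so timing does not reveal which names exist.
        PBEKeySpec spec = new PBEKeySpec(password, salt != null ? salt : new byte[16], ITERATIONS, 256);
        byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return expected != null && MessageDigest.isEqual(actual, expected);
    }
}
```

Because the password travels in plain text inside the UsernameToken, this check is only meaningful when the message is also protected in transit, for example by transport-level TLS.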

Applies To:

  • Apache WSS4J and Apache Rampart/Java
  • JDK - 1.4, 1.5