Communications management with PasswordDigest (WSPasswordCallback from WSS4J)
0 posts in topic
Flat View  Flat View
TOPIC ACTIONS:
 

Posted By:   srgCaro
Posted On:   Wednesday, May 22, 2013 03:13 AM

      Scenario: We are developing a Java library to deploy an authentication subsystem, which acts as an intermediary of two end-points: an originator program (which sends us the SOAP message, made by the client, as a CallbackHandler implementation) and a WebService (based on CXF, which will validate de user&password given). Here it is a logical diagram of the system: |------| |-------| |Client|--SOAP msg->|Program| |--------| |------| \-Callback->|Java Lib| |--------| |--| |----| \-User&Pass-->|WS|<-(validation)->|LDAP|    More>>

 

 

 

Scenario:

We are developing a Java library to deploy an authentication subsystem, which acts as an intermediary of two end-points: an originator program (which sends us the SOAP message, made by the client, as a CallbackHandler implementation) and a WebService (based on CXF, which will validate de user&password given).

Here it is a logical diagram of the system:


			|------|            |-------|       |Client|--SOAP msg->|Program|      |--------|              |------|               \-Callback->|Java Lib|                                    |--------|      |--|                |----|                                      \-User&Pass-->|WS|<-(validation)->|LDAP|                                                    |--|   SOAP msg     |----|
		

As a is seen in other other implementations the code (to be added in our Java Lib) should be the next (taking into account that the type of the password, for -obviously- security reasons, is "PasswordDigest" (seen in the OASIS UserName Token specification , lines 196-197)):
if (callbacks[i] instanceof WSPasswordCallback)
{
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
        sString login = pc.getIdentifier(); String password = getPassword(login);
        pc.setPassword(password);
}

The line " String password = getPassword(login); " requires the local storage of a file (or a DB) in order to the user&pass maintenance and its subsequent check-up.

So, and that is the obstacle, we are NOT allowed to maintain that file. In addition, the WebService only provides an authentication service (yes/no to an user and password given) and we don't have any other access to the originator Program or to the client.

Any idea of how we should proceed?

Thanks in advance.

 

   <<Less
About | Sitemap | Contact