Finding out the "client"'s username in a method which web service client called. Tomcat, axis, wss4j, username/password tokens.

Posted By:   Anonymous
Posted On:   Thursday, September 8, 2005 06:49 AM


I have an Axis web service which requires the client to send username/password tokens for authentication. My server
does the "authentication" with no problem (matching the client's username and password with the server's password).
I have many users (that means many clients with different usernames and passwords). When a user calls
one of my allowed methods, I want to know which user called that method.
I would appreciate it if you could help me find out which "client" (user) is calling the allowed method.



I use wss4j to process username/password tokens.


In my WSDD file I have the following to show where my password checking will take place:


			












In my Callback class com.alex.ws.callback.PWCallback I have:



			

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {

        for (int i = 0; i < callbacks.length; i++) {
            System.out.println("1");
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

                if (pc.getUsage() == WSPasswordCallback.KEY_NAME) {
                    // key lookup: hand back the key held by this class
                    pc.setKey(key);
                } else {
                    // password lookup: WSS4J compares this with the token's password
                    pc.setPassword(UserStore.getPassword(pc.getIdentifer()));
                }

            } else {
                throw new UnsupportedCallbackException(callbacks[i],
                        "Unrecognized Callback");
            }
        }
    }






When the user sends a SOAP message with a Username/Password token,
the PWCallback class works fine and authentication is done with no problem.



One of my allowed methods is:


			

    public String doIt(String msg)
    {
        System.out.println("Here is the message:" + msg);

        String username = "";

        // some code to find the username
        // of the sender. Please help me in here

        System.out.println("Here is the username that sent the msg:" + username);
        return username;
    }




Can you help me find out the "username" of the client from within the allowed method?

Re: Finding out the "client"'s username in a method which web service client called. Tomcat, axis, wss4j, username/password tokens.

Posted By:   Anonymous  
Posted On:   Monday, November 7, 2005 11:56 AM

Hi Alex,

with the following modification of your code you can get at some interesting security results (see class org.apache.ws.security.WSSecurityEngineResult):


    // imports needed by this method
    import java.util.Vector;
    import org.apache.axis.MessageContext;
    import org.apache.ws.security.WSConstants;
    import org.apache.ws.security.WSSecurityEngineResult;
    import org.apache.ws.security.handler.WSHandlerConstants;
    import org.apache.ws.security.handler.WSHandlerResult;

    public String doIt(String msg)
    {
        System.out.println("Here is the message:" + msg);

        String username = "";

        // some code to find the username
        // of the sender. Please help me in here

        // get the message context first
        MessageContext msgContext = MessageContext.getCurrentContext();

        Vector results = null;
        // get the result Vector from the property
        if ((results = (Vector) msgContext.getProperty(WSHandlerConstants.RECV_RESULTS)) == null) {
            System.out.println("No security results!!");
        } else {
            System.out.println("Number of results: " + results.size());
            for (int i = 0; i < results.size(); i++) {
                WSHandlerResult hResult = (WSHandlerResult) results.get(i);
                Vector hResults = hResult.getResults();
                for (int j = 0; j < hResults.size(); j++) {
                    WSSecurityEngineResult eResult = (WSSecurityEngineResult) hResults.get(j);
                    // Note: an encryption action does not have an associated principal
                    // only Signature and UsernameToken actions return a principal
                    if (eResult.getAction() != WSConstants.ENCR) {
                        System.out.println("eResult[" + j + "].principal=" + eResult.getPrincipal());
                        if (eResult.getPrincipal() != null) {
                            System.out.println("eResult[" + j + "].principal.name=" + eResult.getPrincipal().getName());
                            // store user name
                            username = eResult.getPrincipal().getName();
                        }
                    }
                }
            }
        }

        System.out.println("Here is the username that sent the msg:" + username);
        return username;
    }
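
A stricter variant of the lookup in the reply above, as an added example that is not part of the original thread or of Axis/WSS4J: it accepts only UsernameToken results and fails closed when none is present, so a service method never proceeds with an empty or ambiguous caller name. The class name CallerIdentity and method requireUsername are hypothetical, and the code assumes the same WSS4J 1.x API used in the reply (getAction(), getPrincipal(), WSConstants.UT).

```java
import java.security.Principal;
import java.util.Vector;

import org.apache.axis.MessageContext;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

/** Hypothetical helper; assumes the WSS4J 1.x result API shown in the reply. */
public final class CallerIdentity {

    private CallerIdentity() {}

    /**
     * Returns the name from the verified UsernameToken of the current request.
     * Throws if no UsernameToken was processed or if tokens name different users.
     */
    public static String requireUsername() {
        MessageContext ctx = MessageContext.getCurrentContext();
        if (ctx == null) {
            throw new SecurityException("No Axis message context");
        }
        Vector results = (Vector) ctx.getProperty(WSHandlerConstants.RECV_RESULTS);
        String username = null;
        if (results != null) {
            for (int i = 0; i < results.size(); i++) {
                Vector engineResults = ((WSHandlerResult) results.get(i)).getResults();
                for (int j = 0; j < engineResults.size(); j++) {
                    WSSecurityEngineResult r = (WSSecurityEngineResult) engineResults.get(j);
                    if (r.getAction() != WSConstants.UT) {
                        continue; // ignore signature, encryption and other results
                    }
                    Principal p = r.getPrincipal();
                    if (p == null || p.getName() == null) {
                        continue;
                    }
                    if (username != null && !username.equals(p.getName())) {
                        throw new SecurityException("Conflicting UsernameTokens");
                    }
                    username = p.getName();
                }
            }
        }
        if (username == null) {
            throw new SecurityException("No authenticated UsernameToken");
        }
        return username;
    }
}
```

Inside doIt, the whole lookup then becomes a single call: String username = CallerIdentity.requireUsername();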