javacxfws-securitywss4j

How to make WSS4J load the keystore password from a callback?

I'm using Apache CXF to build a Web Service. It uses Apache WSS4J to provide WS-Security functionality. I need to make a SOAP request and it must be signed.

This is the content of the properties file I pass to WSS4J:

org.apache.ws.security.crypto.provider = org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type = PKCS12
org.apache.ws.security.crypto.merlin.keystore.provider = BC
org.apache.ws.security.crypto.merlin.keystore.password = 12345678
org.apache.ws.security.crypto.merlin.keystore.alias = my-alias
org.apache.ws.security.crypto.merlin.keystore.file = my_certificate.p12

I want to get rid of that line with my password wrote as plain text. I removed that line and provided a password callback handler to my WSS4JOutInterceptor, like in the code above:

public SoapInterceptor newSignerInterceptor() {
    Map<String, Object> outProps = new HashMap<String, Object>();
    outProps.put(WSHandlerConstants.ACTION, "Signature");
    outProps.put(WSHandlerConstants.USER, config.getKeyAlias());
    outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
    outProps.put(WSHandlerConstants.USE_REQ_SIG_CERT, WSHandlerConstants.SIGNATURE_USER);
    outProps.put(WSHandlerConstants.USE_SINGLE_CERTIFICATE, "false");
    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, this.getClass().getName());
    outProps.put(WSHandlerConstants.SIG_PROP_FILE, config.getPropertiesFileName());
    return new WSS4JOutInterceptor(outProps);

}

@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for (int i = 0; i < callbacks.length; i++) {
        if (callbacks[i] instanceof WSPasswordCallback) {
            ((WSPasswordCallback) callbacks[i]).setPassword(password);
        }
    }
}

But that didn't work. It doesn't find the password in the properties file and uses a default password, "security".

How to make it use a callback to get the password?

Solution

  • You can implement a CallbackHandler:

    public class PasswordCallbackHandler implements CallbackHandler {

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for(Callback callBack:callbacks){
            if(callBack instanceof WSPasswordCallback){
                ((WSPasswordCallback)callBack).setPassword("password");
            }
        }
    }
}

    then add the handler to the properties: 

    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, PasswordCallbackHandler.class);

    you can also use PW_CALLBACK_REF to set a reference of the handler.