[jboss-user] [JBossWS] - WS-Security Username Token Password Digest

bschmoll1 do-not-reply at jboss.com
Sun Nov 30 17:02:08 EST 2008 

I'm having some dfficulty in converting a web service from a cleartext password to using a password digest. Following the directions from http://jbossws.jboss.org/mediawiki/index.php?title=WS-Security_options I've created a "JBossWSDigest" application policy in the login-config.xml 

  |     <application-policy name="JBossWSDigest">
  |   <authentication>
  |     <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
  |       <module-option name="usersProperties">props/jbossws-users.properties</module-option>
  |       <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
  |       <module-option name="hashAlgorithm">SHA</module-option>
  |       <module-option name="hashEncoding">BASE64</module-option>
  |       <module-option name="hashUserPassword">false</module-option>
  |       <module-option name="hashStorePassword">true</module-option>
  |       <module-option name="storeDigestCallback">org.jboss.ws.extensions.security.auth.callback.UsernameTokenCallback</module-option>
  |       <module-option name="unauthenticatedIdentity">anonymous</module-option>
  |     </login-module>
  |   </authentication>
  |     </application-policy>
  | 

The jboss-wsse-server.xml 

  | <?xml version="1.0" encoding="UTF-8"?>
  | <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
  |                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  |                          xsi:schemaLocation="http://www.jboss.com/ws-security/config 
  |                          http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
  | 	 <config>
  | 		<requires/>
  | 		<username digestPassword="true" useNonce="true" useCreated="true"/> 
  | 		<authenticate>
  | 			<usernameAuth/>
  | 		</authenticate>
  | 		<!-- <timestamp ttl="300"/> -->
  | 	</config>
  | </jboss-ws-security>
  | 

When I call the service via soapUI the following is dumped in the server.log

  | 2008-11-28 12:24:04,065 DEBUG [org.jboss.ejb3.security.Ejb3AuthenticationInterceptor] Authentication failure
  | javax.security.auth.login.LoginException: storeDigestCallback callback failed
  | 	at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:409)
  | 	at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:209)
  | 	at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
  | 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  | 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  | 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  | 	at java.lang.reflect.Method.invoke(Method.java:597)
  | 	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
  | 	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  | 	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  | 	at java.security.AccessController.doPrivileged(Native Method)
  | 	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  | 	at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
  | 	at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
  | 	at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
  | 	at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
  | 	at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:123)
  | 	at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:66)
  | 	at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 	at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 	at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 	at org.jboss.wsf.container.jboss42.InvocationHandlerEJB3.invoke(InvocationHandlerEJB3.java:103)
  | 	at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:221)
  | 	at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:466)
  | 	at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:284)
  | 	at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:201)
  | 	at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:134)
  | 	at org.jboss.wsf.stack.jbws.EndpointServlet.service(EndpointServlet.java:84)
  | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  | 	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
  | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  | 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
  | 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
  | 	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
  | 	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
  | 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
  | 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
  | 	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
  | 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  | 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
  | 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
  | 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
  | 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
  | 	at java.lang.Thread.run(Thread.java:619)
  | Caused by: javax.security.auth.callback.UnsupportedCallbackException: Unrecognized Callback
  | 	at org.jboss.security.auth.callback.SecurityAssociationHandler.handle(SecurityAssociationHandler.java:128)
  | 	at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:955)
  | 	at java.security.AccessController.doPrivileged(Native Method)
  | 	at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:951)
  | 	at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:399)
  | 	... 49 more
  | 
It seems like the exception is due to the "Unrecognized Callback" but I don't see what I'm missing in the configuration. 

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4193274#4193274

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4193274

More information about the jboss-user mailing list