Examples of org.apache.ws.security.WSPasswordCallback

• org.apache.ws.security.WSPasswordCallback
  Simple class to provide a password callback mechanism.

  It uses the JAAS authentication mechanisms and callback methods. In addition to the identifier (user name) this class also provides information what type of information the callback handle method shall provide.

  The WSPasswordCallback class defines the following usage codes:

  • UNKNOWN - an unknown usage. Never used by the WSS4J implementation and shall be treated as an error by the handle method.
  • DECRYPT - need a password to get the private key of this identifier (username) from the keystore. WSS4J uses this private key to decrypt the session (symmetric) key. Because the encryption method uses the public key to encrypt the session key it needs no password (a public key is usually not protected by a password).
  • USERNAME_TOKEN - need the password to fill in or to verify a UsernameToken.
  • SIGNATURE - need the password to get the private key of this identifier (username) from the keystore. WSS4J uses this private key to produce a signature. The signature verification uses the public key to verify the signature.
  • KEY_NAME - need the key, not the password, associated with the identifier. WSS4J uses this key to encrypt or decrypt parts of the SOAP request. Note, the key must match the symmetric encryption/decryption algorithm specified (refer to {@link org.apache.ws.security.handler.WSHandlerConstants#ENC_SYM_ALGO}).
  • USERNAME_TOKEN_UNKNOWN - either an not specified password type or a password type passwordText. In these both cases only the password variable is set. The callback class now may check if the username and password match. If they don't match the callback class must throw an exception. The exception can be a UnsupportedCallbackException or an IOException.
  • SECURITY_CONTEXT_TOKEN - need the key to to be associated with a wsc:SecurityContextToken.

  @author Werner Dittmann (Werner.Dittmann@siemens.com).

            * - the alias name for the private key
            *
            * Now use the callback here to get password that enables
            * us to read the private key
            */
            WSPasswordCallback pwCb = new WSPasswordCallback(alias, WSPasswordCallback.DECRYPT);
            Callback[] callbacks = new Callback[1];
            callbacks[0] = pwCb;
            try {
                cb.handle(callbacks);
            } catch (IOException e) {
                throw new WSSecurityException(WSSecurityException.FAILURE,
                        "noPassword",
                        new Object[]{alias});
            } catch (UnsupportedCallbackException e) {
                throw new WSSecurityException(WSSecurityException.FAILURE,
                        "noPassword",
                        new Object[]{alias});
            }
            String password = pwCb.getPassword();
            if (password == null) {
                throw new WSSecurityException(WSSecurityException.FAILURE,
                        "noPassword", new Object[]{alias});
            }

    public static SAMLKeyInfo getSAMLKeyInfo(SAMLAssertion assertion, Crypto crypto,
            CallbackHandler cb) throws WSSecurityException {

        //First ask the cb whether it can provide the secret
        WSPasswordCallback pwcb = new WSPasswordCallback(assertion.getId(), WSPasswordCallback.CUSTOM_TOKEN);
        if (cb != null) {
            try {
                cb.handle(new Callback[]{pwcb});
            } catch (Exception e1) {
                throw new WSSecurityException(WSSecurityException.FAILURE, "noKey",
                        new Object[] { assertion.getId() }, e1);
            }
        }

        byte[] key = pwcb.getKey();

        if (key != null) {
            return new SAMLKeyInfo(assertion, key);
        } else {
            Iterator statements = assertion.getStatements();

        for (int i = 0; i < callbacks.length; i++) {

            if (callbacks[i] instanceof WSPasswordCallback) {

                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

                /*

                * This usage type is used only in case we received a

                * username token with a secret of type PasswordText or

                * an unknown secret type.

                *

                * This case the WSPasswordCallback object contains the

                * identifier (aka username), the secret we received, and

                * the secret type string to identify the type.

                *

                * Here we perform only a very simple check.

                */

                if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {

                    if (pc.getIdentifer().equals("Ron") && pc.getPassword().equals("noR")) {

                        return;

                    }

                    if (pc.getIdentifer().equals("joe") && pc.getPassword().equals("eoj")) {

                        return;

                    }

                    if (pc.getPassword().equals("sirhC")) {

                        return;

                    }

                    throw new UnsupportedCallbackException(callbacks[i],

                        "check failed");

                }

                /*

                 * here call a function/method to lookup the secret for

                 * the given identifier (e.g. a user name or keystore alias)

                 * e.g.: pc.setSecret(passStore.getSecret(pc.getIdentfifier))

                 * for Testing we supply a fixed name here.

                 */

                if (pc.getUsage() == WSPasswordCallback.KEY_NAME) {

                    pc.setKey(key);

                } else if (pc.getIdentifer().equals("alice")) {

                    pc.setPassword("password");

                } else if (pc.getIdentifer().equals("bob")) {

                    pc.setPassword("password");

                } else if (pc.getIdentifer().equals("Ron")) {

                    pc.setPassword("noR");

                } else if (pc.getIdentifer().equals("joe")) {

                    pc.setPassword("eoj");

                } else if (pc.getIdentifer().equals("ip")) {

                    pc.setPassword("password");

                } else {

                    pc.setPassword("sirhC");

                }

            } else {

        if (signToken) {
            STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();

            // Get the password
            String alias = stsProperties.getSignatureUsername();
            WSPasswordCallback[] cb = {new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE)};
            LOG.fine("Creating SAML Token");
            stsProperties.getCallbackHandler().handle(cb);
            String password = cb[0].getPassword();

            LOG.fine("Signing SAML Token");

                handler.getCallbackHandler(
                    WSHandlerConstants.ENC_CALLBACK_CLASS,
                    WSHandlerConstants.ENC_CALLBACK_REF,
                    reqData
                );
            WSPasswordCallback passwordCallback =
                handler.getPasswordCB(reqData.getEncUser(), actionToDo, callbackHandler, reqData);
            byte[] embeddedKey = passwordCallback.getKey();
            wsEncrypt.setKey(embeddedKey);
            wsEncrypt.setDocument(doc);
        }
        if (reqData.getEncSymmAlgo() != null) {
            wsEncrypt.setSymmetricEncAlgorithm(reqData.getEncSymmAlgo());
        }
        if (reqData.getEncKeyTransport() != null) {
            wsEncrypt.setKeyEnc(reqData.getEncKeyTransport());
        }
        if (reqData.getEncDigestAlgorithm() != null) {
            wsEncrypt.setDigestAlgorithm(reqData.getEncDigestAlgorithm());
        }

        wsEncrypt.setUserInfo(reqData.getEncUser());
        wsEncrypt.setUseThisCert(reqData.getEncCert());
        Crypto crypto = reqData.getEncCrypto();
        boolean enableRevocation = Boolean.valueOf(handler.getStringOption(WSHandlerConstants.ENABLE_REVOCATION));
        if (enableRevocation && crypto != null) {
            CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
            cryptoType.setAlias(reqData.getEncUser());
            X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
            if (certs != null && certs.length > 0) {
                crypto.verifyTrust(certs, enableRevocation);
            }
        }
        if (reqData.getEncryptParts().size() > 0) {
            wsEncrypt.setParts(reqData.getEncryptParts());
        }
        if (!reqData.getEncryptSymmetricEncryptionKey()) {
            CallbackHandler callbackHandler =
                handler.getPasswordCallbackHandler(reqData);
            WSPasswordCallback passwordCallback =
                handler.getPasswordCB(reqData.getEncUser(), actionToDo, callbackHandler, reqData);
            wsEncrypt.setEphemeralKey(passwordCallback.getKey());
            wsEncrypt.setEncryptSymmKey(reqData.getEncryptSymmetricEncryptionKey());
        }
        try {
            wsEncrypt.build(doc, reqData.getEncCrypto(), reqData.getSecHeader());
        } catch (WSSecurityException e) {

        if (handler == null) {
            policyNotAsserted(info, "No callback handler and no password available");
            return null;
        }

        WSPasswordCallback[] cb = {new WSPasswordCallback(userName, type)};
        try {
            handler.handle(cb);
        } catch (Exception e) {
            policyNotAsserted(info, e);
        }

            store = st;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                WSPasswordCallback pc = (WSPasswordCallback)callbacks[i];

                String id = pc.getIdentifier();

                if (SecurityTokenReference.ENC_KEY_SHA1_URI.equals(pc.getType())
                    || WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(pc.getType())) {
                    for (SecurityToken token : store.getValidTokens()) {
                        if (id.equals(token.getSHA1())) {
                            pc.setKey(token.getSecret());
                            return;
                        }
                    }
                } else {
                    SecurityToken tok = store.getToken(id);
                    if (tok != null) {
                        pc.setKey(tok.getSecret());
                        pc.setCustomToken(tok.getToken());
                        return;
                    }
                }
            }
            if (internal != null) {

            store = st;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                WSPasswordCallback pc = (WSPasswordCallback)callbacks[i];

                String id = pc.getIdentifier();

                if (SecurityTokenReference.ENC_KEY_SHA1_URI.equals(pc.getType())
                    || WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(pc.getType())) {
                    for (String tokenId : store.getTokenIdentifiers()) {
                        SecurityToken token = store.getToken(tokenId);
                        if (token != null && id.equals(token.getSHA1())) {
                            pc.setKey(token.getSecret());
                            return;
                        }
                    }
                } else {
                    SecurityToken tok = store.getToken(id);
                    if (tok != null) {
                        pc.setKey(tok.getSecret());
                        pc.setCustomToken(tok.getToken());
                        return;
                    }
                }
            }
            if (internal != null) {

     * It attempts to get the password from the private
     * alias/passwords map.
     */
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pc = (WSPasswordCallback)callbacks[i];

            String pass = passwords.get(pc.getIdentifer());
            if (pass != null) {
                pc.setPassword(pass);
                return;
            }
        }
    }

            sigAlgo = SSOConstants.DSA_SHA1;
        }
        LOG.fine("Using Signature algorithm " + sigAlgo);

        // Get the password
        WSPasswordCallback[] cb = {new WSPasswordCallback(signatureUser, WSPasswordCallback.SIGNATURE)};
        callbackHandler.handle(cb);
        String password = cb[0].getPassword();

        // Get the private key
        PrivateKey privateKey = null;