Examples of org.apache.wss4j.common.ext.WSPasswordCallback

• org.apache.wss4j.common.ext.WSPasswordCallback
  Simple class to provide a password callback mechanism.

  It uses the JAAS authentication mechanisms and callback methods. In addition to the identifier (user name) this class also provides information what type of information the callback handle method shall provide.

  The WSPasswordCallback class defines the following usage codes:

  • UNKNOWN - an unknown usage. Never used by the WSS4J implementation and shall be treated as an error by the handle method.
  • DECRYPT - need a password to get the private key of this identifier (username) from the keystore. WSS4J uses this private key to decrypt the session (symmetric) key. Because the encryption method uses the public key to encrypt the session key it needs no password (a public key is usually not protected by a password).
  • USERNAME_TOKEN - need the password to fill in or to verify a UsernameToken.
  • SIGNATURE - need the password to get the private key of this identifier (username) from the keystore. WSS4J uses this private key to produce a signature. The signature verification uses the public key to verify the signature.
  • SECURITY_CONTEXT_TOKEN - need the key to to be associated with a wsc:SecurityContextToken.
  • PASSWORD_ENCRYPTOR_PASSWORD - return the password used with a PasswordEncryptor implementation to decrypt encrypted passwords stored in Crypto properties files

     */
    private String getPassword(
        String identifier,
        CallbackHandler cb
    ) throws WSSecurityException {
        WSPasswordCallback pwCb =
            new WSPasswordCallback(identifier, WSPasswordCallback.Usage.DECRYPT);
        try {
            Callback[] callbacks = new Callback[]{pwCb};
            cb.handle(callbacks);
        } catch (IOException e) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE,
                "noPassword",
                new Object[]{identifier},
                e
            );
        } catch (UnsupportedCallbackException e) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE,
                "noPassword",
                new Object[]{identifier},
                e
            );
        }

        return pwCb.getPassword();
    }

    public JasyptPasswordEncryptor(CallbackHandler callbackHandler, String algorithm) {
        passwordEncryptor = new StandardPBEStringEncryptor();
        passwordEncryptor.setAlgorithm(algorithm);

        WSPasswordCallback pwCb =
            new WSPasswordCallback("", WSPasswordCallback.Usage.PASSWORD_ENCRYPTOR_PASSWORD);
        try {
            callbackHandler.handle(new Callback[]{pwCb});
        } catch (IOException e) {
            LOG.debug("Error in getting master password: ", e);
        } catch (UnsupportedCallbackException e) {
            LOG.debug("Error in getting master password: ", e);
        }
        if (pwCb.getPassword() != null) {
            passwordEncryptor.setPassword(pwCb.getPassword());
        }
    }

    /**
     * Set the raw (plain text) password used to compute secret key.
     */
    public void setRawPassword(RequestData data) throws WSSecurityException {
        WSPasswordCallback pwCb =
            new WSPasswordCallback(
                getName(), getPassword(), getPasswordType(),
                WSPasswordCallback.Usage.USERNAME_TOKEN
            );

        if (data.getCallbackHandler() == null) {
            LOG.debug("CallbackHandler is null");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        try {
            data.getCallbackHandler().handle(new Callback[]{pwCb});
        } catch (IOException e) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(e.getMessage(), e);
            }
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e
            );
        } catch (UnsupportedCallbackException e) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(e.getMessage(), e);
            }
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e
            );
        }
        rawPassword = pwCb.getPassword();
    }

    public void handle(Callback[] callbacks)
        throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                //
                // Deliberately wrong password
                //
                pc.setPassword("securit");
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (callback instanceof WSPasswordCallback) {
                    WSPasswordCallback passwordCallback = (WSPasswordCallback)callback;
                    if (passwordCallback.getUsage() == WSPasswordCallback.Usage.CUSTOM_TOKEN) {
                        passwordCallback.setCustomToken(customElement);
                        return;
                    }
                }
            }

        final String password;
        if (passwordType != null) {
            password = passwordType.getValue();
        } else if (salt != null) {
            WSPasswordCallback pwCb = new WSPasswordCallback(username.getValue(),
                   WSPasswordCallback.Usage.USERNAME_TOKEN);
            try {
                WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), pwCb);
            } catch (WSSecurityException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
            }
            password = pwCb.getPassword();
        } else {
            password = null;
        }

        UsernameSecurityTokenImpl usernameSecurityToken = new UsernameSecurityTokenImpl(

        PasswordString passwordType,
        byte[] nonceVal,
        String created,
        TokenContext tokenContext
    ) throws WSSecurityException {
        WSPasswordCallback pwCb = new WSPasswordCallback(username,
                null,
                passwordType.getType(),
                WSPasswordCallback.Usage.USERNAME_TOKEN);
        try {
            WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), pwCb);
        } catch (WSSecurityException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }

        if (pwCb.getPassword() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }

        String passDigest = WSSUtils.doPasswordDigest(nonceVal, created, pwCb.getPassword());
        if (!passwordType.getValue().equals(passDigest)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        passwordType.setValue(pwCb.getPassword());
    }

    protected void verifyPlaintextPassword(
        String username,
        PasswordString passwordType,
        TokenContext tokenContext
    ) throws WSSecurityException {
        WSPasswordCallback pwCb = new WSPasswordCallback(username,
                null,
                passwordType.getType(),
                WSPasswordCallback.Usage.USERNAME_TOKEN);
        try {
            WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), pwCb);
        } catch (WSSecurityException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }

        if (pwCb.getPassword() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }

        if (!passwordType.getValue().equals(pwCb.getPassword())) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        passwordType.setValue(pwCb.getPassword());
    }

                Key key = getSecretKey().get(algorithmURI);
                if (key != null) {
                    return key;
                }

                WSPasswordCallback passwordCallback = new WSPasswordCallback(
                        identifier, WSPasswordCallback.Usage.SECURITY_CONTEXT_TOKEN);
                WSSUtils.doSecretKeyCallback(
                        tokenContext.getWssSecurityProperties().getCallbackHandler(), passwordCallback, null);
                if (passwordCallback.getKey() == null) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE,
                            "noKey", securityContextTokenType.getId());
                }
                String keyAlgorithm = JCEMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
                key = new SecretKeySpec(passwordCallback.getKey(), keyAlgorithm);
                setSecretKey(algorithmURI, key);
                return key;
            }

            @Override

            }
        }

        // We have no supplied key. So use the PasswordCallback to get a secret key or password
        String alias = securityProperties.getSignatureUser();
        WSPasswordCallback pwCb = new WSPasswordCallback(alias, WSPasswordCallback.Usage.SIGNATURE);
            WSSUtils.doPasswordCallback(securityProperties.getCallbackHandler(), pwCb);

        String password = pwCb.getPassword();
        byte[] secretKey = pwCb.getKey();
        Key key = null;
        X509Certificate[] x509Certificates = null;
        try {
            if (password != null && securityProperties.getSignatureCrypto() != null) {
                key = securityProperties.getSignatureCrypto().getPrivateKey(alias, password);