
Runtime Information in samlHandler (CallbackHandler)

38 replies [Last post]
ernestojpg
Offline
Joined: 2005-10-09

The classes implementing 'CertSelector' interface can have a constructor which takes a 'Map' as an argument. WSIT Security runtime would instantiate the class passing it a 'Map' of Runtime Properties. And the 'select()' method of 'AliasSelector' is passed a 'Map' of Runtime Properties too. Developers can then set some properties from their client code and then use those properties inside the 'AliasSelector' or 'CertSelector' to dynamically select the Alias/Certificate.

But I need a similar mechanism in my samlHandler (CallbackHandler) to dynamically issue the proper SAML Assertion on the client side. Is this possible?

Thanks!

shyam_rao
Offline
Joined: 2006-05-05

This issue is fixed. Please verify it with today's nightly build.

ernestojpg
Offline
Joined: 2005-10-09

Well, I tested it and seems to work fine. For me, this is one of the most significant improvements in Metro 1.2. Thank you Kumar and Shyam! :D

With regard to my 'Metro Success Story', I'm working on my 'Degree Final Project', which consists of a system for simulating communications at Socket level using Web Services. In this way, all communications go over HTTP, thus avoiding problems with firewalls, NAT, etc.

On the client side, a simple Java SE client is installed, that creates a listener socket. When a new connection is received, the client sends the data to the Web Service, and it (the WS) sends the data to the real server (for example, a mail server). Two-way communication of the socket is simulated with the 'comet' technique.

A fundamental point of the system is security, which is built on the basis of the separation of the authorization and access control management responsibilities. For this reason, the client must first access a 'Secure Token Service' to obtain an 'Authorization Token'. The client must send a set of attribute certificates to the STS, signed by an 'Attribute Authority'.

The Metro project has enabled me to perform the following tasks:

+ To implement this three-part system (client, server, and STS) easily. It can be done easily with NetBeans.
+ Creating and managing SAML assertions. SAML assertions are used to transport the client's attributes, and the authorization decision of the STS.
+ Establishing a Secure Conversation between the client and server. This is extremely important because it provides us with integrity and confidentiality in a very efficient way.

This is only an overview. When I have finished the project, I can explain it in more detail.

Thanks!

kumarjayanti
Offline
Joined: 2003-12-10

Thanks a Lot for the writeup. Wish you good luck.

Thanks,
kumar

ernestojpg
Offline
Joined: 2005-10-09

Hi Kumar!

After this, I only have to test the renewal of the Secure Conversations. I'll let you know if I find any issue about it.

What do you mean by 'provide a Metro Success Story'? Do you mean I write a paper explaining my application?

Regards.

kumarjayanti
Offline
Joined: 2003-12-10

> Hi Kumar!
>
> After this, I only have to test the renewal of the
> Secure Conversations. I let you know if I find any
> issue about it.

OK...
>
> What do you mean by 'provide a Metro Success Story'?
> Do you mean I write a paper explaining my
> application?
Certainly not a whole paper :-) but a few lines explaining your successful usage of Metro.

Thanks.

kumarjayanti
Offline
Joined: 2003-12-10

After we fix this issue, are there any other issues pending for you?

I mean, will your App be ready :-) for deployment? If so, then are you willing to provide us a Metro Success Story?

I know we took a long time to fix your issues (because we had to work on other higher priority customer issues) and you had given us valuable feedback and pointed out issues in our impl.

Thanks,
kumar

ernestojpg
Offline
Joined: 2005-10-09

Hi Kumar!

I've tested it and it seems to work perfectly! Thanks! :D

I've found a related issue. When I use 'Secure Conversation', the Runtime Properties are not passed to either SAMLCallBackHandler, KeyStoreCallbackHandler, TrustStoreCallbackHandler, or AliasSelector, ...

It is not a regression, since neither worked before. Do you want me to file a new issue?

Regards.

kumarjayanti
Offline
Joined: 2003-12-10

Good to know it is working for you.

Yes please file a bug for RuntimeProperties not being present for SecureConversation.

ernestojpg
Offline
Joined: 2005-10-09

Thanks Kumar! It looks great! :D

I suppose that I can use an 'AliasSelector' and a 'CertSelector' too, can't I?

Can I use this new feature with today's nightly build?

Thanks!

kumarjayanti
Offline
Joined: 2003-12-10

Yes, I realized that this would be your next question :-). They should continue to work. Let me know...

ernestojpg
Offline
Joined: 2005-10-09

Thank you very much for your effort, Kumar. I hope you can implement the feature soon ;)

kumarjayanti
Offline
Joined: 2003-12-10

Hi,

I have implemented a solution that will work for your problem and hopefully for a few others who are having a different issue with the keystore and truststore.

Please take a look at the details in :
https://wsit.dev.java.net/issues/show_bug.cgi?id=844

And let me know. I am sure it will solve your problem as well, except that you will have to change your code a bit.

If it does not, then I will try to solve your problem the way we discussed earlier.

ernestojpg
Offline
Joined: 2005-10-09

Hi Kumar!

Any news on this improvement? Will it be ready for the Metro 1.2 Final Release?

Thanks!

kumarjayanti
Offline
Joined: 2003-12-10

Will try to get this done over the weekend. I can't spend my weekdays on this because of other high priority stuff, and last weekend I could not do any work.

ernestojpg
Offline
Joined: 2005-10-09

Thanks Kumar! That would be great! :D

I await your news!

Regards.

ernestojpg
Offline
Joined: 2005-10-09

Thanks Kumar!

It would be great if that could be done! I await your news ;)

kumarjayanti
Offline
Joined: 2003-12-10

As the code exists today it won't work; you will not get RuntimeProperties because the callbacks for this are done during service.getXXPort() calls. I think I can delay this and support your usecase. I will work on it early next week if that is fine with you.

Thanks.

ernestojpg
Offline
Joined: 2005-10-09

Hi!

Any news? I thought about creating my own xwssCallbackHandler, but because of the way it is instantiated (an empty constructor) I think it would not solve my problem :(

It's important for me to have access to the properties from the 'Key Password Selector'. Any help?

kumarjayanti
Offline
Joined: 2003-12-10

Sorry, I was on leave the whole of last week. Expect an email from me by tomorrow on whether this is possible.

ernestojpg
Offline
Joined: 2005-10-09

Hi! Any news about that?

Regards.

ernestojpg
Offline
Joined: 2005-10-09

Thanks for your help Kumar,

I need to have the runtime properties in my custom 'Alias Selector' (this works fine), and in my custom 'Key Password Selector' (this doesn't work because it receives a javax.security.auth.callback.PasswordCallback).

The reason is that my client should be able to call different web services, and these calls may use different Key Aliases and different passwords for these Key Aliases.

I think the problem is that this callback is generated during DefaultCallbackHandler instantiation, isn't it? And I don't know if the runtime properties are available at this point ...

kumarjayanti
Offline
Joined: 2003-12-10

Yes, the password callback is generated during instantiation of Default CBH. Whether runtime props are available at that time or not, let me check and get back.

ernestojpg
Offline
Joined: 2005-10-09

Hi Kumar!

I think it's a good idea. I've tested the 4th Feb nightly build, but it doesn't work yet.

I've added the 'useXWSSCallbacks' attribute in my WSIT config file like this:

...

but my custom 'handlers.KeyPassSelector' class is still receiving a javax.security.auth.callback.PasswordCallback.

Regards.

kumarjayanti
Offline
Joined: 2003-12-10

Hi,

>
> > wspp:visibility="private" useXWSSCallbacks="true"
> > classname="handlers.SamlCallbackHandler"/>
> /sc:CallbackHandlerConfiguration>
> ...
>

You do not have a usernameHandler or a passwordHandler configured in your config. If you do that, then you should really see:

com.sun.xml.wss.impl.callback.UsernameCallback and
com.sun.xml.wss.impl.callback.PasswordCallback getting used

Now I see that you need this functionality even for the Password Callbacks that happen for the Keystore Access.

So I missed out on changing that, but I would like to state that we try to make sure the keystore url and password are correct much ahead of the actual request being made (during Initialization of the Service/Proxy),

And we do not try to re-open the keystore (with a password) on each request. So I am afraid I cannot provide any runtimeproperties over there even if I make it use XWSS Callbacks.

Let me know if that is fine.

ernestojpg
Offline
Joined: 2005-10-09

Thanks Kumar. It is essential for me, since my client should call different web services, and these calls may use different Key Aliases and different passwords for these Key Aliases.

This workaround could be enough for me. I will wait for your news about the best way to do this. Please, let me know.

Thanks!

kumarjayanti
Offline
Joined: 2003-12-10

Please take the 4th Feb nightly and you will have to add the attribute:

useXWSSCallbacks="true" on CallbackHandlerConfiguration element.

I am yet to test it out and so please let me know if you happen to test it before me.

Thanks.

ernestojpg
Offline
Joined: 2005-10-09

Hi Kumar!

It works fine. Thanks! :)

Another question. How can I access the Runtime Properties from my custom Key Password Handler?

I've seen that this class must implement javax.security.auth.callback.CallbackHandler and that it must handle the javax.security.auth.callback.PasswordCallback. The problem is that this PasswordCallback can't contain any Runtime Properties. I think that the solution can be to generate a com.sun.xml.wss.impl.callback.PasswordCallback instead, that can contain the Runtime Properties. Is this possible?

Regards.

kumarjayanti
Offline
Joined: 2003-12-10

We wanted to adapt more and more of what is in Java Standards and the NameCallback and PasswordCallback existed so we decided to use them.

If that is essential, what I can do is populate both:

javax.security.auth.callback.PasswordCallback

and

com.sun.xml.wss.impl.callback.PasswordCallback

into the Callback[] array passed to your Handler. Will that work? You can then retrieve the runtime props from the other callback.

This is just a workaround.

Will talk to our architect and see if we can do something else; at least one other person is asking for this.

The same thing can be done for NameCallback as well.

Thanks.
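The workaround Kumar describes, written out as an added example (not code from the thread or from Metro/WSIT): a key-password CallbackHandler that finds the XWSS PasswordCallback in the Callback[] array, reads the runtime properties from it, and answers the standard javax PasswordCallback with the password for the alias the client selected. The property name `my.client.keyAlias`, the `KeyPassSelector` class name and the alias/password table are assumptions, and `getRuntimeProperties()` on the XWSS callback is taken to be the same accessor the thread names on SAMLCallback; given Kumar's note that keystore callbacks may run at proxy initialization with no runtime properties, the handler fails closed when no alias is present.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical key-password handler for the workaround discussed above:
// WSIT would put both the standard PasswordCallback and the XWSS
// PasswordCallback into the Callback[] array, so the handler reads the
// runtime properties from the XWSS one and answers the standard one.
public class KeyPassSelector implements CallbackHandler {

    // Constructed sample table: key alias -> key password. A real client
    // would load these from a protected store, not hard-coded literals.
    private static final Map<String, char[]> KEY_PASSWORDS = new HashMap<>();
    static {
        KEY_PASSWORDS.put("mailServiceKey", "changeit-mail".toCharArray());
        KEY_PASSWORDS.put("stsClientKey", "changeit-sts".toCharArray());
    }

    // Runtime property the client sets per call (assumed name; the thread
    // does not fix one).
    public static final String ALIAS_PROPERTY = "my.client.keyAlias";

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        Map<?, ?> runtimeProps = null;
        PasswordCallback standardCb = null;
        for (Callback cb : callbacks) {
            if (cb instanceof com.sun.xml.wss.impl.callback.PasswordCallback) {
                // getRuntimeProperties() assumed to be inherited from XWSSCallback
                runtimeProps = ((com.sun.xml.wss.impl.callback.PasswordCallback) cb).getRuntimeProperties();
            } else if (cb instanceof PasswordCallback) {
                standardCb = (PasswordCallback) cb;
            }
        }
        if (standardCb == null) {
            throw new UnsupportedCallbackException(null, "no javax PasswordCallback to answer");
        }
        Object alias = runtimeProps == null ? null : runtimeProps.get(ALIAS_PROPERTY);
        char[] password = alias == null ? null : KEY_PASSWORDS.get(alias.toString());
        if (password == null) {
            // Fail closed: never guess a password for an unknown or missing alias.
            throw new UnsupportedCallbackException(standardCb, "no key password for alias " + alias);
        }
        standardCb.setPassword(password.clone());
    }
}
```

The client would select the alias per call through the JAX-WS request context, e.g. `((BindingProvider) port).getRequestContext().put(KeyPassSelector.ALIAS_PROPERTY, "mailServiceKey")`, on the assumption that WSIT hands the request context to the handler as its runtime properties.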

ernestojpg
Offline
Joined: 2005-10-09

It seems that the WSIT nightly build has just been updated :D

https://jax-ws.dev.java.net/servlets/ProjectDocumentList?folderID=5472&e...

I will test the fix and let you know.

Regards.

ernestojpg
Offline
Joined: 2005-10-09

Hi Kumar, it seems that this file does not have the recent changes :(

ernestojpg
Offline
Joined: 2005-10-09

Hi Kumar!

I tested it but it doesn't work. The Runtime Properties in SAMLCallback are empty :-(

I tried to get the latest WSIT nightly build from here:

https://jax-ws.dev.java.net/servlets/ProjectDocumentList?folderID=5472&e...

but it looks like it has not been updated (17 January 2008) :(

For this reason, I got the latest METRO nightly build (22 January 2008) from here:

https://metro.dev.java.net/servlets/ProjectDocumentList?folderID=8118&ex...

Are these the correct files, with the latest corrections?

Regards.

kumarjayanti
Offline
Joined: 2003-12-10

>
> I tried to get the latest WSIT nightly build from
> here:
>
> https://jax-ws.dev.java.net/servlets/ProjectDocumentLi
> st?folderID=5472&expandFolder=5472&folderID=5647
>
> but it look like not updated (17 January 2008) :(

Ok, my fix was not in Jan 17th build.

>
> For this reason, I got the latest METRO nightly build
> (22 January 2008) from here:
>
> https://metro.dev.java.net/servlets/ProjectDocumentLis
> t?folderID=8118&expandFolder=8118

This is Metro 1.1 and what you need is Metro 1.2, which is off the Main Trunk.

Not sure why the builds after 17th are not getting posted, will check and get back.

ernestojpg
Offline
Joined: 2005-10-09

Thanks Kumar!

I will test it in tomorrow's nightly build, and let you know.

Regards.

ernestojpg
Offline
Joined: 2005-10-09

Thanks Kumar! :D

Let me know when you make the fix!

Regards.

kumarjayanti
Offline
Joined: 2003-12-10

done

kumarjayanti
Offline
Joined: 2003-12-10

Will do.
You can call SAMLCallback.getRuntimeProperties() once I make the fix.