I am using Apache CXF to create a web service. It uses Apache WSS4J to provide WS-Security functionality. I need to make a SOAP request and it must be signed.
This is the contents of the properties file that I am passing to WSS4J:
    org.apache.ws.security.crypto.provider = org.apache.ws.security.components.crypto.Merlin
    org.apache.ws.security.crypto.merlin.keystore.type = PKCS12
    org.apache.ws.security.crypto.merlin.keystore.provider = BC
    org.apache.ws.security.crypto.merlin.keystore.password = 12345678
    org.apache.ws.security.crypto.merlin.keystore.alias = my-alias
    org.apache.ws.security.crypto.merlin.keystore.file = my_certificate.p12
I want to get rid of this line with my password written as plain text. I deleted this line and provided a password callback handler to my WSS4JOutInterceptor, as in the above code:
    public SoapInterceptor newSignerInterceptor() {
        Map<String, Object> outProps = new HashMap<String, Object>();
        outProps.put(WSHandlerConstants.ACTION, "Signature");
        outProps.put(WSHandlerConstants.USER, config.getKeyAlias());
        outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        outProps.put(WSHandlerConstants.USE_REQ_SIG_CERT, WSHandlerConstants.SIGNATURE_USER);
        outProps.put(WSHandlerConstants.USE_SINGLE_CERTIFICATE, "false");
        outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, this.getClass().getName());
        outProps.put(WSHandlerConstants.SIG_PROP_FILE, config.getPropertiesFileName());
        return new WSS4JOutInterceptor(outProps);
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                ((WSPasswordCallback) callbacks[i]).setPassword(password);
            }
        }
    }
But that did not work. It does not find the password in the properties file and uses the default password, "security".
How can I force it to use a callback to receive the password?