
Thread: WS-Security handlers

  1. #1 (Join Date: Mar 2006; Location: Germany, Karlsruhe; Posts: 157)

    WS-Security handlers

    Hi,

    I don't understand something.
    If I use an XwsSecurityInterceptor, then I can add handlers. That's why the signature contains an array.
    Code:
    setCallbackHandlers(CallbackHandler[] callbackHandler)
    But if I look into the CallbackHandler interface, the interface itself contains only this method.
    Code:
    void handle(Callback[] callbacks)
    But why does it also contain an array? I expected something like this method, but without an array.

    Cheers,

    Ingo

  2. #2 (Join Date: Mar 2006; Location: Germany, Karlsruhe; Posts: 157)

    Sometimes something only gets clearer once I have already posted it.
    These two handlers are quite different ones. But I still didn't understand it right.

    The handler which implements the CallbackHandler has to process different requests, like "password validation" or "timestamp validation". The validation is done or delegated here.

    But why can I also add more than one handler to the XwsSecurityInterceptor?
    One for certificate checks and one for authentication checks? How does the
    XwsSecurityInterceptor know which handler to ask?

    Ingo
    Last edited by res1st; Sep 28th, 2006 at 03:56 AM.

  3. #3 (Join Date: Aug 2006; Posts: 13)

    Originally Posted by res1st:
    But why can I also add more than one handler to the XwsSecurityInterceptor? One for certificate checks and one for authentication checks?

    Exactly.

    Originally Posted by res1st:
    How does the XwsSecurityInterceptor know which handler to ask?

    It doesn't. Each of the CallbackHandler implementations is invoked, and they decide whether they should do anything or not. If they don't want to handle the callback, they throw UnsupportedCallbackException. The decision is generally based on the class of the javax.security.auth.callback.Callback that is passed to the handler.

    To add a level of confusion, the callbacks are generally internal to XWSS (package com.sun.xml.wss.impl.callback) and it isn't clear (to me, yet) how/why XWSS fires off the various callbacks. Look through some of the org.springframework.ws.soap.security.xwss.callback handler implementations to see how they make the decision.

    A bit of related discussion is in http://forum.springframework.org/showthread.php?t=29126.
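    To make the dispatch described in this answer concrete, here is an added example (not Spring-WS or XWSS code). The standard javax.security.auth.callback types stand in for the XWSS-internal callbacks; CompositeHandler, KeyStorePasswordHandler and AliasHandler are hypothetical names, and the password and alias values are constructed. Each handler declines callbacks it does not recognise by throwing UnsupportedCallbackException, and the composite fails closed when no handler accepts a callback.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class CallbackDispatchDemo {
    // Handler that only answers PasswordCallback; anything else is declined by throwing.
    static class KeyStorePasswordHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof PasswordCallback)) throw new UnsupportedCallbackException(cb);
                ((PasswordCallback) cb).setPassword("changeit".toCharArray()); // constructed sample value
            }
        }
    }
    // Handler that only answers NameCallback (e.g. which key alias to use).
    static class AliasHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof NameCallback)) throw new UnsupportedCallbackException(cb);
                ((NameCallback) cb).setName("server-signing-key"); // constructed sample value
            }
        }
    }
    // Hypothetical composite: offers each callback to every configured handler in turn;
    // a callback that no handler accepts is an error, so a check is never silently skipped.
    static class CompositeHandler implements CallbackHandler {
        private final CallbackHandler[] handlers;
        CompositeHandler(CallbackHandler... handlers) { this.handlers = handlers; }
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                boolean handled = false;
                for (CallbackHandler h : handlers) {
                    try { h.handle(new Callback[] { cb }); handled = true; break; }
                    catch (UnsupportedCallbackException declined) { /* this handler declined; try the next */ }
                }
                if (!handled) throw new UnsupportedCallbackException(cb, "no handler for " + cb.getClass().getName());
            }
        }
    }
    public static void main(String[] args) throws Exception {
        CallbackHandler chain = new CompositeHandler(new KeyStorePasswordHandler(), new AliasHandler());
        PasswordCallback pw = new PasswordCallback("keystore password", false);
        NameCallback alias = new NameCallback("key alias");
        chain.handle(new Callback[] { pw, alias });
        System.out.println(alias.getName() + " / " + new String(pw.getPassword()));
    }
}
```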

  4. #4 (Join Date: Mar 2006; Location: Germany, Karlsruhe; Posts: 157)

    Thank you.
    I never thought that web service security can be so circuitous.

    wlsmith, do you also use the ACL of ACEGI? Do you know something about the new 1.1 version? I downloaded the nightly build but it doesn't generate the documents (some ugly Maven error, which isn't easy to solve).

    Does someone know an up-to-date book which explains WS-Security in every detail?

    Ingo

  5. #5 (Join Date: Aug 2006; Posts: 13)

    No, I'm not using ACLs... just certificates for signatures, authentication and authorization through the WS interface. Other forms of ACEGI-based security on other (non-WS) interfaces within the system, but no ACLs necessary at the moment. I've been using ACEGI 1.0.1: Sorry, I don't know anything about a 1.1 version.

    The WS-Security standard is relatively (hah!) straightforward. The circuitous fun comes in from the implementations you use to support the standard. For example, ACEGI is a (very nice, IMO) implementation of general security activities... it isn't specific to Web Service security, but can be used where appropriate. XWSS is Sun's implementation of a framework to support the WS-Security standard. There are others (e.g., WSS4J, plus non-Java variants). XWSS is based on other things like XML Digital Signatures, etc., depending on what path you take in securing your WS. Spring-WS uses XWSS for the WS-Security portions, but I believe you could try other implementations... I haven't.

    I haven't found a good book with a practical (i.e., implementation) discussion of WS-Security. Most talk about either the standard in general or a narrow implementation toolset. You need to pick your tools and then learn about them, unfortunately.
