I'm using Apache CXF to build a Web Service. It uses Apache WSS4J to provide WS-Security functionality. I need to make a SOAP request and it must be signed.
This is the content of the properties file I pass to WSS4J:
org.apache.ws.security.crypto.provider = org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type = PKCS12
org.apache.ws.security.crypto.merlin.keystore.provider = BC
org.apache.ws.security.crypto.merlin.keystore.password = 12345678
org.apache.ws.security.crypto.merlin.keystore.alias = my-alias
org.apache.ws.security.crypto.merlin.keystore.file = my_certificate.p12
I want to get rid of that line with my password wrote as plain text. I removed that line and provided a password callback handler to my WSS4JOutInterceptor, like in the code above:
public SoapInterceptor newSignerInterceptor() {
Map<String, Object> outProps = new HashMap<String, Object>();
outProps.put(WSHandlerConstants.ACTION, "Signature");
outProps.put(WSHandlerConstants.USER, config.getKeyAlias());
outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
outProps.put(WSHandlerConstants.USE_REQ_SIG_CERT, WSHandlerConstants.SIGNATURE_USER);
outProps.put(WSHandlerConstants.USE_SINGLE_CERTIFICATE, "false");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, this.getClass().getName());
outProps.put(WSHandlerConstants.SIG_PROP_FILE, config.getPropertiesFileName());
return new WSS4JOutInterceptor(outProps);
}
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof WSPasswordCallback) {
((WSPasswordCallback) callbacks[i]).setPassword(password);
}
}
}
But that didn't work. It doesn't find the password in the properties file and uses a default password, "security".
How to make it use a callback to get the password?