2

I develop a webservice client for an existing webservice. I am using Apache CXF 2.2. The service requires security with Username and plain text password, which I configured like this:

<bean id="myPasswordCallback"
    class="com.kraemer_imd.mobilized.m2m_adapter.ClientPasswordCallback"/>

<jaxws:client id="m2mClientService"
              serviceClass="de.vodafone.easypu.ws.EasyPUOrderServicePortType"
              address="http://m2m.vodafone.de/speasy/services/EasyPUOrderService"
              bindingId="http://www.w3.org/2003/05/soap/bindings/HTTP/">

  <jaxws:outInterceptors>
    <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
      <constructor-arg>
        <map>
            <entry key="action" value="UsernameToken Timestamp"/>
          <entry key="passwordType" value="PasswordText"/>
          <entry key="user" value="myusername"/>
          <entry key="passwordCallbackRef">
            <ref bean="myPasswordCallback"/>
          </entry>
        </map>
      </constructor-arg>
    </bean>
  </jaxws:outInterceptors>

</jaxws:client>

That works quite well. But I did not understand why I have to provide the password via a callback handler instead of just providing it via configuration. The documentation says it is for security reasons, but I don´t see why this should be more secure to have a callback handler that reads it from a property file (or worse has it hard coded in the callback).

So, could somebody explain this to me? Maybe the callback is intended for some magic stuff that I missed..

Thanks Michel

Donal Fellows
  • 133,037
  • 18
  • 149
  • 215
mkraemerx
  • 1,713
  • 2
  • 17
  • 21

2 Answers2

3

The password callback is provided by Apache CXF as a mechanism for the client application to retrieve the credentials for the targeted webservice, which at runtime is likely to be stored in the database, configuration fiels, LDAP or some other store. This callback hook provides the flexibility to the application to retrieve the credentials from application specific configuration.

Biju Kunjummen
  • 49,138
  • 14
  • 112
  • 125
  • 1
    yes, it provides flexibility, but it is not necessarily more secure then. Since security was the argumentation (and there is no alternative to the callback, the password can not be provided as property) I expected there is a _usual way_ how I can use the callback to be more secure than entering the password in a properties file – mkraemerx Feb 28 '11 at 20:58
1

If password is stored in clear text in the configuration then this approach may not give you any extra security.

However having password stored as clear text in some configuration may have some security issues as there can be folks that may need access to this configuration and will be able to hold of password although it may not have been intended to.

Better is to store the encrypted password in the configuration. In this case, you need some code that will decrypt this password before it's use. Password callback will come to rescue in this scenario.

Gladwin Burboz
  • 3,519
  • 16
  • 15
  • 2
    IMHO storing an encrypted pw in config and have the decrypt functionality completely in the code (including the key to decrypt) does not leverage security. And if the key is not in the config, too, or in the code, then the question is where it should be. – mkraemerx Apr 29 '11 at 06:35