Problems setting up WS-Security with Rampart and Password Digest

Hi,

I've been able to set up WS-Security using username + Password in plaintext using Rampart on one of the sample Version webservices. However, I've been stuck all day trying to get authentication using Password Digest.

Now from the examples I've seen, it seems that the only difference between the two kinds of authentication is this bit:

    <wsp:Policy>
        <sp:HashPassword/>
    </wsp:Policy>

I've tried to configure Password Digest by adding this to the services.xml:

    <service name="Version">
        <description>
            This service is to get the running Axis version
        </description>
        <parameter name="ServiceClass">sample.axisversion.Version</parameter>
        <operation name="getVersion">
            <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" />
        </operation>

        <!-- SET MODULE -->
        <module ref="rampart" />

        <!-- SET WS-POLICY -->
        <!-- DIGESTED PASSWORD -->
        <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                    wsu:Id="UsernameToken">
            <wsp:ExactlyOne>
                <wsp:All>
                    <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                        <wsp:Policy>
                            <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:HashPassword/>
                                </wsp:Policy>
                            </sp:UsernameToken>
                        </wsp:Policy>
                    </sp:SupportingTokens>

                    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                        <ramp:passwordCallbackClass>sample.axisversion.PWCBHandler</ramp:passwordCallbackClass>
                    </ramp:RampartConfig>
                </wsp:All>
            </wsp:ExactlyOne>
        </wsp:Policy>
    </service>

However, when I'm running the service, it seems to still be performing plaintext authentication! I don't understand what's going on.

I've run the sample by Dennis Sosnoski from the IBM site from this URL:

http://www.ibm.com/developerworks/webservices/library/j-jws4/index.html

And that sample code is performing as it should, using password digest.

The above config is just copied from the file hash-policy-server.xml in his sample code (replaced the callback handler with my own), so I can't see where else the config could be wrong.

Also, is all of WS-Policy meant to be displayed in generated WSDL? In the generated WSDL it doesn't include the HashPassword bit. The WS-Policy shown in the WSDL is this:

    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="UsernameToken">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                    <wsp:Policy>
                        <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
                    </wsp:Policy>
                </sp:SupportingTokens>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

So I guess there are 2 questions here:

1. Is WS-Policy in the WSDL also meant to indicate that PasswordDigest is used instead of just plain text passwords? Would the above behaviour indicate an Axis2 bug? I don't understand what other files Axis could be looking at.

   I haven't actually seen any examples of WSDL files that indicate Password Digest is used in the WS-Policy. If you've seen any out there, send me the URL!

2. Does anyone have any clues or ideas on what else is wrong with the above config, or what else needs to be configured to get WS-Security with PasswordDigest working?

Software used:
Axis 1.5.1
Rampart 1.4

Thanks very much for any help you can give!

Ellecer

Re: Problems setting up WS-Security with Rampart and Password Digest

Just a follow up to this:

It seems that the config is actually working, but I forgot that the callback handler I got from the sample code was working for both cases (plaintext AND digest):

    // used when plaintext password in message
    if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
        if (!"client".equals(id) || !"apache".equals(pwcb.getPassword())) {
            throw new UnsupportedCallbackException(callbacks[i], "check failed");
        }

    // when hashed password in message
    } else if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
        if ("client".equals(id)) {
            pwcb.setPassword("apache");
        } else {
            throw new UnsupportedCallbackException(callbacks[i], "check failed");
        }
    }

I just changed the above to fail when plaintext is being sent.

So the only question I have is the one about the PasswordDigest not being indicated as required in the WS-Policy part of the WSDL.

Ellecer

On Wed, Oct 28, 2009 at 4:30 PM, Ellecer Valencia <ellecer@...> wrote:
> Hi,
>
> I've been able to set up WS-Security using username + Password in
> plaintext using Rampart on one of the sample Version webservices. However,
> I've been stuck all day trying to get authentication using Password
> Digest.
>
> Now from the examples I've seen, it seems that the only difference
> between the two kinds of authentication is this bit:
>
>     <wsp:Policy>
>         <sp:HashPassword/>
>     </wsp:Policy>
>
> I've tried to configure Password Digest by adding this to the services.xml:
>
>     <service name="Version">
>         <description>
>             This service is to get the running Axis version
>         </description>
>         <parameter name="ServiceClass">sample.axisversion.Version</parameter>
>         <operation name="getVersion">
>             <messageReceiver
>                 class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" />
>         </operation>
>
>         <!-- SET MODULE -->
>         <module ref="rampart" />
>
>         <!-- SET WS-POLICY -->
>         <!-- DIGESTED PASSWORD -->
>
>         <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             wsu:Id="UsernameToken">
>             <wsp:ExactlyOne>
>                 <wsp:All>
>                     <sp:SupportingTokens
>                         xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                         <wsp:Policy>
>                             <sp:UsernameToken
>                                 sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>
>                                 <wsp:Policy>
>                                     <sp:HashPassword/>
>                                 </wsp:Policy>
>
>                             </sp:UsernameToken>
>
>                         </wsp:Policy>
>                     </sp:SupportingTokens>
>
>                     <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>                         <ramp:passwordCallbackClass>sample.axisversion.PWCBHandler</ramp:passwordCallbackClass>
>                     </ramp:RampartConfig>
>
>                 </wsp:All>
>             </wsp:ExactlyOne>
>         </wsp:Policy>
>     </service>
>
> However, when I'm running the service, it seems to still be performing
> plaintext authentication! I don't understand what's going on.
>
> I've run the sample by Dennis Sosnoski from the IBM site from this URL:
>
> http://www.ibm.com/developerworks/webservices/library/j-jws4/index.html
>
> And that sample code is performing as it should, using password digest.
>
> The above config is just copied from the file hash-policy-server.xml in
> his sample code (replaced the callback handler with my own), so I
> can't see where else the config could be wrong.
>
> Also, is all of WS-Policy meant to be displayed in generated WSDL? In
> the generated WSDL it doesn't include the HashPassword bit. The WS-Policy
> shown in the WSDL is this:
>
>     <wsp:Policy
>         xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         wsu:Id="UsernameToken">
>         <wsp:ExactlyOne>
>             <wsp:All>
>                 <sp:SupportingTokens
>                     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                     <wsp:Policy>
>                         <sp:UsernameToken
>                             sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
>                     </wsp:Policy>
>                 </sp:SupportingTokens>
>
>             </wsp:All>
>         </wsp:ExactlyOne>
>     </wsp:Policy>
>
> So I guess there are 2 questions here:
>
> 1. Is WS-Policy in the WSDL also meant to indicate that PasswordDigest
> is used instead of just plain text passwords? Would the above
> behaviour indicate an Axis2 bug? I don't understand what other files
> Axis could be looking at.
>
> I haven't actually seen any examples of WSDL files that indicate
> Password Digest is used in the WS-Policy. If you've seen any out
> there, send me the URL!
>
> 2. Does anyone have any clues or ideas on what else is wrong with the
> above config, or what else needs to be configured to get WS-Security
> with PasswordDigest working?
>
> Software used:
> Axis 1.5.1
> Rampart 1.4
>
> Thanks very much for any help you can give!
>
> Ellecer
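
The follow-up above hinges on the two UsernameToken password types: a plaintext token is checked by comparing the password, while a digest token can only be checked if the server supplies the stored password and recomputes the hash. As an added example (not part of the thread, and not Rampart or WSS4J code), this Python model builds both token forms and verifies them with a server that refuses anything other than PasswordDigest. The function names and the `USERS` store are hypothetical; the digest formula is the one from the WSS UsernameToken Profile 1.0.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
DIGEST, TEXT = PROFILE + "#PasswordDigest", PROFILE + "#PasswordText"

# Hypothetical credential store; "client"/"apache" are the sample values from the thread.
USERS = {"client": "apache"}

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), nonce as raw (decoded) bytes."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_token(user: str, password: str, hashed: bool) -> str:
    """Client side: serialize a wsse:UsernameToken in digest or plaintext form."""
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST if hashed else TEXT)
    pw.text = password_digest(nonce, created, password) if hashed else password
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")

def verify_token(xml_text: str) -> bool:
    """Server side: accept only a valid PasswordDigest token."""
    tok = ET.fromstring(xml_text)  # input here is the token constructed above
    user = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    # A missing Type attribute means PasswordText in the profile, so it is refused too.
    if pw is None or pw.get("Type") != DIGEST:
        return False
    if user not in USERS or not nonce or not created:
        return False
    # The server needs the stored password itself to recompute the digest.
    expected = password_digest(base64.b64decode(nonce), created, USERS[user])
    return hmac.compare_digest(expected.encode(), (pw.text or "").encode())
```

Replay protection (tracking seen nonces and bounding the age of `Created`) is left out here and is needed for the digest form to add anything over plaintext on an unencrypted channel.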