axis-java-dev mailing list archives

From "Brian Reinhold" <brianreinh...@lampreynetworks.com>
Subject RE: Rampart STS Username service not returning password in callback
Date Wed, 16 Jan 2013 22:51:19 GMT
Having a nonce is no good. Recall the service has a digested password. If
there is a nonce one must know the REAL password to move forward.

 

From: Martin Gainty [mailto:mgainty@hotmail.com] 
Sent: Wednesday, January 16, 2013 5:14 PM
To: java-dev@axis.apache.org
Subject: RE: Rampart STS Username service not returning password in callback

 

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
 
I think I found an element we can use

(where both nonce and Password would be child elements of
wsc:DerivedKeyToken) so here is the TestCase
 
  org.apache.rampart.handler.config.OutflowConfiguration ofc =
      new org.apache.rampart.handler.config.OutflowConfiguration();

  ofc.setActionItems("UsernameToken Encrypt");
  ofc.setUser("Mohammed");
  ofc.setAddUTElements("Nonce Created");  // Nonce
  ofc.setEncryptionParts("{Element}{" + WSSE_NS + "}UsernameToken");
  ofc.setEncryptionUser("osama");
  ofc.setEncryptionPropFile("interop.properties");
  ofc.setPasswordCallbackClass("org.apache.axis2.security.PWCallback");
  ofc.setEncryptionSymAlgorithm(WSConstants.TRIPLE_DES);  // change this to MD5 or SHA-1
  ofc.setPasswordType(WSConstants.PW_TEXT);
  ofc.setEncryptionKeyIdentifier(WSSHandlerConstants.SKI_KEY_IDENTIFIER);
  
//so here is the new OutFlowConfiguration Element
   ofc.setPassword("YadaYadaYada");

  return ofc;

// org.apache.rampart.handler.config.OutflowConfiguration change
 public void setPassword(String password) {
  this.actionList[this.currentAction].put(
    WSHandlerConstants.PASSWORD, password);
 }
// org.apache.ws.security.dom.handler.WSHandlerConstants add this element
public static final String PASSWORD = "password";

// correct ...why touch WSS4J for one minor update to a constant ..(maybe using constant "password" is better)

// org.apache.rampart.handler.config.OutflowConfiguration change with constant
public void setPassword(String password) {
  this.actionList[this.currentAction].put(
    "password", password);
}

reference
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd

WDYT?
Martin

  _____  

No virus found in this message.
Checked by AVG - www.avg.com
Version: 2013.0.2890 / Virus Database: 2638/6037 - Release Date: 01/16/13
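
Added example, not part of either message in this thread and not Rampart or WSS4J code: the WSS UsernameToken Profile 1.0 defines Password_Digest = Base64(SHA-1(nonce + created + password)), and the Java below shows why a service that holds only a hash of the password cannot check a digest built with a nonce. The class name, the sample nonce, timestamp and password, and the assumption that the store keeps an unsalted SHA-1 of the password are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class PasswordDigestDemo {

    // Password_Digest = Base64(SHA-1(nonce + created + password)),
    // as defined by the WSS UsernameToken Profile 1.0.
    static String passwordDigest(byte[] nonce, String created, byte[] secret) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);                                     // raw (Base64-decoded) nonce bytes
        sha1.update(created.getBytes(StandardCharsets.UTF_8));  // wsu:Created text
        sha1.update(secret);                                    // whatever the verifier holds
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // Recompute the digest from the verifier's secret and compare in constant time.
    static boolean verify(String received, byte[] nonce, String created, byte[] secret) throws Exception {
        byte[] expected = passwordDigest(nonce, created, secret).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, received.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values (assumptions, not taken from the thread).
        byte[] nonce = Base64.getDecoder().decode("MTIzNDU2Nzg5MGFiY2RlZg==");
        String created = "2013-01-16T22:51:19Z";
        byte[] clearPassword = "example-password".getBytes(StandardCharsets.UTF_8);

        // Client side: the digest on the wire is computed over the cleartext password.
        String onTheWire = passwordDigest(nonce, created, clearPassword);

        // A service that keeps the cleartext password recomputes the same digest.
        System.out.println("cleartext store verifies: "
                + verify(onTheWire, nonce, created, clearPassword));

        // A service that keeps only SHA-1(password) has the wrong input for the formula:
        // the nonce and timestamp are mixed in before hashing, so the stored hash
        // cannot be turned into the value the client sent.
        byte[] storedHash = MessageDigest.getInstance("SHA-1").digest(clearPassword);
        System.out.println("hash-only store verifies: "
                + verify(onTheWire, nonce, created, storedHash));
    }
}
```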

