axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From George Stanchev <Gstanc...@serena.com>
Subject RE: Rampart STS Username service not returning password in callback
Date Wed, 16 Jan 2013 13:56:54 GMT
Brian,

According to the article Martin referred you to, it is possible. You can access it on the
server side via WSPasswordCallback#getPassword() getter, perform your own validation and throw
an UnsupportedCallbackException with a proper message. See the last callback sample code under
[1]

George

[1] http://wso2.org/library/3733

From: Brian Reinhold [mailto:brianreinhold@lampreynetworks.com]
Sent: Wednesday, January 16, 2013 6:50 AM
To: java-dev@axis.apache.org
Subject: RE: Rampart STS Username service not returning password in callback

Well, that's what I am doing for a current work a round. I am performing the hash on the client
side and sending as 'PasswordText'.  However, I hope that this is supported by the WS-Trust
standard so it  will not cause interoperability issues. If it is possible to specify that
the client use a SHA-1 in a clear text password send via WS-Policy and WS-SecurePolicy, then
that will be a solution. I have not checked your blog yet but if I can do that, it will be
a good solution.

Still I think it would have been nice to support the option for the service to obtain the
sent Password. Many simple clients are likely to only a single policy and that tends to be
 the clear text option.

Brian

From: George Stanchev [mailto:Gstanchev@serena.com]
Sent: Wednesday, January 16, 2013 8:38 AM
To: java-dev@axis.apache.org<mailto:java-dev@axis.apache.org>
Subject: RE: Rampart STS Username service not returning password in callback

Hi Brian,

Can you send the password as a digest [1] in the message and then provide the hash instead?
Admitting, this will not work if you're using a different hashing algorithm than SHA-1 for
your stored passwords...

George

[1] http://blog.rampartfaq.com/2009/08/how-to-ask-for-hashed-password-in.html

From: Brian Reinhold [mailto:brianreinhold@lampreynetworks.com]
Sent: Tuesday, January 15, 2013 3:33 PM
To: java-dev@axis.apache.org<mailto:java-dev@axis.apache.org>
Subject: RE: Rampart STS Username service not returning password in callback

Martin,

I looked in the code and it stated that the callback must provide the password. This is not
good for a service that does not store the password but only a password digest (for security
reasons). That means the service does not know the user's password and a hacker cannot obtain
it by hacking into the service's database. The hacker might be able to obtain a single users
password hidden in TLS (unlikely) but that would be only one. The idea would be to get the
password, perform the digest and if it matches the stored digest, it is okay. Set the password,
otherwise err.

Brian

From: Martin Gainty [mailto:mgainty@hotmail.com]
Sent: Tuesday, January 15, 2013 4:26 PM
To: java-dev@axis.apache.org<mailto:java-dev@axis.apache.org>
Subject: RE: Rampart STS Username service not returning password in callback

Hi Brian

assuming rampart implements this configuration:

 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
     <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
           <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-12468716">
              <wsu:Created>2008-06-23T13:17:13.841Z</wsu:Created>
              <wsu:Expires>2008-06-23T13:22:13.841Z</wsu:Expires>
           </wsu:Timestamp>
           <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="UsernameToken-31571602">
              <wsse:Username>alice</wsse:Username>
              <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>
           </wsse:UsernameToken>
        </wsse:Security>
        <wsa:To>http://localhost:8081/axis2/services/sample01</wsa:To<http://localhost:8081/axis2/services/sample01%3c/wsa:To>>
        <wsa:MessageID>urn:uuid:AEDBA74A8D1FC94B631214227032877</wsa:MessageID>
        <wsa:Action>urn:echo</wsa:Action>
     </soapenv:Header>
     <soapenv:Body>
        <ns1:echo xmlns:ns1="http://sample01.policy.samples.rampart.apache.org">
           <param0>Hello world</param0>
        </ns1:echo>
     </soapenv:Body>
  </soapenv:Envelope>

public void handle(Callback[] callbacks) throws IOException,UnsupportedCallbackException {

        for (int i = 0; i < callbacks.length; i++) {

            //When the server side need to authenticate the user

            WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];

            if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {

                if(pwcb.getIdentifier().equals("bob") && pwcb.getPassword().equals("bobPW"))
{

http://wso2.org/library/3733

HTH.,

Martin Gainty
______________________________________________
Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité

Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten
wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist
unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet
keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen
wir keine Haftung fuer den Inhalt uebernehmen.

Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire
prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe
quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information
seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les
email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune
responsabilité pour le contenu fourni.



> From: brianreinhold@lampreynetworks.com<mailto:brianreinhold@lampreynetworks.com>
> To: java-dev@axis.apache.org<mailto:java-dev@axis.apache.org>
> Subject: Rampart STS Username service not returning password in callback
> Date: Tue, 15 Jan 2013 15:00:53 -0500
>
> Has anyone else had this problem? I have a simple STS Username token request
> for a SAML token where the username token is as follows:
>
> <wsse:UsernameToken wsu:Id="UsernameToken-ID">
> <wsse:Username>myName</wsse:Username>
> <wsse:Password
> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token
> -profile-1.0#PasswordText<http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token%0b%3e%20-profile-1.0#PasswordText>">myPassword</wsse:Password>
> </wsse:UsernameToken>
>
>
> On the receive side there is a callback to verify the username token
>
> public void handle(Callback[] callbacks) throws IOException,
> UnsupportedCallbackException
> {
> for(Callback callback: callbacks)
> {
> WSPasswordCallback cb = (WSPasswordCallback)callback;
> int callbackType = cb.getUsage();
> switch(callbackType)
> {
> case WSPasswordCallback.USERNAME_TOKEN:
> try
> {
> if(cb.getType().equals(WSConstants.PASSWORD_TEXT))
> {
> String myPassword = cb.getPassword();
> ...
>
> The returned 'myPassword' is null. Any ideas why?
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org<mailto:java-dev-unsubscribe@axis.apache.org>
> For additional commands, e-mail: java-dev-help@axis.apache.org<mailto:java-dev-help@axis.apache.org>
>
________________________________
No virus found in this message.
Checked by AVG - www.avg.com<http://www.avg.com>
Version: 2013.0.2890 / Virus Database: 2638/6032 - Release Date: 01/14/13
No virus found in this message.
Checked by AVG - www.avg.com<http://www.avg.com>
Version: 2013.0.2890 / Virus Database: 2638/6032 - Release Date: 01/14/13
________________________________
No virus found in this message.
Checked by AVG - www.avg.com<http://www.avg.com>
Version: 2013.0.2890 / Virus Database: 2638/6037 - Release Date: 01/16/13
No virus found in this message.
Checked by AVG - www.avg.com<http://www.avg.com>
Version: 2013.0.2890 / Virus Database: 2638/6037 - Release Date: 01/16/13

Mime
View raw message