axis-java-dev mailing list archives

From Nathan Clement <nathan.a.clem...@hotmail.com>
Subject RE: Rampart: sp:HashPassword does not require receiving a hashed password
Date Mon, 04 Mar 2013 06:48:37 GMT
Hi Ruchith,

Thanks for your quick response.  I was halfway through writing my own patch to 1.6.2 in that
exact area of the code :)  I have instead applied your changesets to my working copy of the
Rampart source.  However, I'm having a problem with the following code:

    } else if (wssUt.getPassword() == null ||
            !wssUt.getPasswordType().equals(WSConstants.PASSWORD_TEXT)) {
        throw new RampartException("invalidUsernameTokenType");

When a PasswordDigest is used, wssUt.getPassword() returns the hashed password value, and
so this exception is thrown, even though the request is valid according to the policy.  Am
I missing something here, or should this if statement be something like:

    } else if (!ut.isHashPassword() && (wssUt.getPassword() == null ||
            !wssUt.getPasswordType().equals(WSConstants.PASSWORD_TEXT))) {
        throw new RampartException("invalidUsernameTokenType");

Happy to raise a bug and provide a patch if you concur.

Thanks,

Nathan
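As an added illustration, not code from this thread or from the Rampart project, the following stand-alone Java sketch shows the receiving-side check the thread is about: the password type of a received wsse:UsernameToken is compared against whether the policy carries sp:HashPassword, and a PasswordDigest value is recomputed the way the WSS UsernameToken Profile defines it (Base64 of SHA-1 over the decoded nonce bytes, the Created string and the password). The class name, the ReceivedToken holder and the method names are assumptions made for this example; the two type URIs are the standard profile values that WSS4J's WSConstants.PASSWORD_TEXT and PASSWORD_DIGEST carry.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

/**
 * Hypothetical policy check for a received UsernameToken (example only, not Rampart code).
 * Uses only the JDK; the URIs match the WSS UsernameToken Profile 1.0 values WSS4J uses.
 */
public class UsernameTokenPolicyCheck {

    static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    static final String PASSWORD_DIGEST =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";

    /** Minimal stand-in for the fields of a received wsse:UsernameToken (constructed, not WSS4J's class). */
    static final class ReceivedToken {
        final String username;
        final String password;      // content of wsse:Password, may be null
        final String passwordType;  // Type attribute of wsse:Password, may be null
        final String nonceBase64;   // wsse:Nonce as sent (Base64), only for PasswordDigest
        final String created;       // wsu:Created as sent, only for PasswordDigest

        ReceivedToken(String username, String password, String passwordType,
                      String nonceBase64, String created) {
            this.username = username;
            this.password = password;
            this.passwordType = passwordType;
            this.nonceBase64 = nonceBase64;
            this.created = created;
        }
    }

    /**
     * True when the token's password form satisfies the policy:
     *   sp:HashPassword present -> wsse:Password must be present and of type PasswordDigest
     *   sp:HashPassword absent  -> wsse:Password must be present and of type PasswordText
     * A missing password or a missing Type attribute is rejected in both cases.
     */
    static boolean passwordTypeMatchesPolicy(boolean policyRequiresHash, ReceivedToken t) {
        if (t.password == null || t.passwordType == null) {
            return false;
        }
        String required = policyRequiresHash ? PASSWORD_DIGEST : PASSWORD_TEXT;
        return required.equals(t.passwordType);
    }

    /** Base64(SHA-1(nonce-bytes + created + password)) as defined by the UsernameToken Profile. */
    static String expectedDigest(String nonceBase64, String created, String clearPassword)
            throws NoSuchAlgorithmException {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(Base64.getDecoder().decode(nonceBase64));
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(clearPassword.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    /** Constant-time comparison of the received digest with the one recomputed from the stored password. */
    static boolean digestMatches(ReceivedToken t, String storedClearPassword)
            throws NoSuchAlgorithmException {
        String expected = expectedDigest(t.nonceBase64, t.created, storedClearPassword);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     t.password.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        boolean hashPasswordPolicy = true; // the policy contains <sp:HashPassword/>

        // Constructed sample values; a real receiver gets the password from its callback handler.
        String storedPassword = "s3cret";
        String nonce = Base64.getEncoder().encodeToString(
            "0123456789abcdef".getBytes(StandardCharsets.UTF_8));
        String created = "2013-03-04T06:48:37Z";

        ReceivedToken plain = new ReceivedToken("nathan", storedPassword, PASSWORD_TEXT, null, null);
        ReceivedToken hashed = new ReceivedToken("nathan",
            expectedDigest(nonce, created, storedPassword), PASSWORD_DIGEST, nonce, created);

        System.out.println("PasswordText accepted under HashPassword policy: "
            + passwordTypeMatchesPolicy(hashPasswordPolicy, plain));
        System.out.println("PasswordDigest accepted under HashPassword policy: "
            + passwordTypeMatchesPolicy(hashPasswordPolicy, hashed));
        System.out.println("Digest verifies against stored password: "
            + digestMatches(hashed, storedPassword));
    }
}
```

The first check is the policy decision the validator should make: under sp:HashPassword a PasswordText token fails, a PasswordDigest token passes. The second check is what the callback handler side can then do once the type is known to be a digest; nonce and Created freshness tracking, which the profile also expects, is left out of this sketch.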

> Date: Mon, 4 Mar 2013 01:03:33 -0500
> Subject: Re: Rampart: sp:HashPassword does not require receiving a hashed password
> From: ruchith.fernando@gmail.com
> To: java-dev@axis.apache.org
> 
> Hi Nathan,
> 
> IMHO you are correct that the fix should be in
> PolicyBasedResultsValidator and I believe this is fixed in the latest
> rampart trunk [1], [2], [3]. Please try the latest rampart trunk.
> Please do file a bug and provide a patch if these fixes are not
> sufficient.
> 
> In the case of previous releases, I think the password callback
> handler implementation provided at the server side can check the
> password type and throw an exception in the case a plain text password
> is used.
> 
> Thanks,
> Ruchith
> 
> 1. http://svn.apache.org/viewvc?view=revision&revision=1442444
> 2. http://svn.apache.org/viewvc?view=revision&revision=1440696
> 3. http://svn.apache.org/viewvc?view=revision&revision=1440633
> 
> On Mon, Mar 4, 2013 at 12:08 AM, Nathan Clement
> <nathan.a.clement@hotmail.com> wrote:
> > Hi,
> >
> > I'm new to Rampart and I've been experimenting with UsernameTokens.  My
> > policy file contains the <sp:HashPassword/> assertion.  However, when
> > receiving a wsse:Security header, Rampart is allowing a plain text password.
> > From the WS-SecurityPolicy 1.2 spec:
> >
> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html
> >
> > /sp:UsernameToken/wsp:Policy/sp:HashPassword
> > This optional element is a policy assertion that indicates that the
> > wsse:Password element MUST be present in the Username token and that the
> > content of the wsse:Password element MUST contain a hash of the timestamp,
> > nonce and password as defined in [WSS: Username Token Profile].
> >
> > From this I understand that my policy should mean that requests with
> > UsernameTokens containing plaintext passwords are rejected.  Does Rampart
> > support this policy on the receiving side?
> >
> > I see that WSS4J's WSSConfig has a "requiredPasswordType" property.  I'm
> > happy to attempt to write a patch for Rampart that sets this property based
> > on the policy.  Is this the right place to implement this functionality, or
> > should it be part of PolicyBasedResultsValidator?
> >
> > The full policy is:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <wsp:Policy wsu:Id="UTOverTransport"
> >             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:TransportBinding
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >         <wsp:Policy>
> >           <sp:AlgorithmSuite>
> >             <wsp:Policy>
> >               <sp:Basic256Sha256/>
> >             </wsp:Policy>
> >           </sp:AlgorithmSuite>
> >         </wsp:Policy>
> >       </sp:TransportBinding>
> >
> >       <sp:SignedSupportingTokens
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >         <wsp:Policy>
> >           <sp:UsernameToken
> > sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >             <wsp:Policy>
> >               <sp:HashPassword/>
> >             </wsp:Policy>
> >           </sp:UsernameToken>
> >         </wsp:Policy>
> >       </sp:SignedSupportingTokens>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > Thanks,
> >
> > Nathan
> >
> 