axis-java-dev mailing list archives

From Ruchith Fernando <ruchith.ferna...@gmail.com>
Subject Re: Rampart: sp:HashPassword does not require receiving a hashed password
Date Mon, 04 Mar 2013 06:03:33 GMT
Hi Nathan,

IMHO you are correct that the fix should be in
PolicyBasedResultsValidator and I believe this is fixed in the latest
rampart trunk [1], [2], [3]. Please try the latest rampart trunk.
Please do file a bug and provide a patch if these fixes are not
sufficient.

In the case of previous releases, I think the password callback
handler implementation provided at the server side can check the
password type and throw an exception in the case a plain text password
is used.

Thanks,
Ruchith

1. http://svn.apache.org/viewvc?view=revision&revision=1442444
2. http://svn.apache.org/viewvc?view=revision&revision=1440696
3. http://svn.apache.org/viewvc?view=revision&revision=1440633
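
Ruchith's workaround for earlier releases, as an added example that is not code from the Rampart project or from either poster: a server-side WSS4J password callback handler (the class Rampart loads through its passwordCallbackClass setting) that refuses any UsernameToken whose wsse:Password is not a digest, so the <sp:HashPassword/> assertion is enforced even where PolicyBasedResultsValidator does not check it. It assumes the WSS4J 1.x org.apache.ws.security.WSPasswordCallback API (getUsage(), getIdentifier(), getPasswordType(), setPassword()) and uses a constructed in-memory user store in place of a real one.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Server-side password callback handler that only accepts UsernameTokens
 * carrying a PasswordDigest. Any exception thrown from handle() makes
 * WSS4J fail the token with FAILED_AUTHENTICATION, so a PasswordText token
 * (or one with no Type attribute, which the profile treats as text) is
 * rejected before the password is ever compared.
 */
public class HashedPasswordOnlyCallbackHandler implements CallbackHandler {

    // Constructed sample store for the example; a real deployment would
    // look the password up in its user directory instead.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("alice", "example-password");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;
            int usage = pwcb.getUsage();
            if (usage != WSPasswordCallback.USERNAME_TOKEN
                    && usage != WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                throw new UnsupportedCallbackException(callback, "Unexpected usage " + usage);
            }
            // Assumption: WSS4J passes the wsse:Password Type attribute value here.
            String type = pwcb.getPasswordType();
            if (!WSConstants.PASSWORD_DIGEST.equals(type)) {
                throw new UnsupportedCallbackException(callback,
                        "Policy requires a hashed password; token used type " + type);
            }
            String stored = USERS.get(pwcb.getIdentifier());
            if (stored == null) {
                throw new UnsupportedCallbackException(callback, "Unknown user");
            }
            // Hand WSS4J the stored password so it recomputes and compares the digest itself.
            pwcb.setPassword(stored);
        }
    }
}
```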

On Mon, Mar 4, 2013 at 12:08 AM, Nathan Clement
<nathan.a.clement@hotmail.com> wrote:
> Hi,
>
> I'm new to Rampart and I've been experimenting with UsernameTokens.  My
> policy file contains the <sp:HashPassword/> assertion.  However, when
> receiving a wsse:Security header, Rampart is allowing a plain text password.
> From the WS-SecurityPolicy 1.2 spec:
>
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html
>
> /sp:UsernameToken/wsp:Policy/sp:HashPassword
> This optional element is a policy assertion that indicates that the
> wsse:Password element MUST be present in the Username token and that the
> content of the wsse:Password element MUST contain a hash of the timestamp,
> nonce and password as defined in [WSS: Username Token Profile].
>
> From this I understand that my policy should mean that requests with
> UsernameTokens containing plaintext passwords are rejected.  Does Rampart
> support this policy on the receiving side?
>
> I see that WSS4J's WSSConfig has a "requiredPasswordType" property.  I'm
> happy to attempt to write a patch for Rampart that sets this property based
> on the policy.  Is this the right place to implement this functionality, or
> should it be part of PolicyBasedResultsValidator?
>
> The full policy is:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <wsp:Policy wsu:Id="UTOverTransport"
>             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:TransportBinding
>           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256Sha256/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>         </wsp:Policy>
>       </sp:TransportBinding>
>
>       <sp:SignedSupportingTokens
>           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:UsernameToken
>               sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:HashPassword/>
>             </wsp:Policy>
>           </sp:UsernameToken>
>         </wsp:Policy>
>       </sp:SignedSupportingTokens>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> Thanks,
>
> Nathan
>

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org

