axis-java-dev mailing list archives

From Liviu Florin Copot <liviu.co...@gmail.com>
Subject Re: RAMPART - How to: UsernameToken Digest Password
Date Thu, 30 May 2013 15:14:51 GMT
Brian,

I used  (cb.getType().equals(WSConstants.PASSWORD_DIGEST)  to limit the
access to only digested passwords. Thank you!

However, I still feel I am doing the job of the application server's
authentication provider, since I need to have access to users and their
passwords.

In a standard (using annotations, not axis2) webservice, I only need to add
the policy and Weblogic is implementing the username token validation, even
if the password is arriving digested.

I feel that rampart should somehow integrate with the Weblogic
Authentication Providers in order to validate the username token. Am I
missing something?

Can anybody share some experience about running axis2+rampart on weblogic?

Thank you,

Liviu
On Thu, May 30, 2013 at 1:34 PM, Brian Reinhold <
brianreinhold@lampreynetworks.com> wrote:

> Liviu,
>
> I *did* something like this in my PasswordCallback when I was using
> digested passwords from the client:
>
>     // Get clear text password from the server database
>     // (this sits inside the loop over the Callback[] passed to handle(),
>     // hence the break)
>     if (password != null)
>     {
>         if (cb.getType().equals(WSConstants.PASSWORD_DIGEST))
>         {
>             cb.setPassword(password);
>             break;
>         }
>         else
>         {
>             error = "No Password digest";
>         }
>     }
>
> In this case one must have on the receiving end the clear-text password
> stored somewhere as that is the only way one can verify that the digest is
> correct. This worked and clear-text passwords would fail by definition.
>
> I considered that more dangerous than sending a clear text password using
> TLS so I do not do this anymore. If you are using digested passwords from
> the client you must have the clear text passwords stored on the server. If
> someone hacks your server all those passwords are compromised. If someone
> hacks the TLS send of the clear-text password and you store the passwords
> digested on the server side, one password is compromised but all the others
> are safe. Of course the server side will never know the user's password so
> if the user forgets the user must create a new password.
>
> Brian Reinhold
>
> *From:* Liviu Florin Copot [mailto:liviu.copot@gmail.com]
> *Sent:* Thursday, May 30, 2013 7:09 AM
> *To:* java-dev@axis.apache.org
> *Subject:* RAMPART - How to: UsernameToken Digest Password
>
> Dears,
>
> I want to limit the access to an axis2 web service to allow only calls
> that use UsernameToken with a Digest Password.
>
> Following rampart sample01 I am able to enable rampart module and call the
> webservice by providing "bobPW" as the password, in digested form.
> I call the service from SOAPUI.
>
> Problems I see so far, that prevent me from considering this as a
> production solution:
>
> 1. PWCBHandler needs to use clear text passwords.
>
> 2. The call is successful even if the password is not digested, but in
> clear text.
>
> I looked around trying to understand the usage of
> javax.security.auth.callback.CallbackHandler but without much success so
> far.
>
> Is there any way to delegate the authentication of the user to the
> application server (Weblogic)?
>
> Any suggestion about enforcing the password to be in digest form?
>
> Thank you,
>
> Liviu
>
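As an added illustration of the digest-only check discussed above (not code from this thread, from Rampart or from its samples): a complete callback handler that supplies the password only for PasswordDigest UsernameTokens and throws for any other password type, so a clear-text token makes Rampart reject the request instead of letting it through. The `WSPasswordCallback`/`WSConstants` calls are assumed to be the WSS4J 1.6 API; the user store (`lookupPassword`) and its entries are constructed placeholders for whatever the server actually holds.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Rampart password callback that accepts only UsernameToken digest passwords.
 * Rampart/WSS4J recomputes the digest over nonce + created + password and
 * compares it to the token, so the handler's job is just to hand over the
 * stored password, and only when the incoming token is a PasswordDigest.
 */
public class DigestOnlyPWCBHandler implements CallbackHandler {

    // Constructed sample store. A real deployment needs the clear-text (or
    // at least recoverable) password for digest verification, which is the
    // trade-off Brian describes above.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("bob", "bobPW");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Unsupported callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;

            // Reject any UsernameToken whose password type is not PasswordDigest
            // (PasswordText and unknown types both fail here).
            if (pwcb.getUsage() != WSPasswordCallback.USERNAME_TOKEN
                    || !WSConstants.PASSWORD_DIGEST.equals(pwcb.getType())) {
                throw new UnsupportedCallbackException(pwcb,
                        "Only UsernameToken with PasswordDigest is accepted");
            }

            // Hypothetical lookup; an unknown user gets no password, so the
            // digest check fails.
            String password = lookupPassword(pwcb.getIdentifier());
            if (password == null) {
                throw new UnsupportedCallbackException(pwcb, "Unknown user");
            }
            pwcb.setPassword(password);
        }
    }

    private static String lookupPassword(String username) {
        return USERS.get(username);
    }
}
```

Wire it in exactly as sample01 wires its PWCBHandler (the `passwordCallbackClass` parameter of the Rampart policy), replacing the sample's class name with this one.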
