axis-java-user mailing list archives

From Praveen Palwai <praveenpal...@yahoo.com>
Subject Re: WS-Security Policy - Password in Clear Text
Date Mon, 12 Nov 2007 16:07:29 GMT
Hi,
I was able to resolve the digest password issue by adding the transportbinding tag to the
policy.xml file. My current policy.xml file is:
<wsp:Policy wsu:Id="UTOverTransport"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:TransportBinding
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                </wsp:Policy>
            </sp:TransportBinding>
            <sp:SignedSupportingTokens
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:UsernameToken />
                </wsp:Policy>
            </sp:SignedSupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

Using the above policy.xml file, I am able to send the password in clear text and the server
returns successfully, but the client throws the below exception:
Exception in thread "main" java.lang.NullPointerException
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:90)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:85)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:292)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:212)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:132)
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:336)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:508)
    at com.nwa.fcsservicesweb.service.FcsServiceClient.main(FcsServiceClient.java:81)

The client code and the handler code are below. Can anyone tell me what I am doing wrong?
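// FcsServiceClient.java
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.model.RampartConfig;

public class FcsServiceClient {

    public static void main(String[] args) throws Exception {
        // Load the Axis2 repository (modules such as rampart and addressing)
        ConfigurationContext ctx = ConfigurationContextFactory
                .createConfigurationContextFromFileSystem(
                        "C:\\Java\\axis2-1.3\\repository", null);

        ServiceClient client = new ServiceClient(ctx, null);
        Options options = new Options();
        options.setAction("\"\"");
        options.setTo(new EndpointReference("Endpoint"));

        // Rampart client configuration: user name and password callback class
        RampartConfig rc = new RampartConfig();
        rc.setUser("user");
        rc.setPwCbClass("PWCBHandler");
        Policy policy = loadPolicy("policy.xml");
        policy.addAssertion(rc);

        options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
        client.setOptions(options);

        client.engageModule("addressing");
        client.engageModule("rampart");

        OMElement response = client.sendReceive(getPayload("0000101782"));

        System.out.println(response);
    }

    // Build a Neethi Policy object from the policy file
    private static Policy loadPolicy(String xmlPath) throws Exception {
        StAXOMBuilder builder = new StAXOMBuilder(xmlPath);
        return PolicyEngine.getPolicy(builder.getDocumentElement());
    }

    // Build the request payload element
    private static OMElement getPayload(String value) {
        OMFactory factory = OMAbstractFactory.getOMFactory();
        OMNamespace ns = factory.createOMNamespace(
                "namespace", "ns1");
        OMElement elem = factory.createOMElement("getPassword", null);
        OMElement childElem = factory.createOMElement("user", null);
        childElem.setText(value);
        elem.addChild(childElem);

        System.out.println(elem);
        return elem;
    }
}

// PWCBHandler.java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCBHandler implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {

        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
            // Supply the password for the configured user only
            if(pwcb.getIdentifer().equals("user")){
                pwcb.setPassword("password");
            }else {
                throw new UnsupportedCallbackException(callbacks[i], "Invalid UserId");
            }
        }
    }

}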


----- Original Message ----
From: Nandana Mihindukulasooriya <nandana.cse@gmail.com>
To: axis-user@ws.apache.org
Sent: Sunday, November 11, 2007 9:57:24 PM
Subject: Re: WS-Security Policy - Password in Clear Text


Hi Praveen,

Can you post the complete policy, so we can see whether your policy is configured to
send the timestamp?

Yes, Rampart used to send the password in digest by default; it is now fixed, and the Username
tokens used as (signed) supporting tokens have the password in plaintext. Username Tokens are
also encrypted as the password is in plain text as described in the web services security
policy specification. Can you take a checkout from the latest Rampart trunk [1] and try this?

Regards,
Nandana

[1] https://svn.apache.org/repos/asf/webservices/rampart/trunk/java



On Nov 10, 2007 1:48 AM, Praveen Palwai <praveenpalwai@yahoo.com> wrote:

Hi,
I am using Axis2 1.3, rampart 1.3 to send username token to a Web Service running on websphere.
I am using RampartConfig to set the user and the password callback class. My question is using
this configuration, the security header always has nonce, timestamp included and the password
is of type digest. What do I need to do so that the request doesn't contain nonce, timestamp
and the password is sent in clear text instead of digest. I have the following policy.xml file

<?xml version="1.0" encoding="UTF-8"?>
    <wsp:ExactlyOne>
      <wsp:All>
            <wsp:Policy>
                <sp:UsernameToken/>

          </wsp:Policy>
        </sp:SignedSupportingTokens>
 </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

code snippet:
_serviceClient.engageModule("rampart");

RampartConfig rc = new RampartConfig();
rc.setUser("patadmin");
rc.setPwCbClass("PWCBHandler");
Policy policy = loadPolicy("policy.xml");
policy.addAssertion(rc);
       

_serviceClient.getOptions().setProperty(RampartMessageData.KEY_RAMPART_POLICY,
  policy);

Thanks,
Praveen Palwai.
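
An added example, not part of the original thread and not Rampart code: the UTOverTransport policy posted above has an empty sp:TransportBinding, so nothing in the policy ties the clear-text UsernameToken to HTTPS. The check below compares that policy with a variant that declares sp:HttpsToken. The function names, the finding labels and the hardened variant are assumptions made for illustration; the namespaces are the ones used in the thread.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

def make_policy(binding_body):
    """Constructed sample: the policy from the message above, with the
    content of sp:TransportBinding's nested wsp:Policy supplied."""
    return f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
 <wsp:ExactlyOne><wsp:All>
  <sp:TransportBinding><wsp:Policy>{binding_body}</wsp:Policy></sp:TransportBinding>
  <sp:SignedSupportingTokens><wsp:Policy>
   <sp:UsernameToken/>
  </wsp:Policy></sp:SignedSupportingTokens>
 </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

AS_POSTED = make_policy("")  # empty binding, as in the thread

# Hypothetical hardened binding: HTTPS transport token plus the usual
# algorithm suite, layout and timestamp assertions.
HARDENED = make_policy(
    "<sp:TransportToken><wsp:Policy><sp:HttpsToken "
    "RequireClientCertificate='false'/></wsp:Policy></sp:TransportToken>"
    "<sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>"
    "<sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>"
    "<sp:IncludeTimestamp/>")

def audit_policy(xml_text):
    """Return a list of findings for a policy that carries a UsernameToken."""
    root = ET.fromstring(xml_text)
    q = lambda name: f".//{{{SP}}}{name}"
    findings = []
    if root.find(q("UsernameToken")) is None:
        return findings  # no password-bearing token to protect
    binding = root.find(q("TransportBinding"))
    if binding is None:
        return ["no-transport-binding"]
    token = binding.find(q("TransportToken"))
    if token is None or token.find(q("HttpsToken")) is None:
        # Clear-text password with no HTTPS requirement in the policy
        findings.append("username-token-without-https-token")
    if binding.find(q("IncludeTimestamp")) is None:
        # Message carries no freshness indicator
        findings.append("no-timestamp")
    return findings

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(label, audit_policy(text))
```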



