axis-java-user mailing list archives

From "Nandana Mihindukulasooriya" <nandana....@gmail.com>
Subject Re: WS-Security Policy - Password in Clear Text
Date Mon, 12 Nov 2007 03:57:24 GMT
Hi Praveen,

Can you post the complete policy, so we can see whether your policy is
configured to send the timestamp?

Yes, Rampart used to send the password in digest by default; that is now
fixed, and the Username tokens used as (signed) supporting tokens now have
the password in plaintext. Username Tokens are also encrypted as the
password is in plain text as described in the web services security policy
specification. Can you take a checkout from the latest Rampart trunk [1]
and try this?

Regards,
Nandana

[1] https://svn.apache.org/repos/asf/webservices/rampart/trunk/java


On Nov 10, 2007 1:48 AM, Praveen Palwai <praveenpalwai@yahoo.com> wrote:

> Hi, I am using Axis2 1.3, rampart 1.3 to send username token to a Web
> Service running on websphere.
> I am using RampartConfig to set the user and the password callback class.
> My question is using this configuration, the security header always has
> nonce, timestamp included and the password is of type digest. What do I need
> to do so that the request doesn't contain nonce, timestamp and the password
> is sent in clear text instead of digest. I have the following policy.xml file
>
> <?xml version="1.0" encoding="UTF-8"?>
>     <wsp:ExactlyOne>
>       <wsp:All>
>             <wsp:Policy>
>                 <sp:UsernameToken/>
>           </wsp:Policy>
>         </sp:SignedSupportingTokens>
> </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>
>
> code snippet:
> _serviceClient.engageModule("rampart");
> RampartConfig rc = new RampartConfig();
> rc.setUser("patadmin");
> rc.setPwCbClass("PWCBHandler");
> Policy policy = loadPolicy("policy.xml");
> policy.addAssertion(rc);
>
> _serviceClient.getOptions().setProperty(
> RampartMessageData.KEY_RAMPART_POLICY,   policy);
>
> Thanks,
> Praveen Palwai.
>
