axis-java-user mailing list archives

From mgai...@hotmail.com
Subject Re: WS-Security Policy - Password in Clear Text
Date Sun, 12 Nov 2000 16:49:42 GMT
Your EPR is incorrect!

In your axis2.xml you should have InflowSecurity defined. Here is an example:

 <module ref="rampart"/>
 <parameter name="InflowSecurity">
     <action>
         <items>Signature</items>
         <signaturePropFile>service.properties</signaturePropFile>
     </action>
 </parameter>

where service.properties should contain these entries

org.apache.ws.security.crypto.provider=SecurityProviderClass
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=PutPasswordHere
org.apache.ws.security.crypto.merlin.file=NameOfJKSFileCreatedByKeyTool

I would start with the provider; I would suggest BouncyCastle
http://www.bouncycastle.org/

and work out from there

M--
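
A pre-flight check for the service.properties entries above, using JDK classes only. It is an added example, not code from the original post or from Rampart/WSS4J. The class name CryptoPropsCheck, the sample.jks file and its password are constructed, and resolving the keystore file against a directory is an assumption about where the file lives.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.*;

// Added example, not Rampart/WSS4J code: checks the Merlin keystore settings before deployment.
public class CryptoPropsCheck {
    static final String P = "org.apache.ws.security.crypto.merlin.";

    // Opens the keystore named by the properties and returns its aliases.
    // Assumption: the keystore file is resolved relative to baseDir.
    static List<String> check(Properties props, Path baseDir) throws Exception {
        String type = props.getProperty(P + "keystore.type", KeyStore.getDefaultType());
        String pass = props.getProperty(P + "keystore.password");
        String file = props.getProperty(P + "file");
        if (pass == null || file == null)
            throw new IllegalArgumentException("keystore.password and file must both be set");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(baseDir.resolve(file))) {
            ks.load(in, pass.toCharArray()); // throws IOException on a wrong password or format
        }
        return Collections.list(ks.aliases());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty JKS keystore and matching properties in a temp directory.
        Path dir = Files.createTempDirectory("cryptocheck");
        char[] pw = "constructed-sample-pw".toCharArray();
        KeyStore sample = KeyStore.getInstance("jks");
        sample.load(null, pw);
        try (OutputStream out = Files.newOutputStream(dir.resolve("sample.jks"))) {
            sample.store(out, pw);
        }
        Properties props = new Properties();
        props.setProperty(P + "keystore.type", "jks");
        props.setProperty(P + "keystore.password", "constructed-sample-pw");
        props.setProperty(P + "file", "sample.jks");
        System.out.println("aliases found: " + check(props, dir));

        props.setProperty(P + "keystore.password", "wrong-password");
        try {
            check(props, dir);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

An empty alias list means the keystore opens but holds no certificate that a Signature action could verify against.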
  ----- Original Message ----- 
  From: OEAIJJPHSCRTNHGSW
  To: axis-user@ws.apache.org 
  Sent: Monday, November 12, 2007 11:07 AM
  Subject: Re: WS-Security Policy - Password in Clear Text


  Hi,
  I was able to resolve the digest password issue by adding the transportbinding tag to the policy.xml file. My current policy.xml file is
  <wsp:Policy wsu:Id="UTOverTransport"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:ExactlyOne>
          <wsp:All>
              <sp:TransportBinding
                  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                  <wsp:Policy>
                  </wsp:Policy>
              </sp:TransportBinding>
              <sp:SignedSupportingTokens
                  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                  <wsp:Policy>
                      <sp:UsernameToken />
                  </wsp:Policy>
              </sp:SignedSupportingTokens>
          </wsp:All>
      </wsp:ExactlyOne>
  </wsp:Policy>

  Using the above policy.xml file I am able to send the password in clear text and the server returns successfully but the client throws the below exception:
  Exception in thread "main" java.lang.NullPointerException
      at org.apache.rampart.RampartEngine.process(RampartEngine.java:90)
      at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:85)
      at org.apache.axis2.engine.Phase.invoke(Phase.java:292)
      at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:212)
      at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:132)
      at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:336)
      at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
      at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
      at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
      at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
      at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:508)
      at com.nwa.fcsservicesweb.service.FcsServiceClient.main(FcsServiceClient.java:81)

  The client code and the handler code are below. Can anyone tell me what I am doing wrong?

  public static void main(String[] args) throws Exception {
          ConfigurationContext ctx = ConfigurationContextFactory
                  .createConfigurationContextFromFileSystem(
                          "C:\\Java\\axis2-1.3\\repository", null);

          ServiceClient client = new ServiceClient(ctx, null);
          Options options = new Options();
          options.setAction("\"\"");
          options.setTo(new EndpointReference("Endpoint"));
          
          RampartConfig rc = new RampartConfig();
          rc.setUser("user");       
          rc.setPwCbClass("PWCBHandler");
          Policy policy = loadPolicy("policy.xml");
          policy.addAssertion(rc);
          
          options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
          client.setOptions(options);

          client.engageModule("addressing");
          client.engageModule("rampart");

          OMElement response = client.sendReceive(getPayload("0000101782"));

          System.out.println(response);
      }

      private static Policy loadPolicy(String xmlPath) throws Exception {
          StAXOMBuilder builder = new StAXOMBuilder(xmlPath);
          return PolicyEngine.getPolicy(builder.getDocumentElement());
      }

      private static OMElement getPayload(String value) {
          OMFactory factory = OMAbstractFactory.getOMFactory();
          OMNamespace ns = factory.createOMNamespace(
                  "namespace", "ns1");
          OMElement elem = factory.createOMElement("getPassword", null);
          OMElement childElem = factory.createOMElement("user", null);
          childElem.setText(value);
          elem.addChild(childElem);

          System.out.println(elem);
          return elem;
      }

  public class PWCBHandler implements CallbackHandler {

      public void handle(Callback[] callbacks) throws IOException,
              UnsupportedCallbackException {

          for (int i = 0; i < callbacks.length; i++) {
              WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
              if(pwcb.getIdentifer().equals("user")){
                  pwcb.setPassword("password");
              }else {
                  throw new UnsupportedCallbackException(callbacks[i], "Invalid UserId");
              }
          }
      }

  }



  ----- Original Message ----
  From: ZIDREXCAXZOWCONEUQZAAFXISHJEXXIMQZUIVOTQNQEMSFDULH
  To: axis-user@ws.apache.org
  Sent: Sunday, November 11, 2007 9:57:24 PM
  Subject: Re: WS-Security Policy - Password in Clear Text

  Hi Praveen,

  Can you post the complete policy? So we can see whether your policy is configured to send the timestamp.

  Yes, Rampart used to send the password in digest by default and now it is fixed, and now the Username tokens used as (signed) supporting tokens have the password in plaintext. Username Tokens are also encrypted as the password is in plain text as described in the web services security policy specification. Can you take a checkout from the latest Rampart trunk [1] and try this?

  Regards,
  Nandana

  [1] https://svn.apache.org/repos/asf/webservices/rampart/trunk/java



  On Nov 10, 2007 1:48 AM, Praveen Palwai <praveenpalwai@yahoo.com> wrote:

    Hi,
    I am using Axis2 1.3, rampart 1.3 to send username token to a Web Service running on websphere.

    I am using RampartConfig to set the user and the password callback class. My question is: using this configuration, the security header always has nonce, timestamp included and the password is of type digest. What do I need to do so that the request doesn't contain nonce, timestamp and the password is sent in clear text instead of digest? I have the following policy.xml file:

    <?xml version="1.0" encoding="UTF-8"?>
        <wsp:ExactlyOne>
          <wsp:All>
                <wsp:Policy>
                    <sp:UsernameToken/> 
              </wsp:Policy>
            </sp:SignedSupportingTokens>
    </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

    code snippet:
    _serviceClient.engageModule("rampart"); 
    RampartConfig rc = new RampartConfig();
    rc.setUser("patadmin");
    rc.setPwCbClass("PWCBHandler");
    Policy policy = loadPolicy("policy.xml");
    policy.addAssertion(rc);
          
    _serviceClient.getOptions().setProperty(RampartMessageData.KEY_RAMPART_POLICY,   policy);

    Thanks,
    Praveen Palwai.


    __________________________________________________
    Do You Yahoo!?
    Tired of spam? Yahoo! Mail has the best spam protection around 
    http://mail.yahoo.com 




