Re: WS-Security Policy - Password in Clear Text

Mon, 12 Nov 2007 08:53:39 -0800 

your EPR is incorrect!

in your axis2.xml you should have InflowSecurity defined ..here is an example   

 <module ref="rampart"/>
 <parameter name="InflowSecurity">
        <action>
            <items>Signature</items>
            <signaturePropFile>service.properties</signaturePropFile>
        </action>
    </parameter>     

where service.properties should contain these entries

org.apache.ws.security.crypto.provider=SecurityProviderClass
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=PutPassworkHere
org.apache.ws.security.crypto.merlin.file=NameOfJKSFileCreatedByKeyTool

I would start with the provider I would suggest BouncyCastle
http://www.bouncycastle.org/

and work out from there

M--
  ----- Original Message ----- 
  Wrom: OEAIJJPHSCRTNHGSW
  To: axis-user@ws.apache.org 
  Sent: Monday, November 12, 2007 11:07 AM
  Subject: Re: WS-Security Policy - Password in Clear Text


  Hi,
  I was able to resolve the digest password issue by adding the 
transportbinding tag to the policy.xml file. My current policy.xml file is
  <wsp:Policy wsu:Id="UTOverTransport"
      
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
      <wsp:ExactlyOne>
          <wsp:All>
              <sp:TransportBinding
                  
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
                  <wsp:Policy>
                  </wsp:Policy>
              </sp:TransportBinding>
              <sp:SignedSupportingTokens
                  
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
                  <wsp:Policy>
                      <sp:UsernameToken />
                  </wsp:Policy>
              </sp:SignedSupportingTokens>
          </wsp:All>
      </wsp:ExactlyOne>
  </wsp:Policy>

  Using the above policy.xml file I am able to send the password in clear text 
and the server returns successfully but the client throws the below exception:
  Exception in thread "main" java.lang.NullPointerException
      at org.apache.rampart.RampartEngine.process(RampartEngine.java:90)
      at 
org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:85)
      at org.apache.axis2.engine.Phase.invoke(Phase.java:292)
      at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:212)
      at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:132)
      at 
org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:336)
      at 
org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
      at 
org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
      at 
org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
      at 
org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
      at 
org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:508)
      at 
com.nwa.fcsservicesweb.service.FcsServiceClient.main(FcsServiceClient.java:81)

  The client code and the handler code is below. Can anyone tell me what am I 
doing wrong. 
  public static void main(String[] args) throws Exception {
          ConfigurationContext ctx = ConfigurationContextFactory
                  .createConfigurationContextFromFileSystem(
                          "C:\\Java\\axis2-1.3\\repository", null);

          ServiceClient client = new ServiceClient(ctx, null);
          Options options = new Options();
          options.setAction("\"\"");
          options.setTo(new EndpointReference("Endpoint"));
          
          RampartConfig rc = new RampartConfig();
          rc.setUser("user");       
          rc.setPwCbClass("PWCBHandler");
          Policy policy = loadPolicy("policy.xml");
          policy.addAssertion(rc);
          
          options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
          client.setOptions(options);

          client.engageModule("addressing");
          client.engageModule("rampart");

          OMElement response = client.sendReceive(getPayload("0000101782"));

          System.out.println(response);
      }

      private static Policy loadPolicy(String xmlPath) throws Exception {
          StAXOMBuilder builder = new StAXOMBuilder(xmlPath);
          return PolicyEngine.getPolicy(builder.getDocumentElement());
      }

      private static OMElement getPayload(String value) {
          OMFactory factory = OMAbstractFactory.getOMFactory();
          OMNamespace ns = factory.createOMNamespace(
                  "namespace", "ns1");
          OMElement elem = factory.createOMElement("getPassword", null);
          OMElement childElem = factory.createOMElement("user", null);
          childElem.setText(value);
          elem.addChild(childElem);

          System.out.println(elem);
          return elem;
      }

  public class PWCBHandler implements CallbackHandler {

      public void handle(Callback[] callbacks) throws IOException,
              UnsupportedCallbackException {

          for (int i = 0; i < callbacks.length; i++) {
              WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
              if(pwcb.getIdentifer().equals("user")){
                  pwcb.setPassword("password");
              }else {
                  throw new UnsupportedCallbackException(callbacks[i], "Invalid 
UserId");
              }
          }
      }

  }



  ----- Original Message ----
  Wrom: ZIDREXCAXZOWCONEUQZAAFXISHJEXXIMQZUIVOTQNQEMSFDULH
  To: axis-user@ws.apache.org
  Sent: Sunday, November 11, 2007 9:57:24 PM
  Subject: Re: WS-Security Policy - Password in Clear Text

  Hi Praveen,

  Can you post the complete policy ? So we can see that whether your policy is 
configured to send the timestamp.

  Yes, Rampart used to sent password in digest by default and now it is fixed 
and now the Username tokens used 
  as (signed)supporting tokens have the password in plaintext. Username Tokens 
are also encrypted as the password is
  in plain text as described in the web services security policy specification. 
Can you take a check out from latest 
  Rampart trunk [1] and try this.

  Regards,
  Nandana

  [1] https://svn.apache.org/repos/asf/webservices/rampart/trunk/java



  On Nov 10, 2007 1:48 AM, Praveen Palwai <[EMAIL PROTECTED]> wrote:

    Hi,
    I am using Axis2 1.3, rampart 1.3 to send username token to a Web Service 
running on websphere. 
    I am using RampartConfig to set the user and the password callback class. 
My question is using this configuration, the security header always has nonce, 
timestamp included and the password is of type digest. What do I need to do so 
that the request doesn't contain nonce, timestamp and the password is sent in 
clear text instead of digest. I have the following policy.xml file

    <?xml version="1.0" encoding="UTF-8"?>
        <wsp:ExactlyOne>
          <wsp:All>
                <wsp:Policy>
                    <sp:UsernameToken/> 
              </wsp:Policy>
            </sp:SignedSupportingTokens>
    </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

    code snippet:
    _serviceClient.engageModule("rampart"); 
    RampartConfig rc = new RampartConfig();
    rc.setUser("patadmin");
    rc.setPwCbClass("PWCBHandler");
    Policy policy = loadPolicy("policy.xml");
    policy.addAssertion(rc);
          
    
_serviceClient.getOptions().setProperty(RampartMessageData.KEY_RAMPART_POLICY,  
 policy);

    Thanks,
    Praveen Palwai.


    __________________________________________________
    Do You Yahoo!?
    Tired of spam? Yahoo! Mail has the best spam protection around 
    http://mail.yahoo.com 





  __________________________________________________
  Do You Yahoo!?
  Tired of spam? Yahoo! Mail has the best spam protection around 
  http://mail.yahoo.com

Reply via email to