your EPR is incorrect! in your axis2.xml you should have InflowSecurity defined ..here is an example
<module ref="rampart"/> <parameter name="InflowSecurity"> <action> <items>Signature</items> <signaturePropFile>service.properties</signaturePropFile> </action> </parameter> where service.properties should contain these entries org.apache.ws.security.crypto.provider=SecurityProviderClass org.apache.ws.security.crypto.merlin.keystore.type=jks org.apache.ws.security.crypto.merlin.keystore.password=PutPassworkHere org.apache.ws.security.crypto.merlin.file=NameOfJKSFileCreatedByKeyTool I would start with the provider I would suggest BouncyCastle http://www.bouncycastle.org/ and work out from there M-- ----- Original Message ----- Wrom: OEAIJJPHSCRTNHGSW To: axis-user@ws.apache.org Sent: Monday, November 12, 2007 11:07 AM Subject: Re: WS-Security Policy - Password in Clear Text Hi, I was able to resolve the digest password issue by adding the transportbinding tag to the policy.xml file. My current policy.xml file is <wsp:Policy wsu:Id="UTOverTransport" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> <wsp:ExactlyOne> <wsp:All> <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <wsp:Policy> </wsp:Policy> </sp:TransportBinding> <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <wsp:Policy> <sp:UsernameToken /> </wsp:Policy> </sp:SignedSupportingTokens> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> Using the above policy.xml file I am able to send the password in clear text and the server returns successfully but the client throws the below exception: Exception in thread "main" java.lang.NullPointerException at org.apache.rampart.RampartEngine.process(RampartEngine.java:90) at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:85) at org.apache.axis2.engine.Phase.invoke(Phase.java:292) at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:212) at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:132) at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:336) at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389) at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211) at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163) at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528) at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:508) at com.nwa.fcsservicesweb.service.FcsServiceClient.main(FcsServiceClient.java:81) The client code and the handler code is below. Can anyone tell me what am I doing wrong. public static void main(String[] args) throws Exception { ConfigurationContext ctx = ConfigurationContextFactory .createConfigurationContextFromFileSystem( "C:\\Java\\axis2-1.3\\repository", null); ServiceClient client = new ServiceClient(ctx, null); Options options = new Options(); options.setAction("\"\""); options.setTo(new EndpointReference("Endpoint")); RampartConfig rc = new RampartConfig(); rc.setUser("user"); rc.setPwCbClass("PWCBHandler"); Policy policy = loadPolicy("policy.xml"); policy.addAssertion(rc); options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy); client.setOptions(options); client.engageModule("addressing"); client.engageModule("rampart"); OMElement response = client.sendReceive(getPayload("0000101782")); System.out.println(response); } private static Policy loadPolicy(String xmlPath) throws Exception { StAXOMBuilder builder = new StAXOMBuilder(xmlPath); return PolicyEngine.getPolicy(builder.getDocumentElement()); } private static OMElement getPayload(String value) { OMFactory factory = OMAbstractFactory.getOMFactory(); OMNamespace ns = factory.createOMNamespace( "namespace", "ns1"); OMElement elem = factory.createOMElement("getPassword", null); OMElement childElem = factory.createOMElement("user", null); childElem.setText(value); elem.addChild(childElem); System.out.println(elem); return elem; } public class PWCBHandler implements CallbackHandler { public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { for (int i = 0; i < callbacks.length; i++) { WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i]; if(pwcb.getIdentifer().equals("user")){ pwcb.setPassword("password"); }else { throw new UnsupportedCallbackException(callbacks[i], "Invalid UserId"); } } } } ----- Original Message ---- Wrom: ZIDREXCAXZOWCONEUQZAAFXISHJEXXIMQZUIVOTQNQEMSFDULH To: axis-user@ws.apache.org Sent: Sunday, November 11, 2007 9:57:24 PM Subject: Re: WS-Security Policy - Password in Clear Text Hi Praveen, Can you post the complete policy ? So we can see that whether your policy is configured to send the timestamp. Yes, Rampart used to sent password in digest by default and now it is fixed and now the Username tokens used as (signed)supporting tokens have the password in plaintext. Username Tokens are also encrypted as the password is in plain text as described in the web services security policy specification. Can you take a check out from latest Rampart trunk [1] and try this. Regards, Nandana [1] https://svn.apache.org/repos/asf/webservices/rampart/trunk/java On Nov 10, 2007 1:48 AM, Praveen Palwai <[EMAIL PROTECTED]> wrote: Hi, I am using Axis2 1.3, rampart 1.3 to send username token to a Web Service running on websphere. I am using RampartConfig to set the user and the password callback class. My question is using this configuration, the security header always has nonce, timestamp included and the password is of type digest. What do I need to do so that the request doesn't contain nonce, timestamp and the password is sent in clear text instead of digest. I have the following policy.xml file <?xml version="1.0" encoding="UTF-8"?> <wsp:ExactlyOne> <wsp:All> <wsp:Policy> <sp:UsernameToken/> </wsp:Policy> </sp:SignedSupportingTokens> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> code snippet: _serviceClient.engageModule("rampart"); RampartConfig rc = new RampartConfig(); rc.setUser("patadmin"); rc.setPwCbClass("PWCBHandler"); Policy policy = loadPolicy("policy.xml"); policy.addAssertion(rc); _serviceClient.getOptions().setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy); Thanks, Praveen Palwai. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com