> Hi,
>
> So, does it mean that to use rampart we need to have a header element even
> though there is no information in the header?
>
Yes, if Rampart is engaged and a security policy is attached to the service, the
Rampart engine expects a security header to be there in the SOAP Header, which
IMHO is quite reasonable.

Regards,
Nandana

>
> Thanks,
> Praveen.
>
> ----- Original Message ----
> From: Nandana Mihindukulasooriya <[EMAIL PROTECTED]>
> To: axis-user@ws.apache.org
> Sent: Monday, November 12, 2007 9:58:28 PM
> Subject: Re: WS-Security Policy - Password in Clear Text
>
> Hi Praveen,
> There are two ways to configure Rampart.
>
> 1.) Basic Rampart Configuration
> Here you define how the messages are secured using the "InflowSecurity" and
> "OutflowSecurity" parameters in either axis2.xml (client side) or in
> services.xml (server side). You can also define these programmatically using
> InflowConfiguration and OutflowConfiguration. In this configuration, we use
> the <items></items> element to define what is to be done to secure the
> message (actions) and the order in which they need to be done. For example,
> if you want to send only a Username Token then the configuration below will
> work. Say if you want to sign and encrypt the message, then the <items>
> element will look like <items>Signature Encrypt</items>. If you want to
> change the order of the actions such that you encrypt the message and then
> sign, all you need to do is change the order of the elements in items:
> <items>Encrypt Signature</items>.
>
> eg.
> <parameter name="OutflowSecurity">
>   <action>
>     <items>UsernameToken</items>
>     <user>bob</user>
>     <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
>     <passwordType>PasswordText</passwordType>
>   </action>
> </parameter>
>
> 2.) Policy based configuration
> Here you define how the message is secured using the WS-Security Policy
> language.
> The WS-Security Policy language contains a set of assertions which allow you
> to tell how the message is secured, what actions (sign/encrypt) are to be
> carried out, the order of them, and what supporting tokens must be sent with
> the message. There are three main security binding assertions: Transport
> binding, Symmetric binding and Asymmetric binding. You can use other
> assertions such as protection assertions, token assertions and supporting
> token assertions to secure the message according to your use case. You can
> attach policies using services.xml or programmatically. You can attach
> policies to the service (in Axis2) policy subject, operation policy subject
> or message policy subject.
>
> eg.
>
> <wsp:Policy wsu:Id="UserNameOverTransport"
>   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>   xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>   xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:TransportToken>
>             <wsp:Policy>
>               <sp:HttpsToken RequireClientCertificate="false" />
>             </wsp:Policy>
>           </sp:TransportToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Lax />
>             </wsp:Policy>
>           </sp:Layout>
>         </wsp:Policy>
>       </sp:TransportBinding>
>       <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:WssUsernameToken10 />
>             </wsp:Policy>
>           </sp:UsernameToken>
>         </wsp:Policy>
>       </sp:SignedSupportingTokens>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> I tried your policy and it works fine for me.
> One thing I noticed is that the soap response doesn't contain a security
> header. This caused a NullPointerException in Rampart sometime back but this
> is fixed. See the jira [1] RAMPART-75. The response I got using the same
> policy is given below.
>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>   <soapenv:Header>
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>       soapenv:mustUnderstand="1" />
>   </soapenv:Header>
>   <soapenv:Body>
>     <PingResponse xmlns="http://InteropBaseAddress/interop">Ping</PingResponse>
>   </soapenv:Body>
> </soapenv:Envelope>
>
> Do you know how the security is configured in the service? Can you post the
> services.xml of the service if you have it?
>
> Regards,
> Nandana
>
>
> [1] - http://issues.apache.org/jira/browse/RAMPART-75
>
>
>
> On Nov 12, 2007 10:46 PM, Praveen Palwai <[EMAIL PROTECTED]> wrote:
>
> > Hi,
> > I am only sending the username and password while sending the request to
> > the server. Do I need inflowsecurity even when I don't use encryption? Also
> > there is no security information in the response from the server. The
> > response is below:
> >
> >     xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
> >     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> >   <soapenv:Body>
> >     <getPasswordResponse xmlns="">
> >       delmar08'> http://service.fcsservicesweb.nwa.com">delmar08
> >     </getPasswordResponse>
> >   </soapenv:Body>
> > </soapenv:Envelope>
> >
> > Thanks,
> > Praveen Palwai.
> >
> >
> > ----- Original Message ----
> > From: "[EMAIL PROTECTED] " <[EMAIL PROTECTED]>
> > To: axis-user@ws.apache.org
> > Sent: Sunday, November 12, 2000 10:49:42 AM
> > Subject: Re: WS-Security Policy - Password in Clear Text
> >
> > your EPR is incorrect!
> >
> > in your axis2.xml you should have InflowSecurity defined .. here is an
> > example
> >
> > <module ref="rampart"/>
> > <parameter name="InflowSecurity">
> >   <action>
> >     <items>Signature</items>
> >     <signaturePropFile>service.properties</signaturePropFile>
> >   </action>
> > </parameter>
> >
> > where service.properties should contain these entries
> >
> > org.apache.ws.security.crypto.provider=SecurityProviderClass
> > org.apache.ws.security.crypto.merlin.keystore.type=jks
> > org.apache.ws.security.crypto.merlin.keystore.password=PutPasswordHere
> > org.apache.ws.security.crypto.merlin.file=NameOfJKSFileCreatedByKeyTool
> >
> > I would start with the provider; I would suggest BouncyCastle
> > http://www.bouncycastle.org/
> >
> > and work out from there
> >
> > M--
> >
> > ----- Original Message -----
> > *From:* Praveen Palwai <[EMAIL PROTECTED]>
> > *To:* axis-user@ws.apache.org
> > *Sent:* Monday, November 12, 2007 11:07 AM
> > *Subject:* Re: WS-Security Policy - Password in Clear Text
> >
> > Hi,
> > I was able to resolve the digest password issue by adding the
> > transportbinding tag to the policy.xml file.
> > My current policy.xml file is
> >
> > <wsp:Policy wsu:Id="UTOverTransport"
> >   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >         <wsp:Policy>
> >         </wsp:Policy>
> >       </sp:TransportBinding>
> >       <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >         <wsp:Policy>
> >           <sp:UsernameToken />
> >         </wsp:Policy>
> >       </sp:SignedSupportingTokens>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > Using the above policy.xml file I am able to send the password in clear
> > text and the server returns successfully but the client throws the below
> > exception:
> >
> > Exception in thread "main" java.lang.NullPointerException
> >         at org.apache.rampart.RampartEngine.process(RampartEngine.java:90)
> >         at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:85)
> >         at org.apache.axis2.engine.Phase.invoke(Phase.java:292)
> >         at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:212)
> >         at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:132)
> >         at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:336)
> >         at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
> >         at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
> >         at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
> >         at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
> >         at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:508)
> >         at com.nwa.fcsservicesweb.service.FcsServiceClient.main(FcsServiceClient.java:81)
> >
> > The client code and the handler code is below. Can anyone tell me what
> > am I doing wrong?
> >
> > public static void main(String[] args) throws Exception {
> >     ConfigurationContext ctx = ConfigurationContextFactory
> >             .createConfigurationContextFromFileSystem(
> >                     "C:\\Java\\axis2-1.3\\repository", null);
> >
> >     ServiceClient client = new ServiceClient(ctx, null);
> >     Options options = new Options();
> >     options.setAction("\"\"");
> >     options.setTo(new EndpointReference("Endpoint"));
> >
> >     RampartConfig rc = new RampartConfig();
> >     rc.setUser("user");
> >     rc.setPwCbClass("PWCBHandler");
> >     Policy policy = loadPolicy("policy.xml");
> >     policy.addAssertion(rc);
> >
> >     options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
> >     client.setOptions(options);
> >
> >     client.engageModule("addressing");
> >     client.engageModule("rampart");
> >
> >     OMElement response = client.sendReceive(getPayload("0000101782"));
> >
> >     System.out.println(response);
> > }
> >
> > private static Policy loadPolicy(String xmlPath) throws Exception {
> >     StAXOMBuilder builder = new StAXOMBuilder(xmlPath);
> >     return PolicyEngine.getPolicy(builder.getDocumentElement());
> > }
> >
> > private static OMElement getPayload(String value) {
> >     OMFactory factory = OMAbstractFactory.getOMFactory();
> >     OMNamespace ns = factory.createOMNamespace("namespace", "ns1");
> >     OMElement elem = factory.createOMElement("getPassword", null);
> >     OMElement childElem = factory.createOMElement("user", null);
> >     childElem.setText(value);
> >     elem.addChild(childElem);
> >
> >     System.out.println(elem);
> >     return elem;
> > }
> >
> > public class PWCBHandler implements CallbackHandler {
> >
> >     public void handle(Callback[] callbacks) throws IOException,
> >             UnsupportedCallbackException {
> >
> >         for (int i = 0; i < callbacks.length; i++) {
> >             WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
> >             if (pwcb.getIdentifer().equals("user")) {
> >                 pwcb.setPassword("password");
> >             } else {
> >                 throw new UnsupportedCallbackException(callbacks[i],
> >                         "Invalid UserId");
> >             }
> >         }
> >     }
> >
> > }
> >
> >
> > ----- Original Message ----
> > From: Nandana Mihindukulasooriya <[EMAIL PROTECTED]>
> > To: axis-user@ws.apache.org
> > Sent: Sunday, November 11, 2007 9:57:24 PM
> > Subject: Re: WS-Security Policy - Password in Clear Text
> >
> > Hi Praveen,
> >
> > Can you post the complete policy? So we can see whether your
> > policy is configured to send the timestamp.
> >
> > Yes, Rampart used to send the password in digest by default and now it is
> > fixed, and now the Username tokens used as (signed) supporting tokens have
> > the password in plaintext. Username Tokens are also encrypted as the
> > password is in plain text, as described in the web services security
> > policy specification. Can you take a checkout from the latest Rampart
> > trunk [1] and try this.
> >
> > Regards,
> > Nandana
> >
> > [1] https://svn.apache.org/repos/asf/webservices/rampart/trunk/java
> >
> >
> > On Nov 10, 2007 1:48 AM, Praveen Palwai <[EMAIL PROTECTED]> wrote:
> >
> > > Hi, I am using Axis2 1.3, rampart 1.3 to send username token to a Web
> > > Service running on websphere.
> > > I am using RampartConfig to set the user and the password callback
> > > class. My question is, using this configuration, the security header
> > > always has nonce, timestamp included and the password is of type digest.
> > > What do I need to do so that the request doesn't contain nonce, timestamp
> > > and the password is sent in clear text instead of digest?
> > > I have the following policy.xml file
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <wsp:ExactlyOne>
> > >   <wsp:All>
> > >     <wsp:Policy>
> > >       <sp:UsernameToken/>
> > >     </wsp:Policy>
> > >   </sp:SignedSupportingTokens>
> > >   </wsp:All>
> > > </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > > code snippet:
> > > _serviceClient.engageModule("rampart");
> > > RampartConfig rc = new RampartConfig();
> > > rc.setUser("patadmin");
> > > rc.setPwCbClass("PWCBHandler");
> > > Policy policy = loadPolicy("policy.xml");
> > > policy.addAssertion(rc);
> > >
> > > _serviceClient.getOptions().setProperty(
> > >         RampartMessageData.KEY_RAMPART_POLICY, policy);
> > >
> > > Thanks,
> > > Praveen Palwai.
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Tired of spam? Yahoo! Mail has the best spam protection around
> > > http://mail.yahoo.com
> > >
> >
>
> ------------------------------
> Get easy, one-click access to your favorites. Make Yahoo! your
> homepage.<http://us.rd.yahoo.com/evt=51443/*http://www.yahoo.com/r/hs>
>
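The difference between the two policies in this thread (Nandana's UserNameOverTransport requires an HttpsToken; Praveen's UTOverTransport has an empty TransportBinding) is what decides whether a clear-text password is actually protected on the wire. The check below is an added example, not code from the thread or from Rampart: it parses a WS-SecurityPolicy document and reports a UsernameToken that no binding protects, using constructed, abbreviated copies of those two policies as input.

```python
# Added example (not from the thread or from Rampart): report when a WS-SecurityPolicy
# document lets a UsernameToken, and so its password, travel without protection.
import xml.etree.ElementTree as ET

SP = "{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}"

def check_policy(xml_text):
    """Return a list of findings; an empty list means the UsernameToken is covered."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.find(".//" + SP + "UsernameToken") is None:
        return findings  # no password-bearing token in this policy
    transport = root.find(".//" + SP + "TransportBinding")
    if transport is not None:
        # Transport binding: the password is protected only if HTTPS is required.
        if transport.find(".//" + SP + "HttpsToken") is None:
            findings.append("TransportBinding asserts no HttpsToken: the clear-text "
                            "password is not required to travel over TLS")
    elif (root.find(".//" + SP + "SymmetricBinding") is not None
          or root.find(".//" + SP + "AsymmetricBinding") is not None):
        # Message-level binding: the token must be an encrypted supporting token.
        kinds = ("SignedEncryptedSupportingTokens", "EncryptedSupportingTokens")
        if all(root.find(".//" + SP + k + "//" + SP + "UsernameToken") is None
               for k in kinds):
            findings.append("UsernameToken is a signed but unencrypted supporting "
                            "token: the password is visible on the wire")
    else:
        findings.append("no security binding at all: the UsernameToken is sent unprotected")
    return findings

# Constructed, abbreviated versions of the two policies posted in the thread.
NS = ('xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" '
      'xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"')
UT = "<sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SignedSupportingTokens>"
POLICY_HTTPS = """<wsp:Policy %s><wsp:ExactlyOne><wsp:All>
  <sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
    <sp:HttpsToken RequireClientCertificate="false"/>
  </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>
  %s
</wsp:All></wsp:ExactlyOne></wsp:Policy>""" % (NS, UT)

POLICY_EMPTY_TRANSPORT = """<wsp:Policy %s><wsp:ExactlyOne><wsp:All>
  <sp:TransportBinding><wsp:Policy></wsp:Policy></sp:TransportBinding>
  %s
</wsp:All></wsp:ExactlyOne></wsp:Policy>""" % (NS, UT)

if __name__ == "__main__":
    for name, doc in (("UserNameOverTransport", POLICY_HTTPS),
                      ("UTOverTransport", POLICY_EMPTY_TRANSPORT)):
        print(name, check_policy(doc) or ["ok"])
```

The empty-TransportBinding case is exactly the policy that let Praveen send the password in clear text: nothing in it obliges the client to use HTTPS.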