The Axis doc says that securing a service by encrypting passwords can be
achieved by engaging the rampart module (I use version 1.4.2):

  cd $AXIS_HOME
  cd .\modules\rampart-samples\basic

org.apache.rampart.samples.sample03.PWCBHandler.java is the password
verification method for encrypt\decrypt (sample03: UsernameToken authentication
with a plain text password), where services.xml contains:

  <service>
    ...
    <parameter name="InflowSecurity">
      <action>
        <items>UsernameToken</items>
        <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
      </action>
    </parameter>
  </service>

Upload service.aar, then run the service by:

  ...\sample03\ant ant service.01

client.axis2.xml contains:

  <axisconfig name="AxisJava2.0">
    <module ref="rampart" />
    <parameter name="OutflowSecurity">
      <action>
        <items>UsernameToken</items>
        <user>aggarwal</user>
        <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
        <passwordType>UnencryptedPasswordText</passwordType>
      </action>
    </parameter>
    ...
  </axisconfig>

Run the client test:

  ...\sample03\ant ant.client.01
.\sample05\ Encryption: services.xml would contain

  <parameter name="InflowSecurity">
    <action>
      <items>Encrypt</items>
      <passwordCallbackClass>org.apache.rampart.samples.sample05.PWCBHandler</passwordCallbackClass>
      <decryptionPropFile>service.properties</decryptionPropFile>
    </action>
  </parameter>

service.properties would contain the attributes from the security provider
(bouncycastle, or in this case oracle); this must exist on the classpath:

  org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
  org.apache.ws.security.crypto.merlin.keystore.type=jks
  org.apache.ws.security.crypto.merlin.keystore.password=PutPasswordToBeEncryptedHere
  org.apache.ws.security.crypto.merlin.file=service.jks

  .\sample05 ant ant.service.05
client.axis2.xml would contain the callbackHandler and service.properties as
seen here:

  <parameter name="InflowSecurity">
    <action>
      <items>Encrypt</items>
      <passwordCallbackClass>org.apache.rampart.samples.sample05.PWCBHandler</passwordCallbackClass>
      <decryptionPropFile>service.properties</decryptionPropFile>
    </action>
  </parameter>
Once you have verified that the service.properties params work for you, you can
use those attributes in a servlet with startup params, which can be
accomplished in 2 ways:

1) Load down the container startup script with -Dsystem_option=value params,
   for example:

   %JAVA_HOME%\bin\java -classpath %CLASSPATH%
     -DJAVA_OPTS="-server -Xms256M -Xmx512M -XX:MaxPermSize=512M"
     -Dsun.security.ssl.allowUnsafeRenegotiation=true
     -Djavax.net.ssl.trustStore=$JRE_HOME/lib/security/cacerts
     -DtrustStorePath=$JRE_HOME/lib/security
     -Djavax.net.ssl.keyStoreType=jks
     -Djavax.net.ssl.keyStore=BancoSantander.jks
     -Dssl.KeyManagerFactory.algorithm=SunX509
     -Djavax.net.ssl.keyStorePassword=PutPasswordToBeEncryptedHere
     -Djavax.net.ssl.truststoreFile=cacerts
     -Djava.io.tmpdir=$CATALINA_HOME/tmp
     -Djavax.net.ssl.trustStore=$CATALINA_HOME/conf/jssecacerts
     -jar bootstrap.jar 1>tomcat.log

   -- you can see where one misplaced character can fubar the entire script!

2) The safer alternative is to put all SSL params from service.properties in
   your SSL connector, e.g.

   <Connector port="8443" protocol="HTTP/1.1"
              algorithm="SunX509"
              connectionTimeout="10000"
              connectionLinger="-1"
              keystoreFile="BancoSantander.jks"
              keystorePass="PutPasswordToBeEncryptedHere"
              keystoreType="jks"
              truststoreFile="cacerts"
              truststorePass="TrustStorePasswordForCacerts"
              truststoreType="jks"
              trustStorePath="$JAVA_HOME/jre/lib/security"
              maxKeepAliveRequests="1"
              secure="true" SSLEnabled="true" sslProtocol="TLS"
              clientAuth="true"
              allowUnsafeLegacyRenegotiation="false"/>

   http://tomcat.apache.org/tomcat-5.5-doc/config/http.html
Steer clear of ciphers; it is a new feature and is still being alpha tested.
I have a date with a snow-shovel which I cannot delay. I'll check back at the
end of the day to see how you're doing.
Martin ______________________________________________
Disclaimer and confidentiality note
This message is confidential. If you are not the intended recipient, we kindly
ask you to notify us. Any unauthorised forwarding or copying is not permitted.
This message serves only to exchange information and has no legally binding
effect. Because e-mails can easily be manipulated, we cannot accept liability
for their content.
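As an added pre-deployment check for the service.properties step above (example code of my own, not from Rampart, WSS4J or the Axis docs): it reads the three Merlin keys shown in service.properties, lets a hypothetical MERLIN_KEYSTORE_PASSWORD environment variable override the password so it need not sit in the file, refuses the PutPasswordToBeEncryptedHere placeholder, and then opens the keystore with the configured type and password so a wrong password fails here rather than on the first encrypted request. The temporary empty keystore and the example-only password are constructed for the demo.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.StringReader;
import java.security.KeyStore;
import java.util.Properties;

/**
 * Checks that the Merlin properties Rampart reads via decryptionPropFile
 * actually open the keystore they point at. Example code, not part of Rampart.
 */
public final class MerlinPropsCheck {

    // Property keys exactly as they appear in service.properties.
    static final String KEY_TYPE = "org.apache.ws.security.crypto.merlin.keystore.type";
    static final String KEY_PASSWORD = "org.apache.ws.security.crypto.merlin.keystore.password";
    static final String KEY_FILE = "org.apache.ws.security.crypto.merlin.file";

    // Hypothetical environment variable: lets the password stay out of the file.
    static final String PASSWORD_ENV = "MERLIN_KEYSTORE_PASSWORD";

    /** Returns the number of keystore entries, or throws if the config cannot open it. */
    public static int check(Properties props) throws Exception {
        String type = props.getProperty(KEY_TYPE, "jks");
        String file = props.getProperty(KEY_FILE);
        if (file == null) {
            throw new IllegalStateException(KEY_FILE + " is not set");
        }
        String password = System.getenv(PASSWORD_ENV);
        if (password == null) {
            password = props.getProperty(KEY_PASSWORD);
        }
        if (password == null || "PutPasswordToBeEncryptedHere".equals(password)) {
            throw new IllegalStateException("keystore password is missing or still the placeholder");
        }
        File f = new File(file);
        if (!f.isFile()) {
            throw new IllegalStateException("keystore not found: " + f.getAbsolutePath());
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(f)) {
            ks.load(in, password.toCharArray()); // IOException if the password is wrong
        }
        return ks.size();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty JKS keystore in a temp file so the check
        // runs offline; a real service.jks would hold the service's key pair.
        File tmp = File.createTempFile("service", ".jks");
        tmp.deleteOnExit();
        KeyStore empty = KeyStore.getInstance("jks");
        empty.load(null, null);
        try (OutputStream out = new FileOutputStream(tmp)) {
            empty.store(out, "example-only".toCharArray());
        }

        // Same three keys as in service.properties; backslashes escaped for Properties.
        Properties props = new Properties();
        props.load(new StringReader(
            KEY_TYPE + "=jks\n"
          + KEY_PASSWORD + "=example-only\n"
          + KEY_FILE + "=" + tmp.getAbsolutePath().replace("\\", "\\\\") + "\n"));
        System.out.println("keystore opened, entries: " + check(props));

        // Same file, wrong password: caught before deployment instead of at runtime.
        props.setProperty(KEY_PASSWORD, "wrong");
        try {
            check(props);
        } catch (Exception e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Run it with the real service.properties path substituted for the constructed one; if the environment variable is set, the keystore.password line can be left out of the file entirely.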
From: [email protected]
Date: Sun, 10 Mar 2013 17:02:36 +0530
Subject: Encrypting The Admin Passwords used by the Axis Admin Servlet
To: [email protected]
Hi,
We have some web services in our project, where our wsdd
files contain the following lines:
  <globalConfiguration>
    <parameter name="sendMultiRefs" value="true"/>
    <parameter name="disablePrettyXML" value="true"/>
    <parameter name="adminPassword" value="admin"/>
    <parameter name="dotNetSoapEncFix" value="true"/>
    <parameter name="enableNamespacePrefixOptimization" value="false"/>
    <parameter name="sendXMLDeclaration" value="true"/>
    <parameter name="sendXsiTypes" value="true"/>
    <parameter name="axis.disableServiceList" value="true"/>
    <parameter name="attachments.implementation"
               value="org.apache.axis.attachments.AttachmentsImpl"/>
    <requestFlow>
      <handler type="java:org.apache.axis.handlers.JWSHandler">
        <parameter name="scope" value="session"/>
      </handler>
      <handler type="java:org.apache.axis.handlers.JWSHandler">
        <parameter name="scope" value="request"/>
        <parameter name="extension" value=".jwr"/>
      </handler>
    </requestFlow>
  </globalConfiguration>
I wanted to know the use of the above highlighted element
(adminPassword), and also, is there any way we can introduce our own encryption
mechanism to encrypt this password so that it is not visible in plain text to
anyone?
Thanks and Regards,
Rajat Aggarwal
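One way to keep a password such as adminPassword out of the wsdd in plain text is to store only a salted, iterated PBKDF2 hash and verify submitted passwords against it. The class below is an added example written for this thread (not Axis or Rampart code) using only the JDK; the property name adminPasswordHash and the hash entry format are my own choices, and how Axis calls verify() instead of comparing the adminPassword parameter directly is left as an assumption, since that hook is not shown on this page. The "admin" sample password is constructed for the demo.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Stores a salted PBKDF2 hash instead of a plaintext password and verifies
 * submitted passwords against it. Example code, not part of Axis.
 */
public final class HashedPasswordStore {

    private static final String ALGORITHM = "PBKDF2WithHmacSHA256"; // JDK 8+
    private static final int ITERATIONS = 100_000;
    private static final int SALT_BYTES = 16;
    private static final int HASH_BITS = 256;

    /** Produces the value to put in the config file in place of the plaintext. */
    public static String hash(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] dk = derive(password, salt, ITERATIONS);
        return "pbkdf2-sha256$" + ITERATIONS + "$"
            + Base64.getEncoder().encodeToString(salt) + "$"
            + Base64.getEncoder().encodeToString(dk);
    }

    /** Returns true only if password matches the stored entry; malformed entries fail closed. */
    public static boolean verify(char[] password, String stored) throws Exception {
        if (stored == null) {
            return false;
        }
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !"pbkdf2-sha256".equals(parts[0])) {
            return false;
        }
        try {
            int iterations = Integer.parseInt(parts[1]);
            byte[] salt = Base64.getDecoder().decode(parts[2]);
            byte[] expected = Base64.getDecoder().decode(parts[3]);
            byte[] actual = derive(password, salt, iterations);
            return MessageDigest.isEqual(expected, actual); // constant-time compare
        } catch (IllegalArgumentException e) {       // bad number or bad base64
            return false;
        }
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance(ALGORITHM);
        return factory.generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: what a deployer would generate once and paste into
        // the config under a hypothetical adminPasswordHash parameter.
        String entry = hash("admin".toCharArray());
        Properties props = new Properties();
        props.setProperty("adminPasswordHash", entry);
        System.out.println("stored entry: " + entry);

        String stored = props.getProperty("adminPasswordHash");
        System.out.println("correct password accepted: " + verify("admin".toCharArray(), stored));
        System.out.println("wrong password rejected:   " + !verify("admin1".toCharArray(), stored));
        System.out.println("garbage entry rejected:    " + !verify("admin".toCharArray(), "not$a$hash"));
    }
}
```

The entry is self-describing (algorithm, iteration count, salt, hash), so the iteration count can be raised later without invalidating older entries, and a reversible "encryption" of the password is not needed at all: the verifier only ever recomputes and compares the hash.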