Hi Stanislav,

>  How can I on the
> client side configure the type of Password (PasswordDigest or PasswordText)
> to be used?

What Rampart fully supports is WS Security Policy 1.1. There is no way to configure the password type using WS SP 1.1. But the good thing is, Rampart now supports WS Security Policy 1.2, but it is not fully tested. Using WS SP 1.2, you can configure the password type:

<sp:UsernameToken xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp:Policy>
        ( <sp:HashPassword/> |
          <sp:NoPassword/> )
    </wsp:Policy>
</sp:UsernameToken>

Default behavior is plain text password when nothing is specified.

> Does it matter if I use SSL (https) or not (http)?

It is always recommended to use Username tokens over secure transport. So it is always recommended to use HTTPS.

> Is there any implicit relation between transport level security and type of that
> password?

In WS SP 1.1, a plaintext password will always be used when using Username tokens. But in WS SP 1.2, you can configure the password type.

I have attached a sample policy which uses hashed password with transport level
security in Security Policy 1.2.

thanks,

-- 
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/
http://nandanasm.wordpress.com/
<!--
  ~ Copyright 2005-2007 WSO2, Inc. (http://wso2.com)
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~ http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->

<wsp:Policy wsu:Id="UTOverTransport"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <wsp:Policy>
                    <sp:TransportToken>
                        <wsp:Policy>
                            <sp:HttpsToken RequireClientCertificate="false"/>
                        </wsp:Policy>
                    </sp:TransportToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                </wsp:Policy>
            </sp:TransportBinding>
            <sp:SignedSupportingTokens
                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <wsp:Policy>
                    <sp:UsernameToken
                            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:HashPassword/>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SignedSupportingTokens>
            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                <ramp:user>Alice</ramp:user>
                <ramp:encryptionUser>Bob</ramp:encryptionUser>
                <ramp:passwordCallbackClass>org.apache.testing.clients.WSS11Client</ramp:passwordCallbackClass>
            </ramp:RampartConfig>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>
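The reply above makes two points that are easy to check mechanically from a policy file: under WS-SecurityPolicy 1.1 a UsernameToken always carries a plaintext password, while under 1.2 the HashPassword / NoPassword child assertions select the type; and plaintext passwords should only travel over a TransportBinding with an HttpsToken. The following Python script is an added example (not part of the thread or of Rampart) that reads a policy, reports the password type a client would be expected to send, and flags a plaintext UsernameToken that is not bound to HTTPS. The two sample policies are constructed for the example: the first is a trimmed version of the attached UTOverTransport policy, the second is a hypothetical WS-SP 1.1 policy with no transport binding. The WS-SP 1.1 namespace URI is the one defined by the 2005 specification.

```python
import xml.etree.ElementTree as ET

# Namespaces for the two WS-SecurityPolicy versions discussed in the thread.
SP11 = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
SP12 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

# Constructed sample: trimmed copy of the attached WS-SP 1.2 policy
# (UsernameToken with HashPassword, bound to an HttpsToken transport).
POLICY_12_HASHED = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP12}">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy>
        <sp:HttpsToken RequireClientCertificate="false"/>
      </wsp:Policy></sp:TransportToken>
    </wsp:Policy></sp:TransportBinding>
    <sp:SignedSupportingTokens><wsp:Policy>
      <sp:UsernameToken><wsp:Policy><sp:HashPassword/></wsp:Policy></sp:UsernameToken>
    </wsp:Policy></sp:SignedSupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# Constructed sample: hypothetical WS-SP 1.1 policy, UsernameToken only,
# no transport binding at all.
POLICY_11_PLAIN = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP11}">
  <wsp:ExactlyOne><wsp:All>
    <sp:SupportingTokens><wsp:Policy>
      <sp:UsernameToken/>
    </wsp:Policy></sp:SupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""


def expected_password_type(policy_xml: str) -> str:
    """Return the WSS password type a client is expected to send.

    WS-SP 1.2: HashPassword -> PasswordDigest, NoPassword -> no password
    element, otherwise PasswordText (the default the reply describes).
    WS-SP 1.1: always PasswordText, the version offers no switch.
    """
    root = ET.fromstring(policy_xml)
    ut12 = root.find(f".//{{{SP12}}}UsernameToken")
    if ut12 is not None:
        if ut12.find(f".//{{{SP12}}}HashPassword") is not None:
            return "PasswordDigest"
        if ut12.find(f".//{{{SP12}}}NoPassword") is not None:
            return "NoPassword"
        return "PasswordText"
    if root.find(f".//{{{SP11}}}UsernameToken") is not None:
        return "PasswordText"
    raise ValueError("policy contains no UsernameToken assertion")


def requires_https(policy_xml: str) -> bool:
    """True if a TransportBinding with an HttpsToken is asserted (either version)."""
    root = ET.fromstring(policy_xml)
    for ns in (SP11, SP12):
        binding = root.find(f".//{{{ns}}}TransportBinding")
        if binding is not None and binding.find(f".//{{{ns}}}HttpsToken") is not None:
            return True
    return False


def assess(policy_xml: str) -> dict:
    """Combine both checks and list findings a reviewer would raise."""
    ptype = expected_password_type(policy_xml)
    https = requires_https(policy_xml)
    findings = []
    if ptype == "PasswordText" and not https:
        findings.append("plaintext UsernameToken password without HttpsToken: "
                        "credential is readable on the wire")
    if not https:
        findings.append("no transport-level protection asserted; the reply "
                        "recommends HTTPS for any UsernameToken")
    return {"password_type": ptype, "https_required": https, "findings": findings}


if __name__ == "__main__":
    for name, policy in (("UTOverTransport (1.2)", POLICY_12_HASHED),
                         ("plain 1.1", POLICY_11_PLAIN)):
        print(name, assess(policy))
```

Running the script shows the attached policy resolving to PasswordDigest over HTTPS with no findings, and the 1.1 sample resolving to PasswordText with two findings. In a real deployment the same checks can be run over the policy that Rampart actually loads, which is a cheap way to confirm that a change to the policy file had the intended effect on the wire format.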
