Does Rampart handle replay attacks when using UsernameToken password digest?
----------------------------------------------------------------------------

                 Key: RAMPART-294
                 URL: https://issues.apache.org/jira/browse/RAMPART-294
             Project: Rampart
          Issue Type: Question
            Reporter: Balamurali
            Assignee: Ruchith Udayanga Fernando


I am using a simple axis2 service and client to play around with the rampart 
module. As you can see from the policy below, I am using UsernameToken with 
digest authentication. Rampart does generate a different nonce for each request 
in the client. But when I replay the same request using TCPMon, i.e. using the 
same security header, I thought the server (which again engages rampart) would 
reject this as the nonce is the same as in the previous request. 

So, my question is, is there any configuration to enable rampart (on the server 
side) to check for duplicate nonce values? 

Following is the policy file used by the client:

<wsp:Policy wsu:Id="UsernameToken"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens
          xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:UsernameToken
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:HashPassword/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

Following is the service.xml entry:

<service>
    <parameter name="ServiceClass"
        locked="false">samples.services.SimpleTestService</parameter>
    <operation name="add">
        <messageReceiver
            class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="UsernameToken">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SupportingTokens
              xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
              <sp:UsernameToken
                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:HashPassword/>
                </wsp:Policy>
              </sp:UsernameToken>
            </wsp:Policy>
          </sp:SupportingTokens>
          <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:passwordCallbackClass>samples.services.PWCBHandler</ramp:passwordCallbackClass>
          </ramp:RampartConfig>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
</service>
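The check the reporter expects on the server side, as an added illustration that is not Rampart's or WSS4J's own code: recompute the WSS PasswordDigest (Base64 of SHA-1 over nonce bytes + Created + password), reject a Created timestamp outside a freshness window, and reject a nonce already seen inside that window, so the cache stays bounded. The username, password, nonce and timestamps are constructed sample values; the password lookup stands in for the PWCBHandler callback.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """WSS UsernameToken PasswordDigest = Base64(SHA-1(nonce-bytes + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


class UsernameTokenVerifier:
    """Server-side check: digest matches, Created is fresh, nonce not seen before."""

    def __init__(self, lookup_password, max_age=timedelta(minutes=5)):
        self.lookup_password = lookup_password   # callback: username -> password
        self.max_age = max_age
        self.seen = {}                           # nonce -> time it may be forgotten

    def verify(self, token: dict, now: datetime) -> str:
        # Forget nonces whose Created is already outside the window; a replay of
        # those fails the freshness check below, so the cache stays bounded.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        created = datetime.strptime(token["created"], "%Y-%m-%dT%H:%M:%SZ")
        created = created.replace(tzinfo=timezone.utc)
        if not (now - self.max_age <= created <= now + timedelta(seconds=30)):
            return "stale"
        expected = password_digest(token["nonce"], token["created"],
                                   self.lookup_password(token["username"]))
        if expected != token["digest"]:
            return "bad-digest"
        if token["nonce"] in self.seen:
            return "replay"                      # same header sent again (e.g. via TCPMon)
        self.seen[token["nonce"]] = created + self.max_age
        return "ok"


# Constructed sample request as it would arrive in the security header.
USERS = {"alice": "secret"}
NONCE = base64.b64encode(bytes(range(16))).decode("ascii")
CREATED = "2009-03-10T10:00:00Z"
REQUEST = {"username": "alice", "nonce": NONCE, "created": CREATED,
           "digest": password_digest(NONCE, CREATED, USERS["alice"])}
T0 = datetime(2009, 3, 10, 10, 0, 5, tzinfo=timezone.utc)


def demo():
    v = UsernameTokenVerifier(USERS.__getitem__)
    first = v.verify(REQUEST, T0)                          # "ok"
    replay = v.verify(REQUEST, T0 + timedelta(seconds=1))  # "replay"
    late = v.verify(REQUEST, T0 + timedelta(minutes=10))   # "stale"
    return first, replay, late
```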


