[ 
https://issues.apache.org/jira/browse/RAMPART-294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Balamurali updated RAMPART-294:
-------------------------------

    Affects Version/s: 1.4
          Environment: Windows XP Professional
          Description: 
I am using a simple Axis2 service and client to play around with the Rampart 
module. As you can see from the policy below, I am using UsernameToken with 
digest authentication. Rampart does generate a different nonce for each request 
in the client. When I replay the same request using TCPMon, i.e. using the same 
security header, I thought the server (which again engages Rampart) would 
reject it, as the nonce is the same as in the previous request. But the request 
goes through Rampart without any issues.

So, my question is: is there any configuration to enable Rampart (on the server 
side) to check for duplicate nonce values?

Following is the policy file used by the client:

<wsp:Policy wsu:Id="UsernameToken"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens
          xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:UsernameToken
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:HashPassword/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

Following is the services.xml entry:

<service>
    <parameter name="ServiceClass"
        locked="false">samples.services.SimpleTestService</parameter>
    <operation name="add">
        <messageReceiver
            class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="UsernameToken">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SupportingTokens
              xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
              <sp:UsernameToken
                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:HashPassword/>
                </wsp:Policy>
              </sp:UsernameToken>
            </wsp:Policy>
          </sp:SupportingTokens>
          <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:passwordCallbackClass>samples.services.PWCBHandler</ramp:passwordCallbackClass>
          </ramp:RampartConfig>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
</service>

Thanks & Regards,
Bala

  was:
I am using a simple Axis2 service and client to play around with the Rampart 
module. As you can see from the policy below, I am using UsernameToken with 
digest authentication. Rampart does generate a different nonce for each request 
in the client. But when I replay the same request using TCPMon, i.e. using the 
same security header, I thought the server (which again engages Rampart) would 
reject it, as the nonce is the same as in the previous request.

So, my question is: is there any configuration to enable Rampart (on the server 
side) to check for duplicate nonce values?

Following is the policy file used by the client:

<wsp:Policy wsu:Id="UsernameToken"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens
          xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:UsernameToken
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:HashPassword/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

Following is the services.xml entry:

<service>
    <parameter name="ServiceClass"
        locked="false">samples.services.SimpleTestService</parameter>
    <operation name="add">
        <messageReceiver
            class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="UsernameToken">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SupportingTokens
              xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
              <sp:UsernameToken
                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:HashPassword/>
                </wsp:Policy>
              </sp:UsernameToken>
            </wsp:Policy>
          </sp:SupportingTokens>
          <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:passwordCallbackClass>samples.services.PWCBHandler</ramp:passwordCallbackClass>
          </ramp:RampartConfig>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
</service>




> Does Rampart handle replay attacks when using UsernameToken password digest?
> ----------------------------------------------------------------------------
>
>                 Key: RAMPART-294
>                 URL: https://issues.apache.org/jira/browse/RAMPART-294
>             Project: Rampart
>          Issue Type: Question
>    Affects Versions: 1.4
>         Environment: Windows XP Professional
>            Reporter: Balamurali
>            Assignee: Ruchith Udayanga Fernando
>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
