Re: WS-Security Policy - Password in Clear Text
Hi,

> So, does it mean that to use rampart we need to have a header element even though there is no information in the header?

Yes, if Rampart is engaged and a security policy is attached to the service, Rampart engine expects a security header to be there in the SOAP Header which IMHO is quite reasonable.

Regards,
Nandana

> Thanks,
> Praveen.

----- Original Message -----
From: Nandana Mihindukulasooriya [EMAIL PROTECTED]
To: axis-user@ws.apache.org
Sent: Monday, November 12, 2007 9:58:28 PM
Subject: Re: WS-Security Policy - Password in Clear Text

Hi Praveen,

There are two ways to configure Rampart.

1.) Basic Rampart Configuration

Here you define how the messages are secured using InflowSecurity and OutflowSecurity parameters in either axis2.xml (client side) or in services.xml (server side). You can also define these programmatically using InflowConfiguration and OutflowConfiguration. In this configuration, we use the <item></item> element to define what is to be done to secure the message (actions) and the order that they need to be done. For example, if you want to send only a Username Token then the configuration below will work. Say if you want to sign and encrypt the message then the items element will look like <items>Signature Encrypt</items>. If you want to change the order of the actions such that you encrypt the message and then sign, all you need to do is change the order of the elements in items: <items>Encrypt Signature</items>.

eg.

    <parameter name="OutflowSecurity">
      <action>
        <items>UsernameToken</items>
        <user>bob</user>
        <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
        <passwordType>PasswordText</passwordType>
      </action>
    </parameter>

2.) Policy based configuration

Here you define how the message is secured using the ws-security policy language. The ws-security policy language contains a set of assertions which allow you to tell how the message is secured, what actions (sign/encrypt) are to be carried out, the order of them, and what supporting tokens must be sent with the message. There are three main security binding assertions: Transport binding, Symmetric binding and Asymmetric binding. You can use other assertions such as protection assertions, token assertions and supporting token assertions to secure the message according to your use case. You can attach policies using services.xml or programmatically. You can attach policies to the service (in Axis 2) policy subject, operation policy subject or message policy subject.

eg.

    <wsp:Policy wsu:Id="UserNameOverTransport"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
        xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:TransportToken>
                <wsp:Policy>
                  <sp:HttpsToken RequireClientCertificate="false" />
                </wsp:Policy>
              </sp:TransportToken>
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:Basic256 />
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Lax />
                </wsp:Policy>
              </sp:Layout>
            </wsp:Policy>
          </sp:TransportBinding>
          <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssUsernameToken10 />
                </wsp:Policy>
              </sp:UsernameToken>
            </wsp:Policy>
          </sp:SignedSupportingTokens>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>

I tried your policy and it works fine for me. One thing I noticed is that the soap response doesn't contain a security header. This caused a NullPointerException in Rampart some time back but this is fixed. See the jira [1] RAMPART-75. The response I got using the same policy is given below.

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1" />
      </soapenv:Header>
      <soapenv:Body>
        <PingResponse xmlns="http://InteropBaseAddress/interop"
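
An added example, not code from the thread or from the Rampart project: a JDK-only Java check that parses a captured SOAP message and reports whether it carries a wsse:Security header (the condition the Rampart client enforces on the response in this thread) and, if a UsernameToken is present, whether its password is clear text and whether Nonce and Created accompany it. The class name, method names and the three sample messages are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Hypothetical helper class; it does not use or depend on Axis2 or Rampart.
public class SecurityHeaderCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/"
            + "oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/"
            + "oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/"
            + "oasis-200401-wss-username-token-profile-1.0#PasswordText";

    // Constructed sample messages, modelled on the shapes discussed in the thread.
    static final String NO_HEADER =
            "<e:Envelope xmlns:e='" + SOAP + "'><e:Body><r/></e:Body></e:Envelope>";
    static final String EMPTY_SECURITY =
            "<e:Envelope xmlns:e='" + SOAP + "'><e:Header>"
            + "<w:Security xmlns:w='" + WSSE + "' e:mustUnderstand='1'/>"
            + "</e:Header><e:Body><r/></e:Body></e:Envelope>";
    static final String CLEAR_TEXT_REQUEST =
            "<e:Envelope xmlns:e='" + SOAP + "'><e:Header>"
            + "<w:Security xmlns:w='" + WSSE + "'><w:UsernameToken>"
            + "<w:Username>bob</w:Username>"
            + "<w:Password Type='" + PASSWORD_TEXT + "'>example-only</w:Password>"
            + "</w:UsernameToken></w:Security></e:Header>"
            + "<e:Body><r/></e:Body></e:Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Captured messages are untrusted input: reject DOCTYPE declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    static Element firstDescendant(Element parent, String ns, String local) {
        NodeList hits = parent.getElementsByTagNameNS(ns, local);
        return hits.getLength() == 0 ? null : (Element) hits.item(0);
    }

    static String describe(String xml) throws Exception {
        Element header = firstDescendant(parse(xml).getDocumentElement(), SOAP, "Header");
        Element security = header == null ? null : firstDescendant(header, WSSE, "Security");
        if (security == null) {
            // The response shape the thread's client failed on.
            return "no wsse:Security header";
        }
        Element token = firstDescendant(security, WSSE, "UsernameToken");
        if (token == null) {
            return "wsse:Security present, no UsernameToken";
        }
        Element password = firstDescendant(token, WSSE, "Password");
        if (password == null) {
            return "UsernameToken without Password";
        }
        String type = password.getAttribute("Type");
        // The UsernameToken profile treats a missing Type as PasswordText.
        boolean clearText = type.isEmpty() || type.equals(PASSWORD_TEXT);
        boolean nonce = firstDescendant(token, WSSE, "Nonce") != null;
        boolean created = firstDescendant(token, WSU, "Created") != null;
        return "UsernameToken password=" + (clearText ? "clear text" : "digest or other")
                + " nonce=" + nonce + " created=" + created;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("response, body only    : " + describe(NO_HEADER));
        System.out.println("response, empty header : " + describe(EMPTY_SECURITY));
        System.out.println("request, username token: " + describe(CLEAR_TEXT_REQUEST));
    }
}
```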
Re: WS-Security Policy - Password in Clear Text
Hi,

The service is a websphere service. I was using a handler(which extends javax.xml.rpc.handler.GenericHandler) handleRequest method to validate the username and password sent by the request in the usernametoken format. I had to override the handleResponse method to add the security header before sending the response back to the client and the client is working fine now. So, does it mean that to use rampart we need to have a header element even though there is no information in the header?

Thanks,
Praveen.

----- Original Message -----
From: Nandana Mihindukulasooriya [EMAIL PROTECTED]
To: axis-user@ws.apache.org
Sent: Monday, November 12, 2007 9:58:28 PM
Subject: Re: WS-Security Policy - Password in Clear Text
Re: WS-Security Policy - Password in Clear Text
Hi,

I was able to resolve the digest password issue by adding the transportbinding tag to the policy.xml file. My current policy.xml file is

    <wsp:Policy wsu:Id="UTOverTransport"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
            </wsp:Policy>
          </sp:TransportBinding>
          <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:UsernameToken />
            </wsp:Policy>
          </sp:SignedSupportingTokens>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>

Using the above policy.xml file I am able to send the password in clear text and the server returns successfully but the client throws the below exception:

    Exception in thread "main" java.lang.NullPointerException
        at org.apache.rampart.RampartEngine.process(RampartEngine.java:90)
        at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:85)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:292)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:212)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:132)
        at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:336)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
        at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
        at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:508)
        at com.nwa.fcsservicesweb.service.FcsServiceClient.main(FcsServiceClient.java:81)

The client code and the handler code is below. Can anyone tell me what am I doing wrong.

    public static void main(String[] args) throws Exception {
        ConfigurationContext ctx = ConfigurationContextFactory
                .createConfigurationContextFromFileSystem("C:\\Java\\axis2-1.3\\repository", null);
        ServiceClient client = new ServiceClient(ctx, null);
        Options options = new Options();
        options.setAction("\"\"");
        options.setTo(new EndpointReference("Endpoint"));

        RampartConfig rc = new RampartConfig();
        rc.setUser("user");
        rc.setPwCbClass("PWCBHandler");

        Policy policy = loadPolicy("policy.xml");
        policy.addAssertion(rc);
        options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);

        client.setOptions(options);
        client.engageModule("addressing");
        client.engageModule("rampart");

        OMElement response = client.sendReceive(getPayload("101782"));
        System.out.println(response);
    }

    private static Policy loadPolicy(String xmlPath) throws Exception {
        StAXOMBuilder builder = new StAXOMBuilder(xmlPath);
        return PolicyEngine.getPolicy(builder.getDocumentElement());
    }

    private static OMElement getPayload(String value) {
        OMFactory factory = OMAbstractFactory.getOMFactory();
        OMNamespace ns = factory.createOMNamespace("namespace", "ns1");
        OMElement elem = factory.createOMElement("getPassword", null);
        OMElement childElem = factory.createOMElement("user", null);
        childElem.setText(value);
        elem.addChild(childElem);
        System.out.println(elem);
        return elem;
    }

    public class PWCBHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
                if (pwcb.getIdentifer().equals("user")) {
                    pwcb.setPassword("password");
                } else {
                    throw new UnsupportedCallbackException(callbacks[i], "Invalid UserId");
                }
            }
        }
    }

----- Original Message -----
From: Nandana Mihindukulasooriya [EMAIL PROTECTED]
To: axis-user@ws.apache.org
Sent: Sunday, November 11, 2007 9:57:24 PM
Subject: Re: WS-Security Policy - Password in Clear Text
Re: WS-Security Policy - Password in Clear Text
your EPR is incorrect!

in your axis2.xml you should have InflowSecurity defined ..here is an example

    <module ref="rampart"/>
    <parameter name="InflowSecurity">
      <action>
        <items>Signature</items>
        <signaturePropFile>service.properties</signaturePropFile>
      </action>
    </parameter>

where service.properties should contain these entries

    org.apache.ws.security.crypto.provider=SecurityProviderClass
    org.apache.ws.security.crypto.merlin.keystore.type=jks
    org.apache.ws.security.crypto.merlin.keystore.password=PutPassworkHere
    org.apache.ws.security.crypto.merlin.file=NameOfJKSFileCreatedByKeyTool

I would start with the provider
I would suggest BouncyCastle http://www.bouncycastle.org/ and work out from there

M--

----- Original Message -----
From: Praveen Palwai
To: axis-user@ws.apache.org
Sent: Monday, November 12, 2007 11:07 AM
Subject: Re: WS-Security Policy - Password in Clear Text
Re: WS-Security Policy - Password in Clear Text
Hi,

I am only sending the username and password while sending the request to the server. Do I need inflowsecurity even when I don't use encryption? Also there is no security information in the response from the server. The response is below:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Body>
        <getPasswordResponse xmlns="http://service.fcsservicesweb.nwa.com">delmar08</getPasswordResponse>
      </soapenv:Body>
    </soapenv:Envelope>

Thanks,
Praveen Palwai.

----- Original Message -----
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: axis-user@ws.apache.org
Sent: Sunday, November 12, 2000 10:49:42 AM
Subject: Re: WS-Security Policy - Password in Clear Text
Re: WS-Security Policy - Password in Clear Text
Hi Praveen,

Can you post the complete policy? So we can see whether your policy is configured to send the timestamp. Yes, Rampart used to send password in digest by default and now it is fixed and now the Username tokens used as (signed) supporting tokens have the password in plaintext. Username Tokens are also encrypted as the password is in plain text as described in the web services security policy specification. Can you take a check out from latest Rampart trunk [1] and try this.

Regards,
Nandana

[1] https://svn.apache.org/repos/asf/webservices/rampart/trunk/java

On Nov 10, 2007 1:48 AM, Praveen Palwai [EMAIL PROTECTED] wrote:

> Hi,
>
> I am using Axis2 1.3, rampart 1.3 to send username token to a Web Service running on websphere. I am using RampartConfig to set the user and the password callback class. My question is using this configuration, the security header always has nonce, timestamp included and the password is of type digest. What do I need to do so that the request doesn't contain nonce, timestamp and the password is sent in clear text instead of digest.
>
> I have the following policy.xml file
>
>     <?xml version="1.0" encoding="UTF-8"?>
>     <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>       <wsp:ExactlyOne>
>         <wsp:All>
>           <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <wsp:Policy>
>               <sp:UsernameToken/>
>             </wsp:Policy>
>           </sp:SignedSupportingTokens>
>         </wsp:All>
>       </wsp:ExactlyOne>
>     </wsp:Policy>
>
> code snippet:
>
>     _serviceClient.engageModule("rampart");
>     RampartConfig rc = new RampartConfig();
>     rc.setUser("patadmin");
>     rc.setPwCbClass("PWCBHandler");
>     Policy policy = loadPolicy("policy.xml");
>     policy.addAssertion(rc);
>     _serviceClient.getOptions().setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
>
> Thanks,
> Praveen Palwai.