Hi Jeff,

I think we need to consult our security experts :-) to get the answer for
this, so I am copying the rampart-user list here.

Rampart guys, can you please have a look at this policy and tell us what is
wrong with it?

Thanks,
Ruwan

On Wed, Mar 26, 2008 at 5:13 AM, Jeff Davis <[EMAIL PROTECTED]> wrote:

> Hi,
>
> I'm attempting to get a WS-Policy XML defined that will support
> UserNameToken with a password digest. Here's my policy file:
>
> <wsp:Policy wsu:Id="UTOverTransport"
>    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>    <wsp:ExactlyOne>
>        <wsp:All>
>            <sp:TransportBinding
>                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                <wsp:Policy>
>                    <sp:TransportToken>
>                        <wsp:Policy>
>                            <sp:HttpsToken RequireClientCertificate="false"/>
>                        </wsp:Policy>
>                    </sp:TransportToken>
>                    <sp:AlgorithmSuite>
>                        <wsp:Policy>
>                            <sp:Basic256/>
>                        </wsp:Policy>
>                    </sp:AlgorithmSuite>
>                    <sp:Layout>
>                        <wsp:Policy>
>                            <sp:Lax/>
>                        </wsp:Policy>
>                    </sp:Layout>
>                    <sp:IncludeTimestamp/>
>                </wsp:Policy>
>            </sp:TransportBinding>
>            <sp:SignedSupportingTokens
>                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                <wsp:Policy>
>                    <sp:UsernameToken
>                        sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                        <wsp:Policy>
>                            <sp:HashPassword/>
>                        </wsp:Policy>
>                    </sp:UsernameToken>
>                </wsp:Policy>
>            </sp:SignedSupportingTokens>
>            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>                <ramp:user>alice</ramp:user>
>                <ramp:encryptionUser>bob</ramp:encryptionUser>
>                <ramp:passwordCallbackClass>samples.userguide.PWCallback</ramp:passwordCallbackClass>
>            </ramp:RampartConfig>
>        </wsp:All>
>    </wsp:ExactlyOne>
> </wsp:Policy>
>
> When I run this, it just brings back the password in the clear, i.e.:
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
>
> Whereas I am expecting something like:
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">fwfVj34yd9/LSCWcJVwm6jDNIkQ=</wsse:Password>
>
> Now, I suspect it's because I'm using the wrong WS-SecurityPolicy namespace,
> but when I switch it to the one ending in 200702, I get no UserName returned
> at all.
>
> Any help would be greatly appreciated!
>
> jeff
>



-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"
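
To confirm on the wire which form a client actually sent, the check below classifies a UsernameToken's `wsse:Password` and recomputes the digest as Base64(SHA-1(nonce + created + password)), as the UsernameToken Profile 1.0 defines it. It is an added example, not part of the original thread and not Rampart code; the function names and the sample token are constructed for illustration.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# WSS 1.0 namespaces; PROFILE is the URI prefix of the Type values quoted in the thread.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def check_username_token(token_xml: str, password: str) -> str:
    """Classify one wsse:UsernameToken: cleartext, digest-ok, digest-mismatch or malformed."""
    # ElementTree is fine for the constructed sample; use a hardened parser on untrusted XML.
    token = ET.fromstring(token_xml)
    pw = token.find(f"{{{WSSE}}}Password")
    if pw is None:
        return "malformed"
    # A missing Type means PasswordText; anything but PasswordDigest is reported as cleartext.
    if pw.get("Type", PROFILE + "#PasswordText") != PROFILE + "#PasswordDigest":
        return "cleartext"
    nonce = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if nonce is None or created is None:
        return "malformed"
    try:
        raw = base64.b64decode(nonce, validate=True)
    except ValueError:
        return "malformed"
    expected = password_digest(raw, created, password).encode()
    sent = (pw.text or "").strip().encode()
    return "digest-ok" if hmac.compare_digest(expected, sent) else "digest-mismatch"

def build_token(user: str, pw_type: str, pw_value: str, nonce_b64: str, created: str) -> str:
    """Constructed sample token for the demo (not captured traffic)."""
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{PROFILE}#{pw_type}">{pw_value}</wsse:Password>'
            f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created></wsse:UsernameToken>')

if __name__ == "__main__":
    nonce, created = b"0123456789abcdef", "2008-03-26T05:13:00Z"  # constructed values
    n64 = base64.b64encode(nonce).decode("ascii")
    print(check_username_token(build_token("alice", "PasswordText", "password", n64, created), "password"))
    print(check_username_token(build_token("alice", "PasswordDigest", password_digest(nonce, created, "password"), n64, created), "password"))
```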