Hi Jeff,
as you have mentioned, if you want to use a hashed password
you need to use WS-SecurityPolicy 1.2. WS-SP 1.2 support was added
recently, so you will need to use a Rampart SNAPSHOT. (I think Synapse
uses a Rampart SNAPSHOT.) I tested this scenario with Rampart and it
works fine. I have attached the policy and the SOAP message.
The policy used:
<wsp:Policy wsu:Id="UTOverTransport"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedSupportingTokens
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:HashPassword/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<ramp:RampartConfig
xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>XXX</ramp:user>
<ramp:encryptionUser>XXX</ramp:encryptionUser>
<ramp:passwordCallbackClass>org.apache.testing.clients.PasswordCB</ramp:passwordCallbackClass>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
SOAP Request:
<soapenv:Envelope
xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Header
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="true">
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-14366884">
<wsu:Created>2008-03-26T03:09:22.257Z</wsu:Created>
<wsu:Expires>2008-03-26T03:14:22.257Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="UsernameToken-4276166">
<wsse:Username>Alice</wsse:Username>
<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">eG8BrbBoE+Hq5QzzpSF1q7fbgZo=</wsse:Password>
<wsse:Nonce>aNx0o1I6j0gijF/Ci/l7kQ==</wsse:Nonce>
<wsu:Created>2008-03-26T03:09:22.278Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
<wsa:To>https://localhost:1511/services/Test</wsa:To>
<wsa:ReplyTo>
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:MessageID>urn:uuid:CEA58E938BD79566381206500956970</wsa:MessageID>
<wsa:Action>http://xmlsoap.org/Ping</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<ns0:PingRequest
xmlns:ns0="http://InteropBaseAddress/interop">
<ns1:Ping
xmlns:ns1="http://xmlsoap.org/Ping">
<ns1:scenario>Scenario5</ns1:scenario>
<ns1:origin>WSO2</ns1:origin>
<ns1:text>ping</ns1:text>
</ns1:Ping>
</ns0:PingRequest>
</soapenv:Body>
</soapenv:Envelope>
thanks,
nandana
On Wed, Mar 26, 2008 at 6:15 AM, Ruwan Linton <[EMAIL PROTECTED]> wrote:
> Jeff,
>
> It seems that the message is not delivered to the rampart-user, I am again
> copying the rampart-dev.
>
> Thanks,
> Ruwan
>
> On Wed, Mar 26, 2008 at 6:08 AM, Ruwan Linton <[EMAIL PROTECTED]>
> wrote:
>
> > Hi Jeff,
> >
> > I think we need to consult our security experts :-) to get the answer for
> > this, So I am copying the rampart-user list here.
> >
> > Rampart guys, Can you please have a look at this policy and tell us what
> > is wrong with that?
> >
> > Thanks,
> > Ruwan
> >
> >
> > On Wed, Mar 26, 2008 at 5:13 AM, Jeff Davis <[EMAIL PROTECTED]> wrote:
> >
> > > Hi,
> > >
> > > I'm attempting to get a WS-Policy XML defined that will support
> > > UserNameToken with a password digest. Here's my policy file:
> > >
> > > <wsp:Policy wsu:Id="UTOverTransport"
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> > > <wsp:ExactlyOne>
> > > <wsp:All>
> > > <sp:TransportBinding
> > > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > <wsp:Policy>
> > > <sp:TransportToken>
> > > <wsp:Policy>
> > > <sp:HttpsToken RequireClientCertificate="false"/>
> > > </wsp:Policy>
> > > </sp:TransportToken>
> > > <sp:AlgorithmSuite>
> > > <wsp:Policy>
> > > <sp:Basic256/>
> > > </wsp:Policy>
> > > </sp:AlgorithmSuite>
> > > <sp:Layout>
> > > <wsp:Policy>
> > > <sp:Lax/>
> > > </wsp:Policy>
> > > </sp:Layout>
> > > <sp:IncludeTimestamp/>
> > > </wsp:Policy>
> > > </sp:TransportBinding>
> > > <sp:SignedSupportingTokens
> > > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > <wsp:Policy>
> > > <sp:UsernameToken
> > > sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > > <wsp:Policy>
> > > <sp:HashPassword/>
> > > </wsp:Policy>
> > > </sp:UsernameToken>
> > > </wsp:Policy>
> > > </sp:SignedSupportingTokens>
> > > <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> > > <ramp:user>alice</ramp:user>
> > > <ramp:encryptionUser>bob</ramp:encryptionUser>
> > > <ramp:passwordCallbackClass>samples.userguide.PWCallback</ramp:passwordCallbackClass>
> > > </ramp:RampartConfig>
> > > </wsp:All>
> > > </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > > When I run this, it just brings back the password in the clear, i.e.:
> > > <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
> > >
> > > Whereas I am expecting something like:
> > > <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">fwfVj34yd9/LSCWcJVwm6jDNIkQ=</wsse:Password>
> > >
> > > Now, I suspect it's because I'm using the wrong WS-SecurityPolicy namespace,
> > > but when I switch it to the one ending in 200702, I get no UserName
> > > returned at all.
> > >
> > > Any help would be greatly appreciated!
> > >
> > > jeff
> > >
> >
> >
> >
> > --
> > Ruwan Linton
> > http://www.wso2.org - "Oxygenating the Web Services Platform"
>
>
>
>
> --
> Ruwan Linton
> http://www.wso2.org - "Oxygenating the Web Services Platform"
>
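The PasswordDigest value that Jeff expected, and that appears in Nandana's SOAP sample, is defined by the WS-Security UsernameToken Profile 1.0 as Base64(SHA-1(nonce + created + password)), with the nonce taken as its raw decoded bytes and wsu:Created as its literal text. The example below is added here and is not code from the thread, from Rampart or from WSS4J; it is in Python rather than Rampart's Java so that it runs stand-alone. It shows both sides: a client that builds the token, and a verifier that does what `sp:HashPassword` alone does not, namely refusing a PasswordText token outright, bounding the age of wsu:Created, and keeping a nonce cache so a captured token cannot be replayed within that window. The `USERS` store, the user "Alice"'s password and the 16-byte nonce size are constructed assumptions; the namespace URIs are the ones used in the thread.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_DIGEST = UTP + "#PasswordDigest"
PASSWORD_TEXT = UTP + "#PasswordText"

# Constructed sample credential store (hypothetical; it stands in for the
# Rampart password callback, which is where a real server looks the password up).
USERS = {"Alice": "correct horse battery staple"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)),
    nonce as raw bytes, created and password as UTF-8 text."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def make_username_token(username: str, password: str, created: Optional[str] = None) -> dict:
    """Client side: fresh 16-byte random nonce (assumed size), UTC Created in the
    same shape as the thread's SOAP sample (2008-03-26T03:09:22.278Z)."""
    nonce = os.urandom(16)
    if created is None:
        created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return {
        "Username": username,
        "Type": PASSWORD_DIGEST,
        "Password": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


def _parse_created(text: str) -> datetime:
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable wsu:Created")


class DigestVerifier:
    """Server side: rejects PasswordText, enforces a freshness window on
    wsu:Created, refuses nonces already accepted, compares in constant time."""

    def __init__(self, users: dict, freshness: timedelta = timedelta(minutes=5),
                 skew: timedelta = timedelta(seconds=30)):
        self.users = users
        self.freshness = freshness
        self.skew = skew
        self.seen_nonces: set = set()  # production: bounded, expire entries by Created

    def verify(self, token: dict, now: Optional[datetime] = None) -> Tuple[bool, str]:
        now = now or datetime.now(timezone.utc)
        if token.get("Type") != PASSWORD_DIGEST:
            return False, "password type not PasswordDigest"
        password = self.users.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        try:
            created = _parse_created(token["Created"])
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError) as exc:  # binascii.Error is a ValueError
            return False, f"malformed token: {exc}"
        if created > now + self.skew:
            return False, "Created in the future"
        if now - created > self.freshness:
            return False, "stale Created"
        if token["Nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("Password", "")):
            return False, "bad digest"
        self.seen_nonces.add(token["Nonce"])
        return True, "ok"


def token_to_xml(token: dict) -> str:
    """Render the token as the wsse:UsernameToken element seen in the SOAP header."""
    ET.register_namespace("wsse", WSSE)
    ET.register_namespace("wsu", WSU)
    ut = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(ut, f"{{{WSSE}}}Username").text = token["Username"]
    pw = ET.SubElement(ut, f"{{{WSSE}}}Password", Type=token["Type"])
    pw.text = token["Password"]
    ET.SubElement(ut, f"{{{WSSE}}}Nonce").text = token["Nonce"]
    ET.SubElement(ut, f"{{{WSU}}}Created").text = token["Created"]
    return ET.tostring(ut, encoding="unicode")
```

Note that the digest by itself only proves the client knew the password at some point; without the Created window and the nonce cache a recorded token stays valid forever, which is why the verifier rejects the second presentation of the same token and a token carrying the 2008 Created from the thread. On the server, `USERS` corresponds to whatever the `passwordCallbackClass` returns for the username, since the digest has to be recomputed over the cleartext password.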