Hi Jeff and Nandana,

On Wed, Mar 26, 2008 at 9:18 AM, Nandana Mihindukulasooriya <[EMAIL PROTECTED]> wrote:

> Hi Jeff,
>    as you have mentioned, if you want to use a hashed password
> you need to use WS Security Policy 1.2. WS-SP 1.2 support was added
> recently, so you will need to use the Rampart SNAPSHOT. (I think Synapse
> uses the Rampart SNAPSHOT.)


Yes, Synapse trunk uses the Rampart SNAPSHOT; if you build Synapse from the
trunk you will get this support...

Thanks,
Ruwan


>  I tested this scenario with Rampart and it
> works fine. I have attached the policy and the SOAP message.
>
> The Policy used :
>
> <wsp:Policy wsu:Id="UTOverTransport"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>     <wsp:ExactlyOne>
>         <wsp:All>
>             <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                 <wsp:Policy>
>                     <sp:TransportToken>
>                         <wsp:Policy>
>                             <sp:HttpsToken RequireClientCertificate="false"/>
>                         </wsp:Policy>
>                     </sp:TransportToken>
>                     <sp:AlgorithmSuite>
>                         <wsp:Policy>
>                             <sp:Basic256/>
>                         </wsp:Policy>
>                     </sp:AlgorithmSuite>
>                     <sp:Layout>
>                         <wsp:Policy>
>                             <sp:Lax/>
>                         </wsp:Policy>
>                     </sp:Layout>
>                     <sp:IncludeTimestamp/>
>                 </wsp:Policy>
>             </sp:TransportBinding>
>             <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                 <wsp:Policy>
>                     <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                         <wsp:Policy>
>                             <sp:HashPassword/>
>                         </wsp:Policy>
>                     </sp:UsernameToken>
>                 </wsp:Policy>
>             </sp:SignedSupportingTokens>
>             <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>                 <ramp:user>XXX</ramp:user>
>                 <ramp:encryptionUser>XXX</ramp:encryptionUser>
>                 <ramp:passwordCallbackClass>org.apache.testing.clients.PasswordCB</ramp:passwordCallbackClass>
>             </ramp:RampartConfig>
>         </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>
>
> SOAP Request :
>
> <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
>     <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
>         <wsse:Security
>             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>             soapenv:mustUnderstand="true">
>             <wsu:Timestamp
>                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                 wsu:Id="Timestamp-14366884">
>                 <wsu:Created>2008-03-26T03:09:22.257Z</wsu:Created>
>                 <wsu:Expires>2008-03-26T03:14:22.257Z</wsu:Expires>
>             </wsu:Timestamp>
>             <wsse:UsernameToken
>                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                 wsu:Id="UsernameToken-4276166">
>                 <wsse:Username>Alice</wsse:Username>
>                 <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">eG8BrbBoE+Hq5QzzpSF1q7fbgZo=</wsse:Password>
>                 <wsse:Nonce>aNx0o1I6j0gijF/Ci/l7kQ==</wsse:Nonce>
>                 <wsu:Created>2008-03-26T03:09:22.278Z</wsu:Created>
>             </wsse:UsernameToken>
>         </wsse:Security>
>         <wsa:To>https://localhost:1511/services/Test</wsa:To>
>         <wsa:ReplyTo>
>             <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
>         </wsa:ReplyTo>
>         <wsa:MessageID>urn:uuid:CEA58E938BD79566381206500956970</wsa:MessageID>
>         <wsa:Action>http://xmlsoap.org/Ping</wsa:Action>
>     </soapenv:Header>
>     <soapenv:Body>
>         <ns0:PingRequest xmlns:ns0="http://InteropBaseAddress/interop">
>             <ns1:Ping xmlns:ns1="http://xmlsoap.org/Ping">
>                 <ns1:scenario>Scenario5</ns1:scenario>
>                 <ns1:origin>WSO2</ns1:origin>
>                 <ns1:text>ping</ns1:text>
>             </ns1:Ping>
>         </ns0:PingRequest>
>     </soapenv:Body>
> </soapenv:Envelope>
>
> thanks,
> nandana
>
>
> On Wed, Mar 26, 2008 at 6:15 AM, Ruwan Linton <[EMAIL PROTECTED]> wrote:
> > Jeff,
> >
> >  It seems that the message is not delivered to the rampart-user, I am
> >  again copying the rampart-dev.
> >
> >  Thanks,
> >  Ruwan
> >
> >  On Wed, Mar 26, 2008 at 6:08 AM, Ruwan Linton <[EMAIL PROTECTED]> wrote:
> >
> >  > Hi Jeff,
> >  >
> >  > I think we need to consult our security experts :-) to get the answer
> >  > for this, so I am copying the rampart-user list here.
> >  >
> >  > Rampart guys, can you please have a look at this policy and tell us
> >  > what is wrong with that?
> >  >
> >  > Thanks,
> >  > Ruwan
> >  >
> >  >
> >  > On Wed, Mar 26, 2008 at 5:13 AM, Jeff Davis <[EMAIL PROTECTED]> wrote:
> >  >
> >  > > Hi,
> >  > >
> >  > > I'm attempting to get a WS-Policy XML defined that will support
> >  > > UserNameToken with a password digest. Here's my policy file:
> >  > >
> >  > > <wsp:Policy wsu:Id="UTOverTransport"
> >  > >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >  > >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >  > >     <wsp:ExactlyOne>
> >  > >         <wsp:All>
> >  > >             <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >  > >                 <wsp:Policy>
> >  > >                     <sp:TransportToken>
> >  > >                         <wsp:Policy>
> >  > >                             <sp:HttpsToken RequireClientCertificate="false"/>
> >  > >                         </wsp:Policy>
> >  > >                     </sp:TransportToken>
> >  > >                     <sp:AlgorithmSuite>
> >  > >                         <wsp:Policy>
> >  > >                             <sp:Basic256/>
> >  > >                         </wsp:Policy>
> >  > >                     </sp:AlgorithmSuite>
> >  > >                     <sp:Layout>
> >  > >                         <wsp:Policy>
> >  > >                             <sp:Lax/>
> >  > >                         </wsp:Policy>
> >  > >                     </sp:Layout>
> >  > >                     <sp:IncludeTimestamp/>
> >  > >                 </wsp:Policy>
> >  > >             </sp:TransportBinding>
> >  > >             <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >  > >                 <wsp:Policy>
> >  > >                     <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >  > >                         <wsp:Policy>
> >  > >                             <sp:HashPassword/>
> >  > >                         </wsp:Policy>
> >  > >                     </sp:UsernameToken>
> >  > >                 </wsp:Policy>
> >  > >             </sp:SignedSupportingTokens>
> >  > >             <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> >  > >                 <ramp:user>alice</ramp:user>
> >  > >                 <ramp:encryptionUser>bob</ramp:encryptionUser>
> >  > >                 <ramp:passwordCallbackClass>samples.userguide.PWCallback</ramp:passwordCallbackClass>
> >  > >             </ramp:RampartConfig>
> >  > >         </wsp:All>
> >  > >     </wsp:ExactlyOne>
> >  > > </wsp:Policy>
> >  > >
> >  > > When I run this, it just brings back the password in the clear, i.e.:
> >  > > <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
> >  > >
> >  > > Whereas I am expecting something like:
> >  > > <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">fwfVj34yd9/LSCWcJVwm6jDNIkQ=</wsse:Password>
> >  > >
> >  > > Now, I suspect it's because I'm using the wrong WS-SecurityPolicy
> >  > > namespace, but when I switch it to the one ending in 200702, I get no
> >  > > UserName returned at all.
> >  > >
> >  > > Any help would be greatly appreciated!
> >  > >
> >  > > jeff
> >  > >
> >  >
> >  >
> >  >
> >  > --
> >  > Ruwan Linton
> >  > http://www.wso2.org - "Oxygenating the Web Services Platform"
> >
> >
> >
> >
> >  --
> >  Ruwan Linton
> >  http://www.wso2.org - "Oxygenating the Web Services Platform"
> >
>



-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"
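The digest Jeff is after is the PasswordDigest form of the WSS Username Token Profile 1.0, Base64(SHA-1(nonce + created + password)), which is what `<sp:HashPassword/>` under the 200702 namespace makes Rampart emit. The following is an added example, not code from the thread or from Rampart or Synapse: it builds such a token the way the client side does and shows the checks a receiver (the role fed by the password callback configured in `ramp:passwordCallbackClass`) should make before accepting it: freshness of Created, single use of the Nonce, and a constant-time digest compare. The usernames, passwords and five-minute skew window are assumed values.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# WSS Username Token Profile 1.0, PasswordDigest:
#   Password_Digest = Base64(SHA-1(nonce + created + password))
# nonce is the raw decoded bytes; created and password are UTF-8 text.
def password_digest(nonce_b64: str, created: str, password: str) -> str:
    nonce = base64.b64decode(nonce_b64)
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def wsu_timestamp(t: datetime) -> str:
    # xsd:dateTime with millisecond precision, as in the thread's SOAP message
    return t.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def make_username_token(username, password, created=None):
    # Client side: a fresh 16-byte random nonce plus a Created timestamp.
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    created = created or wsu_timestamp(datetime.now(timezone.utc))
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "Password": password_digest(nonce_b64, created, password)}

class UsernameTokenVerifier:
    """Receiver side: the checks a callback-backed verifier must make."""
    def __init__(self, passwords, max_skew=timedelta(minutes=5)):
        self._passwords = passwords   # username -> password (what the callback returns)
        self._max_skew = max_skew     # assumed window; tune to clock drift
        self._seen_nonces = set()     # replay cache; expire entries older than max_skew

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        password = self._passwords.get(token["Username"])
        if password is None:
            return False              # unknown user
        created = datetime.strptime(token["Created"], "%Y-%m-%dT%H:%M:%S.%fZ")
        created = created.replace(tzinfo=timezone.utc)
        if abs(now - created) > self._max_skew:
            return False              # stale or future-dated token
        if token["Nonce"] in self._seen_nonces:
            return False              # nonce reuse: replayed token
        expected = password_digest(token["Nonce"], token["Created"], password)
        if not hmac.compare_digest(expected, token["Password"]):
            return False              # wrong password
        self._seen_nonces.add(token["Nonce"])
        return True
```

The digest only keeps the password itself out of the message and logs; it is an unsalted SHA-1 over a short secret plus a public nonce and timestamp, so anyone who can read the message can test candidate passwords offline, which is why the policies above still carry the HttpsToken transport binding.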
