Hi list,

        We are trying to integrate the STS into our solution for SSO but we 
encountered an issue that is hard to solve.

        For the moment, the token validator uses a callback to be able to 
verify the correct username and password to deliver the token.

        The problem appears when you need to store hashed passwords and check 
against them. There would need to be some mechanism not to set the current 
password on the WSPasswordCallback to be verified directly against the string 
value of the password, but to check it against a hashed value.

        The following code is coming from the PasswordCallbackHandler:

-----------------------------------------------------------------------------------------------------------------------------

        public void handle(Callback[] callbacks) throws IOException,
                UnsupportedCallbackException {

            // Nothing to supply if no passwords were configured
            if (getPasswords() == null || getPasswords().size() == 0) {
                return;
            }

            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof WSPasswordCallback) { // CXF
                    WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

                    // Hands the stored clear-text password for this identifier
                    // to WSS4J, which then compares it with the one in the token
                    String pw = getPasswords().get(pc.getIdentifier());
                    pc.setPassword(pw);
                }
            }
        }

-----------------------------------------------------------------------------------------------------------------------------

        The correct/original password and the one provided are evaluated at the 
UsernameTokenValidator 
(org.apache.ws.security.validate.UsernameTokenValidator). Method: 
verifyDigestPassword (called from the "verifyPlaintextPassword" method).

-----------------------------------------------------------------------------------------------------------------------------

        if (!origPassword.equals(password)) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }

-----------------------------------------------------------------------------------------------------------------------------


        I could imagine that a flag could be set to indicate that the 
password should be checked instead of compared, and also the algorithm to be 
used for the digest check.

        Any suggestion about how this could/should be done? Any other idea?

        Thanks in advance.

        Fran.
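One way to do the hashed check without touching the callback, as an added example that is not code from the original message nor from CXF/WSS4J: subclass the validator and override verifyPlaintextPassword so the presented password is hashed with PBKDF2 and compared in constant time against the stored hash. It assumes the WSS4J 1.6 signatures named in the comments and a hypothetical in-memory credential store.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.validate.UsernameTokenValidator;

// Assumes the WSS4J 1.6 API: protected verifyPlaintextPassword(UsernameToken,
// RequestData) on UsernameTokenValidator, getName()/getPassword() on UsernameToken.
public class HashedPasswordTokenValidator extends UsernameTokenValidator {
    private static final int ITERATIONS = 100_000; // PBKDF2 work factor
    private static final int KEY_BITS = 256;
    // Hypothetical credential store: username -> {base64 salt, base64 PBKDF2 hash}
    private final Map<String, String[]> store;

    public HashedPasswordTokenValidator(Map<String, String[]> store) { this.store = store; }

    // Replaces the clear-text comparison done by the default implementation, so the
    // WSPasswordCallback never has to supply the original password.
    @Override
    protected void verifyPlaintextPassword(UsernameToken usernameToken, RequestData data)
            throws WSSecurityException {
        String[] entry = store.get(usernameToken.getName());
        String presented = usernameToken.getPassword();
        if (entry == null || presented == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        byte[] salt = Base64.getDecoder().decode(entry[0]);
        byte[] expected = Base64.getDecoder().decode(entry[1]);
        byte[] actual = pbkdf2(presented.toCharArray(), salt);
        // Constant-time comparison: do not leak how many leading bytes matched
        if (!MessageDigest.isEqual(expected, actual)) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
    }

    // The same function must be used when the stored hash is created at enrollment
    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 not available", e);
        }
    }
}
```

Only the PasswordText type can be verified this way, since PasswordDigest needs the original password on the server side to recompute the digest; the clear-text token must therefore travel over TLS.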
