Re: UsernameToken with password digest (HashPassword) without SSL?

Fri, 23 Aug 2013 04:18:04 -0700 


Version 2.7.6. The latest I believe.

Thanks
Sam

On 23/08/2013 9:09 p.m., Colm O hEigeartaigh wrote:

What version of CXF are you using?

Colm.


On Thu, Aug 22, 2013 at 10:15 PM, Sam <[email protected]> wrote:


Client config below

cxf.xml

    <beans 
xmlns="http://www.**springframework.org/schema/**beans<http://www.springframework.org/schema/beans>
"
        
xmlns:xsi="http://www.w3.org/**2001/XMLSchema-instance<http://www.w3.org/2001/XMLSchema-instance>
"
        xmlns:jaxws="http://cxf.**apache.org/jaxws<http://cxf.apache.org/jaxws>
"
    
xsi:schemaLocation="http://**www.springframework.org/**schema/beans<http://www.springframework.org/schema/beans>
    
http://www.springframework.**org/schema/beans/spring-beans.**xsd<http://www.springframework.org/schema/beans/spring-beans.xsd>
             http://cxf.apache.org/jaxws
             
http://cxf.apache.org/schemas/**jaxws.xsd<http://cxf.apache.org/schemas/jaxws.xsd>
">

         <jaxws:client
    
name="{http://www.example.org/**contract/DoubleIt}DoubleItPort<http://www.example.org/contract/DoubleIt%7DDoubleItPort>
**"
    createdFromAPI="true">
             <!-- Uncomment if using WS-SecPolicy method -->
             <jaxws:properties>
                 <entry key="ws-security.username" value="joe"/>
                 <entry key="ws-security.callback-**handler"
    value-ref="myPasswordCallback"**/>
             </jaxws:properties>

         </jaxws:client>

         <bean id="myPasswordCallback"
    class="client.**ClientPasswordCallback"/>

    </beans>


ClientPasswordCallback

    public class ClientPasswordCallback implements CallbackHandler {

         public void handle(Callback[] callbacks) throws IOException,
                 UnsupportedCallbackException {
             WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

             if ("joe".equals(pc.**getIdentifier())) {
                 pc.setPassword("joespassword")**;
             } // else {...} - can add more users, access DB, etc.
         }
    }

Everything works, just that password of request is in clear text and no
error response.

In case you ask Server config, here it is:

cxf-servlet.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <beans 
xmlns="http://www.**springframework.org/schema/**beans<http://www.springframework.org/schema/beans>
"
        
xmlns:xsi="http://www.w3.org/**2001/XMLSchema-instance<http://www.w3.org/2001/XMLSchema-instance>
"
        xmlns:jaxws="http://cxf.**apache.org/jaxws<http://cxf.apache.org/jaxws>
"
    
xsi:schemaLocation="http://**www.springframework.org/**schema/beans<http://www.springframework.org/schema/beans>
    
http://www.springframework.**org/schema/beans/spring-beans.**xsd<http://www.springframework.org/schema/beans/spring-beans.xsd>
              http://cxf.apache.org/jaxws
              
http://cxf.apache.org/schemas/**jaxws.xsd<http://cxf.apache.org/schemas/jaxws.xsd>
">

        <jaxws:endpoint id="doubleit"
           implementor="service.**DoubleItPortTypeImpl"
           address="/doubleit"
           wsdlLocation="WEB-INF/wsdl/**DoubleIt.wsdl">

           <!-- Uncomment only if using WS-SecurityPolicy -->
           <jaxws:properties>
              <entry key="ws-security.callback-**handler"
    value-ref="myPasswordCallback"**/>
           </jaxws:properties>

        </jaxws:endpoint>

        <bean id="myPasswordCallback"
    class="service.**ServerPasswordCallback" />
    </beans>

ServerPasswordCallback

    public class ServerPasswordCallback implements CallbackHandler {

         public void handle(Callback[] callbacks) throws IOException,
                 UnsupportedCallbackException {
             WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

             if ("joe".equals(pc.**getIdentifier())) {
                pc.setPassword("joespassword")**;
             }
         }
    }

Thanks
Sam

On 23/08/2013 12:47 a.m., Colm O hEigeartaigh wrote:


What does your client configuration look like?

Colm.


On Thu, Aug 22, 2013 at 12:34 PM, Sam <[email protected]> wrote:

  Hi Colm,

The policy is

       <wsp:Policy wsu:Id="DoubleItBindingPolicy"****>
            <wsp:ExactlyOne>
                <wsp:All>
                    <sp:SupportingTokens
     xmlns:sp="http://schemas.**xml**soap.org/ws/2005/07/****
securitypolicy <http://xmlsoap.org/ws/2005/07/**securitypolicy><
http://schemas.**xmlsoap.org/ws/2005/07/**securitypolicy<http://schemas.xmlsoap.org/ws/2005/07/securitypolicy>
">
                        <wsp:Policy>
                            <sp:UsernameToken
     
sp:IncludeToken="http://**sche**mas.xmlsoap.org/ws/2005/**<http://schemas.xmlsoap.org/ws/2005/**>
07/securitypolicy/****IncludeToken/**AlwaysToRecipient<http://**
schemas.xmlsoap.org/ws/2005/**07/securitypolicy/**
IncludeToken/AlwaysToRecipient<http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient>
**>
**">
                                <wsp:Policy>
                                    <sp:HashPassword/>
                                    <sp:WssUsernameToken11/>
                                </wsp:Policy>
                            </sp:UsernameToken>
                        </wsp:Policy>
                    </sp:SupportingTokens>
                </wsp:All>
            </wsp:ExactlyOne>
         </wsp:Policy>

I am not getting any error message and the password in request is still
in
clear text when I run the sample code from Glen's site. Response still
returns OK.
I was expecting CXF to take care of hashing password automatically but it
still works without returning error message.

It's like <sp:HashPassword/> is optional. Maybe I am missing something.

Thanks
Sam

On 22/08/2013 11:08 p.m., Colm O hEigeartaigh wrote:

  Yes it is possible. What policy are you using + what is the error you

are
getting?

Colm.


On Thu, Aug 22, 2013 at 11:53 AM, Sam <[email protected]> wrote:

   Hi all,


I read in http://pic.dhe.ibm.com/******infocenter/wasinfo/v8r5/index.*
***** <http://pic.dhe.ibm.com/****infocenter/wasinfo/v8r5/index.****><
http://pic.dhe.ibm.com/****infocenter/wasinfo/v8r5/index.****<http://pic.dhe.ibm.com/**infocenter/wasinfo/v8r5/index.**>
jsp?topic=%2Fcom.ibm.******websphere.wlp.express.doc%**
2Fae%2Fcwlp_wssec_templates_******scenario1.html<http://pic.**dhe.<http://pic.dhe.>
**
ibm.com/infocenter/wasinfo/****v8r5/index.jsp?topic=%2Fcom.**<http://ibm.com/infocenter/wasinfo/**v8r5/index.jsp?topic=%2Fcom.**>
ibm.websphere.wlp.express.doc%****2Fae%2Fcwlp_wssec_templates_****
scenario1.html<http://pic.dhe.**ibm.com/infocenter/wasinfo/**
v8r5/index.jsp?topic=%2Fcom.**ibm.websphere.wlp.express.doc%**
2Fae%2Fcwlp_wssec_templates_**scenario1.html<http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.wlp.express.doc%2Fae%2Fcwlp_wssec_templates_scenario1.html>

,


which shows
the use of ws-policy for UsernameToken with password digest
(HashPassword)
over SSL.

My question is, is it possible to use ws-policy  for UsernameToken with
password digest without SSL in CXF?

I am asking as I have been tweaking the WSDL for the usernametoke
tutorial
from http://www.jroller.com/gmazza/******entry/cxf_usernametoken_****
** <http://www.jroller.com/gmazza/****entry/cxf_usernametoken_****>
profile<http://www.jroller.**com/gmazza/**entry/cxf_**
usernametoken_**profile<http://www.jroller.com/gmazza/**entry/cxf_usernametoken_**profile>
<http://www.jroller.**com/**gmazza/entry/cxf_****
usernametoken_profile<http://**www.jroller.com/gmazza/entry/**
cxf_usernametoken_profile<http://www.jroller.com/gmazza/entry/cxf_usernametoken_profile>

,


to run without SSL successfully, now
I am trying to make it support password digest without SSL , and
without
luck.

Thanks
Sam

Reply via email to