Posted to java-user@axis.apache.org by Praveen Palwai <pr...@yahoo.com> on 2007/11/09 21:18:10 UTC

WS-Security Policy - Password in Clear Text

Hi, I am using Axis2 1.3 and Rampart 1.3 to send a username token to a Web
 Service running on WebSphere.
I am using RampartConfig to set the user and the password callback
 class. My question is: using this configuration, the security header always
 has nonce and timestamp included and the password is of type digest. What
 do I need to do so that the request doesn't contain nonce and timestamp
 and the password is sent in clear text instead of digest? I have the
 following policy.xml file:

<?xml version="1.0" encoding="UTF-8"?>
    <wsp:ExactlyOne>
      <wsp:All>
            <wsp:Policy>
                <sp:UsernameToken/>
          </wsp:Policy>
        </sp:SignedSupportingTokens>
 </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

code snippet:
_serviceClient.engageModule("rampart");
RampartConfig rc = new RampartConfig();
rc.setUser("patadmin");
rc.setPwCbClass("PWCBHandler");
Policy policy = loadPolicy("policy.xml");
policy.addAssertion(rc);
       
_serviceClient.getOptions().setProperty(RampartMessageData.KEY_RAMPART_POLICY,
  policy);

Thanks,
Praveen Palwai.


Re: WS-Security Policy - Password in Clear Text

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Praveen,

Can you post the complete policy, so we can see whether your policy is
configured to send the timestamp?

Yes, Rampart used to send the password in digest by default; now it is fixed,
and the Username tokens used
as (signed) supporting tokens have the password in plaintext. Username Tokens
are also encrypted, as the password is
in plain text, as described in the Web Services Security Policy
specification. Can you check out the latest
Rampart trunk [1] and try this?

Regards,
Nandana

[1] https://svn.apache.org/repos/asf/webservices/rampart/trunk/java


On Nov 10, 2007 1:48 AM, Praveen Palwai <pr...@yahoo.com> wrote:

> Hi, I am using Axis2 1.3 and Rampart 1.3 to send a username token to a Web
> Service running on WebSphere.
> I am using RampartConfig to set the user and the password callback class.
> My question is: using this configuration, the security header always has
> nonce and timestamp included and the password is of type digest. What do I need
> to do so that the request doesn't contain nonce and timestamp and the password
> is sent in clear text instead of digest? I have the following policy.xml file:
>
> <?xml version="1.0" encoding="UTF-8"?>
>     <wsp:ExactlyOne>
>       <wsp:All>
>             <wsp:Policy>
>                 <sp:UsernameToken/>
>           </wsp:Policy>
>         </sp:SignedSupportingTokens>
> </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>
>
> code snippet:
> _serviceClient.engageModule("rampart");
> RampartConfig rc = new RampartConfig();
> rc.setUser("patadmin");
> rc.setPwCbClass("PWCBHandler");
> Policy policy = loadPolicy("policy.xml");
> policy.addAssertion(rc);
>
> _serviceClient.getOptions().setProperty(
> RampartMessageData.KEY_RAMPART_POLICY,   policy);
>
> Thanks,
> Praveen Palwai.
>
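
An added example (not part of the thread, and not Rampart code): a Python check that parses a captured SOAP request and reports the items the question is about, namely the password type, nonce, created and timestamp, then flags what the plaintext variant gives up. The function names are hypothetical and both envelopes are constructed samples, not captured traffic.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"

def inspect_username_token(envelope_xml):
    """Summarise the UsernameToken in a SOAP request; None if no token is visible."""
    root = ET.fromstring(envelope_xml)
    sec = next(root.iter(f"{{{WSSE}}}Security"), None)
    token = sec.find(f"{{{WSSE}}}UsernameToken") if sec is not None else None
    if token is None:
        return None  # no security header, or the token is not in the clear
    pw = token.find(f"{{{WSSE}}}Password")
    # Username Token Profile 1.0: a Password with no Type attribute is PasswordText.
    ptype = "none" if pw is None else pw.get("Type", UTP + "#PasswordText").rsplit("#", 1)[-1]
    return {
        "password_type": ptype,
        "nonce": token.find(f"{{{WSSE}}}Nonce") is not None,
        "created": token.find(f"{{{WSU}}}Created") is not None,
        "timestamp": sec.find(f"{{{WSU}}}Timestamp") is not None,
    }

def findings(report, transport_is_tls):
    """Flag settings that leave the credential exposed or the token replayable."""
    out = []
    if report["password_type"] == "PasswordText" and not transport_is_tls:
        out.append("cleartext password readable on the wire")
    if not (report["nonce"] and report["created"]):
        out.append("token has no nonce/created pair for replay detection")
    return out

def envelope(security_children):  # builds constructed sample requests
    return (f'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
            f'xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><s:Header><wsse:Security>'
            f'{security_children}</wsse:Security></s:Header><s:Body/></s:Envelope>')

DIGEST_REQUEST = envelope(  # constructed: digest, nonce and timestamp present
    '<wsu:Timestamp><wsu:Created>2007-11-09T21:18:10Z</wsu:Created></wsu:Timestamp>'
    '<wsse:UsernameToken><wsse:Username>patadmin</wsse:Username>'
    f'<wsse:Password Type="{UTP}#PasswordDigest">CONSTRUCTED-DIGEST</wsse:Password>'
    '<wsse:Nonce>CONSTRUCTED-NONCE</wsse:Nonce>'
    '<wsu:Created>2007-11-09T21:18:10Z</wsu:Created></wsse:UsernameToken>')
PLAINTEXT_REQUEST = envelope(  # constructed: clear text, no nonce or timestamp
    '<wsse:UsernameToken><wsse:Username>patadmin</wsse:Username>'
    f'<wsse:Password Type="{UTP}#PasswordText">CONSTRUCTED-PASSWORD</wsse:Password>'
    '</wsse:UsernameToken>')
if __name__ == "__main__":
    for xml in (DIGEST_REQUEST, PLAINTEXT_REQUEST):
        print(findings(inspect_username_token(xml), transport_is_tls=False))
```

A `None` result for a request that should carry a token means the token is not visible in the clear, which is what an encrypted supporting token looks like to this check.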