Posted to java-user@axis.apache.org by Praveen Palwai <pr...@yahoo.com> on 2007/11/09 21:18:10 UTC
WS-Security Policy - Password in Clear Text
Hi,
I am using Axis2 1.3, Rampart 1.3 to send a username token to a Web
Service running on WebSphere.
I am using RampartConfig to set the user and the password callback
class. My question is: using this configuration, the security header always
has a nonce and timestamp included, and the password is of type digest. What
do I need to do so that the request doesn't contain the nonce and timestamp,
and the password is sent in clear text instead of digest? I have the
following policy.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<wsp:ExactlyOne>
<wsp:All>
<wsp:Policy>
<sp:UsernameToken/>
</wsp:Policy>
</sp:SignedSupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
code snippet:
_serviceClient.engageModule("rampart");
RampartConfig rc = new RampartConfig();
rc.setUser("patadmin");
rc.setPwCbClass("PWCBHandler");
Policy policy = loadPolicy("policy.xml");
policy.addAssertion(rc);
_serviceClient.getOptions().setProperty(RampartMessageData.KEY_RAMPART_POLICY,
policy);
Thanks,
Praveen Palwai.
Re: WS-Security Policy - Password in Clear Text
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Praveen,
Can you post the complete policy, so we can see whether your policy is
configured to send the timestamp?
Yes, Rampart used to send the password in digest by default; that is now
fixed, and the Username tokens used
as (signed) supporting tokens now have the password in plaintext. Username Tokens
are also encrypted, as the password is
in plain text, as described in the web services security policy
specification. Can you check out the latest
Rampart trunk [1] and try this?
Regards,
Nandana
[1] https://svn.apache.org/repos/asf/webservices/rampart/trunk/java
On Nov 10, 2007 1:48 AM, Praveen Palwai <pr...@yahoo.com> wrote:
> Hi,
> I am using Axis2 1.3, Rampart 1.3 to send a username token to a Web
> Service running on WebSphere.
> I am using RampartConfig to set the user and the password callback class.
> My question is: using this configuration, the security header always has
> a nonce and timestamp included, and the password is of type digest. What do I need
> to do so that the request doesn't contain the nonce and timestamp, and the password
> is sent in clear text instead of digest? I have the following policy.xml file:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <wsp:ExactlyOne>
> <wsp:All>
> <wsp:Policy>
> <sp:UsernameToken/>
> </wsp:Policy>
> </sp:SignedSupportingTokens>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
> code snippet:
> _serviceClient.engageModule("rampart");
> RampartConfig rc = new RampartConfig();
> rc.setUser("patadmin");
> rc.setPwCbClass("PWCBHandler");
> Policy policy = loadPolicy("policy.xml");
> policy.addAssertion(rc);
>
> _serviceClient.getOptions().setProperty(
> RampartMessageData.KEY_RAMPART_POLICY, policy);
>
> Thanks,
> Praveen Palwai.
>
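For reference, the two password forms contrasted in this thread, built as the OASIS WSS UsernameToken Profile 1.0 defines them. This is an added example, not code from the thread or from Rampart; the password, nonce and Created values are constructed, and the class and method names are hypothetical. It shows why the digest form carries a nonce and a Created value (both are inputs to the hash) and why the text form relies on encryption, since it carries the password itself.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class UsernameTokenForms {
    // Password Type URI prefix from the WSS UsernameToken Profile 1.0
    static final String PROFILE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0";

    // PasswordDigest = Base64( SHA-1( nonce bytes + Created + password ) )
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // Text form: the password travels as-is, with no nonce or Created needed.
    // Sample values contain no XML metacharacters, so no escaping is done here.
    static String textToken(String user, String password) {
        return "<wsse:UsernameToken>\n"
             + "  <wsse:Username>" + user + "</wsse:Username>\n"
             + "  <wsse:Password Type=\"" + PROFILE + "#PasswordText\">" + password + "</wsse:Password>\n"
             + "</wsse:UsernameToken>";
    }

    // Digest form: the receiver needs the nonce and Created to recompute the hash.
    static String digestToken(String user, String password, byte[] nonce, String created)
            throws Exception {
        return "<wsse:UsernameToken>\n"
             + "  <wsse:Username>" + user + "</wsse:Username>\n"
             + "  <wsse:Password Type=\"" + PROFILE + "#PasswordDigest\">"
             + digest(nonce, created, password) + "</wsse:Password>\n"
             + "  <wsse:Nonce>" + Base64.getEncoder().encodeToString(nonce) + "</wsse:Nonce>\n"
             + "  <wsu:Created>" + created + "</wsu:Created>\n"
             + "</wsse:UsernameToken>";
    }

    public static void main(String[] args) throws Exception {
        String user = "patadmin";                 // user name from the thread
        String password = "example-password";     // constructed
        String created = "2007-11-09T21:18:10Z";  // constructed Created value
        // Constructed fixed nonce for a repeatable run; a real sender uses fresh random bytes.
        byte[] nonce = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        System.out.println(textToken(user, password));
        System.out.println(digestToken(user, password, nonce, created));
    }
}
```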