Posted to rampart-dev@ws.apache.org by Ruwan Linton <ru...@gmail.com> on 2008/03/26 01:45:14 UTC

Re: WS-SecurityPolicy 1.2 support (UsernameToken PasswordDigest)

Jeff,

It seems that the message is not delivered to the rampart-user, I am again
copying the rampart-dev.

Thanks,
Ruwan

On Wed, Mar 26, 2008 at 6:08 AM, Ruwan Linton <ru...@gmail.com>
wrote:

> Hi Jeff,
>
> I think we need to consult our security experts :-) to get the answer for
> this, so I am copying the rampart-user list here.
>
> Rampart guys, can you please have a look at this policy and tell us what
> is wrong with that?
>
> Thanks,
> Ruwan
>
>
> On Wed, Mar 26, 2008 at 5:13 AM, Jeff Davis <jd...@idalica.com> wrote:
>
> > Hi,
> >
> > I'm attempting to get a WS-Policy XML defined that will support
> > UserNameToken with a password digest. Here's my policy file:
> >
> > <wsp:Policy wsu:Id="UTOverTransport"
> >    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >    <wsp:ExactlyOne>
> >        <wsp:All>
> >            <sp:TransportBinding
> >                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >                <wsp:Policy>
> >                    <sp:TransportToken>
> >                        <wsp:Policy>
> >                            <sp:HttpsToken RequireClientCertificate="false"/>
> >                        </wsp:Policy>
> >                    </sp:TransportToken>
> >                    <sp:AlgorithmSuite>
> >                        <wsp:Policy>
> >                            <sp:Basic256/>
> >                        </wsp:Policy>
> >                    </sp:AlgorithmSuite>
> >                    <sp:Layout>
> >                        <wsp:Policy>
> >                            <sp:Lax/>
> >                        </wsp:Policy>
> >                    </sp:Layout>
> >                    <sp:IncludeTimestamp/>
> >                </wsp:Policy>
> >            </sp:TransportBinding>
> >            <sp:SignedSupportingTokens
> >                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >                <wsp:Policy>
> >                    <sp:UsernameToken
> >                        sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >                        <wsp:Policy>
> >                            <sp:HashPassword/>
> >                        </wsp:Policy>
> >                    </sp:UsernameToken>
> >                </wsp:Policy>
> >            </sp:SignedSupportingTokens>
> >            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> >                <ramp:user>alice</ramp:user>
> >                <ramp:encryptionUser>bob</ramp:encryptionUser>
> >                <ramp:passwordCallbackClass>samples.userguide.PWCallback</ramp:passwordCallbackClass>
> >            </ramp:RampartConfig>
> >        </wsp:All>
> >    </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > When I run this, it just brings back the password in the clear, i.e.:
> > <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
> >
> > Whereas I am expecting something like:
> > <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">fwfVj34yd9/LSCWcJVwm6jDNIkQ=</wsse:Password>
> >
> > Now, I suspect it's because I'm using the wrong WS-SecurityPolicy namespace,
> > but when I switch it to the one ending in 200702, I get no UserName returned
> > at all.
> >
> > Any help would be greatly appreciated!
> >
> > jeff
> >
>
>
>
> --
> Ruwan Linton
> http://www.wso2.org - "Oxygenating the Web Services Platform"




-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"

Re: WS-SecurityPolicy 1.2 support (UsernameToken PasswordDigest)

Posted by Jeff Davis <jd...@idalica.com>.
Thanks -- I'll be testing it this week. I was able to build everything from
the snapshot, so I'm good to go. I'll let you know how it works.

jeff

On Tue, Mar 25, 2008 at 10:37 PM, Asankha C. Perera <as...@wso2.com>
wrote:

> Jeff
> > Yes, synapse trunk uses the rampart SNAPSHOT, if you build synapse from the
> > trunk you will get this support...
> >
> If you are unable to build Synapse from trunk due to any reason, let us
> know and one of us will make a build available to you for testing. We
> moved to using the latest Axis2/Rampart versions (SNAPSHOTS) in
> preparation for our next release, which will have this support built-in.
>
> asankha
>



-- 
Jeff Davis
Senior Architect
Idalica Corporation
MSN: jeffdavis_ca@hotmail.com
Skype: jeffdavis_ca
Phone: 719-287-8656
Enabling Business Through Open Source Technologies
www.idalica.com

IMPORTANT: This electronic message is for exclusive use by the person(s) to
whom it is addressed, and may contain information that is confidential or
privileged and exempt from disclosure under applicable law. If you are not
an intended recipient, please be aware that any disclosure, dissemination,
distribution or copying of this communication, or the use of its contents,
is prohibited. If you have received this message in error, please
immediately notify the sender of your inadvertent receipt and delete this
message from all data storage systems.

Re: WS-SecurityPolicy 1.2 support (UsernameToken PasswordDigest)

Posted by "Asankha C. Perera" <as...@wso2.com>.
Jeff
> Yes, synapse trunk uses the rampart SNAPSHOT, if you build synapse from the
> trunk you will get this support...
>   
If you are unable to build Synapse from trunk due to any reason, let us 
know and one of us will make a build available to you for testing. We 
moved to using the latest Axis2/Rampart versions (SNAPSHOTS) in 
preparation for our next release, which will have this support built-in.

asankha

Re: WS-SecurityPolicy 1.2 support (UsernameToken PasswordDigest)

Posted by Ruwan Linton <ru...@gmail.com>.
Hi Jeff and Nandana,

On Wed, Mar 26, 2008 at 9:18 AM, Nandana Mihindukulasooriya <
nandana.cse@gmail.com> wrote:

> Hi Jeff,
>    as you have mentioned, if you want to use a hashed password
> you need to use WS Security Policy 1.2. WS SP 1.2 support was added
> recently so you will need to use Rampart SNAPSHOT. (I think Synapse
> uses Rampart SNAPSHOT).


Yes, synapse trunk uses the rampart SNAPSHOT, if you build synapse from the
trunk you will get this support...

Thanks,
Ruwan


>  I tested this scenario with Rampart and it
> works fine. I have attached the policy and the SOAP message.
>
> The Policy used :
>
> <wsp:Policy wsu:Id="UTOverTransport"
>            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>    <wsp:ExactlyOne>
>        <wsp:All>
>            <sp:TransportBinding
>                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                <wsp:Policy>
>                    <sp:TransportToken>
>                        <wsp:Policy>
>                            <sp:HttpsToken RequireClientCertificate="false"/>
>                        </wsp:Policy>
>                    </sp:TransportToken>
>                    <sp:AlgorithmSuite>
>                        <wsp:Policy>
>                            <sp:Basic256/>
>                        </wsp:Policy>
>                    </sp:AlgorithmSuite>
>                    <sp:Layout>
>                        <wsp:Policy>
>                            <sp:Lax/>
>                        </wsp:Policy>
>                    </sp:Layout>
>                    <sp:IncludeTimestamp/>
>                </wsp:Policy>
>            </sp:TransportBinding>
>            <sp:SignedSupportingTokens
>                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                <wsp:Policy>
>                    <sp:UsernameToken
>                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                        <wsp:Policy>
>                            <sp:HashPassword/>
>                        </wsp:Policy>
>                    </sp:UsernameToken>
>                </wsp:Policy>
>            </sp:SignedSupportingTokens>
>            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>                <ramp:user>XXX</ramp:user>
>                <ramp:encryptionUser>XXX</ramp:encryptionUser>
>                <ramp:passwordCallbackClass>org.apache.testing.clients.PasswordCB</ramp:passwordCallbackClass>
>            </ramp:RampartConfig>
>        </wsp:All>
>    </wsp:ExactlyOne>
> </wsp:Policy>
>
> SOAP Request :
>
> <soapenv:Envelope
>        xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
>        <soapenv:Header
>                xmlns:wsa="http://www.w3.org/2005/08/addressing">
>                <wsse:Security
>                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>                        soapenv:mustUnderstand="true">
>                        <wsu:Timestamp
>                                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                                wsu:Id="Timestamp-14366884">
>                                <wsu:Created>2008-03-26T03:09:22.257Z</wsu:Created>
>                                <wsu:Expires>2008-03-26T03:14:22.257Z</wsu:Expires>
>                        </wsu:Timestamp>
>                        <wsse:UsernameToken
>                                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                                wsu:Id="UsernameToken-4276166">
>                                <wsse:Username>Alice</wsse:Username>
>                                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">eG8BrbBoE+Hq5QzzpSF1q7fbgZo=</wsse:Password>
>                                <wsse:Nonce>aNx0o1I6j0gijF/Ci/l7kQ==</wsse:Nonce>
>                                <wsu:Created>2008-03-26T03:09:22.278Z</wsu:Created>
>                        </wsse:UsernameToken>
>                </wsse:Security>
>                <wsa:To>https://localhost:1511/services/Test</wsa:To>
>                <wsa:ReplyTo>
>                        <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
>                </wsa:ReplyTo>
>                <wsa:MessageID>urn:uuid:CEA58E938BD79566381206500956970</wsa:MessageID>
>                <wsa:Action>http://xmlsoap.org/Ping</wsa:Action>
>        </soapenv:Header>
>        <soapenv:Body>
>                <ns0:PingRequest
>                        xmlns:ns0="http://InteropBaseAddress/interop">
>                        <ns1:Ping
>                                xmlns:ns1="http://xmlsoap.org/Ping">
>                                <ns1:scenario>Scenario5</ns1:scenario>
>                                <ns1:origin>WSO2</ns1:origin>
>                                <ns1:text>ping</ns1:text>
>                        </ns1:Ping>
>                </ns0:PingRequest>
>        </soapenv:Body>
> </soapenv:Envelope>
>
> thanks,
> nandana
>
>
> On Wed, Mar 26, 2008 at 6:15 AM, Ruwan Linton <ru...@gmail.com>
> wrote:
> > Jeff,
> >
> >  It seems that the message is not delivered to the rampart-user, I am again
> >  copying the rampart-dev.
> >
> >  Thanks,
> >  Ruwan
> >
> >  On Wed, Mar 26, 2008 at 6:08 AM, Ruwan Linton <ru...@gmail.com>
> >  wrote:
> >
> >  > Hi Jeff,
> >  >
> >  > I think we need to consult our security experts :-) to get the answer for
> >  > this, so I am copying the rampart-user list here.
> >  >
> >  > Rampart guys, can you please have a look at this policy and tell us what
> >  > is wrong with that?
> >  >
> >  > Thanks,
> >  > Ruwan
> >  >
> >  >
> >  > On Wed, Mar 26, 2008 at 5:13 AM, Jeff Davis <jd...@idalica.com> wrote:
> >  >
> >  > > Hi,
> >  > >
> >  > > I'm attempting to get a WS-Policy XML defined that will support
> >  > > UserNameToken with a password digest. Here's my policy file:
> >  > >
> >  > > <wsp:Policy wsu:Id="UTOverTransport"
> >  > >    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >  > >    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >  > >    <wsp:ExactlyOne>
> >  > >        <wsp:All>
> >  > >            <sp:TransportBinding
> >  > >                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >  > >                <wsp:Policy>
> >  > >                    <sp:TransportToken>
> >  > >                        <wsp:Policy>
> >  > >                            <sp:HttpsToken RequireClientCertificate="false"/>
> >  > >                        </wsp:Policy>
> >  > >                    </sp:TransportToken>
> >  > >                    <sp:AlgorithmSuite>
> >  > >                        <wsp:Policy>
> >  > >                            <sp:Basic256/>
> >  > >                        </wsp:Policy>
> >  > >                    </sp:AlgorithmSuite>
> >  > >                    <sp:Layout>
> >  > >                        <wsp:Policy>
> >  > >                            <sp:Lax/>
> >  > >                        </wsp:Policy>
> >  > >                    </sp:Layout>
> >  > >                    <sp:IncludeTimestamp/>
> >  > >                </wsp:Policy>
> >  > >            </sp:TransportBinding>
> >  > >            <sp:SignedSupportingTokens
> >  > >                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >  > >                <wsp:Policy>
> >  > >                    <sp:UsernameToken
> >  > >                        sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >  > >                        <wsp:Policy>
> >  > >                            <sp:HashPassword/>
> >  > >                        </wsp:Policy>
> >  > >                    </sp:UsernameToken>
> >  > >                </wsp:Policy>
> >  > >            </sp:SignedSupportingTokens>
> >  > >            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> >  > >                <ramp:user>alice</ramp:user>
> >  > >                <ramp:encryptionUser>bob</ramp:encryptionUser>
> >  > >                <ramp:passwordCallbackClass>samples.userguide.PWCallback</ramp:passwordCallbackClass>
> >  > >            </ramp:RampartConfig>
> >  > >        </wsp:All>
> >  > >    </wsp:ExactlyOne>
> >  > > </wsp:Policy>
> >  > >
> >  > > When I run this, it just brings back the password in the clear, i.e.:
> >  > > <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
> >  > >
> >  > > Whereas I am expecting something like:
> >  > > <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">fwfVj34yd9/LSCWcJVwm6jDNIkQ=</wsse:Password>
> >  > >
> >  > > Now, I suspect it's because I'm using the wrong WS-SecurityPolicy namespace,
> >  > > but when I switch it to the one ending in 200702, I get no UserName returned
> >  > > at all.
> >  > >
> >  > > Any help would be greatly appreciated!
> >  > >
> >  > > jeff
> >  > >
> >  >
> >  >
> >  >
> >  > --
> >  > Ruwan Linton
> >  > http://www.wso2.org - "Oxygenating the Web Services Platform"
> >
> >
> >
> >
> >  --
> >  Ruwan Linton
> >  http://www.wso2.org - "Oxygenating the Web Services Platform"
> >
>



-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"

Re: WS-SecurityPolicy 1.2 support (UsernameToken PasswordDigest)

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Jeff,
    as you have mentioned, if you want to use a hashed password
you need to use WS Security Policy 1.2. WS SP 1.2 support was added
recently so you will need to use Rampart SNAPSHOT. (I think Synapse
uses Rampart SNAPSHOT).  I tested this scenario with Rampart and it
works fine. I have attached the policy and the SOAP message.

The Policy used :

<wsp:Policy wsu:Id="UTOverTransport"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:TransportBinding
                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <wsp:Policy>
                    <sp:TransportToken>
                        <wsp:Policy>
                            <sp:HttpsToken RequireClientCertificate="false"/>
                        </wsp:Policy>
                    </sp:TransportToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                </wsp:Policy>
            </sp:TransportBinding>
            <sp:SignedSupportingTokens
                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <wsp:Policy>
                    <sp:UsernameToken
                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:HashPassword/>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SignedSupportingTokens>
            <ramp:RampartConfig
                xmlns:ramp="http://ws.apache.org/rampart/policy">
                <ramp:user>XXX</ramp:user>
                <ramp:encryptionUser>XXX</ramp:encryptionUser>
                <ramp:passwordCallbackClass>org.apache.testing.clients.PasswordCB</ramp:passwordCallbackClass>
            </ramp:RampartConfig>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

SOAP Request :

<soapenv:Envelope
	xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
	<soapenv:Header
		xmlns:wsa="http://www.w3.org/2005/08/addressing">
		<wsse:Security
			xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
			soapenv:mustUnderstand="true">
			<wsu:Timestamp
				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
				wsu:Id="Timestamp-14366884">
				<wsu:Created>2008-03-26T03:09:22.257Z</wsu:Created>
				<wsu:Expires>2008-03-26T03:14:22.257Z</wsu:Expires>
			</wsu:Timestamp>
			<wsse:UsernameToken
				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
				wsu:Id="UsernameToken-4276166">
				<wsse:Username>Alice</wsse:Username>
				<wsse:Password
					Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">eG8BrbBoE+Hq5QzzpSF1q7fbgZo=</wsse:Password>
				<wsse:Nonce>aNx0o1I6j0gijF/Ci/l7kQ==</wsse:Nonce>
				<wsu:Created>2008-03-26T03:09:22.278Z</wsu:Created>
			</wsse:UsernameToken>
		</wsse:Security>
		<wsa:To>https://localhost:1511/services/Test</wsa:To>
		<wsa:ReplyTo>
			<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
		</wsa:ReplyTo>
		<wsa:MessageID>urn:uuid:CEA58E938BD79566381206500956970</wsa:MessageID>
		<wsa:Action>http://xmlsoap.org/Ping</wsa:Action>
	</soapenv:Header>
	<soapenv:Body>
		<ns0:PingRequest
			xmlns:ns0="http://InteropBaseAddress/interop">
			<ns1:Ping
				xmlns:ns1="http://xmlsoap.org/Ping">
				<ns1:scenario>Scenario5</ns1:scenario>
				<ns1:origin>WSO2</ns1:origin>
				<ns1:text>ping</ns1:text>
			</ns1:Ping>
		</ns0:PingRequest>
	</soapenv:Body>
</soapenv:Envelope>

thanks,
nandana


On Wed, Mar 26, 2008 at 6:15 AM, Ruwan Linton <ru...@gmail.com> wrote:
> Jeff,
>
>  It seems that the message is not delivered to the rampart-user, I am again
>  copying the rampart-dev.
>
>  Thanks,
>  Ruwan
>
>  On Wed, Mar 26, 2008 at 6:08 AM, Ruwan Linton <ru...@gmail.com>
>  wrote:
>
>  > Hi Jeff,
>  >
>  > I think we need to consult our security experts :-) to get the answer for
>  > this, so I am copying the rampart-user list here.
>  >
>  > Rampart guys, can you please have a look at this policy and tell us what
>  > is wrong with that?
>  >
>  > Thanks,
>  > Ruwan
>  >
>  >
>  > On Wed, Mar 26, 2008 at 5:13 AM, Jeff Davis <jd...@idalica.com> wrote:
>  >
>  > > Hi,
>  > >
>  > > I'm attempting to get a WS-Policy XML defined that will support
>  > > UserNameToken with a password digest. Here's my policy file:
>  > >
>  > > <wsp:Policy wsu:Id="UTOverTransport"
>  > >    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>  > >    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>  > >    <wsp:ExactlyOne>
>  > >        <wsp:All>
>  > >            <sp:TransportBinding
>  > >                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>  > >                <wsp:Policy>
>  > >                    <sp:TransportToken>
>  > >                        <wsp:Policy>
>  > >                            <sp:HttpsToken RequireClientCertificate="false"/>
>  > >                        </wsp:Policy>
>  > >                    </sp:TransportToken>
>  > >                    <sp:AlgorithmSuite>
>  > >                        <wsp:Policy>
>  > >                            <sp:Basic256/>
>  > >                        </wsp:Policy>
>  > >                    </sp:AlgorithmSuite>
>  > >                    <sp:Layout>
>  > >                        <wsp:Policy>
>  > >                            <sp:Lax/>
>  > >                        </wsp:Policy>
>  > >                    </sp:Layout>
>  > >                    <sp:IncludeTimestamp/>
>  > >                </wsp:Policy>
>  > >            </sp:TransportBinding>
>  > >            <sp:SignedSupportingTokens
>  > >                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>  > >                <wsp:Policy>
>  > >                    <sp:UsernameToken
>  > >                        sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>  > >                        <wsp:Policy>
>  > >                            <sp:HashPassword/>
>  > >                        </wsp:Policy>
>  > >                    </sp:UsernameToken>
>  > >                </wsp:Policy>
>  > >            </sp:SignedSupportingTokens>
>  > >            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>  > >                <ramp:user>alice</ramp:user>
>  > >                <ramp:encryptionUser>bob</ramp:encryptionUser>
>  > >                <ramp:passwordCallbackClass>samples.userguide.PWCallback</ramp:passwordCallbackClass>
>  > >            </ramp:RampartConfig>
>  > >        </wsp:All>
>  > >    </wsp:ExactlyOne>
>  > > </wsp:Policy>
>  > >
>  > > When I run this, it just brings back the password in the clear, i.e.:
>  > > <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
>  > >
>  > > Whereas I am expecting something like:
>  > > <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">fwfVj34yd9/LSCWcJVwm6jDNIkQ=</wsse:Password>
>  > >
>  > > Now, I suspect it's because I'm using the wrong WS-SecurityPolicy namespace,
>  > > but when I switch it to the one ending in 200702, I get no UserName returned
>  > > at all.
>  > >
>  > > Any help would be greatly appreciated!
>  > >
>  > > jeff
>  > >
>  >
>  >
>  >
>  > --
>  > Ruwan Linton
>  > http://www.wso2.org - "Oxygenating the Web Services Platform"
>
>
>
>
>  --
>  Ruwan Linton
>  http://www.wso2.org - "Oxygenating the Web Services Platform"
>
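To make concrete what the `<sp:HashPassword/>` assertion puts on the wire and what the receiving side has to check, here is an added Python example (editor's code, not Rampart's): it builds a `wsse:UsernameToken` shaped like the one in Nandana's SOAP request and verifies it the way a recipient should, refusing the cleartext `PasswordText` form Jeff observed, replayed nonces and stale `wsu:Created` values. The credential store, the `alicePW` password and the five-minute freshness window are assumptions; the digest in the quoted message cannot be recomputed here because the password behind `PasswordCB` is not shown.

```python
"""UsernameToken PasswordDigest, built and verified (added example, not Rampart code).

WSS UsernameToken Profile 1.0 defines
    PasswordDigest = Base64( SHA-1( nonce || created || password ) )
where nonce is the decoded nonce bytes and created is the exact wsu:Created text.
The recipient recomputes the digest from its own copy of the password, so the
cleartext never crosses the wire; the nonce cache and the Created window are what
stop a captured token from being replayed.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Set, Tuple

# Namespaces exactly as they appear in the SOAP request quoted above.
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_DIGEST = UTP + "#PasswordDigest"
PASSWORD_TEXT = UTP + "#PasswordText"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)); SHA-1 is what the profile mandates."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def iso_utc(ts: datetime) -> str:
    """xsd:dateTime in UTC with millisecond precision, e.g. 2008-03-26T03:09:22.278Z."""
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (ts.microsecond // 1000)


def build_envelope(username: str, password: str, created: datetime,
                   nonce: Optional[bytes] = None, digest: bool = True) -> str:
    """Constructed SOAP 1.2 request carrying a UsernameToken (sample input, not captured
    traffic). digest=False yields the PasswordText form Jeff saw with the 2005/07 namespace."""
    nonce = os.urandom(16) if nonce is None else nonce
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    created_s = iso_utc(created)
    if digest:
        pw_type, pw_value = PASSWORD_DIGEST, password_digest(nonce, created_s, password)
    else:
        pw_type, pw_value = PASSWORD_TEXT, password
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP12}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soapenv:mustUnderstand="true">
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{pw_type}">{pw_value}</wsse:Password>
        <wsse:Nonce>{nonce_b64}</wsse:Nonce>
        <wsu:Created>{created_s}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


def verify_username_token(envelope: str, lookup_password: Callable[[str], Optional[str]],
                          now: datetime, seen_nonces: Set[str],
                          max_skew: timedelta = timedelta(minutes=5)) -> Tuple[bool, str]:
    """Recipient-side check of the UsernameToken in the Security header.

    lookup_password(username) returns the stored password or None. seen_nonces is the
    replay cache; the caller must retain entries for at least max_skew. Returns (ok, reason).
    """
    root = ET.fromstring(envelope)
    tok = root.find(f".//{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        return False, "no UsernameToken"
    pw = tok.find(f"{{{WSSE}}}Password")
    # A policy that asked for HashPassword must refuse the cleartext PasswordText form.
    if pw is None or pw.get("Type") != PASSWORD_DIGEST:
        return False, "password not a PasswordDigest"
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if not nonce_b64 or not created:
        return False, "missing Nonce or Created"
    try:
        created_ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "bad Created"
    if abs(now - created_ts) > max_skew:
        return False, "Created outside freshness window"
    if nonce_b64 in seen_nonces:
        return False, "nonce replayed"
    stored = lookup_password(tok.findtext(f"{{{WSSE}}}Username") or "")
    if stored is None:
        return False, "unknown user"
    expected = password_digest(base64.b64decode(nonce_b64), created, stored)
    if not hmac.compare_digest(expected, pw.text or ""):
        return False, "digest mismatch"
    seen_nonces.add(nonce_b64)  # remember only nonces that were accepted
    return True, "ok"


def demo() -> List[Tuple[bool, str]]:
    """Accept path plus each rejection path; the user store and clock are constructed."""
    users = {"Alice": "alicePW"}
    now = datetime(2008, 3, 26, 3, 9, 22, 300000, tzinfo=timezone.utc)
    cache: Set[str] = set()
    good = build_envelope("Alice", "alicePW", now - timedelta(seconds=1))
    return [
        verify_username_token(good, users.get, now, cache),   # fresh digest: accepted
        verify_username_token(good, users.get, now, cache),   # same token again: replay
        verify_username_token(build_envelope("Alice", "alicePW", now, digest=False), users.get, now, cache),
        verify_username_token(build_envelope("Alice", "guess", now), users.get, now, cache),
        verify_username_token(build_envelope("Alice", "alicePW", now - timedelta(minutes=10)), users.get, now, cache),
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```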

Re: WS-SecurityPolicy 1.2 support (UsernameToken PasswordDigest)

Posted by Ruchith Fernando <ru...@apache.org>.
Ruwan Linton wrote:
> Jeff,
> 
> It seems that the message is not delivered to the rampart-user, I am again
> copying the rampart-dev.
We do not have a rampart-user@ list.

Thanks,
Ruchith

