Posted to users@cxf.apache.org by Sam <j2...@gmail.com> on 2013/08/22 12:53:40 UTC
UsernameToken with password digest (HashPassword) without SSL?
Hi all,
I read in
http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.wlp.express.doc%2Fae%2Fcwlp_wssec_templates_scenario1.html,
which shows the use of ws-policy for UsernameToken with password digest
(HashPassword) over SSL.
My question is, is it possible to use ws-policy for UsernameToken with
password digest without SSL in CXF?
I am asking as I have been tweaking the WSDL for the usernametoken
tutorial from
http://www.jroller.com/gmazza/entry/cxf_usernametoken_profile, to run
without SSL successfully, now
I am trying to make it support password digest without SSL, and without
luck.
Thanks
Sam
Re: UsernameToken with password digest (HashPassword) without SSL?
Posted by Sam <j2...@gmail.com>.
Wow, cool. Thanks Colm.
Regards,
Sam
On 24/08/2013 2:34 a.m., Colm O hEigeartaigh wrote:
> Ok I have an answer for you. The problem is that you are using the
> WS-SecurityPolicy 1.1 namespace ("
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"). This version of the
> spec does not define "HashPassword" at all:
>
> http://specs.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.pdf
>
> The solution is to use the newer WS-SecurityPolicy 1.2 namespace instead,
> which works fine - "
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702". See here for an
> example (line 215):
>
> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl?view=markup
>
> Colm.
>
>
> On Fri, Aug 23, 2013 at 12:16 PM, Sam <j2...@gmail.com> wrote:
>
>> Version 2.7.6. The latest I believe.
>>
>> Thanks
>> Sam
>>
>> On 23/08/2013 9:09 p.m., Colm O hEigeartaigh wrote:
>>
>>> What version of CXF are you using?
>>>
>>> Colm.
>>>
>>>
>>> On Thu, Aug 22, 2013 at 10:15 PM, Sam <j2...@gmail.com> wrote:
>>>
>>>> Client config below
>>>>
>>>> cxf.xml
>>>>
>>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>     xmlns:jaxws="http://cxf.apache.org/jaxws"
>>>>     xsi:schemaLocation="http://www.springframework.org/schema/beans
>>>>         http://www.springframework.org/schema/beans/spring-beans.xsd
>>>>         http://cxf.apache.org/jaxws
>>>>         http://cxf.apache.org/schemas/jaxws.xsd">
>>>>
>>>>   <jaxws:client
>>>>       name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>>>>       createdFromAPI="true">
>>>>     <!-- Uncomment if using WS-SecPolicy method -->
>>>>     <jaxws:properties>
>>>>       <entry key="ws-security.username" value="joe"/>
>>>>       <entry key="ws-security.callback-handler"
>>>>           value-ref="myPasswordCallback"/>
>>>>     </jaxws:properties>
>>>>
>>>>   </jaxws:client>
>>>>
>>>>   <bean id="myPasswordCallback"
>>>>       class="client.ClientPasswordCallback"/>
>>>>
>>>> </beans>
>>>>
>>>>
>>>> ClientPasswordCallback
>>>>
>>>> public class ClientPasswordCallback implements CallbackHandler {
>>>>
>>>>     public void handle(Callback[] callbacks) throws IOException,
>>>>             UnsupportedCallbackException {
>>>>         WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
>>>>
>>>>         if ("joe".equals(pc.getIdentifier())) {
>>>>             pc.setPassword("joespassword");
>>>>         } // else {...} - can add more users, access DB, etc.
>>>>     }
>>>> }
>>>>
>>>> Everything works, just that password of request is in clear text and no
>>>> error response.
>>>>
>>>> In case you ask Server config, here it is:
>>>>
>>>> cxf-servlet.xml
>>>>
>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>     xmlns:jaxws="http://cxf.apache.org/jaxws"
>>>>     xsi:schemaLocation="http://www.springframework.org/schema/beans
>>>>         http://www.springframework.org/schema/beans/spring-beans.xsd
>>>>         http://cxf.apache.org/jaxws
>>>>         http://cxf.apache.org/schemas/jaxws.xsd">
>>>>
>>>>   <jaxws:endpoint id="doubleit"
>>>>       implementor="service.DoubleItPortTypeImpl"
>>>>       address="/doubleit"
>>>>       wsdlLocation="WEB-INF/wsdl/DoubleIt.wsdl">
>>>>
>>>>     <!-- Uncomment only if using WS-SecurityPolicy -->
>>>>     <jaxws:properties>
>>>>       <entry key="ws-security.callback-handler"
>>>>           value-ref="myPasswordCallback"/>
>>>>     </jaxws:properties>
>>>>
>>>>   </jaxws:endpoint>
>>>>
>>>>   <bean id="myPasswordCallback"
>>>>       class="service.ServerPasswordCallback" />
>>>> </beans>
>>>>
>>>> ServerPasswordCallback
>>>>
>>>> public class ServerPasswordCallback implements CallbackHandler {
>>>>
>>>>     public void handle(Callback[] callbacks) throws IOException,
>>>>             UnsupportedCallbackException {
>>>>         WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
>>>>
>>>>         if ("joe".equals(pc.getIdentifier())) {
>>>>             pc.setPassword("joespassword");
>>>>         }
>>>>     }
>>>> }
>>>>
>>>> Thanks
>>>> Sam
>>>>
>>>> On 23/08/2013 12:47 a.m., Colm O hEigeartaigh wrote:
>>>>
>>>>> What does your client configuration look like?
>>>>>
>>>>> Colm.
>>>>>
>>>>>
>>>>> On Thu, Aug 22, 2013 at 12:34 PM, Sam <j2...@gmail.com> wrote:
>>>>>
>>>>>> Hi Colm,
>>>>>>
>>>>>> The policy is
>>>>>>
>>>>>> <wsp:Policy wsu:Id="DoubleItBindingPolicy">
>>>>>>   <wsp:ExactlyOne>
>>>>>>     <wsp:All>
>>>>>>       <sp:SupportingTokens
>>>>>>           xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>>>         <wsp:Policy>
>>>>>>           <sp:UsernameToken
>>>>>>               sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>>>>>             <wsp:Policy>
>>>>>>               <sp:HashPassword/>
>>>>>>               <sp:WssUsernameToken11/>
>>>>>>             </wsp:Policy>
>>>>>>           </sp:UsernameToken>
>>>>>>         </wsp:Policy>
>>>>>>       </sp:SupportingTokens>
>>>>>>     </wsp:All>
>>>>>>   </wsp:ExactlyOne>
>>>>>> </wsp:Policy>
>>>>>>
>>>>>> I am not getting any error message and the password in request is still in
>>>>>> clear text when I run the sample code from Glen's site. Response still
>>>>>> returns OK.
>>>>>> I was expecting CXF to take care of hashing password automatically but it
>>>>>> still works without returning error message.
>>>>>>
>>>>>> It's like <sp:HashPassword/> is optional. Maybe I am missing something.
>>>>>>
>>>>>> Thanks
>>>>>> Sam
>>>>>>
>>>>>> On 22/08/2013 11:08 p.m., Colm O hEigeartaigh wrote:
>>>>>>
>>>>>>> Yes it is possible. What policy are you using + what is the error you are
>>>>>>> getting?
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Aug 22, 2013 at 11:53 AM, Sam <j2...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I read in
>>>>>>>> http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.wlp.express.doc%2Fae%2Fcwlp_wssec_templates_scenario1.html,
>>>>>>>> which shows the use of ws-policy for UsernameToken with password digest
>>>>>>>> (HashPassword) over SSL.
>>>>>>>>
>>>>>>>> My question is, is it possible to use ws-policy for UsernameToken with
>>>>>>>> password digest without SSL in CXF?
>>>>>>>>
>>>>>>>> I am asking as I have been tweaking the WSDL for the usernametoken tutorial
>>>>>>>> from http://www.jroller.com/gmazza/entry/cxf_usernametoken_profile,
>>>>>>>> to run without SSL successfully, now
>>>>>>>> I am trying to make it support password digest without SSL, and without
>>>>>>>> luck.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Sam
Re: UsernameToken with password digest (HashPassword) without SSL?
Posted by Colm O hEigeartaigh <co...@apache.org>.
Ok I have an answer for you. The problem is that you are using the
WS-SecurityPolicy 1.1 namespace
("http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"). This version of the
spec does not define "HashPassword" at all:
http://specs.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.pdf
The solution is to use the newer WS-SecurityPolicy 1.2 namespace instead,
which works fine - "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702".
See here for an example (line 215):
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl?view=markup
Colm.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
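The namespace problem described in the answer above can be checked mechanically before a policy is deployed. The following Python sketch is an added example, not code from the thread or from CXF: for each UsernameToken assertion it reports whether HashPassword sits under a namespace that defines it. The sample policies are constructed from the one Sam posted; the wsp/wsu namespace declarations, the status labels and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace URIs quoted in the thread.
SP_2005_07 = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"        # HashPassword not defined
SP_2007_02 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"   # HashPassword defined

# Constructed sample, modelled on the policy Sam posted. The wsp/wsu
# declarations are assumptions; the thread does not show them.
POLICY_TEMPLATE = """\
<wsp:Policy wsu:Id="DoubleItBindingPolicy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens xmlns:sp="{sp}">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="{sp}/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              {hash}
              <sp:WssUsernameToken11/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
"""

POLICY_AS_POSTED = POLICY_TEMPLATE.format(sp=SP_2005_07, hash="<sp:HashPassword/>")
POLICY_CORRECTED = POLICY_TEMPLATE.format(sp=SP_2007_02, hash="<sp:HashPassword/>")
POLICY_NO_HASH = POLICY_TEMPLATE.format(sp=SP_2007_02, hash="")


def split_qname(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        namespace, local = tag[1:].split("}", 1)
        return namespace, local
    return "", tag


def check_username_tokens(policy_xml):
    """Return one finding dict per UsernameToken assertion in the policy."""
    findings = []
    for elem in ET.fromstring(policy_xml).iter():
        namespace, local = split_qname(elem.tag)
        if local != "UsernameToken":
            continue
        # Namespaces of every HashPassword assertion nested in this token.
        hash_namespaces = {
            split_qname(child.tag)[0]
            for child in elem.iter()
            if split_qname(child.tag)[1] == "HashPassword"
        }
        if not hash_namespaces:
            status = "plaintext-allowed"    # the policy never asks for a digest
        elif hash_namespaces != {namespace}:
            status = "namespace-mismatch"   # HashPassword and token disagree
        elif namespace == SP_2007_02:
            status = "digest-required"      # the form the thread says works
        elif namespace == SP_2005_07:
            status = "hash-not-defined"     # thread's symptom: clear text, no error
        else:
            status = "unknown-namespace"
        findings.append({"namespace": namespace, "status": status})
    return findings


if __name__ == "__main__":
    samples = [
        ("as posted", POLICY_AS_POSTED),
        ("corrected", POLICY_CORRECTED),
        ("no HashPassword", POLICY_NO_HASH),
    ]
    for name, xml_text in samples:
        for finding in check_username_tokens(xml_text):
            print(f"{name}: {finding['status']} ({finding['namespace']})")
```

A `digest-required` result only describes the policy; the request on the wire is what shows whether the password is still sent in clear text, which is how the problem was noticed in this thread.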
Re: UsernameToken with password digest (HashPassword) without SSL?
Posted by Sam <j2...@gmail.com>.
Version 2.7.6. The latest I believe.
Thanks
Sam
Re: UsernameToken with password digest (HashPassword) without SSL?
Posted by Colm O hEigeartaigh <co...@apache.org>.
What version of CXF are you using?
Colm.
On Thu, Aug 22, 2013 at 10:15 PM, Sam <j2...@gmail.com> wrote:
>
> Client config below
>
> cxf.xml
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:jaxws="http://cxf.apache.org/jaxws"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>            http://www.springframework.org/schema/beans/spring-beans.xsd
>            http://cxf.apache.org/jaxws
>            http://cxf.apache.org/schemas/jaxws.xsd">
>
>     <jaxws:client
>         name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>         createdFromAPI="true">
>         <!-- Uncomment if using WS-SecPolicy method -->
>         <jaxws:properties>
>             <entry key="ws-security.username" value="joe"/>
>             <entry key="ws-security.callback-handler"
>                    value-ref="myPasswordCallback"/>
>         </jaxws:properties>
>
>     </jaxws:client>
>
>     <bean id="myPasswordCallback"
>           class="client.ClientPasswordCallback"/>
>
> </beans>
>
>
> ClientPasswordCallback
>
> public class ClientPasswordCallback implements CallbackHandler {
>
>     public void handle(Callback[] callbacks) throws IOException,
>             UnsupportedCallbackException {
>         WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
>
>         if ("joe".equals(pc.getIdentifier())) {
>             pc.setPassword("joespassword");
>         } // else {...} - can add more users, access DB, etc.
>     }
> }
>
> Everything works, just that password of request is in clear text and no
> error response.
>
> In case you ask Server config, here it is:
>
> cxf-servlet.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:jaxws="http://cxf.apache.org/jaxws"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>            http://www.springframework.org/schema/beans/spring-beans.xsd
>            http://cxf.apache.org/jaxws
>            http://cxf.apache.org/schemas/jaxws.xsd">
>
>     <jaxws:endpoint id="doubleit"
>         implementor="service.DoubleItPortTypeImpl"
>         address="/doubleit"
>         wsdlLocation="WEB-INF/wsdl/DoubleIt.wsdl">
>
>         <!-- Uncomment only if using WS-SecurityPolicy -->
>         <jaxws:properties>
>             <entry key="ws-security.callback-handler"
>                    value-ref="myPasswordCallback"/>
>         </jaxws:properties>
>
>     </jaxws:endpoint>
>
>     <bean id="myPasswordCallback"
>           class="service.ServerPasswordCallback" />
> </beans>
>
> ServerPasswordCallback
>
> public class ServerPasswordCallback implements CallbackHandler {
>
>     public void handle(Callback[] callbacks) throws IOException,
>             UnsupportedCallbackException {
>         WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
>
>         if ("joe".equals(pc.getIdentifier())) {
>             pc.setPassword("joespassword");
>         }
>     }
> }
>
> Thanks
> Sam
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: UsernameToken with password digest (HashPassword) without SSL?
Posted by Sam <j2...@gmail.com>.
Client config below
cxf.xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://cxf.apache.org/jaxws
           http://cxf.apache.org/schemas/jaxws.xsd">

    <jaxws:client
        name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
        createdFromAPI="true">
        <!-- Uncomment if using WS-SecPolicy method -->
        <jaxws:properties>
            <entry key="ws-security.username" value="joe"/>
            <entry key="ws-security.callback-handler"
                   value-ref="myPasswordCallback"/>
        </jaxws:properties>
    </jaxws:client>

    <bean id="myPasswordCallback"
          class="client.ClientPasswordCallback"/>
</beans>
ClientPasswordCallback
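import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Supplies the password for the user configured in ws-security.username.
public class ClientPasswordCallback implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
        if ("joe".equals(pc.getIdentifier())) {
            pc.setPassword("joespassword");
        } // else {...} - can add more users, access DB, etc.
    }
}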
Everything works, just that password of request is in clear text and no
error response.
In case you ask Server config, here it is:
cxf-servlet.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://cxf.apache.org/jaxws
           http://cxf.apache.org/schemas/jaxws.xsd">

    <jaxws:endpoint id="doubleit"
        implementor="service.DoubleItPortTypeImpl"
        address="/doubleit"
        wsdlLocation="WEB-INF/wsdl/DoubleIt.wsdl">
        <!-- Uncomment only if using WS-SecurityPolicy -->
        <jaxws:properties>
            <entry key="ws-security.callback-handler"
                   value-ref="myPasswordCallback"/>
        </jaxws:properties>
    </jaxws:endpoint>

    <bean id="myPasswordCallback"
          class="service.ServerPasswordCallback" />
</beans>
ServerPasswordCallback
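import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Supplies the expected password for the user named in the incoming token.
public class ServerPasswordCallback implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
        if ("joe".equals(pc.getIdentifier())) {
            pc.setPassword("joespassword");
        }
    }
}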
Thanks
Sam
On 23/08/2013 12:47 a.m., Colm O hEigeartaigh wrote:
> What does your client configuration look like?
>
> Colm.
>
>
Re: UsernameToken with password digest (HashPassword) without SSL?
Posted by Colm O hEigeartaigh <co...@apache.org>.
What does your client configuration look like?
Colm.
On Thu, Aug 22, 2013 at 12:34 PM, Sam <j2...@gmail.com> wrote:
> Hi Colm,
>
> The policy is
>
> <wsp:Policy wsu:Id="DoubleItBindingPolicy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SupportingTokens
>           xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:UsernameToken
>               sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:HashPassword/>
>               <sp:WssUsernameToken11/>
>             </wsp:Policy>
>           </sp:UsernameToken>
>         </wsp:Policy>
>       </sp:SupportingTokens>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> I am not getting any error message and the password in request is still in
> clear text when I run the sample code from Glen's site. Response still
> returns OK.
> I was expecting CXF to take care of hashing password automatically but it
> still works without returning error message.
>
> It's like <sp:HashPassword/> is optional. Maybe I am missing something.
>
> Thanks
> Sam
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: UsernameToken with password digest (HashPassword) without SSL?
Posted by Sam <j2...@gmail.com>.
Hi Colm,
The policy is
<wsp:Policy wsu:Id="DoubleItBindingPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens
          xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken
              sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:HashPassword/>
              <sp:WssUsernameToken11/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
I am not getting any error message and the password in request is still
in clear text when I run the sample code from Glen's site. Response
still returns OK.
I was expecting CXF to take care of hashing password automatically but
it still works without returning error message.
It's like <sp:HashPassword/> is optional. Maybe I am missing something.
Thanks
Sam
On 22/08/2013 11:08 p.m., Colm O hEigeartaigh wrote:
> Yes it is possible. What policy are you using + what is the error you are
> getting?
>
> Colm.
>
>
>
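An added example (not from the thread and not CXF code): a Python check for the symptom Sam describes above, where the policy asks for HashPassword but the request still carries the password in clear text. It flags HashPassword assertions in the 2005/07 namespace, which per Colm's reply at the top of this thread does not define that assertion, and classifies a wsse:UsernameToken, recomputing the digest as Base64(SHA-1(nonce + created + password)) from the WSS UsernameToken Profile. The sample policy, both tokens, the nonce and the wsp namespace declaration are constructed for illustration.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SP11 = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"       # namespace in the posted policy
SP12 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # namespace Colm recommends
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
VERDICT = {SP11: "HashPassword is not defined in this namespace", SP12: "ok"}


def lint_policy(policy_xml):
    """Return (namespace, verdict) for every HashPassword assertion in a policy."""
    findings = []
    for el in ET.fromstring(policy_xml).iter():
        if el.tag.endswith("}HashPassword"):
            ns = el.tag[1:el.tag.index("}")]
            findings.append((ns, VERDICT.get(ns, "namespace not checked")))
    return findings


def password_digest(nonce, created, password):
    """UsernameToken Profile digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def check_username_token(token_xml, password):
    """Classify the wsse:Password of a UsernameToken; verify a digest if present."""
    tok = ET.fromstring(token_xml)
    pw = tok.find(f"{{{WSSE}}}Password")
    if pw is None:
        return "no-password"
    ptype = pw.get("Type", UTP + "#PasswordText")  # a missing Type means PasswordText
    if ptype == UTP + "#PasswordText":
        return "cleartext"
    if ptype != UTP + "#PasswordDigest":
        return "unknown-type"
    nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce") or "")
    created = tok.findtext(f"{{{WSU}}}Created") or ""
    expected = password_digest(nonce, created, password)
    ok = hmac.compare_digest(expected, (pw.text or "").strip())
    return "digest-ok" if ok else "digest-mismatch"


# Constructed samples (not captured traffic): the posted policy shape and two tokens.
POLICY_11 = (f'<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">'
             f'<sp:SupportingTokens xmlns:sp="{SP11}"><wsp:Policy><sp:UsernameToken>'
             f'<wsp:Policy><sp:HashPassword/><sp:WssUsernameToken11/></wsp:Policy>'
             f'</sp:UsernameToken></wsp:Policy></sp:SupportingTokens></wsp:Policy>')
NONCE, CREATED = b"constructed-nonce", "2013-08-22T10:53:40Z"
CLEAR_TOKEN = (f'<wsse:UsernameToken xmlns:wsse="{WSSE}"><wsse:Username>joe</wsse:Username>'
               f'<wsse:Password Type="{UTP}#PasswordText">joespassword</wsse:Password>'
               f'</wsse:UsernameToken>')
DIGEST_TOKEN = (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
                f'<wsse:Username>joe</wsse:Username><wsse:Password Type="{UTP}#PasswordDigest">'
                f'{password_digest(NONCE, CREATED, "joespassword")}</wsse:Password>'
                f'<wsse:Nonce>{base64.b64encode(NONCE).decode()}</wsse:Nonce>'
                f'<wsu:Created>{CREATED}</wsu:Created></wsse:UsernameToken>')

if __name__ == "__main__":
    print(lint_policy(POLICY_11), check_username_token(CLEAR_TOKEN, "joespassword"))
```

Running the same two checks against a real WSDL and a logged request shows whether the policy namespace or the client is the reason the password is not hashed.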
Re: UsernameToken with password digest (HashPassword) without SSL?
Posted by Colm O hEigeartaigh <co...@apache.org>.
Yes it is possible. What policy are you using + what is the error you are
getting?
Colm.
On Thu, Aug 22, 2013 at 11:53 AM, Sam <j2...@gmail.com> wrote:
> Hi all,
>
> I read in http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.wlp.express.doc%2Fae%2Fcwlp_wssec_templates_scenario1.html,
> which shows
> the use of ws-policy for UsernameToken with password digest (HashPassword)
> over SSL.
>
> My question is, is it possible to use ws-policy for UsernameToken with
> password digest without SSL in CXF?
>
> I am asking as I have been tweaking the WSDL for the usernametoken tutorial
> from http://www.jroller.com/gmazza/entry/cxf_usernametoken_profile,
> to run without SSL successfully, now
> I am trying to make it support password digest without SSL, and without
> luck.
>
> Thanks
> Sam
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com