You are viewing a plain text version of this content. The canonical link for it is here.

Posted to java-dev@axis.apache.org by "gerhard presser (JIRA)" <ji...@apache.org> on 2014/01/30 13:26:09 UTC

[jira] [Commented] (RAMPART-374) Not Able to use custom validator for USERNAME_TOKEN during server side validation

    [ https://issues.apache.org/jira/browse/RAMPART-374?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13886528#comment-13886528 ] 

gerhard presser commented on RAMPART-374:
-----------------------------------------

any new information about this issue?
in fact usernametokenauth is not working for nearly two years now (one cannot expect the plain password to be available in real-world-scenarios)

> Not Able to use custom validator for USERNAME_TOKEN during server side validation
> ---------------------------------------------------------------------------------
>
>                 Key: RAMPART-374
>                 URL: https://issues.apache.org/jira/browse/RAMPART-374
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.6.2
>         Environment: Windows 7 Enterprise Service pack 1, jboss-5.1.0.GA, axis2-1.6.2 (exploded war), rampart-1.6.2
>            Reporter: AravindPS
>            Assignee: Amila Jayasekara
>              Labels: axis21.6, rampart1.6.2
>
> Hi,
>  We are upgrading from Axis2 1.5.5/ Rampart 1.5.11 to axis2 1.6.2/Rampart1.6.2. Here we have seen that the USERNAME_TOKEN_UNKNOWN has been deprecated and hence there is no backward compatibility. At this late stage we cannot implement the code to provide passwords at the server password callback class. So we have a problem.
>  The server password callback class is asking for the password. We have designed the services such that for username token authentication we are sending the request to another directory store for authentication.
>  Is there a way to process this without giving the password at server side. Can we configure custom validators to pass the authentication for USERNAME_TOKEN without validating the passwords?
> If yes can you tell us how to write/configure custom validators?
> Also, if there is any other solution do let us know.
> Thanks,
> Aravind



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org

RE: [jira] [Commented] (RAMPART-374) Not Able to use custom validator for USERNAME_TOKEN during server side validation

Posted by Brian Reinhold <br...@lampreynetworks.com>.

Gerhard,

I have implemented a fix for this some time ago which involved messing with both WSS4J and Rampart for my needs but I don't know how robust it is. For security reasons I needed to save only passwords hashes and thus the password would need to be sent in the clear (scrambled by TLS of course).

The main issue was that Rampart (or Axis2) server-side callback implementation that the application could override did NOT provide the password sent by the sender AND that the callback took as a return value the password as a means to confirm or reject the password. What I had to do was mess around in WSS4J (pretty sure it was there) such that the clear-text password would be 'gettable' in the application callback. Then what I did in the callback was to get that password, provide the hash, and if it matched with my stored hash, return the password. If it did not match, I had to return a modified version of the password so Rampart/WSS4J would reject it. So far it has worked well, but I don't know all the possible side effects of what I have done and I don't really like the approach I have taken to reject the password. 

Brian

-----Original Message-----
From: gerhard presser (JIRA) [mailto:jira@apache.org] 
Sent: Thursday, January 30, 2014 7:26 AM
To: java-dev@axis.apache.org
Subject: [jira] [Commented] (RAMPART-374) Not Able to use custom validator for USERNAME_TOKEN during server side validation


    [ https://issues.apache.org/jira/browse/RAMPART-374?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13886528#comment-13886528 ] 

gerhard presser commented on RAMPART-374:
-----------------------------------------

any new information about this issue?
in fact usernametokenauth is not working for nearly two years now (one cannot expect the plain password to be available in real-world-scenarios)

> Not Able to use custom validator for USERNAME_TOKEN during server side validation
> ---------------------------------------------------------------------------------
>
>                 Key: RAMPART-374
>                 URL: https://issues.apache.org/jira/browse/RAMPART-374
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.6.2
>         Environment: Windows 7 Enterprise Service pack 1, jboss-5.1.0.GA, axis2-1.6.2 (exploded war), rampart-1.6.2
>            Reporter: AravindPS
>            Assignee: Amila Jayasekara
>              Labels: axis21.6, rampart1.6.2
>
> Hi,
>  We are upgrading from Axis2 1.5.5/ Rampart 1.5.11 to axis2 1.6.2/Rampart1.6.2. Here we have seen that the USERNAME_TOKEN_UNKNOWN has been deprecated and hence there is no backward compatibility. At this late stage we cannot implement the code to provide passwords at the server password callback class. So we have a problem.
>  The server password callback class is asking for the password. We have designed the services such that for username token authentication we are sending the request to another directory store for authentication.
>  Is there a way to process this without giving the password at server side. Can we configure custom validators to pass the authentication for USERNAME_TOKEN without validating the passwords?
> If yes can you tell us how to write/configure custom validators?
> Also, if there is any other solution do let us know.
> Thanks,
> Aravind



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org



-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2014.0.4259 / Virus Database: 3684/7045 - Release Date: 01/30/14

-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2014.0.4259 / Virus Database: 3684/7045 - Release Date: 01/30/14


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org