Posted to rampart-dev@ws.apache.org by "Amila Jayasekara (JIRA)" <ji...@apache.org> on 2010/04/27 12:46:33 UTC
[jira] Commented: (RAMPART-294) Does Rampart handle replay attacks when using UsernameToken password digest?
[ https://issues.apache.org/jira/browse/RAMPART-294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12861355#action_12861355 ]
Amila Jayasekara commented on RAMPART-294:
------------------------------------------
Hi Bala,
Let me investigate this a bit. I will get back to you as soon as I have my findings.
Thank you
> Does Rampart handle replay attacks when using UsernameToken password digest?
> ----------------------------------------------------------------------------
>
> Key: RAMPART-294
> URL: https://issues.apache.org/jira/browse/RAMPART-294
> Project: Rampart
> Issue Type: Question
> Affects Versions: 1.4
> Environment: Windows XP Professional
> Reporter: Balamurali
> Assignee: Ruchith Udayanga Fernando
> Attachments: SimpleTestService.aar
>
>
> I am using a simple axis2 service and client to play around with rampart module. As you could see from the policy below, I am using UsernameToken with digest authentication. Rampart does generate different nonce for each request in the client. When I replay the same request using TCPMon i.e. using the same security header, I thought the server (which again engages rampart) would reject this as the nonce is same as the previous request. But the request goes through rampart without any issues.
> So, my question is, is there any configuration to enable rampart (on the server side) to check for duplicate nonce values?
> Following is the policy file used by the client:
> <wsp:Policy wsu:Id="UsernameToken"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:HashPassword/>
>             </wsp:Policy>
>           </sp:UsernameToken>
>         </wsp:Policy>
>       </sp:SupportingTokens>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
> Following is the service.xml entry:
> <service>
>   <parameter name="ServiceClass" locked="false">samples.services.SimpleTestService</parameter>
>   <operation name="add">
>     <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
>   </operation>
>   <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>       wsu:Id="UsernameToken">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>               <wsp:Policy>
>                 <sp:HashPassword/>
>               </wsp:Policy>
>             </sp:UsernameToken>
>           </wsp:Policy>
>         </sp:SupportingTokens>
>         <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>           <ramp:passwordCallbackClass>samples.services.PWCBHandler</ramp:passwordCallbackClass>
>         </ramp:RampartConfig>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
> </service>
> Thanks & Regards,
> Bala
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
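The server-side check Bala is asking about, written out as an added example that is not part of the issue and is not Rampart's or WSS4J's code. It shows why the <sp:HashPassword/> digest on its own does not stop a replay: the digest is Base64(SHA-1(nonce + created + password)), so a captured header re-sent unchanged still verifies. A receiver has to pair the digest check with a freshness window on Created and a cache of (username, nonce) pairs accepted inside that window. The class and parameter names, the 300 s window and 60 s clock skew, and the PASSWORDS store standing in for the PWCBHandler callback are all assumptions made for this illustration.

```python
"""Server-side replay check for a WS-Security UsernameToken that uses
PasswordDigest (the <sp:HashPassword/> assertion in the policies above).

Added illustration, not Rampart or WSS4J code; the class and parameter
names are assumptions, and the credential store is constructed."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

WSU_TIME = "%Y-%m-%dT%H:%M:%SZ"

# Constructed credential store: plays the role of the PWCBHandler
# callback, which must hand back the clear-text password for digest auth.
PASSWORDS = {"bob": "bobPW"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def make_token(username: str, password: str, now: datetime) -> dict:
    """Client side: a fresh random nonce and Created timestamp per request."""
    nonce = os.urandom(16)
    created = now.strftime(WSU_TIME)
    return {"Username": username,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created,
            "PasswordDigest": password_digest(nonce, created, password)}


class UsernameTokenVerifier:
    """Rejects a token whose Created lies outside the accepted window, whose
    digest does not verify, or whose (username, nonce) was already accepted
    inside the window. Because stale Created values are refused anyway, the
    cache only has to remember nonces for ttl_seconds."""

    def __init__(self, ttl_seconds: int = 300, max_skew_seconds: int = 60):
        self.ttl = timedelta(seconds=ttl_seconds)
        self.max_skew = timedelta(seconds=max_skew_seconds)
        self._seen = {}  # (username, nonce) -> time the entry may be dropped

    def verify(self, token: dict, now: datetime) -> tuple:
        password = PASSWORDS.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        try:
            created = datetime.strptime(token["Created"], WSU_TIME).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False, "malformed token"
        # Freshness: Created must fall within [now - ttl, now + max_skew].
        if created < now - self.ttl or created > now + self.max_skew:
            return False, "Created outside accepted window"
        # Check the digest before touching the cache so forged tokens
        # cannot fill it with garbage nonces. Constant-time compare.
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "bad password digest"
        # Replay: same user and nonce already accepted inside the window.
        self._seen = {k: t for k, t in self._seen.items() if t > now}
        key = (token["Username"], token["Nonce"])
        if key in self._seen:
            return False, "replayed nonce"
        self._seen[key] = now + self.ttl
        return True, "ok"


def run_scenario() -> dict:
    """The situation from the issue: one legitimate request, the same
    security header replayed (as with TCPMon), then a fresh request,
    a tampered digest, a stale token and an unknown user."""
    now = datetime(2010, 4, 27, 12, 46, 33, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier()
    token = make_token("bob", "bobPW", now)
    forged = dict(token, PasswordDigest=password_digest(b"\0" * 16, token["Created"], "bobPW"))
    later = now + timedelta(seconds=5)
    return {
        "first": verifier.verify(token, now),
        "replay": verifier.verify(token, later),
        "fresh": verifier.verify(make_token("bob", "bobPW", later), later),
        "forged": verifier.verify(forged, later),
        "stale": verifier.verify(make_token("bob", "bobPW", now - timedelta(seconds=600)), now),
        "unknown": verifier.verify(dict(token, Username="eve"), now),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:8s} -> {verdict}")
```

Two points a practitioner should take from this. First, the order of the checks matters: the Created window is enforced before the cache is consulted, which is what keeps the nonce cache bounded, and the digest is verified before anything is written to the cache, so an unauthenticated sender cannot fill it. Second, a single in-memory cache only protects a single server instance; behind a load balancer the same header can be replayed to a different node, so the cache has to be shared or the window kept short enough that this is acceptable.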