Posted to wss4j-dev@ws.apache.org by Dustin Henson <dh...@sddpc.org> on 2006/03/01 19:28:40 UTC

Validating Passwords

Can anyone explain how WSPasswordCallback.setPassword() works within the Password Callback Handler?

My code below is based on the example for validating a digested password. It loads a bean called 'cred' with the security information for the given user. It then checks the supplied password against the correct password by calling pc.setPassword(cred.password), at least that is my understanding of what setPassword() does.

My confusion happens when the client sends a clear text password instead of a digested one. This code then accepts any password!

I am sure I am missing something basic here. Can anyone explain it to me?

// Imports and class wrapper added so the posted fragment compiles. 'PWCallbackHandler',
// 'LoginTool' and 'LoginInfo' stand for the poster's own types, which are not shown in the post.
import java.io.IOException;
import java.sql.SQLException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCallbackHandler implements CallbackHandler
{
    private LoginTool loginTool; // the poster's security-repository accessor (not shown in the post)

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
    {
        for (int i = 0; i < callbacks.length; i++)
        {
            // Get the login info passed to the WS
            if (!(callbacks[i] instanceof WSPasswordCallback))
            {   throw new UnsupportedCallbackException(callbacks[i], "LOGIN ERROR: Unrecognized Callback. Expected type WSPasswordCallback");
            }
            WSPasswordCallback pc = (WSPasswordCallback)callbacks[i];

            // getIdentifer() is the method name as it appears in the WSS4J API of this era
            String wsLogin = pc.getIdentifer();
            String wsPassword = pc.getPassword();
            // Debug output: writes the received credential to stdout
            System.out.println("Web Service Login Values:");
            System.out.println("    wsLogin = " + wsLogin);
            System.out.println("    wsPassword = " + wsPassword);

            // Get the info for this login
            LoginInfo cred;
            try
            {
                cred = loginTool.getLoginInfo(wsLogin);
                if (cred == null)
                {   throw new IOException("LOGIN ERROR: The login '" + wsLogin + "' and password given did not authenticate.");
                }
            }
            catch (SQLException e)
            {   throw new IOException("LOGIN ERROR: Unable to connect to the security repository. Failed with error message: " + e.getMessage());
            }
            System.out.println("Login '" + wsLogin + "' found in security repository for agency '" + cred.agency + "'.");

            // Validate the password given
            // Debug output: writes the stored password to stdout
            System.out.println("    Required Password = " + cred.password);
            System.out.println("    Password Before set = " + pc.getPassword());
            pc.setPassword(cred.password); // For digested password this computes an encrypted value that must equal the value sent
            System.out.println("    Password After set = " + pc.getPassword());
        }
    }
}




---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Re: Validating Passwords

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi,

Please see the following thread:
http://marc.theaimsgroup.com/?l=wss4j-dev&w=2&r=1&s=Possible+Bug%3F%28about+passwordType%29&q=b

In the case of a plain text password you can carry out the authentication
of the UsernameToken at the service and you can get the user name and
password from the message context as shown here:
http://marc.theaimsgroup.com/?l=wss4j-dev&m=114067336429534&w=2

Thanks,
Ruchith

On 3/2/06, Dustin Henson <dh...@sddpc.org> wrote:
> Can anyone explain how WSPasswordCallback.setPassword() works within the Password Callback Handler?
>
> My code below is based on the example for validating a digested password. It loads a bean called 'cred' with the security information for the given user. It then checks the supplied password against the correct password by calling pc.setPassword(cred.password), at least that is my understanding of what setPassword() does.
>
> My confusion happens when the client sends a clear text password instead of a digested one. This code then accepts any password!
>
> I am sure I am missing something basic here. Can anyone explain it to me?
>
> for (int i = 0; i < callbacks.length; i++)
>         {
>             // Get the login info passed to the WS
>             if (callbacks[i] instanceof WSPasswordCallback == false)
>             {   throw new UnsupportedCallbackException(callbacks[i], "LOGIN ERROR: Unrecognized Callback. Expected type WSPasswordCallback");
>             }
>             WSPasswordCallback pc = (WSPasswordCallback)callbacks[i];
>
>             String wsLogin = pc.getIdentifer();
>             String wsPassword = pc.getPassword();
>             System.out.println("Web Service Login Values:");
>             System.out.println("    wsLogin = " + wsLogin);
>             System.out.println("    wsPassword = " + wsPassword);
>
>             // Get the info for this login
>             LoginInfo cred;
>             try
>             {
>                 cred = loginTool.getLoginInfo(wsLogin);
>                 if (cred == null)
>                 {   throw new IOException("LOGIN ERROR: The login '" + wsLogin + "' and password given did not authenticate.");
>                 }
>             }
>             catch (SQLException e)
>             {   throw new IOException("LOGIN ERROR: Unable to connect to the security repository. Failed with error message: " + e.getMessage());
>             }
>             System.out.println("Login '" + wsLogin + "' found in security repository for agency '" + cred.agency + "'.");
>
>             // Validate the password given
>             System.out.println("    Required Password = " + cred.password);
>             System.out.println("    Password Before set = " + pc.getPassword());
>             pc.setPassword(cred.password); // For digested password this computes an encrypted value that must equal the value sent
>             System.out.println("    Password After set = " + pc.getPassword());
>         }

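The point Ruchith's reply makes is that setPassword() only does the checking for a digested token: WSS4J asks the handler for the stored password, computes the PasswordDigest itself and compares it with the digest in the message. For a PasswordText token the callback already carries the client's clear-text password, and setPassword() simply overwrites it, so the handler must do the comparison. The handler below is an added example, not code from this thread or from the WSS4J project. It assumes that a digested token arrives at the handler with a null password and a plain-text token arrives with the client's password (the distinction the poster's "Password Before set" output would show), uses an in-memory map in place of the poster's loginTool, and relies on Java 8 APIs (java.util.Base64). The passwordDigest helper reproduces the UsernameToken Profile 1.0 digest, Base64(SHA-1(nonce + created + password)), to show what WSS4J compares on its side; the class name UsernameTokenHandler is made up for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Added example, not WSS4J code: a handler that treats the two UsernameToken
// password types differently instead of calling setPassword() unconditionally.
public class UsernameTokenHandler implements CallbackHandler
{
    // Constructed in-memory credential store standing in for the poster's loginTool (assumption).
    private final Map<String, String> passwords;

    public UsernameTokenHandler(Map<String, String> passwords)
    {
        this.passwords = passwords;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
    {
        for (Callback callback : callbacks)
        {
            if (!(callback instanceof WSPasswordCallback))
            {
                throw new UnsupportedCallbackException(callback, "Expected WSPasswordCallback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;

            String stored = passwords.get(pc.getIdentifer());
            if (stored == null)
            {
                // Same message for an unknown user and a wrong password, so a caller
                // cannot tell which of the two failed.
                throw new IOException("Authentication failed");
            }

            String received = pc.getPassword();
            if (received == null)
            {
                // Digest case (assumption: WSS4J delivers no password here). Supply the
                // reference password; WSS4J computes the digest from it and compares
                // that with the PasswordDigest element it received.
                pc.setPassword(stored);
            }
            else
            {
                // Plain-text case: the callback carries the client's password and nobody
                // else will check it. Compare in constant time and refuse on mismatch.
                byte[] a = received.getBytes(StandardCharsets.UTF_8);
                byte[] b = stored.getBytes(StandardCharsets.UTF_8);
                if (!MessageDigest.isEqual(a, b))
                {
                    throw new IOException("Authentication failed");
                }
            }
        }
    }

    // The value WSS4J computes for a digested token (UsernameToken Profile 1.0):
    // Base64(SHA-1(nonce + created + password)), with nonce as raw bytes and
    // created as the UTF-8 text of the timestamp.
    public static String passwordDigest(byte[] nonce, String created, String password)
    {
        try
        {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(nonce);
            sha1.update(created.getBytes(StandardCharsets.UTF_8));
            sha1.update(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(sha1.digest());
        }
        catch (NoSuchAlgorithmException e)
        {
            throw new IllegalStateException("SHA-1 is required by the JCA spec", e);
        }
    }
}
```

Because the digest includes the nonce and creation time, a handler that calls setPassword() with the stored password lets WSS4J reject both wrong passwords and replayed digests; the same call in the plain-text branch would replace the client's password with the correct one and leave nothing to compare, which is exactly the "accepts any password" behaviour the original post describes. The handler is wired in through the WSS4J handler's passwordCallbackClass parameter in the service deployment, the same way as the poster's own handler.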

