Posted to fx-dev@ws.apache.org by Ruchith Fernando <ru...@gmail.com> on 2006/10/20 13:44:13 UTC

Re: WSS4J authentication using LDAP

The stack trace you posted says that the incoming message does not
contain a "Security" header when it's expected to contain one. Please
re-check your client configuration if the exception was thrown at the
server side receiver handler.

I see a few approaches to your overall problem:

- Use UsernameToken over HTTPS.
- Encrypt the UsernameToken using WS-Security mechanisms (specify the
UsernameToken element in the encryptionParts)

IMHO either case can hide the password from a third party. In both
cases you can use a plain text password and can carry out your
authentication with the LDAP server in the callback handler you use at
the service.


On 10/12/06, Madraswala, Murtaza <Mu...@nike.com> wrote:
>
>
> Hello,
>    I am fairly new to development using Axis and WSS4J. I am trying to build
> a web service that accepts a UserID/Password combination and validates it
> against an LDAP database. I have managed to execute the first example given
> in the tutorial on the WSS4J site. I find that when I set the passwordType
> to "PasswordDigest", a null value is returned when I extract the value in
> the PWCallback class on the server side. If I use the "PasswordText" option
> then the actual value is returned but the problem here is that the password
> is also clearly visible in the SOAP message. I have tried quite a few times
> to combine signature and encryption (as explained in the tutorials), having
> generated my own keystore for the server and the client as well as the
> certificates but to no avail. The latest error message I get at the client
> when I try to run this is listed below:
>
> C:\client>java samples.stock.client.StockServiceClient XXX
> Calling service...
> Exception in thread "main" AxisFault
>  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
>  faultSubcode:
>  faultString: WSDoAllReceiver: Request does not contain required Security header
>  faultActor:
>  faultNode:
>  faultDetail:
>         {http://xml.apache.org/axis/}stackTrace:WSDoAllReceiver: Request does not contain required Security header
>         at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:175)
>         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
>         at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
>         at org.apache.axis.client.Call.invoke(Call.java:2767)
>         at org.apache.axis.client.Call.invoke(Call.java:2443)
>         at org.apache.axis.client.Call.invoke(Call.java:2366)
>         at org.apache.axis.client.Call.invoke(Call.java:1812)
>         at samples.stock.client.StockWss01SoapBindingStub.getQuote(StockWss01SoapBindingStub.java:106)
>         at samples.stock.client.StockServiceClient.main(StockServiceClient.java:53)
>
>         {http://xml.apache.org/axis/}hostname:MMADRAW3
>
> WSDoAllReceiver: Request does not contain required Security header
>         at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:175)
>         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
>         at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
>         at org.apache.axis.client.Call.invoke(Call.java:2767)
>         at org.apache.axis.client.Call.invoke(Call.java:2443)
>         at org.apache.axis.client.Call.invoke(Call.java:2366)
>         at org.apache.axis.client.Call.invoke(Call.java:1812)
>         at samples.stock.client.StockWss01SoapBindingStub.getQuote(StockWss01SoapBindingStub.java:106)
>         at samples.stock.client.StockServiceClient.main(StockServiceClient.java:53)
>
>
>      If someone could suggest a technique to encrypt the whole SOAP message
> or at least the password, then extract it on the server side so that it can
> be used to perform a bind against an LDAP server, I would greatly appreciate
> it.
>
> Thanks,
> Murtaza.
>
> s
> Murtaza Madraswala
>


-- 
www.ruchith.org

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
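
The second option in this reply (encrypting the UsernameToken with WS-Security so the clear-text password is hidden from anyone on the path) as an Axis 1.x client-side WSDD handler configuration. This is an added example for this page, not the thread's or WSS4J's own sample. The parameter names are the ones WSDoAllSender reads; the user name, callback class, key alias and property file name are placeholders; the encryptionParts value uses the WSS4J `{mode}{namespace}localname` list syntax with the wsse 1.0 namespace, and whether the receiver accepts the token inside an EncryptedData element is assumed, as the reply suggests, rather than verified here.

```xml
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender">
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <!-- Actions run in order: the token is inserted first, then Encrypt covers it. -->
        <parameter name="action" value="UsernameToken Encrypt"/>
        <!-- Placeholder user; the callback supplies this user's password (usage USERNAME_TOKEN). -->
        <parameter name="user" value="alice"/>
        <parameter name="passwordCallbackClass" value="example.ClientPWCallback"/>
        <!-- Clear text in the token, so the service can bind to LDAP with it;
             it is only acceptable because the token is encrypted below. -->
        <parameter name="passwordType" value="PasswordText"/>
        <!-- Encrypt to the service's certificate; alias and property file are placeholders. -->
        <parameter name="encryptionUser" value="serverkey"/>
        <parameter name="encryptionPropFile" value="crypto.properties"/>
        <parameter name="encryptionKeyIdentifier" value="IssuerSerial"/>
        <!-- Once encryptionParts is given, only the listed parts are encrypted:
             the whole UsernameToken element (password included) and the Body content. -->
        <parameter name="encryptionParts"
                   value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
      </handler>
    </requestFlow>
  </transport>
</deployment>
```

On the service side the matching WSDoAllReceiver handler needs the same action list ("UsernameToken Encrypt"), a decryptionPropFile pointing at the keystore holding the service's private key, and a passwordCallbackClass that answers both the DECRYPT usage (private-key password) and the USERNAME_TOKEN_UNKNOWN usage (verifying the clear-text password, for example by binding to LDAP). Leaving the Body out of encryptionParts would leave the request payload readable, so list it explicitly when you override the default.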


Re: WSS4J authentication using LDAP

Posted by Ruchith Fernando <ru...@gmail.com>.
Murtaza,

After considering your scenario I feel maybe you are looking for
WS-SecureConversation functionality.

WS-SecureConversation will allow you to first authenticate the user
and set up a security context and then perform crypto operations on
subsequent messages within the established security context.

I'm in the process of adding examples to Rampart. Will add a few on
WS-SecConv as well.

Thanks,
Ruchith

On 10/26/06, Madraswala, Murtaza <Mu...@nike.com> wrote:
> Ruchith,
>    I knew I could use this approach, it's just that UsernameToken and
> plaintext passwords necessitate the use of a point to point transport
> level security mechanism. This is not very helpful if you want to do
> routing of subsequent messages (not to mention the initial request
> itself based on the contents of the SOAP message). The solution I am
> thinking of now is to use UsernameToken + plaintext password over SSL
> just for authentication, then tearing the SSL connection down and
> encrypting the SOAP bodies of all subsequent messages using wss4j. I
> guess the one learning curve here is to figure out a way to get the
> service and client to adopt say a "Timestamp Encrypt Signature" approach
> after first using the "UsernameToken" approach.
>     Let me know if you have any thoughts.
>     Once again I appreciate all the feedback you send me.
>
> Thanks,
> Murtaza.
>
> -----Original Message-----
> From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com]
> Sent: Tuesday, October 24, 2006 7:23 PM
> To: Madraswala, Murtaza
> Cc: wss4j-dev@ws.apache.org
> Subject: Re: WSS4J authentication using LDAP
>
> Hi Murtaza,
>
> We use UsernameToken with a plain text password exactly for this
> purpose!
>
> - The *plain text password* is sent in the UsernameToken to the service.
> - In the callback handler class you can use the same algorithms that
> AD uses to generate the hash from the password you get from the
> UsernameToken.
> - Now you can compare this with the one you have stored in AD! (This
> also happens within the callback handler.)
>
> This is explained here [1] in the section where we talk about
> USERNAME_TOKEN_UNKNOWN usage of WSPasswordCallback object passed in to
> the callback handler.
>
> Thanks,
> Ruchith
>
> [1]
> http://www.wso2.net/articles/rampart/java/2006/08/15/usernametoken-auth
>
>
> On 10/25/06, Madraswala, Murtaza <Mu...@nike.com> wrote:
> > Ruchith,
> >    Thanks very much, I seem to have figured this issue out. My real
> > objective is to perform authentication with the Active Directory.
> > Passwords are never stored in clear text there, and I don't want to use
> > transport layer security mechanisms like SSL. If I generate a digest of
> > the password using UsernameToken there is no way to recover the password
> > from the digest. I can try generating the hash that the AD uses to
> > perform a comparison for user authenticity (just like Windows clients do
> > using Kerberos) at the client side, and send the hash in the SOAP packet
> > to run against AD, but I don't know how that would use WS-Security. (I
> > guess I would have to put the userID/Pwd combination in the SOAP body
> > and encrypt and sign that, then recover it on the server side) Is there
> > no solution that can use the digest, nonce, and username that appears on
> > the server side to perform authentication with AD (Doesn't look likely
> > to me) or specify the token so that the hash required by AD is generated
> > and sent in the SOAP packet (like Windows clients send)?
> >    I appreciate all the help and advice you can provide in this regard.
> >
> > Thanks,
> > Murtaza.
> >
> > -----Original Message-----
> > From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com]
> > Sent: Friday, October 20, 2006 4:44 AM
> > To: Madraswala, Murtaza
> > Cc: wss4j-dev@ws.apache.org; werner.dittmann@seimens.com;
> > wss4j-dev-subscribe@ws.apache.org
> > Subject: Re: WSS4J authentication using LDAP
> >
> > The stack trace you posted says that the incoming message does not
> > contain a "Security" header when it's expected to contain one. Please
> > re-check your client configuration if the exception was thrown at the
> > server side receiver handler.
> >
> > I see a few approaches to your overall problem:
> >
> > - Use UsernameToken over HTTPS.
> > - Encrypt the UsernameToken using WS-Security mechanisms (specify the
> > UsernameToken element in the encryptionParts)
> >
> > IMHO either case can hide the password from a third party. In both
> > cases you can use a plain text password and can carry out your
> > authentication with the LDAP server in the callback handler you use at
> > the service.
> >
> >
> > On 10/12/06, Madraswala, Murtaza <Mu...@nike.com> wrote:
> > >
> > >
> > > Hello,
> > >    I am fairly new to development using Axis and WSS4J. I am trying to build
> > > a web service that accepts a UserID/Password combination and validates it
> > > against an LDAP database. I have managed to execute the first example given
> > > in the tutorial on the WSS4J site. I find that when I set the passwordType
> > > to "PasswordDigest", a null value is returned when I extract the value in
> > > the PWCallback class on the server side. If I use the "PasswordText" option
> > > then the actual value is returned but the problem here is that the password
> > > is also clearly visible in the SOAP message. I have tried quite a few times
> > > to combine signature and encryption (as explained in the tutorials), having
> > > generated my own keystore for the server and the client as well as the
> > > certificates but to no avail. The latest error message I get at the client
> > > when I try to run this is listed below:
> > >
> > > C:\client>java samples.stock.client.StockServiceClient XXX
> > > Calling service...
> > > Exception in thread "main" AxisFault
> > >  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
> > >  faultSubcode:
> > >  faultString: WSDoAllReceiver: Request does not contain required Security header
> > >  faultActor:
> > >  faultNode:
> > >  faultDetail:
> > >         {http://xml.apache.org/axis/}stackTrace:WSDoAllReceiver: Request does not contain required Security header
> > >         at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:175)
> > >         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> > >         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> > >         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> > >         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
> > >         at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> > >         at org.apache.axis.client.Call.invoke(Call.java:2767)
> > >         at org.apache.axis.client.Call.invoke(Call.java:2443)
> > >         at org.apache.axis.client.Call.invoke(Call.java:2366)
> > >         at org.apache.axis.client.Call.invoke(Call.java:1812)
> > >         at samples.stock.client.StockWss01SoapBindingStub.getQuote(StockWss01SoapBindingStub.java:106)
> > >         at samples.stock.client.StockServiceClient.main(StockServiceClient.java:53)
> > >
> > >         {http://xml.apache.org/axis/}hostname:MMADRAW3
> > >
> > > WSDoAllReceiver: Request does not contain required Security header
> > >         at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:175)
> > >         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> > >         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> > >         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> > >         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
> > >         at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> > >         at org.apache.axis.client.Call.invoke(Call.java:2767)
> > >         at org.apache.axis.client.Call.invoke(Call.java:2443)
> > >         at org.apache.axis.client.Call.invoke(Call.java:2366)
> > >         at org.apache.axis.client.Call.invoke(Call.java:1812)
> > >         at samples.stock.client.StockWss01SoapBindingStub.getQuote(StockWss01SoapBindingStub.java:106)
> > >         at samples.stock.client.StockServiceClient.main(StockServiceClient.java:53)
> > >
> > >
> > >      If someone could suggest a technique to encrypt the whole SOAP message
> > > or at least the password, then extract it on the server side so that it can
> > > be used to perform a bind against an LDAP server, I would greatly appreciate
> > > it.
> > >
> > > Thanks,
> > > Murtaza.
> > >
> > > s
> > > Murtaza Madraswala
> > >
> >
> >
> > --
> > www.ruchith.org
> >
> >
> >
>
>
> --
> www.ruchith.org
>
>
>


-- 
www.ruchith.org


Re: WSS4J authentication using LDAP

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Murtaza,

We use UsernameToken with a plain text password exactly for this purpose!

- The *plain text password* is sent in the UsernameToken to the service.
- In the callback handler class you can use the same algorithms that
AD uses to generate the hash from the password you get from the
UsernameToken.
- Now you can compare this with the one you have stored in AD! (This
also happens within the callback handler.)

This is explained here [1] in the section where we talk about
USERNAME_TOKEN_UNKNOWN usage of WSPasswordCallback object passed in to
the callback handler.

Thanks,
Ruchith

[1] http://www.wso2.net/articles/rampart/java/2006/08/15/usernametoken-auth


On 10/25/06, Madraswala, Murtaza <Mu...@nike.com> wrote:
> Ruchith,
>    Thanks very much, I seem to have figured this issue out. My real
> objective is to perform authentication with the Active Directory.
> Passwords are never stored in clear text there, and I don't want to use
> transport layer security mechanisms like SSL. If I generate a digest of
> the password using UsernameToken there is no way to recover the password
> from the digest. I can try generating the hash that the AD uses to
> perform a comparison for user authenticity (just like Windows clients do
> using Kerberos) at the client side, and send the hash in the SOAP packet
> to run against AD, but I don't know how that would use WS-Security. (I
> guess I would have to put the userID/Pwd combination in the SOAP body
> and encrypt and sign that, then recover it on the server side) Is there
> no solution that can use the digest, nonce, and username that appears on
> the server side to perform authentication with AD (Doesn't look likely
> to me) or specify the token so that the hash required by AD is generated
> and sent in the SOAP packet (like Windows clients send)?
>    I appreciate all the help and advice you can provide in this regard.
>
> Thanks,
> Murtaza.
>
> -----Original Message-----
> From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com]
> Sent: Friday, October 20, 2006 4:44 AM
> To: Madraswala, Murtaza
> Cc: wss4j-dev@ws.apache.org; werner.dittmann@seimens.com;
> wss4j-dev-subscribe@ws.apache.org
> Subject: Re: WSS4J authentication using LDAP
>
> The stack trace you posted says that the incoming message does not
> contain a "Security" header when it's expected to contain one. Please
> re-check your client configuration if the exception was thrown at the
> server side receiver handler.
>
> I see a few approaches to your overall problem:
>
> - Use UsernameToken over HTTPS.
> - Encrypt the UsernameToken using WS-Security mechanisms (specify the
> UsernameToken element in the encryptionParts)
>
> IMHO either case can hide the password from a third party. In both
> cases you can use a plain text password and can carry out your
> authentication with the LDAP server in the callback handler you use at
> the service.
>
>
> On 10/12/06, Madraswala, Murtaza <Mu...@nike.com> wrote:
> >
> >
> > Hello,
> >    I am fairly new to development using Axis and WSS4J. I am trying to build
> > a web service that accepts a UserID/Password combination and validates it
> > against an LDAP database. I have managed to execute the first example given
> > in the tutorial on the WSS4J site. I find that when I set the passwordType
> > to "PasswordDigest", a null value is returned when I extract the value in
> > the PWCallback class on the server side. If I use the "PasswordText" option
> > then the actual value is returned but the problem here is that the password
> > is also clearly visible in the SOAP message. I have tried quite a few times
> > to combine signature and encryption (as explained in the tutorials), having
> > generated my own keystore for the server and the client as well as the
> > certificates but to no avail. The latest error message I get at the client
> > when I try to run this is listed below:
> >
> > C:\client>java samples.stock.client.StockServiceClient XXX
> > Calling service...
> > Exception in thread "main" AxisFault
> >  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
> >  faultSubcode:
> >  faultString: WSDoAllReceiver: Request does not contain required Security header
> >  faultActor:
> >  faultNode:
> >  faultDetail:
> >         {http://xml.apache.org/axis/}stackTrace:WSDoAllReceiver: Request does not contain required Security header
> >         at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:175)
> >         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> >         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> >         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> >         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
> >         at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> >         at org.apache.axis.client.Call.invoke(Call.java:2767)
> >         at org.apache.axis.client.Call.invoke(Call.java:2443)
> >         at org.apache.axis.client.Call.invoke(Call.java:2366)
> >         at org.apache.axis.client.Call.invoke(Call.java:1812)
> >         at samples.stock.client.StockWss01SoapBindingStub.getQuote(StockWss01SoapBindingStub.java:106)
> >         at samples.stock.client.StockServiceClient.main(StockServiceClient.java:53)
> >
> >         {http://xml.apache.org/axis/}hostname:MMADRAW3
> >
> > WSDoAllReceiver: Request does not contain required Security header
> >         at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:175)
> >         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> >         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> >         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> >         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
> >         at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> >         at org.apache.axis.client.Call.invoke(Call.java:2767)
> >         at org.apache.axis.client.Call.invoke(Call.java:2443)
> >         at org.apache.axis.client.Call.invoke(Call.java:2366)
> >         at org.apache.axis.client.Call.invoke(Call.java:1812)
> >         at samples.stock.client.StockWss01SoapBindingStub.getQuote(StockWss01SoapBindingStub.java:106)
> >         at samples.stock.client.StockServiceClient.main(StockServiceClient.java:53)
> >
> >
> >      If someone could suggest a technique to encrypt the whole SOAP message
> > or at least the password, then extract it on the server side so that it can
> > be used to perform a bind against an LDAP server, I would greatly appreciate
> > it.
> >
> > Thanks,
> > Murtaza.
> >
> > s
> > Murtaza Madraswala
> >
>
>
> --
> www.ruchith.org
>
>
>


-- 
www.ruchith.org
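
The server-side callback handler this reply describes (clear-text password from the UsernameToken, checked inside the handler) as an added example for this page; it is not code from the thread, from WSS4J or from Rampart. It assumes the WSS4J 1.5-era WSPasswordCallback API (getUsage(), getIdentifier(), getPassword(), setPassword() and the USERNAME_TOKEN, USERNAME_TOKEN_UNKNOWN and DECRYPT usage constants) and plain JNDI for the directory bind; the class name, LDAP URL, DN layout and the system property used for the private-key password are invented deployment values. It checks against LDAP by binding as the user, which is the generic form of the AD comparison in the reply, and it also shows why the PasswordDigest variant cannot take this route.

```java
import java.io.IOException;
import java.util.Hashtable;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback for WSDoAllReceiver, registered through the handler's
 * passwordCallbackClass parameter. Added example, not WSS4J/Rampart code;
 * assumes the WSS4J 1.5 WSPasswordCallback API.
 */
public class LdapPWCallback implements CallbackHandler {

    // Assumed deployment values. LDAPS keeps the simple bind itself off the wire in clear.
    private static final String LDAP_URL = "ldaps://ldap.example.test:636";
    private static final String USER_DN_SUFFIX = ",ou=people,dc=example,dc=test";

    // Accept only identifiers that need no DN escaping (RFC 4514), so a crafted
    // user name cannot change the structure of the bind DN built below.
    private static final Pattern SAFE_UID = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            switch (pc.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                // passwordType=PasswordText: WSS4J has parsed the token and hands over
                // the clear-text password; verifying it is entirely the handler's job.
                // The receiver treats an exception from here as an authentication
                // failure and faults the request.
                if (!bindAsUser(pc.getIdentifier(), pc.getPassword())) {
                    throw new IOException("LDAP bind failed for user " + pc.getIdentifier());
                }
                break;
            case WSPasswordCallback.USERNAME_TOKEN:
                // passwordType=PasswordDigest: getPassword() is null here (the "null
                // value" from the original question). WSS4J expects the clear-text
                // password back via setPassword() so it can recompute the digest,
                // which a directory that only stores hashes cannot provide.
                throw new UnsupportedCallbackException(pc,
                        "PasswordDigest cannot be verified against LDAP; use PasswordText");
            case WSPasswordCallback.DECRYPT:
                // Only needed when the receiver also runs the Encrypt action: the
                // password of the service's private key. Placeholder source; keep it
                // out of the code and out of the deployment descriptor in practice.
                pc.setPassword(System.getProperty("example.keystore.password"));
                break;
            default:
                throw new UnsupportedCallbackException(pc, "Unexpected usage " + pc.getUsage());
            }
        }
    }

    /** Authenticate by binding to the directory as the user; true only on success. */
    static boolean bindAsUser(String uid, String password) {
        // With an empty credential many directories perform an anonymous or
        // unauthenticated bind that "succeeds"; refuse it before touching LDAP.
        if (uid == null || password == null || password.length() == 0) {
            return false;
        }
        if (!SAFE_UID.matcher(uid).matches()) {
            return false;
        }
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=" + uid + USER_DN_SUFFIX);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the bind itself is the credential check
            return true;
        } catch (NamingException e) {
            return false;                       // bad password, unknown user or directory unreachable
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

Because the password travels in clear text inside the UsernameToken, this handler only makes sense when the token is protected in transit, either by HTTPS or by listing the UsernameToken element in the sender's encryptionParts as suggested earlier in the thread. If the service also needs to verify against Active Directory specifically, the bindAsUser step is where the directory-specific check goes; the callback contract (USERNAME_TOKEN_UNKNOWN carries the clear-text password) stays the same.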

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Re: WSS4J authentication using LDAP

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Murtaza,

We use UsernameToken with a plain text password exactly for this purpose!

- The *plain text password* is sent in the UsernameToken to the service.
- In the callback handler class you can use the same algorithms that
AD uses to generate the hash from the password you get from the
UsernameToken.
- Now you can compare this with the one you have stored in AD ! (This
also happens within the callback handler)

This is explained here [1] in the section where we talk about
USERNAME_TOKEN_UNKNOWN usage of WSPasswordCallback object passed in to
the callback handler.

Thanks,
Ruchith

[1] http://www.wso2.net/articles/rampart/java/2006/08/15/usernametoken-auth


On 10/25/06, Madraswala, Murtaza <Mu...@nike.com> wrote:
> Ruchith,
>    Thanks very much, I seem to have figured this issue out. My real
> objective is to perform authentication with the Active Directory.
> Passwords are never stored in clear text there, and I don't want to use
> transport layer security mechanisms like SSL. If I generate a digest of
> the password using UsernameToken there is no way to recover the password
> from the digest. I can try generating the hash that the AD uses to
> perform a comparison for user authenticity (just like Windows clients do
> using Kerberos) at the client side, and send the hash in the SOAP packet
> to run against AD, but I don't know how that would use WS-Security. (I
> guess I would have to put the userID/Pwd combination in the SOAP body
> and encrypt and sign that, then recover it on the server side) Is there
> no solution that can use the digest, nonce, and username that appears on
> the server side to perform authentication with AD (Doesn't look likely
> to me) or specify the token so that the hash required by AD is generated
> and sent in the SOAP packet (like Windows clients send)?
>    I appreciate all the help and advice you can provide in this regard.
>
> Thanks,
> Murtaza.
>
> -----Original Message-----
> From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com]
> Sent: Friday, October 20, 2006 4:44 AM
> To: Madraswala, Murtaza
> Cc: wss4j-dev@ws.apache.org; werner.dittmann@seimens.com;
> wss4j-dev-subscribe@ws.apache.org
> Subject: Re: WSS4J authentication using LDAP
>
> The stack trace you posted says that the incoming message does not
> contain a "Security" header when its expected to contain one. Please
> re-check your client configuration if the exception was thrown at the
> server side receiver handler.
>
> I see a few approaches to your overall problem :
>
> - Use UsernameToken over HTTPS.
> - Encrypt the UsernameToken using WS-Security mechanisms (specify the
> UsernameToken element in the encryptionParts)
>
> IMHO either case can hide the password from a third party. In both
> cases you can use a plain text password and can carry out your
> authentication with the LDAP server in the callback handler you use at
> the service.
>
>
> On 10/12/06, Madraswala, Murtaza <Mu...@nike.com> wrote:
> >
> >
> > Hello,
> >    I am fairly new to development using Axis and WSS4J. I am trying to
> build
> > a web service that accepts a UserID/Password combination and validates
> it
> > against an LDAP database. I have managed to execute the first example
> given
> > in the tutorial on the WSS4J site. I find that when I set the
> passwordType
> > to "PasswordDigest", a null value is returned when I extract the value
> in
> > the PWCallback class on the server side. If I use the "PasswordText"
> option
> > then the actual value is returned but the problem here is that the
> password
> > is also clearly visible in the SOAP message. I have tried quite a few
> times
> > to combine signature and encryption (as explained in the tutorials),
> having
> > generated my own keystore for the server and the client as well as the
> > certificates but to no avail. The latest error message I get at the
> client
> > when I try to run this is listed below:
> >
> > C:\client>java samples.stock.client.StockServiceClient XXX
> > Calling service...
> > Exception in thread "main" AxisFault
> >  faultCode:
> > {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
> >  faultSubcode:
> >  faultString: WSDoAllReceiver: Request does not contain required
> Security
> > header
> >
> >  faultActor:
> >  faultNode:
> >  faultDetail:
> >
> > {http://xml.apache.org/axis/}stackTrace:WSDoAllReceiver:
> > Request does not contain required Security header
> >         at
> > org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.ja
> > va:175)
> >         at
> > org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrateg
> > y.java:32)
> >         at
> > org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> >         at
> > org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> >         at
> > org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
> >         at
> > org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> >         at
> > org.apache.axis.client.Call.invoke(Call.java:2767)
> >         at
> > org.apache.axis.client.Call.invoke(Call.java:2443)
> >         at
> > org.apache.axis.client.Call.invoke(Call.java:2366)
> >         at
> > org.apache.axis.client.Call.invoke(Call.java:1812)
> >         at
> > samples.stock.client.StockWss01SoapBindingStub.getQuote(StockWss01Soa
> > pBindingStub.java:106)
> >         at
> > samples.stock.client.StockServiceClient.main(StockServiceClient.java:
> > 53)
> >
> >         {http://xml.apache.org/axis/}hostname:MMADRAW3
> >
> > WSDoAllReceiver: Request does not contain required Security header
> >         at
> > org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.ja
> > va:175)
> >         at
> > org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrateg
> > y.java:32)
> >         at
> > org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> >         at
> > org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> >         at
> > org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
> >         at
> > org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> >         at
> > org.apache.axis.client.Call.invoke(Call.java:2767)
> >         at
> > org.apache.axis.client.Call.invoke(Call.java:2443)
> >         at
> > org.apache.axis.client.Call.invoke(Call.java:2366)
> >         at
> > org.apache.axis.client.Call.invoke(Call.java:1812)
> >         at
> > samples.stock.client.StockWss01SoapBindingStub.getQuote(StockWss01Soa
> > pBindingStub.java:106)
> >         at
> > samples.stock.client.StockServiceClient.main(StockServiceClient.java:
> > 53)
> >
> >
> >      If someone could suggest a technique to encrypt the whole SOAP
> message
> > or at least the password, then extract it on the server side so that it
> can
> > be used to perform a bind against an LDAP server, I would greatly
> appreciate
> > it.
> >
> > Thanks,
> > Murtaza.
> >
> > s
> > Murtaza Madraswala
> >
>
>
> --
> www.ruchith.org
>
>
>


-- 
www.ruchith.org
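
Added here as a worked illustration of the USERNAME_TOKEN_UNKNOWN path Ruchith describes; it is not code from the thread, from the article he links, or from the WSS4J distribution. It is a WSS4J 1.5-era password callback that authenticates a PasswordText UsernameToken by doing an LDAP simple bind with the caller's own credentials, which sidesteps the question of how AD hashes passwords. Assumptions: WSS4J 1.5 (where the accessor is spelled getIdentifer()), and the LDAPS URL, UPN suffix and package name are placeholders.

```java
// Added example, not part of the thread or of WSS4J. Assumes WSS4J 1.5.x.
package example; // hypothetical package

import java.io.IOException;
import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class LdapBindCallbackHandler implements CallbackHandler {

    // Placeholders: use ldaps:// (or StartTLS) because a simple bind sends the
    // password to the directory in clear text.
    private static final String LDAP_URL = "ldaps://dc01.example.com:636"; // assumption
    private static final String UPN_SUFFIX = "@example.com";               // assumption

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            switch (pc.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                // PasswordText: WSS4J hands over the clear-text password and expects
                // the handler to verify it. Returning normally means "accepted", so
                // every failure path must throw.
                if (!bindAsUser(pc.getIdentifer(), pc.getPassword())) { // 1.5 spelling
                    throw new UnsupportedCallbackException(pc, "Authentication failed");
                }
                break;
            case WSPasswordCallback.USERNAME_TOKEN:
                // PasswordDigest: WSS4J asks for the stored clear-text password so it
                // can recompute the digest. A directory that only stores hashes cannot
                // supply it, which is why PWCallback saw null in the original post.
                throw new UnsupportedCallbackException(pc,
                        "PasswordDigest cannot be verified against LDAP; use PasswordText");
            default:
                throw new UnsupportedCallbackException(pc, "Unexpected usage " + pc.getUsage());
            }
        }
    }

    // Returns true only if the directory accepts a simple bind as this user.
    static boolean bindAsUser(String user, String password) throws IOException {
        // RFC 4513 defines a bind with a name and an empty password as an
        // *unauthenticated* bind, and many servers (AD included) let it succeed.
        // Never let an empty password reach the bind.
        if (user == null || user.length() == 0 || password == null || password.length() == 0) {
            return false;
        }
        // Only accept a plain account name; anything with DN/filter syntax is refused
        // so the token cannot steer which entry we bind as.
        if (!user.matches("[A-Za-z0-9._-]+")) {
            return false;
        }
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, user + UPN_SUFFIX); // AD accepts user@domain here
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            return false; // bad password or unknown user: a credential failure
        } catch (NamingException e) {
            // Directory unreachable etc.: surface as an error, not as "wrong password"
            throw new IOException("LDAP bind error: " + e.getMessage());
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignore) { }
            }
        }
    }
}
```

Register the class via the service's passwordCallbackClass parameter. Two points the thread does not spell out: the UsernameToken still travels in the clear unless it is sent over HTTPS or encrypted (see the encryptionParts suggestion earlier in the thread), and the bind should distinguish a credential failure (reject the token) from a directory outage (fail the request loudly rather than silently rejecting every user).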
