Posted to java-dev@axis.apache.org by "Simon Jongsma (JIRA)" <ji...@apache.org> on 2012/08/03 14:15:02 UTC
[jira] [Created] (RAMPART-385) Rampart does check username token
password (via callback), even though "NoPassword" was specified in Security
Policy
Simon Jongsma created RAMPART-385:
-------------------------------------
Summary: Rampart does check username token password (via callback), even though "NoPassword" was specified in Security Policy
Key: RAMPART-385
URL: https://issues.apache.org/jira/browse/RAMPART-385
Project: Rampart
Issue Type: Question
Environment: JBoss 5.1.2
Axis2 1.6.2
Rampart/Rahas 1.6.2
Reporter: Simon Jongsma
A Policy was specified on a web service as such:
<sp:SupportingTokens>
  <wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:NoPassword/>
      </wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy>
</sp:SupportingTokens>
If the request contains username token + password in security header, I would expect (hope) Rampart to ignore
the password or complain that a password is present (I'm not sure about the meaning of NoPassword in this respect).
Anyway: Rampart will go into the password callback and require us to supply the value.
Is this correct?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org
[jira] [Updated] (RAMPART-385) Rampart does check username token
password (via callback), even though "NoPassword" was specified in Security
Policy
Posted by "Suresh Attanayake (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Suresh Attanayake updated RAMPART-385:
--------------------------------------
Attachment: (was: RAMPART-385.patch)
[jira] [Updated] (RAMPART-385) Rampart does check username token
password (via callback), even though "NoPassword" was specified in Security
Policy
Posted by "Suresh Attanayake (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Suresh Attanayake updated RAMPART-385:
--------------------------------------
Attachment: (was: RAMPART-385.patch)
[jira] [Updated] (RAMPART-385) Rampart does check username token
password (via callback), even though "NoPassword" was specified in Security
Policy
Posted by "Suresh Attanayake (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Suresh Attanayake updated RAMPART-385:
--------------------------------------
Attachment: RAMPART-385.patch
Attaching a patch for UsernameToken Assertion policy validation.
[jira] [Updated] (RAMPART-385) Rampart does check username token
password (via callback), even though "NoPassword" was specified in Security
Policy
Posted by "Suresh Attanayake (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Suresh Attanayake updated RAMPART-385:
--------------------------------------
Attachment: RAMPART-385.patch
Attaching the patch with test cases.
[jira] [Commented] (RAMPART-385) Rampart does check username token
password (via callback), even though "NoPassword" was specified in Security
Policy
Posted by "Suresh Attanayake (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13451597#comment-13451597 ]
Suresh Attanayake commented on RAMPART-385:
-------------------------------------------
I could reproduce this issue. This seems to come from Neethi.
[jira] [Commented] (RAMPART-385) Rampart does check username token
password (via callback), even though "NoPassword" was specified in Security
Policy
Posted by "Suresh Attanayake (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13451649#comment-13451649 ]
Suresh Attanayake commented on RAMPART-385:
-------------------------------------------
Hi,
This is not a bug. You must have used the WS-SecurityPolicy version 1.1. The <sp:NoPassword../> is not a part of the WS-SecurityPolicy version 1.1. It is defined in the WS-SecurityPolicy version 1.2.
So use policy version 1.2. Rampart handles the NoPassword policy well.
Anyhow, I have added policy validation on this. It is with the patch (RAMPART-385.patch) attached herewith.
Thanks,
-Suresh
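
The version distinction in the reply above, as an added example that is not part of the original thread or of Rampart's code: a Python check that reports which WS-SecurityPolicy version each UsernameToken assertion belongs to and whether its NoPassword child is defined in that version. It assumes the version is identified by the namespace URI bound to the sp prefix (the two URIs are those of the 1.1 and 1.2 specifications); the xmlns declarations in the sample policy are constructed, since the report omits them.

```python
import xml.etree.ElementTree as ET

SP11 = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"       # WS-SecurityPolicy 1.1
SP12 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # WS-SecurityPolicy 1.2
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"                # WS-Policy

# The policy from the report. The xmlns declarations are constructed: the
# report omits them, so the sp binding is a parameter of this template.
POLICY_TEMPLATE = """\
<sp:SupportingTokens xmlns:sp="{sp}" xmlns:wsp="{wsp}">
  <wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="{sp}/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:NoPassword/>
      </wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy>
</sp:SupportingTokens>
"""


def split_qname(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        namespace, local = tag[1:].split("}", 1)
        return namespace, local
    return "", tag


def lint_username_tokens(policy_xml):
    """Return one finding per UsernameToken assertion in a trusted policy file."""
    findings = []
    for token in ET.fromstring(policy_xml).iter():
        ns, local = split_qname(token.tag)
        if local != "UsernameToken" or ns not in (SP11, SP12):
            continue
        problems = []
        no_password = False
        for child in token.iter():
            child_ns, child_local = split_qname(child.tag)
            if child_local != "NoPassword":
                continue
            if ns == SP12 and child_ns == SP12:
                no_password = True  # defined assertion: no password expected
            else:
                problems.append("NoPassword is outside the 1.2 namespace, "
                                "so it is not a defined assertion here")
        include = token.get("{%s}IncludeToken" % ns, "")
        if include and not include.startswith(ns + "/IncludeToken/"):
            problems.append("IncludeToken URI belongs to a different "
                            "policy version than the assertion")
        findings.append({"version": "1.1" if ns == SP11 else "1.2",
                         "no_password": no_password, "problems": problems})
    return findings


if __name__ == "__main__":
    for sp_ns in (SP11, SP12):
        print(lint_username_tokens(POLICY_TEMPLATE.format(sp=sp_ns, wsp=WSP)))
```
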
[jira] [Commented] (RAMPART-385) Rampart does check username token
password (via callback), even though "NoPassword" was specified in Security
Policy
Posted by "Simon Jongsma (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13454760#comment-13454760 ]
Simon Jongsma commented on RAMPART-385:
---------------------------------------
Thanks so far Suresh. I was not aware I could specify the WS-SecurityPolicy version to be used by Rampart.
Could you instruct me as to where I can specify this?
[jira] [Updated] (RAMPART-385) Rampart does check username token
password (via callback), even though "NoPassword" was specified in Security
Policy
Posted by "Suresh Attanayake (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Suresh Attanayake updated RAMPART-385:
--------------------------------------
Attachment: RAMPART-385.patch
[jira] [Updated] (RAMPART-385) Rampart does check username token
password (via callback), even though "NoPassword" was specified in Security
Policy
Posted by "Suresh Attanayake (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Suresh Attanayake updated RAMPART-385:
--------------------------------------
Comment: was deleted
(was: I could reproduce this issue. This seems to come from Neethi.)