Posted to wss4j-dev@ws.apache.org by daphbou <dv...@yahoo.fr> on 2008/09/17 18:24:40 UTC

WSSE-UsernameToken: accepts all user/password

Hello,

I am trying to set up a SOAP transaction with wss4j 1.5.4 and Axis (1.4 or 1.2)
using a UsernameToken password.
The trouble is that the request is processed even with a bad user or
password in PasswordText mode.

I spent much time changing parameters or jars, reading documentation and
searching the web, but I found nothing.
Can anyone help? I am sure the solution must be quite simple, but it is the
first time I have used wss4j ...
Thanks.

Daph

Here is all the information about this project.

I did the following tests:
- without a soapenv header the request is rejected (WSDoAllReceiver: Request
  does not contain required Security header)
- in PasswordDigest mode all requests are rejected, even with a correct
  user/password (WSSecurityException: The security token could not be
  authenticated or authorized)

At first I tried to use the PasswordText mode, and here is my
server-config.wsdd file (I changed some namespaces and names):
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
 <globalConfiguration>
  <parameter name="sendMultiRefs" value="true"/>
  <parameter name="disablePrettyXML" value="true"/>
  <parameter name="adminPassword" value="admin"/>
  <parameter name="attachments.Directory" value="/exec/jonas/v486/webapps"/>
  <parameter name="dotNetSoapEncFix" value="true"/>
  <parameter name="enableNamespacePrefixOptimization" value="false"/>
  <parameter name="sendXMLDeclaration" value="true"/>
  <parameter name="attachments.implementation" value="org.apache.axis.attachments.AttachmentsImpl"/>
  <parameter name="sendXsiTypes" value="true"/>
  <requestFlow>
   <handler type="java:org.apache.axis.handlers.JWSHandler">
    <parameter name="scope" value="session"/>
   </handler>
   <handler type="java:org.apache.axis.handlers.JWSHandler">
    <parameter name="scope" value="request"/>
    <parameter name="extension" value=".jwr"/>
   </handler>
   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="passwordCallbackClass" value="com.myAppli.ws.PWCallback"/>
    <parameter name="action" value="UsernameToken"/>
    <parameter name="user" value="user"/>
    <parameter name="passwordType" value="PasswordDigest"/>
    <!--<parameter name="passwordType" value="PasswordText"/>-->
   </handler>
  </requestFlow>
 </globalConfiguration>
 <handler name="LocalResponder" type="java:org.apache.axis.transport.local.LocalResponder"/>
 <handler name="URLMapper" type="java:org.apache.axis.handlers.http.URLMapper"/>

 <!-- Services from WSDL -->
 <service name="ExternalManagementPort" provider="java:RPC" style="wrapped" use="literal">
  <parameter name="wsdlTargetNamespace" value="uri://myAppli/1.0"/>
  <parameter name="wsdlServiceElement" value="ExternalManagementService"/>
  <parameter name="schemaQualified" value="urn:com.serviceconf"/>
  <parameter name="schemaUnqualified" value="uri://myAppli/-xp/types/1.0,uri://myAppli/1.0,uri://myAppli/types/1.0"/>
  <parameter name="wsdlServicePort" value="ExternalManagementPort"/>
  <parameter name="className" value="com.myAppli.messages.ExternalManagementSoapBindingSkeleton"/>
  <parameter name="wsdlPortType" value="ExternalManagement"/>
  <parameter name="typeMappingVersion" value="1.2"/>
  <parameter name="allowedMethods" value="*"/>
…
 <transport name="http">
  <requestFlow>
   <handler type="URLMapper"/>
   <handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
  </requestFlow>
  <parameter name="qs:list" value="org.apache.axis.transport.http.QSListHandler"/>
  <parameter name="qs:wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
  <parameter name="qs.list" value="org.apache.axis.transport.http.QSListHandler"/>
  <parameter name="qs.method" value="org.apache.axis.transport.http.QSMethodHandler"/>
  <parameter name="qs:method" value="org.apache.axis.transport.http.QSMethodHandler"/>
  <parameter name="qs.wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
 </transport>
 <transport name="local">
  <responseFlow>
   <handler type="LocalResponder"/>
  </responseFlow>
 </transport>
</deployment>


And the PWCallback class (its log statements are executed, so the handler is being called):
package com.myAppli.ws;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.log4j.Logger;
import org.apache.ws.security.WSPasswordCallback;

public class PWCallback implements CallbackHandler {
    private static Logger logger = Logger.getLogger(PWCallback.class.getName());

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        logger.debug("Inside PWCallback.handle");
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                // getIdentifer() (sic) is the 1.5.x accessor for the token's username.
                String user = pc.getIdentifer();
                // The password is set unconditionally; the value carried in the
                // token (pc.getPassword()) is never compared with anything here.
                pc.setPassword("testpass");
                logger.debug("Callback found, usage " + pc.getUsage() + ", user " + user);
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }
}

The request (sent with soap-ui for testing) looks like:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:gccsca.francetelecom.com.serviceconf">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken>
            <wsse:Username>SLSd</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testpasstttt</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>

The application is deployed through JOnAS (v4.8.6 on Linux Red Hat 5, or
v4.9.2 on Windows XP).

I have also included a list of the jar files in the war. I am not sure of
all the versions (except those for wss4j). Maybe it can help ...
At first I used Axis 1.2, then I tried to update to Axis 1.4, and then I added some
other jar files that might be needed.
activation.jar - addressing-1.0.jar
axis-1.4.jar - axis-ant-1.4.jar - axis-jaxrpc-1.4.jar - axis-saaj-1.4.jar
bcprov-jdk13-132.jar
classes12.jar
commons-beanutils.jar - commons-codec-1.3.jar - commons-collections.jar -
commons-discovery-0.2.jar - commons-httpclient-3.0-rc2.jar
commons-lang.jar - commons-logging-1.0.4.jar - commons-pool.jar -
commons-validator.jar
dom4j.jar
junit-3.8.1.jar - log4j-1.2.9.jar
mail.jar - opensaml-1.0.1.jar
optional.jar - ostermillerutil.jar - regexp.jar
serializer-2.7.0.jar - wsdl4j-1.5.1.jar - wss4j-1.5.4.jar
xalan-2.7.0.jar - xercesImpl.jar - xml-apis.jar - xmlParserAPIs.jar -
xmlsec-1.4.0.jar

-- 
View this message in context: http://www.nabble.com/WSSE-UsernameToken%3A-accepts-all-user-password-tp19535971p19535971.html
Sent from the WSS4J mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


RE: WSSE-UsernameToken: accepts all user/password

Posted by "O hEigeartaigh, Colm" <Co...@iona.com>.
Hi Daph,

> The trouble is that the request is processed even with a bad user or
> password in PasswordText mode.

When the password is sent in PasswordText mode, all authentication is
delegated to the callback class. So it's up to your CallbackHandler
implementation below to throw an exception if authentication fails. For
PasswordDigest mode, the CallbackHandler must supply the password, and
the subsequent digesting and authentication is performed in WSS4J.

This whole area will hopefully get completely rewritten for the 2.0
release, as it's caused a huge amount of confusion to users.

Colm.
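
As an added example (not code from the original post or from the WSS4J project), here is a
password callback that handles both cases Colm describes. The usage constants
USERNAME_TOKEN (PasswordDigest: the callback supplies the stored password and WSS4J recomputes
and compares the digest) and USERNAME_TOKEN_UNKNOWN (PasswordText: WSS4J hands the submitted
password to the callback and checks nothing itself) are the 1.5.x WSPasswordCallback API as I
recall it; check them against the Javadoc of the installed version. The class name
CheckingPWCallback, the in-memory credential map and the constant-time comparison helper are
assumptions made for this example. Since handle() may only throw IOException or
UnsupportedCallbackException, a mismatch is signalled with an IOException, which is the
"throw an exception if authentication fails" that makes WSDoAllReceiver reject the request.

```java
package com.myAppli.ws;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * UsernameToken password callback for WSDoAllReceiver (WSS4J 1.5.x) that
 * actually authenticates in both password modes:
 *
 *  - PasswordDigest: called with usage USERNAME_TOKEN and no password; the
 *    handler returns the stored clear-text password and WSS4J performs the
 *    digest comparison.
 *  - PasswordText (or no Type attribute): called with usage
 *    USERNAME_TOKEN_UNKNOWN and the password taken from the message; WSS4J
 *    performs no check of its own, so the handler must compare and throw.
 */
public class CheckingPWCallback implements CallbackHandler {

    // Assumed credential store for this example (constructed test data); a
    // real deployment would look the user up in a directory or database.
    private static final Map CREDENTIALS = new HashMap();
    static {
        CREDENTIALS.put("SLSd", "testpass");
        CREDENTIALS.put("user", "user-password");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            // getIdentifer() (sic) is the accessor name in the 1.5.x API.
            String user = pc.getIdentifer();
            String stored = (String) CREDENTIALS.get(user);

            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // PasswordDigest: hand back the secret, WSS4J checks the digest.
                    // Leaving the password unset for an unknown user makes WSS4J
                    // fail the authentication.
                    if (stored != null) {
                        pc.setPassword(stored);
                    }
                    break;
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // PasswordText: this comparison is the only check there is.
                    if (stored == null || !constantTimeEquals(stored, pc.getPassword())) {
                        throw new IOException("UsernameToken authentication failed for user " + user);
                    }
                    break;
                default:
                    throw new UnsupportedCallbackException(pc, "Unexpected usage " + pc.getUsage());
            }
        }
    }

    /**
     * Compares the stored and submitted passwords without returning early at
     * the first differing character (only the length difference is observable).
     */
    static boolean constantTimeEquals(String stored, String submitted) {
        if (stored == null || submitted == null || submitted.length() == 0) {
            return false;
        }
        int diff = stored.length() ^ submitted.length();
        for (int i = 0; i < stored.length(); i++) {
            diff |= stored.charAt(i) ^ submitted.charAt(i % submitted.length());
        }
        return diff == 0;
    }
}
```

To use it, point the passwordCallbackClass parameter of WSDoAllReceiver at
com.myAppli.ws.CheckingPWCallback. With the soapUI request quoted above (user SLSd,
PasswordText password testpasstttt) the comparison against the stored "testpass" fails and
the request is rejected; the same request with testpass is accepted, and in PasswordDigest
mode the handler only hands the stored password back for WSS4J to verify.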

