Hash password in policy file
Posted: Oct 29, 2009 10:20 AM
Hello,
I try to implement a policy that uses a hashed password. I read the following pages: http://weblogs.java.net/blog/2008/11/25/plain-text-username-password-security-metro and http://blogs.sun.com/ashutosh/entry/hash_password_support_and_token
Even though my policy declares a hash password like Ashutosh stated, I still have a plain password in my soap message. The part of my policy looks like this:
    <wsp:ExactlyOne>
      <wsp:All>
        <wsoma:OptimizedMimeSerialization></wsoma:OptimizedMimeSerialization>
        <ns2:SupportingTokens xmlns:ns2="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:WssUsernameToken10 />
                <sp:HashPassword />
              </wsp:Policy>
            </sp:UsernameToken>
          </wsp:Policy>
        </ns2:SupportingTokens>
        <sp:Wss11 />
        <sc:ValidatorConfiguration wspp:visibility="private">
          <sc:Validator name="usernameValidator" classname="com.ws.handlers.PasswordValidator" />
        </sc:ValidatorConfiguration>
      </wsp:All>
    </wsp:ExactlyOne>
I use Tomcat 6 as web container. When I deploy the web service I get the following warning:
WARNUNG: SP0100: Policy assertion Assertion[com.sun.xml.ws.policy.sourcemodel.DefaultPolicyAssertionCreator$DefaultPolicyAssertion] { assertion data { namespace = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy' prefix = 'sp' local name = 'HashPassword' value = 'null' optional = 'false' ignorable = 'false' no attributes } no parameters no nested policy } is not supported under UsernameToken assertion.
This functionality should be implemented since September 08. See: https://wsit.dev.java.net/issues/show_bug.cgi?id=810
I tried Metro 1.5, 2.0 EA and one nightly build from this week.
Thank you in advance for any help.
Kind regards, Dieter
Re: Hash password in policy file
Posted: Oct 29, 2009 11:19 AM, in response to: djehle
The <sp:HashPassword /> assertion was introduced in WS-SecurityPolicy 1.2, so Metro only supports it with that version of the security policy namespace: xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702".
You are using the old version with the namespace http://schemas.xmlsoap.org/ws/2005/07/securitypolicy.
Re: Hash password in policy file
Posted: Oct 30, 2009 3:31 AM, in response to: jdg6688
Thank you for the advice.
Unfortunately, when I now try to invoke a web service method (with a C# client), an exception is thrown stating that there is no password validator configured:

    com.sun.xml.wss.XWSSecurityException: Error: No PasswordValidator Configured for UsernameToken Validation
        at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.authenticateUser(DefaultSecurityEnvironmentImpl.java:935)
        at com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader.validate(UsernameTokenHeader.java:140)
Invoking the service from a Metro client with the changed security policy, no security header is added at all, so the service throws an exception when I try to validate the password on the server side.
So it looks like the password callback handlers are no longer recognized.
My service-side policy looks like this:

    <sc:ValidatorConfiguration wspp:visibility="private">
      <sc:Validator name="usernameValidator" classname="com.webservice.handlers.PasswordValidator" />
    </sc:ValidatorConfiguration>

The namespace for "sc" is "http://schemas.sun.com/2006/03/wss/server".
On the client side, I have the following declaration:

    <sc1:CallbackHandlerConfiguration wspp:visibility="private">
      <sc1:CallbackHandler name="usernameHandler" classname="com.service.client.helper.ClientCallbackHandler"/>
      <sc1:CallbackHandler name="passwordHandler" classname="com.service.client.helper.ClientCallbackHandler"/>
    </sc1:CallbackHandlerConfiguration>

The namespace for "sc1" is "http://schemas.sun.com/2006/03/wss/client".
Kind regards, Dieter
Re: Hash password in policy file
Posted: Oct 30, 2009 11:05 AM, in response to: djehle
Check the following:
1. The namespace of wsp: xmlns:wsp="http://www.w3.org/ns/ws-policy"
2. The password validator class should extend com.sun.xml.wss.impl.callback.PasswordValidationCallback.WsitDigestPasswordValidator. See http://fisheye5.cenqua.com/browse/wsit/wsit/test/e2e/testcases/xwss/s17/server/SampleWsitDigestPasswordValidator.java?r=1.1
e.g.

    <wsp:Policy wsu:Id="IFinancialService_policy" xmlns:wsp="http://www.w3.org/ns/ws-policy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SupportingTokens>
            <wsp:Policy>
              <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssUsernameToken10/>
                  <sp:HashPassword/>
                </wsp:Policy>
              </sp:UsernameToken>
            </wsp:Policy>
          </sp:SupportingTokens>
          <sc:ValidatorConfiguration xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
            <sc:Validator name="usernameValidator" classname="common.SampleWsitDigestPasswordValidator"/>
          </sc:ValidatorConfiguration>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
Re: Hash password in policy file
Posted: Nov 2, 2009 5:46 AM, in response to: jdg6688
Thank you for the answer. Extending PasswordValidationCallback.WsitDigestPasswordValidator (I also changed the namespace as suggested) indeed results in a callback of the validator class on the server side.
A few more questions (I don't know if I should open a new thread):
- How can I actually validate the password on the server side? Setting the password at this point (on the server side with WsitDigestPasswordValidator.setPassword()) does not make sense, I think. There is the possibility to override the validate() method, but the request object provided does not contain the password, only the digest value. Do I have to / can I convert the value at this place? Or am I barking up the wrong tree?
- How do I provide username and password on the client side? The class I currently use implements javax.security.auth.callback.CallbackHandler, and is not called by Metro. Extending WsitDigestPasswordValidator with this class leads to an error message: "ClientCallbackHandler cannot be cast to javax.security.auth.callback.CallbackHandler".
Re: Hash password in policy file
Posted: Nov 2, 2009 12:29 PM, in response to: djehle
> A few more questions (I don't know if I should open a new thread):
> - How can I actually validate the password on the server side? Setting the password at this point (on the server side with WsitDigestPasswordValidator.setPassword()) does not make sense, I think. There is the possibility to override the validate() method, but the request object provided does not contain the password, only the digest value. Do I have to / can I convert the value at this place? Or am I barking up the wrong tree?

This is roughly how it works:
On the client side, you get the username and password and compute the digest with the nonce, timestamp, etc.
Then the token with the username, the digest, etc. is sent to the server.
On the server side, you get the username from the message, look up the corresponding password in your user data store, and then compute the digest independently to compare it to the one in the message. That is why you just need to provide the password for the user in the custom validator; the digest is computed internally for the comparison. You can get the username by calling request.getUsername() and then find the password for it in your system.

> - How do I provide username and password on the client side? The class I currently use implements javax.security.auth.callback.CallbackHandler, and is not called by Metro. Extending WsitDigestPasswordValidator with this class leads to an error message: "ClientCallbackHandler cannot be cast to javax.security.auth.callback.CallbackHandler".

It should come from the callback handler configured on the client side, if configured correctly.
Re: Hash password in policy file
Posted: Nov 3, 2009 3:22 AM, in response to: jdg6688
> On the server side, you get the username from the message and the corresponding password in your user data store and then compute the digest independently to compare to the one in the message. So that is why you just need to provide the password for the user in the custom validator and the digest is computed internally to compare. You can get the user name by calling request.getUsername() to get the username and then find the password for it in your system.
I try to write in code the way I understood your answer:
    // Called by Metro before validate(): supply the stored password for the user named in the token.
    public void setPassword(Request request) {
        PasswordValidationCallback.DigestPasswordRequest req =
                (PasswordValidationCallback.DigestPasswordRequest) request;
        String username = req.getUsername();
        req.setPassword(MyUsers.getUser(username).getPassword());
    }
The actual validation is done by the base class in validate().
I implemented it that way, and it works very well.
However, invoking a ws method now causes an error:

    com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier verifyPolicy
    SEVERE: Policy is null

> It should be from the call back handler configured on the client side if configured correctly.
In the base situation (my first posting), the callback handler class was invoked. But changing the namespace for "sp" from "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" to "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" - required if I want to use the <sp:HashPassword /> tag as you mentioned - causes the callback handler to no longer be invoked. There is no difference in the behaviour for both wsp namespace "http://www.w3.org/ns/ws-policy" or "http://schemas.xmlsoap.org/ws/2004/09/policy"
Kind regards, Dieter
Re: Hash password in policy file
Posted: Nov 3, 2009 2:19 PM, in response to: djehle
> However, invoking a ws method now causes an error:
> com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier verifyPolicy
> SEVERE: Policy is null

Never seen this. Can you provide a test case?

> > It should be from the call back handler configured on the client side if configured correctly.
>
> In the base situation (my first posting), the callback handler class was invoked. But changing the namespace for "sp" from "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" to "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" - required if I want to use the <sp:HashPassword /> tag as you mentioned - causes the callback handler to no longer be invoked.
> There is no difference in the behaviour for both wsp namespace "http://www.w3.org/ns/ws-policy" or "http://schemas.xmlsoap.org/ws/2004/09/policy"
>
> Kind regards,
> Dieter
Re: Hash password in policy file
Posted: Nov 2, 2009 6:37 AM, in response to: jdg6688
Addition to my previous reply: when I set a correct dummy password in setPassword() of the password validator on the server side, the web service call delivers a SOAP fault: Policy is null.