Just a follow up to this:

It seems that the config is actually working, but I forgot that the
callback handler I got from the sample code was working for both cases
(plaintext AND digest)

            // used when plaintext password in message
            if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                if (!"client".equals(id) || !"apache".equals(pwcb.getPassword())) {
                    throw new UnsupportedCallbackException(callbacks[i], "check failed");
                }

            // when hashed password in message
            } else if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {

                if ("client".equals(id)) {
                    pwcb.setPassword("apache");
                } else {
                    throw new UnsupportedCallbackException(callbacks[i], "check failed");
                }

            }

I just changed the above to fail when plaintext is being sent.

So the only question I have is the one about the PasswordDigest not
being indicated as required in the WS-Policy part of the WSDL.


Ellecer



On Wed, Oct 28, 2009 at 4:30 PM, Ellecer Valencia <[email protected]> wrote:
> Hi,
>
> I've been able to set up WS-Security using username + Password in
> plaintext using Rampart on the sample Version webservice. However,
> I've been stuck all day trying to get authentication using Password
> Digest.
>
> Now from the examples I've seen, it seems that the only difference
> between the two kinds of authentication is this bit:
>
> <wsp:Policy>
>   <sp:HashPassword/>
> </wsp:Policy>
>
>
> I've tried to configure Password Digest by adding this to the services.xml:
>
> <service name="Version">
>    <description>
>        This service is to get the running Axis version
>    </description>
>    <parameter name="ServiceClass">sample.axisversion.Version</parameter>
>    <operation name="getVersion">
>      <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" />
>    </operation>
>
>    <!-- SET MODULE -->
>    <module ref="rampart" />
>
>    <!-- SET WS-POLICY -->
>    <!-- DIGESTED PASSWORD -->
>
>    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                wsu:Id="UsernameToken">
>      <wsp:ExactlyOne>
>        <wsp:All>
>          <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>            <wsp:Policy>
>              <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>
>                <wsp:Policy>
>                  <sp:HashPassword/>
>                </wsp:Policy>
>
>              </sp:UsernameToken>
>
>            </wsp:Policy>
>          </sp:SupportingTokens>
>
>          <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>            <ramp:passwordCallbackClass>sample.axisversion.PWCBHandler</ramp:passwordCallbackClass>
>          </ramp:RampartConfig>
>
>        </wsp:All>
>      </wsp:ExactlyOne>
>    </wsp:Policy>
> </service>
>
> However, when I'm running the service, it seems to still be performing
> plaintext authentication! I don't understand what's going on.
>
> I've run the sample by Dennis Sosnoski from the IBM site from this URL:
>
> http://www.ibm.com/developerworks/webservices/library/j-jws4/index.html
>
> And that sample code is performing as it should, using password digest.
>
> The above config is just copied from the file hash-policy-server.xml in
> his sample code (replaced the callback handler with my own), so I
> can't see where else the config could be wrong.
>
> Also, is all of WS-Policy meant to be displayed in generated WSDL? In
> the generated WSDL it doesn't include the HashPassword bit. The
> WS-Policy shown in the WSDL is this:
>
>    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                wsu:Id="UsernameToken">
>        <wsp:ExactlyOne>
>            <wsp:All>
>                <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                    <wsp:Policy>
>                        <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
>                    </wsp:Policy>
>                </sp:SupportingTokens>
>
>            </wsp:All>
>        </wsp:ExactlyOne>
>    </wsp:Policy>
>
>
> So I guess there are 2 questions here:
>
> 1. Is WS-Policy in the WSDL also meant to indicate that PasswordDigest
> is used instead of just plain text passwords? Would the above
> behaviour indicate an Axis2 bug? I don't understand what other files
> Axis could be looking at.
>
> I haven't actually seen any examples of WSDL files that indicate
> Password Digest is used in the WS Policy. If you've seen any out
> there, send me the URL!
>
> 2. Does anyone have any clues or ideas on what else is wrong with the
> above config, or what else needs to be configured to get WS-Security
> with PasswordDigest working?
>
> Software used:
> Axis 1.5.1
> Rampart 1.4
>
> Thanks very much for any help you can give!
>
>
> Ellecer
>
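
An added example, not part of the original messages and not Rampart or WSS4J code: it checks whether a UsernameToken on the wire carries PasswordText or PasswordDigest, and verifies a digest as Base64(SHA-1(nonce + created + password)) from the WSS UsernameToken Profile, which is why the digest branch of the handler has to supply the stored password instead of comparing it. The function names and the sample token are constructed for illustration; the client/apache credentials are the ones in the handler above.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"

def password_digest(nonce_b64, created, password):
    # Password_Digest = Base64(SHA-1(decoded nonce + created + password))
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def check_username_token(xml_text, passwords):
    """Return (username, kind, ok); kind is 'digest', 'plaintext' or 'none'."""
    token = ET.fromstring(xml_text).find(f".//{{{WSSE}}}UsernameToken")
    pw = token.find(f"{{{WSSE}}}Password") if token is not None else None
    if token is None or pw is None:
        return (None, "none", False)
    user = token.findtext(f"{{{WSSE}}}Username")
    # A missing Type attribute means PasswordText; reject it like the changed handler.
    if pw.get("Type", PROFILE + "#PasswordText") != PROFILE + "#PasswordDigest":
        return (user, "plaintext", False)
    nonce = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    known = passwords.get(user)  # the server must hold the password itself
    if not (nonce and created and known and pw.text):
        return (user, "digest", False)
    expected = password_digest(nonce, created, known)
    ok = hmac.compare_digest(expected.encode(), pw.text.strip().encode())
    return (user, "digest", ok)

def sample_token(user, password, use_digest):
    # Constructed sample header; nonce and timestamp are made-up values.
    nonce = base64.b64encode(b"constructed-nonce-0001").decode()
    created = "2009-10-28T05:30:00Z"
    kind = "#PasswordDigest" if use_digest else "#PasswordText"
    value = password_digest(nonce, created, password) if use_digest else password
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{PROFILE}{kind}">{value}</wsse:Password>'
            f'<wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security>')

if __name__ == "__main__":
    users = {"client": "apache"}
    for digest in (False, True):
        print(check_username_token(sample_token("client", "apache", digest), users))
```

Nonce replay tracking and a freshness window on Created are left out of this example.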
