Yoann Guerro created RAMPART-383:
------------------------------------

             Summary: sp:HashPassword from WS-SecurityPolicy 1.2 assertion doesn't work
                 Key: RAMPART-383
                 URL: https://issues.apache.org/jira/browse/RAMPART-383
             Project: Rampart
          Issue Type: Bug
          Components: rampart-policy
    Affects Versions: 1.6.2
         Environment: Windows XP Professional
Java 1.6.0_26
Eclipse 3.5.1
Axis2 1.6.2
Neethi 3.0.2
            Reporter: Yoann Guerro


I have a WSDL with the following policy:

<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
                <sp:HashPassword />
                <sp:WssUsernameToken11 />
        </wsp:Policy>
</sp:UsernameToken>

According to the WS-SecurityPolicy 1.2, which is supported by Rampart 1.6.2 (modulo
the workaround from issue RAMPART-371,
https://issues.apache.org/jira/browse/RAMPART-371), the policy grammar is as
follows:



<sp:UsernameToken sp:IncludeToken="xs:anyURI"? xmlns:sp="..." ... >
  (
    <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer> |  
    <sp:IssuerName>xs:anyURI</sp:IssuerName>
  ) ?
  <wst:Claims Dialect="..."> ... </wst:Claims> ?
  <wsp:Policy xmlns:wsp="...">
    (
      <sp:NoPassword ... /> |
      <sp:HashPassword ... />
    ) ?
    (
      <sp:RequireDerivedKeys /> |
      <sp:RequireImpliedDerivedKeys ... /> |
      <sp:RequireExplicitDerivedKeys ... />
    ) ?
    (
      <sp:WssUsernameToken10 ... /> |
      <sp:WssUsernameToken11 ... />
    ) ?
    ...
  </wsp:Policy>
  ...
</sp:UsernameToken>

My policy respects the grammar.

But while launching a client, setting username and password callback, the 
output shows the following section:

<wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>USER</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>
</wsse:UsernameToken>

And debugging the code, the rampart policy does create a UsernameToken with 
hashpassword attribute set to false.

I thought it was due to the following neethi issue
(https://issues.apache.org/jira/browse/NEETHI-3) but using the same version of
neethi with CXF and WSS4J it works (I mean password digest is sent).

Note that I'm not using a rampart configuration, just engaging the module as 
follows:

        mProxy._getServiceClient().engageModule("rampart");
        // Set Password callback
        mProxy._getServiceClient().getOptions().setProperty(WSHandlerConstants.PW_CALLBACK_REF,
                new ClientPasswordCallbackHandler());
        // Set User name
        mProxy._getServiceClient().getOptions().setUserName("USER");
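
A check for the mismatch described in this report, as an added example (not part of the original report and not Rampart code): it reads a policy and an outgoing wsse:UsernameToken and reports when sp:HashPassword is asserted but the password is not sent as a PasswordDigest. The function names, the namespace declarations on the samples and the sample documents are assumptions constructed for the illustration; the digest formula is the one from the WSS UsernameToken Profile 1.0.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"  # assumed; the report does not show it
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"

def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce + created + password)); the nonce is decoded first."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def check_token(policy_xml, token_xml, password=None):
    """Return findings for a UsernameToken checked against the policy; [] means OK."""
    policy, token = ET.fromstring(policy_xml), ET.fromstring(token_xml)
    if next(policy.iter(f"{{{SP}}}HashPassword"), None) is None:
        return []  # policy does not require a digest
    pw = token.find(f"{{{WSSE}}}Password")
    if pw is None:
        return ["sp:HashPassword required, but the token has no wsse:Password"]
    pw_type = pw.get("Type", UTP + "#PasswordText")  # PasswordText is the profile default
    if pw_type != UTP + "#PasswordDigest":
        return ["sp:HashPassword required, but Password Type is " + pw_type.rsplit("#", 1)[-1]]
    if password is not None:  # optionally recompute the digest from the token's fields
        nonce = token.findtext(f"{{{WSSE}}}Nonce") or ""
        created = token.findtext(f"{{{WSU}}}Created") or ""
        if password_digest(nonce, created, password) != (pw.text or "").strip():
            return ["PasswordDigest does not match the expected password"]
    return []

# Constructed samples mirroring the report, with namespace declarations added.
POLICY = (f'<sp:UsernameToken xmlns:sp="{SP}" xmlns:wsp="{WSP}"><wsp:Policy>'
          '<sp:HashPassword/><sp:WssUsernameToken11/></wsp:Policy></sp:UsernameToken>')

def make_token(password_element, extra=""):
    """Wrap a wsse:Password element (plus optional Nonce/Created) in a UsernameToken."""
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>USER</wsse:Username>{password_element}{extra}'
            '</wsse:UsernameToken>')

TEXT_TOKEN = make_token(f'<wsse:Password Type="{UTP}#PasswordText">PASSWORD</wsse:Password>')

if __name__ == "__main__":
    print(check_token(POLICY, TEXT_TOKEN))
```
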

