Martin, I looked in the code and it stated that the callback must provide the
password.
MG>yep..the next snippet of code that I sent you ..the next line is
setPassword(password)
This is not good for a service that does not store the password but only a
password digest (for security reasons).
MG>agreed

That means the service does not know the user's password and a hacker cannot
obtain it by hacking into the service's database.
MG>agreed..I'm a bit surprised I haven't seen this on a CVE yet
The hacker might be able to obtain a single user's password hidden in TLS
(unlikely)
MG>if there is no encryption or decryption at transport layer..
but that would be only one. The idea would be to get the password, perform the
digest and if it matches the stored digest, it is okay. Set the password,
otherwise err.

MG>so the idea is when rampart puts a password on the wire the only thing the 
sniffer sees is the MD5
MG>can we fit MD5 into UsernameTokenType?
<xsd:complexType name="UsernameTokenType">
  <xsd:annotation>
    <xsd:documentation>This type represents a username token per Section 4.1</xsd:documentation>
  </xsd:annotation>
  <xsd:sequence>
    <xsd:element type="wsse:AttributedString" name="Username"/>
    <xsd:any processContents="lax" maxOccurs="unbounded" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute ref="wsu:Id"/>
  <xsd:anyAttribute namespace="##other" processContents="lax"/>
</xsd:complexType>

MG>the second child element of UTT is a lax unbounded element ..can we toss the 
MD5 in there?
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
MG>What do others think?
MG>This is a great idea for tightening Rampart Security Brian... I think we
should push for a patch!
MG

From: Martin Gainty [mailto:mgai...@hotmail.com]
Sent: Tuesday, January 15, 2013 4:26 PM
To: java-dev@axis.apache.org
Subject: RE: Rampart STS Username service not returning password in callback

Hi Brian
 
assuming rampart implements this configuration:
 
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                     soapenv:mustUnderstand="1">
         <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                        wsu:Id="Timestamp-12468716">
            <wsu:Created>2008-06-23T13:17:13.841Z</wsu:Created>
            <wsu:Expires>2008-06-23T13:22:13.841Z</wsu:Expires>
         </wsu:Timestamp>
         <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                             wsu:Id="UsernameToken-31571602">
            <wsse:Username>alice</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
      <wsa:To>http://localhost:8081/axis2/services/sample01</wsa:To>
      <wsa:MessageID>urn:uuid:AEDBA74A8D1FC94B631214227032877</wsa:MessageID>
      <wsa:Action>urn:echo</wsa:Action>
   </soapenv:Header>
   <soapenv:Body>
      <ns1:echo xmlns:ns1="http://sample01.policy.samples.rampart.apache.org">
         <param0>Hello world</param0>
      </ns1:echo>
   </soapenv:Body>
</soapenv:Envelope>
 
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for (int i = 0; i < callbacks.length; i++) {
        // When the server side needs to authenticate the user
        WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
        if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
            // The sample compares against a hard-coded user; the password arrived on the wire
            if (pwcb.getIdentifier().equals("bob") && pwcb.getPassword().equals("bobPW")) {
                return;
            }
            // Anything else is rejected (the mail was cut off here; this is the closing branch)
            throw new UnsupportedCallbackException(callbacks[i], "check failed");
        }
    }
}
 
http://wso2.org/library/3733

HTH,

Martin Gainty 

 > From: brianreinh...@lampreynetworks.com
> To: java-dev@axis.apache.org
> Subject: Rampart STS Username service not returning password in callback
> Date: Tue, 15 Jan 2013 15:00:53 -0500
> 
> Has anyone else had this problem? I have a simple STS Username token request
> for a SAML token where the username token is as follows:
> 
> <wsse:UsernameToken wsu:Id="UsernameToken-ID">
> <wsse:Username>myName</wsse:Username>
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">myPassword</wsse:Password>
> </wsse:UsernameToken> 
> 
> 
> On the receive side there is a callback to verify the username token
> 
> public void handle(Callback[] callbacks) throws IOException,
>         UnsupportedCallbackException
> {
>     for (Callback callback : callbacks)
>     {
>         WSPasswordCallback cb = (WSPasswordCallback) callback;
>         int callbackType = cb.getUsage();
>         switch (callbackType)
>         {
>         case WSPasswordCallback.USERNAME_TOKEN:
>             try
>             {
>                 if (cb.getType().equals(WSConstants.PASSWORD_TEXT))
>                 {
>                     String myPassword = cb.getPassword();
>                     ...
> 
> The returned 'myPassword' is null. Any ideas why?
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
> For additional commands, e-mail: java-dev-h...@axis.apache.org
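The two server-side designs discussed in this thread, as an added Python example that is not code from the thread or from Rampart/WSS4J: a handler that knows the cleartext password and recomputes the UsernameToken PasswordDigest (which is why the WSS4J callback has to supply the password), beside Brian's service that keeps only a salted hash and therefore verifies a PasswordText value by hashing it. The users, salt and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credentials. PLAINTEXT_STORE mirrors the Rampart sample
# handler (it knows "bobPW"); DIGEST_STORE mirrors Brian's service, which keeps
# only a salted PBKDF2 hash and never the password itself.
PLAINTEXT_STORE = {"bob": "bobPW"}
_SALT = b"constructed-salt-not-secret"
DIGEST_STORE = {"bob": hashlib.pbkdf2_hmac("sha256", b"bobPW", _SALT, 100_000)}
SEEN_NONCES = set()   # replay cache for PasswordDigest tokens


def ws_password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest as defined by the WSS UsernameToken Profile 1.0:
    Base64(SHA-1(nonce + created + password)). Binding the nonce and Created
    value into the hash is what stops a captured digest from being replayed."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_digest_token(user: str, password: str, created: str) -> dict:
    """Client side: the fields Rampart puts on the wire instead of PasswordText."""
    nonce = os.urandom(16)
    return {"Username": user, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "Password": ws_password_digest(nonce, created, password)}


def verify_digest_token(token: dict) -> bool:
    """Server side for PasswordDigest. The verifier must recompute the digest, so
    it needs the cleartext password: this is why the WSS4J callback is asked to
    setPassword() rather than being handed one. A hash-only store cannot do this."""
    password = PLAINTEXT_STORE.get(token["Username"])
    if password is None or token["Nonce"] in SEEN_NONCES:
        return False                 # unknown user or replayed nonce
    SEEN_NONCES.add(token["Nonce"])  # production code also bounds Created to a time window
    expected = ws_password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
    return hmac.compare_digest(expected, token["Password"])


def verify_text_token(user: str, password: str) -> bool:
    """Server side for Brian's scheme: PasswordText arrives inside TLS, the service
    hashes it with the stored salt and compares against the stored digest."""
    stored = DIGEST_STORE.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)
    return hmac.compare_digest(candidate, stored)
```

A bare hash of the password dropped into the token's open any-element, as floated above, would itself be a replayable credential; the profile's digest avoids that only because the nonce and Created value are part of the hashed input.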