Hi,

I'm new to Rampart and I've been experimenting with UsernameTokens.  My policy 
file contains the <sp:HashPassword/> assertion.  However, when receiving a 
wsse:Security header, Rampart is allowing a plain text password.  From the 
WS-SecurityPolicy 1.2 spec:

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html

/sp:UsernameToken/wsp:Policy/sp:HashPassword
This optional element is a policy assertion that indicates that the 
wsse:Password element MUST be present in the Username token and that the 
content of the wsse:Password element MUST contain a hash of the timestamp, 
nonce and password as defined in [WSS: Username Token Profile].

From this I understand that my policy should mean that requests with 
UsernameTokens containing plaintext passwords are rejected.  Does Rampart 
support this policy on the receiving side?

I see that WSS4J's WSSConfig has a "requiredPasswordType" property.  I'm happy 
to attempt to write a patch for Rampart that sets this property based on the 
policy.  Is this the right place to implement this functionality, or should it 
be part of PolicyBasedResultsValidator?

The full policy is:

<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy wsu:Id="UTOverTransport"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding
          xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256Sha256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:TransportBinding>

      <sp:SignedSupportingTokens
          xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:UsernameToken
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:HashPassword/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

Thanks,

Nathan
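The receiving-side check the message asks about, as an added Java example that is not Rampart's or WSS4J's own code: it computes the Username Token Profile digest (Base64 of SHA-1 over nonce, created timestamp and password) and rejects a PasswordText token outright when the policy carries <sp:HashPassword/>. The class and method names, and the sample nonce, timestamp and password, are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper, not part of Rampart or WSS4J.
public final class HashPasswordCheck {
    // Type URIs from the WSS Username Token Profile 1.0.
    static final String TYPE_DIGEST =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";
    static final String TYPE_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";

    // Password_Digest = Base64(SHA-1(nonce + created + password)), nonce as raw bytes.
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // Validates a wsse:UsernameToken under a policy that requires HashPassword.
    static boolean accept(String passwordType, String passwordValue, String nonceB64,
                          String created, String expectedPassword) throws Exception {
        // Policy says <sp:HashPassword/>: anything other than PasswordDigest fails,
        // regardless of whether the plaintext value would have matched.
        if (!TYPE_DIGEST.equals(passwordType)) return false;
        // The digest is defined over nonce and created, so both must be present.
        if (nonceB64 == null || created == null || passwordValue == null) return false;
        byte[] nonce = Base64.getDecoder().decode(nonceB64);
        String expected = digest(nonce, created, expectedPassword);
        // Constant-time comparison of the expected and received digests.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     passwordValue.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; they do not come from the original message.
        String created = "2024-01-01T00:00:00Z";
        byte[] nonce = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        String nonceB64 = Base64.getEncoder().encodeToString(nonce);
        String goodDigest = digest(nonce, created, "secret");
        // Case 1: PasswordDigest token built from the correct password.
        System.out.println(accept(TYPE_DIGEST, goodDigest, nonceB64, created, "secret"));
        // Case 2: PasswordText token carrying the correct password; policy forbids this type.
        System.out.println(accept(TYPE_TEXT, "secret", null, null, "secret"));
    }
}
```

Wherever this lives in Rampart, the type check has to run before the password callback, so that a PasswordText token never reaches the password comparison when the policy demands a digest.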
