Hi Nathan,

IMHO you are correct that the fix should be in PolicyBasedResultsValidator and I believe this is fixed in the latest rampart trunk [1], [2], [3]. Please try the latest rampart trunk. Please do file a bug and provide a patch if these fixes are not sufficient.
In the case of previous releases, I think the password callback handler implementation provided at the server side can check the password type and throw an exception in the case a plain text password is used.

Thanks,
Ruchith

1. http://svn.apache.org/viewvc?view=revision&revision=1442444
2. http://svn.apache.org/viewvc?view=revision&revision=1440696
3. http://svn.apache.org/viewvc?view=revision&revision=1440633

On Mon, Mar 4, 2013 at 12:08 AM, Nathan Clement <[email protected]> wrote:
> Hi,
>
> I'm new to Rampart and I've been experimenting with UsernameTokens. My
> policy file contains the <sp:HashPassword/> assertion. However, when
> receiving a wsse:Security header, Rampart is allowing a plain text password.
> From the WS-SecurityPolicy 1.2 spec:
>
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html
>
> /sp:UsernameToken/wsp:Policy/sp:HashPassword
> This optional element is a policy assertion that indicates that the
> wsse:Password element MUST be present in the Username token and that the
> content of the wsse:Password element MUST contain a hash of the timestamp,
> nonce and password as defined in [WSS: Username Token Profile].
>
> From this I understand that my policy should mean that requests with
> UsernameTokens containing plaintext passwords are rejected. Does Rampart
> support this policy on the receiving side?
>
> I see that WSS4J's WSSConfig has a "requiredPasswordType" property. I'm
> happy to attempt to write a patch for Rampart that sets this property based
> on the policy. Is this the right place to implement this functionality, or
> should it be part of PolicyBasedResultsValidator?
>
> The full policy is:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <wsp:Policy wsu:Id="UTOverTransport"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:TransportBinding
>           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256Sha256/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>         </wsp:Policy>
>       </sp:TransportBinding>
>
>       <sp:SignedSupportingTokens
>           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:UsernameToken
>               sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:HashPassword/>
>             </wsp:Policy>
>           </sp:UsernameToken>
>         </wsp:Policy>
>       </sp:SignedSupportingTokens>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> Thanks,
>
> Nathan
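The server-side workaround Ruchith describes for older releases (a password callback handler that inspects the password type and refuses plaintext) looks roughly like the class below. This is an added example, not code from the thread, from Rampart or from WSS4J. It assumes the WSS4J 1.6 API that Rampart 1.6.x builds on (WSPasswordCallback.getPasswordType(), WSPasswordCallback.USERNAME_TOKEN, WSConstants.PASSWORD_DIGEST), that the class is wired in through the RampartConfig passwordCallbackClass element, and it uses a hypothetical in-memory user map in place of a real credential store.

```java
package example;

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Server-side password callback handler that enforces <sp:HashPassword/>
 * by rejecting any UsernameToken whose wsse:Password is not of type
 * PasswordDigest. Added example; assumes the WSS4J 1.6 callback API.
 */
public class DigestOnlyPasswordCallbackHandler implements CallbackHandler {

    // Hypothetical credential store standing in for a real lookup.
    // Digest verification needs the server to know the user's actual
    // password: WSS4J recomputes Base64(SHA-1(nonce + created + password))
    // and compares it with wsse:Password, so a one-way hash of the
    // password stored on the server cannot be used for this mode.
    private static final Map<String, String> USERS;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("alice", "correct horse battery staple");
        USERS = Collections.unmodifiableMap(m);
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Unexpected callback type");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;

            // Only UsernameToken verification is handled here. Other usages
            // (key store or private key passwords for signing/encryption)
            // would be added as further cases in a real deployment.
            if (pwcb.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                throw new UnsupportedCallbackException(cb, "Unsupported usage: " + pwcb.getUsage());
            }

            // The policy says HashPassword, so anything other than an explicit
            // PasswordDigest type is refused. The Username Token Profile
            // defaults a missing Type attribute to PasswordText, so a null
            // type is refused as well rather than given the benefit of the doubt.
            String type = pwcb.getPasswordType();
            if (!WSConstants.PASSWORD_DIGEST.equals(type)) {
                throw new IOException("UsernameToken rejected: password type "
                        + (type == null ? "(none)" : type)
                        + " is not " + WSConstants.PASSWORD_DIGEST);
            }

            String password = USERS.get(pwcb.getIdentifier());
            if (password == null) {
                // Unknown user: leave the password unset; WSS4J then fails
                // authentication for the token.
                return;
            }
            // WSS4J recomputes the digest from the token's nonce and created
            // values plus this password and compares it with wsse:Password.
            pwcb.setPassword(password);
        }
    }
}
```

WSS4J's UsernameToken validation catches the IOException thrown from handle() and turns it into a WSSecurityException with FAILED_AUTHENTICATION, so the request is rejected before any password comparison happens. The check is deliberately an allow-list on PasswordDigest rather than a deny-list on PasswordText: that way a token with no Type attribute, or with some unexpected type URI, also fails closed. Note that this only protects services whose handler is wired this way; a policy-driven fix in PolicyBasedResultsValidator, as discussed above, applies to every service using the policy.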
