Hi Ruchith,

Thanks for your quick response. I was halfway through writing my own patch to 1.6.2 in that exact area of the code :) I have instead applied your changesets to my working copy of the Rampart source. However, I'm having a problem with the following code:

    } else if (wssUt.getPassword() == null
            || !wssUt.getPasswordType().equals(WSConstants.PASSWORD_TEXT)) {
        throw new RampartException("invalidUsernameTokenType");

When a PasswordDigest is used, wssUt.getPassword() returns the hashed password value, and so this exception is thrown, even though the request is valid according to the policy. Am I missing something here, or should this if statement be something like:

    } else if (!ut.isHashPassword()
            && (wssUt.getPassword() == null
                || !wssUt.getPasswordType().equals(WSConstants.PASSWORD_TEXT))) {
        throw new RampartException("invalidUsernameTokenType");

Happy to raise a bug and provide a patch if you concur.

Thanks,
Nathan

> Date: Mon, 4 Mar 2013 01:03:33 -0500
> Subject: Re: Rampart: sp:HashPassword does not require receiving a hashed password
> From: ruchith.ferna...@gmail.com
> To: java-dev@axis.apache.org
>
> Hi Nathan,
>
> IMHO you are correct that the fix should be in PolicyBasedResultsValidator
> and I believe this is fixed in the latest rampart trunk [1], [2], [3].
> Please try the latest rampart trunk. Please do file a bug and provide a
> patch if these fixes are not sufficient.
>
> In the case of previous releases, I think the password callback handler
> implementation provided at the server side can check the password type
> and throw an exception in the case a plain text password is used.
>
> Thanks,
> Ruchith
>
> 1. http://svn.apache.org/viewvc?view=revision&revision=1442444
> 2. http://svn.apache.org/viewvc?view=revision&revision=1440696
> 3. http://svn.apache.org/viewvc?view=revision&revision=1440633
>
> On Mon, Mar 4, 2013 at 12:08 AM, Nathan Clement
> <nathan.a.clem...@hotmail.com> wrote:
> > Hi,
> >
> > I'm new to Rampart and I've been experimenting with UsernameTokens. My
> > policy file contains the <sp:HashPassword/> assertion. However, when
> > receiving a wsse:Security header, Rampart is allowing a plain text password.
> >
> > From the WS-SecurityPolicy 1.2 spec:
> >
> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html
> >
> > /sp:UsernameToken/wsp:Policy/sp:HashPassword
> > This optional element is a policy assertion that indicates that the
> > wsse:Password element MUST be present in the Username token and that the
> > content of the wsse:Password element MUST contain a hash of the timestamp,
> > nonce and password as defined in [WSS: Username Token Profile].
> >
> > From this I understand that my policy should mean that requests with
> > UsernameTokens containing plaintext passwords are rejected. Does Rampart
> > support this policy on the receiving side?
> >
> > I see that WSS4J's WSSConfig has a "requiredPasswordType" property. I'm
> > happy to attempt to write a patch for Rampart that sets this property based
> > on the policy. Is this the right place to implement this functionality, or
> > should it be part of PolicyBasedResultsValidator?
> >
> > The full policy is:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <wsp:Policy wsu:Id="UTOverTransport"
> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:TransportBinding
> >           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >         <wsp:Policy>
> >           <sp:AlgorithmSuite>
> >             <wsp:Policy>
> >               <sp:Basic256Sha256/>
> >             </wsp:Policy>
> >           </sp:AlgorithmSuite>
> >         </wsp:Policy>
> >       </sp:TransportBinding>
> >
> >       <sp:SignedSupportingTokens
> >           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >         <wsp:Policy>
> >           <sp:UsernameToken
> >               sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >             <wsp:Policy>
> >               <sp:HashPassword/>
> >             </wsp:Policy>
> >           </sp:UsernameToken>
> >         </wsp:Policy>
> >       </sp:SignedSupportingTokens>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > Thanks,
> >
> > Nathan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
> For additional commands, e-mail: java-dev-h...@axis.apache.org
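The check the thread is circling is simple to state: the receiver must compare the password type the policy demands (sp:HashPassword present or absent) with the Type attribute the incoming wsse:Password actually carries, and reject a mismatch in either direction. The following is an added, language-neutral model of that check written for this thread; it is not Rampart or WSS4J code. The names UsernameToken, validate_username_token, make_digest_token and rejection_reason are assumptions, policy_hash_password stands for what ut.isHashPassword() returns in Nathan's snippet, and every error message other than "invalidUsernameTokenType" is constructed for the example. It goes beyond the thread in two ways a server-side validator needs anyway: it verifies the digest using the Username Token Profile formula Password_Digest = Base64(SHA-1(nonce + created + password)), and it refuses a repeated nonce/created pair.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple

# Password type URIs from the WSS Username Token Profile 1.0; WSS4J exposes the
# same strings as WSConstants.PASSWORD_TEXT and WSConstants.PASSWORD_DIGEST.
UTP_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP_NS + "#PasswordText"
PASSWORD_DIGEST = UTP_NS + "#PasswordDigest"


class RampartError(Exception):
    """Stand-in for RampartException; the message plays the role of the fault key."""


@dataclass
class UsernameToken:
    """Fields of a received wsse:UsernameToken (constructed, not parsed from XML)."""
    username: str
    password: Optional[str]       # content of wsse:Password: clear text or digest
    password_type: Optional[str]  # wsse:Password/@Type; omitted means PasswordText
    nonce_b64: Optional[str] = None
    created: Optional[str] = None


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)), per the profile."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def make_digest_token(username: str, password: str, nonce: bytes, created: str) -> UsernameToken:
    """Builds the token a compliant client sends under an sp:HashPassword policy."""
    return UsernameToken(username, password_digest(nonce, created, password),
                         PASSWORD_DIGEST, base64.b64encode(nonce).decode("ascii"), created)


def validate_username_token(policy_hash_password: bool, tok: UsernameToken,
                            lookup_password: Callable[[str], Optional[str]],
                            seen_nonces: Set[Tuple[str, str]]) -> bool:
    """Enforce the policy's required password type, then verify the credential.

    policy_hash_password is what the validator derives from <sp:HashPassword/>,
    i.e. the value ut.isHashPassword() returns in the snippet above.
    """
    if tok.password is None:
        raise RampartError("invalidUsernameTokenType")
    expected_secret = lookup_password(tok.username)
    if expected_secret is None:
        raise RampartError("unknown user")  # constructed message, not a Rampart fault key

    if policy_hash_password:
        # sp:HashPassword: the token MUST carry a digest over nonce, created and password.
        if tok.password_type != PASSWORD_DIGEST or not tok.nonce_b64 or not tok.created:
            raise RampartError("invalidUsernameTokenType")
        key = (tok.nonce_b64, tok.created)
        if key in seen_nonces:
            raise RampartError("nonce replayed")  # constructed message
        expected = password_digest(base64.b64decode(tok.nonce_b64), tok.created, expected_secret)
        if not hmac.compare_digest(expected.encode("utf-8"), tok.password.encode("utf-8")):
            raise RampartError("password digest mismatch")  # constructed message
        seen_nonces.add(key)
        return True

    # No sp:HashPassword: the branch guarded by the proposed !ut.isHashPassword() test.
    # A clear-text password is required here and a digest is the wrong token type.
    if (tok.password_type or PASSWORD_TEXT) != PASSWORD_TEXT:
        raise RampartError("invalidUsernameTokenType")
    if not hmac.compare_digest(tok.password.encode("utf-8"), expected_secret.encode("utf-8")):
        raise RampartError("password mismatch")  # constructed message
    return True


def rejection_reason(policy_hash_password: bool, tok: UsernameToken,
                     lookup_password: Callable[[str], Optional[str]],
                     seen_nonces: Set[Tuple[str, str]]) -> Optional[str]:
    """None when the token validates, otherwise the RampartError message."""
    try:
        validate_username_token(policy_hash_password, tok, lookup_password, seen_nonces)
        return None
    except RampartError as err:
        return str(err)


if __name__ == "__main__":
    users = {"alice": "s3cret"}  # constructed credential store
    nonce, created = b"\x01\x02\x03\x04\x05\x06\x07\x08", "2013-03-04T06:03:33Z"
    digest_tok = make_digest_token("alice", "s3cret", nonce, created)
    plain_tok = UsernameToken("alice", "s3cret", PASSWORD_TEXT)
    print("digest under sp:HashPassword:", rejection_reason(True, digest_tok, users.get, set()))
    print("plain text under sp:HashPassword:", rejection_reason(True, plain_tok, users.get, set()))
    print("digest without sp:HashPassword:", rejection_reason(False, digest_tok, users.get, set()))
```

The nonce cache is keyed on the nonce/created pair exactly as received; a real deployment also bounds the cache by rejecting Created timestamps outside a freshness window, which is what lets old entries be expired.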