I think I have somewhat confused my query. The question is not about encrypting the authentication tokens in web service calls. My query is: is there a way by which we can encrypt the Axis AdminServlet's admin password?
<parameter name="adminPassword" value="admin"/>

Thanks and Regards,
Rajat Aggarwal
(91) 9880 029 826

On Sun, Mar 10, 2013 at 6:08 PM, Martin Gainty <mgai...@hotmail.com> wrote:

> Axis doc says to secure a service by encrypting passwords can be achieved
> by engaging rampart module (i use version 1.4.2 )
>
> cd $AXIS_HOME
> cd .\modules\rampart-samples\basic
>
> org.apache.rampart.samples.sample03.PWCBHandler.java is Password
> Verification method for encrypt\decrypt
> sample03.) UsernameToken authentication with a plain text password where
> services.xml contains
>
> <service>
>   .....................................
>   <parameter name="InflowSecurity">
>     <action>
>       <items>UsernameToken</items>
>       <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
>     </action>
>   </parameter>
> </service>
>
> upload service.aar then run service by..
> .\sample03\ant ant service.01
>
> client.axis2.xml contains:
>
> <axisconfig name="AxisJava2.0">
>   <module ref="rampart" />
>   <parameter name="OutflowSecurity">
>     <action>
>       <items>UsernameToken</items>
>       <user>aggarwal</user>
>       <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
>       <passwordType>UnencryptedPasswordText</passwordType>
>     </action>
>   </parameter>
>   ....
> </axisconfig>
>
> run client test ..
> .\sample03\ant ant.client.01
>
> .\sample05\ Encryption services.xml would contain
> <parameter name="InflowSecurity">
>   <action>
>     <items>Encrypt</items>
>     <passwordCallbackClass>org.apache.rampart.samples.sample05.PWCBHandler</passwordCallbackClass>
>     <decryptionPropFile>service.properties</decryptionPropFile>
>   </action>
> </parameter>
>
> service.properties would contain the attributes from security provider
> (bouncycastle or in this case oracle)
> this must exist on classpath
>
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.type=jks
> org.apache.ws.security.crypto.merlin.keystore.password=PutPasswordToBeEncryptedHere
> org.apache.ws.security.crypto.merlin.file=service.jks
>
> .\sample05 ant ant.service.05
>
> client.axis2.xml would contain callbackHandler and service.properties as
> seen here:
> <parameter name="InflowSecurity">
>   <action>
>     <items>Encrypt</items>
>     <passwordCallbackClass>org.apache.rampart.samples.sample05.PWCBHandler</passwordCallbackClass>
>     <decryptionPropFile>service.properties</decryptionPropFile>
>   </action>
> </parameter>
>
> once you verified service.properties params works for you you can use
> those attributes in a servlet with startup params which can be
> accomplished 2 ways
>
> 1)load down container startup script with -Dsystem_option=value params for
> example:
> %JAVA_HOME%\bin\java -classpath %CLASSPATH%
> -DJAVA_OPTS="-server -Xms256M -Xmx512M -XX:MaxPermSize=512M"
> -Dsun.security.ssl.allowUnsafeRenegotiation=true
> -Djavax.net.ssl.trustStore=$JRE_HOME/lib/security/cacerts
> -DtrustStorePath=$JRE_HOME/lib/security
> -Djavax.net.ssl.keyStoreType=jks
> -Djavax.net.ssl.keyStore=BancoSantander.jks
> -Dssl.KeyManagerFactory.algorithm=SunX509
> -Djavax.net.ssl.keyStorePassword=PutPasswordToBeEncryptedHere
> -Djavax.net.ssl.truststoreFile=cacerts
> -Djava.io.tmpdir=$CATALINA_HOME/tmp
> -Djavax.net.ssl.trustStore=$CATALINA_HOME/conf/jssecacerts
> -jar bootstrap.jar 1>tomcat.log
>
> --you can see where one misplaced character can fubar the entire script!
>
> 2)the safer alternative is to put all SSL params from
> service.properties in your SSL connector e.g.
> <Connector port="8443" protocol="HTTP/1.1"
>   algorithm="SunX509"
>   connectionTimeout="10000"
>   connectionLinger="-1"
>   keyStore="BancoSantander.jks"
>   keystorePass="PutPasswordToBeEncryptedHere"
>   keyStoreType="jks"
>   truststoreFile="cacerts"
>   truststorePass="TrustStorePasswordForCacerts"
>   truststoreType="jks"
>   trustStorePath="$JAVA_HOME/jre/lib/security"
>   maxKeepAliveRequests="1"
>   allowUnsafeLegacyRenegotiation="false"
>   secure="true"
>   SSLEnabled="true"
>   sslProtocol="TLS"
>   clientAuth="true"
> />
> http://tomcat.apache.org/tomcat-5.5-doc/config/http.html
>
> Steer clear of ciphers..it is a new feature and is still being alpha tested
>
> I have a date with a snow-shovel which I cannot delay..I'll check back at
> end of day to see how you're doing
>
> Martin
> ______________________________________________
> Disclaimer and confidentiality notice
>
> This message is confidential. If you are not the intended recipient, we
> kindly ask that you notify us. Any unauthorized forwarding or copying is
> prohibited. This message serves only for the exchange of information and
> has no legally binding effect. Because e-mails are easily manipulated, we
> cannot accept liability for the content.
>
>
> ------------------------------
> From: rajat.aggarwa...@gmail.com
> Date: Sun, 10 Mar 2013 17:02:36 +0530
> Subject: Encrypting The Admin Passwords used by the Axis Admin Servlet
> To: java-user@axis.apache.org
>
> Hi,
>
> We have some web services in our project, where our wsdd files contain the
> following lines:
>
> <globalConfiguration>
>   <parameter name="sendMultiRefs" value="true"/>
>   <parameter name="disablePrettyXML" value="true"/>
>   <parameter name="adminPassword" value="admin"/>
>   <parameter name="dotNetSoapEncFix" value="true"/>
>   <parameter name="enableNamespacePrefixOptimization" value="false"/>
>   <parameter name="sendXMLDeclaration" value="true"/>
>   <parameter name="sendXsiTypes" value="true"/>
>   <parameter name="axis.disableServiceList" value="true"/>
>   <parameter name="attachments.implementation"
>     value="org.apache.axis.attachments.AttachmentsImpl"/>
>   <requestFlow>
>     <handler type="java:org.apache.axis.handlers.JWSHandler">
>       <parameter name="scope" value="session"/>
>     </handler>
>     <handler type="java:org.apache.axis.handlers.JWSHandler">
>       <parameter name="scope" value="request"/>
>       <parameter name="extension" value=".jwr"/>
>     </handler>
>   </requestFlow>
> </globalConfiguration>
>
> I wanted to know the use of the above highlighted element (adminPassword),
> and also, is there any way we can introduce our own encryption mechanism to
> encrypt this password so that it is not visible in plain text to anyone?
>
> Thanks and Regards,
>
> Rajat Aggarwal
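
Added example, not part of the original thread and not code from the Axis, Rampart or Tomcat projects: a small audit that locates the cleartext secrets appearing in the configurations quoted above (the WSDD adminPassword parameter, the Merlin keystore.password property, and the Connector keystorePass/truststorePass attributes) and reports where they are without echoing their values. The sample inputs are constructed from the thread's snippets; the file labels server-config.wsdd and server.xml and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the snippets quoted in the thread.
SAMPLE_WSDD = """<deployment xmlns="http://xml.apache.org/axis/wsdd/">
  <globalConfiguration>
    <parameter name="adminPassword" value="admin"/>
  </globalConfiguration>
</deployment>"""
SAMPLE_PROPERTIES = """\
org.apache.ws.security.crypto.merlin.keystore.password=PutPasswordToBeEncryptedHere
org.apache.ws.security.crypto.merlin.file=service.jks
"""
SAMPLE_CONNECTOR = """<Connector port="8443" keystorePass="PutPasswordToBeEncryptedHere"
    truststorePass="TrustStorePasswordForCacerts" clientAuth="true"/>"""
SECRET_ATTRS = ("keystorePass", "truststorePass")

def local(tag):
    """Strip an XML namespace so WSDD files match with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_xml(text, source):
    """Find cleartext secrets in WSDD parameters and Connector attributes."""
    findings = []  # (source, name, kind); the secret value is never recorded
    for el in ET.fromstring(text).iter():
        if local(el.tag) == "parameter" and el.get("name") == "adminPassword":
            kind = "default value" if el.get("value") == "admin" else "cleartext"
            findings.append((source, "adminPassword", kind))
        if local(el.tag) == "Connector":
            findings += [(source, a, "cleartext") for a in SECRET_ATTRS if el.get(a)]
    return findings

def audit_properties(text, source):
    """Find property keys ending in 'password' that carry a literal value."""
    findings = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.lower().endswith("password") and value:
            findings.append((source, key, "cleartext"))
    return findings

def audit_all():
    """Run every check over the constructed samples (file labels are assumed)."""
    return (audit_xml(SAMPLE_WSDD, "server-config.wsdd")
            + audit_xml(SAMPLE_CONNECTOR, "server.xml")
            + audit_properties(SAMPLE_PROPERTIES, "service.properties"))

if __name__ == "__main__":
    for source, name, kind in audit_all():
        print(f"{source}: {name} -> {kind}")
```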