Hi thank you!

So the callback number is 0 (sorry for forgetting

the usage is really 'Username_Token'; 

Here is the test
   
                  if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN)
                  {
                      try {
                          throw new Exception("USername_Token");
                      } catch (Exception e) {
                          // TODO Auto-generated catch block
                          e.printStackTrace();
                      }
                  }
                  

But I was searching all night how to force my callback handler to use
Username_token_Unknown but with no success.


And last, if you of course know:

I have to consume my web service from JavaScript and I use this SOAP request. But
as you see, everyone with just one View Source can see the user and the password
with no problem.

Thank you again Robert for your help

 var sr =
                "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
                "<soapenv:Envelope " +
                 "xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
                 "xmlns:nilo=\"http://nilo\">" +
                  "<soapenv:Header>" +
                  '<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">' +
                  '<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="123">' +
                  // user name and password are embedded in the page source
                  '<wsse:Username>bobWWW</wsse:Username>' +
                  '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>' +
                  '</wsse:UsernameToken>' +
                  '</wsse:Security>' +
                  "</soapenv:Header>" +
                  "<soapenv:Body>" +
                  "<nilo:getdataForChecking>" +
                  '<nilo:data>' + tranXml + '</nilo:data>' +
                  '</nilo:getdataForChecking>' +
                  '</soapenv:Body>' +
                  '</soapenv:Envelope>';










________________________________
 From: robert lazarski <robertlazar...@gmail.com>
To: java-user@axis.apache.org; Tania Marinova <taniamm2...@yahoo.com> 
Sent: Thursday, May 9, 2013 6:44 PM
Subject: Re: why WSPasswordCallback.getPassword is null when I try my soap 
request is really 
 

On Thu, May 9, 2013 at 12:05 PM, Tania Marinova <taniamm2...@yahoo.com> wrote:
> I tried your code (instead of System.out.println I throw an exception)
>
>
>
>
> public void handle(Callback[] callbacks) throws IOException,
>         UnsupportedCallbackException
> {
>     for (int i = 0; i < callbacks.length; i++) {
>         WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
>
>         if (pwcb.getUsage() == 0)
>         {
>             try {
>                 throw new Exception("Usage is 0");
>             } catch (Exception e) {
>                 // TODO Auto-generated catch block
>                 e.printStackTrace();
>             }
>         }
>         else
>         {
>             try {
>                 throw new Exception("Usage is: " + pwcb.getUsage());
>             } catch (Exception e) {
>                 // TODO Auto-generated catch block
>                 e.printStackTrace();
>             }
>         }
>
>         if (pwcb.getIdentifier() == null)
>         {
>             pwcb.setPassword("bobPW");
>         }
>         else
>         {
>             try {
>                 throw new Exception("found id, could be used to get stored passwod" + pwcb.getIdentifier());
>             } catch (Exception e) {
>                 // TODO Auto-generated catch block
>                 e.printStackTrace();
>             }
>         }
>     }
> }
>
>       And here is the response
>
>
>
>
>
>
> java.lang.Exception: Usage is: 2
>     at nilo.PWCBHandler.handle(PWCBHandler.java:77)

//haide mac
>
> -----------------------------------------------------------------------------------------
> java.lang.Exception: found id, could be used to get stored passwod: bobWWW
>     at nilo.PWCBHandler.handle(PWCBHandler.java:97)
>     at
> org.apache.rampart.TokenCallbackHandler.handle(TokenCallbackHandler.java:98)
>
> a------------------------------------------------------------------------------------
>
>
> So usage is: 2 and of course it extracts the identifier correctly

Well, you removed part of my debugging that informed the Callback index
number in the array; it's possible there is a different usage number in
each loop if there is more than one Callback - not sure.

Anyways, usage 2 is USERNAME_TOKEN, which explains the null password.
You seem to want usage USERNAME_TOKEN_UNKNOWN = 5.

Once you get to that point, you still have the hash and salt stored
separate in different columns, bad idea! Google on rainbow tables to
understand the vulnerability.

- R
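
Added example, not part of the original messages or of Rampart/WSS4J: a callback handler that treats the two usages discussed above differently, supplying the stored password for USERNAME_TOKEN (2) and verifying the client-sent password against a salted hash for USERNAME_TOKEN_UNKNOWN (5). The class name, the two in-memory maps standing in for the database, and the PBKDF2 parameters are assumptions; the usage-5 contract (verify in the handler, throw on mismatch) is taken as documented for WSS4J 1.5.x.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.callback.*;
import org.apache.ws.security.WSPasswordCallback;

// Added example (hypothetical class name); not the poster's PWCBHandler.
public class UsageAwarePWCBHandler implements CallbackHandler {
    // Hypothetical in-memory stores standing in for the database tables.
    final Map<String, String> clearByUser = new HashMap<>();      // usage 2 needs the password itself
    final Map<String, byte[][]> saltHashByUser = new HashMap<>(); // usage 5: {salt, PBKDF2 hash}
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            String user = pwcb.getIdentifier();
            switch (pwcb.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN:
                // getPassword() is null here: hand the stored password to WSS4J, which compares.
                String stored = clearByUser.get(user);
                if (stored == null) throw new IOException("authentication failed");
                pwcb.setPassword(stored);
                break;
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                // getPassword() holds what the client sent: verify it here, throw on mismatch.
                byte[][] rec = saltHashByUser.get(user);
                String sent = pwcb.getPassword();
                if (rec == null || sent == null || !MessageDigest.isEqual(rec[1], pbkdf2(sent, rec[0])))
                    throw new IOException("authentication failed");
                break;
            default:
                throw new UnsupportedCallbackException(cb, "unsupported usage " + pwcb.getUsage());
            }
        }
    }
    // PBKDF2-HMAC-SHA256 (Java 8+); iteration count and key length are assumptions.
    static byte[] pbkdf2(String password, byte[] salt) throws IOException {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IOException("password hashing unavailable", e);
        }
    }
}
```

Only the usage-5 branch can work from a salted hash; the usage-2 branch requires the server to hold the password in recoverable form.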
