Hi, thank you!
So the callback number is 0 (sorry for forgetting), and
the usage is really 'Username_Token'.
Here is the test:
    if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN)
    {
        try {
            throw new Exception("Username_Token: callback number " + i + ", Usage is 0");
        } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }
But I was searching all night for how to force my callback handler to use
Username_token_Unknown, but with no success.
And last, if you of course know:
I have to consume my web service from JavaScript and I use this SOAP request. But
as you see, everyone with just one View Source can see the user and the password
with no problem.
Thank you again, Robert, for your help.
    // tranXml holds the payload XML built elsewhere in the page
    var sr =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
        "<soapenv:Envelope " +
        "xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
        "xmlns:nilo=\"http://nilo\">" +
        "<soapenv:Header>" +
        '<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">' +
        '<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="123">' +
        '<wsse:Username>bobWWW</wsse:Username>' +
        '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>' +
        '</wsse:UsernameToken>' +
        '</wsse:Security>' +
        "</soapenv:Header>" +
        "<soapenv:Body>" +
        "<nilo:getdataForChecking>" +
        '<nilo:data>' + tranXml + '</nilo:data>' +
        '</nilo:getdataForChecking>' +
        '</soapenv:Body>' +
        '</soapenv:Envelope>';
________________________________
From: robert lazarski <[email protected]>
To: [email protected]; Tania Marinova <[email protected]>
Sent: Thursday, May 9, 2013 6:44 PM
Subject: Re: why WSPasswordCallback.getPassword is null when I try my soap request is really
On Thu, May 9, 2013 at 12:05 PM, Tania Marinova <[email protected]> wrote:
> I tried your code (instead of System.out.println I throw an exception):
>
>     public void handle(Callback[] callbacks) throws IOException,
>             UnsupportedCallbackException
>     {
>         for (int i = 0; i < callbacks.length; i++) {
>             WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
>
>             if (pwcb.getUsage() == 0)
>             {
>                 try {
>                     throw new Exception("Usage is 0");
>                 } catch (Exception e) {
>                     // TODO Auto-generated catch block
>                     e.printStackTrace();
>                 }
>             }
>             else
>             {
>                 try {
>                     throw new Exception("Usage is: " + pwcb.getUsage());
>                 } catch (Exception e) {
>                     // TODO Auto-generated catch block
>                     e.printStackTrace();
>                 }
>             }
>
>             if (pwcb.getIdentifier() == null)
>             {
>                 pwcb.setPassword("bobPW");
>             }
>             else
>             {
>                 try {
>                     throw new Exception("found id, could be used to get stored passwod" + pwcb.getIdentifier());
>                 } catch (Exception e) {
>                     // TODO Auto-generated catch block
>                     e.printStackTrace();
>                 }
>             }
>         }
>     }
>
> And here is the response:
>
> java.lang.Exception: Usage is: 2
>     at nilo.PWCBHandler.handle(PWCBHandler.java:77)
> -----------------------------------------------------------------------------------------
> java.lang.Exception: found id, could be used to get stored passwod: bobWWW
>     at nilo.PWCBHandler.handle(PWCBHandler.java:97)
>     at org.apache.rampart.TokenCallbackHandler.handle(TokenCallbackHandler.java:98)
> ------------------------------------------------------------------------------------
>
> So usage is 2 and of course it extracts the identifier correctly.
Well, you removed part of my debugging that informed the Callback index
number in the array; it's possible there is a different usage number in
each loop if there is more than one Callback - not sure.
Anyways, usage 2 is USERNAME_TOKEN, which explains the null password.
You seem to want usage USERNAME_TOKEN_UNKNOWN = 5.
Once you get to that point, you still have the hash and salt stored
separately in different columns, a bad idea! Google on rainbow tables to
understand the vulnerability.
- R
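A callback handler that covers both usages Robert names, as an added example written for this thread rather than code from Tania's project or from Rampart/WSS4J. It assumes WSS4J 1.x (org.apache.ws.security.WSPasswordCallback, where USERNAME_TOKEN_UNKNOWN still exists) and the contract from that class's documentation: for USERNAME_TOKEN the handler supplies the stored password and WSS4J does the comparison, while for USERNAME_TOKEN_UNKNOWN (PasswordText, as in the JavaScript request above) WSS4J hands over the received password and the handler must verify it and throw on mismatch; the PASSWORDS map is a constructed stand-in for a real credential store.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCBHandler implements CallbackHandler {
    // Constructed sample store for this example only; a real handler looks the
    // credential up in a directory or database instead of hard-coding it.
    private static final Map<String, String> PASSWORDS = Collections.singletonMap("bobWWW", "bobPW");

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "callback " + i + " not supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            String user = pwcb.getIdentifier();
            String stored = PASSWORDS.get(user);
            switch (pwcb.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN:
                // Usage 2: WSS4J asks for the stored password and does the comparison
                // (or the digest check) itself, so getPassword() is null here by design.
                if (stored == null) {
                    throw new UnsupportedCallbackException(pwcb, "unknown user " + user);
                }
                pwcb.setPassword(stored);
                break;
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                // Usage 5: PasswordText or unspecified type. WSS4J passes the password
                // from the token and expects this handler to verify it and throw on
                // mismatch; the constant-time compare avoids a timing side channel.
                String supplied = pwcb.getPassword();
                if (stored == null || supplied == null
                        || !MessageDigest.isEqual(stored.getBytes("UTF-8"),
                                                  supplied.getBytes("UTF-8"))) {
                    throw new UnsupportedCallbackException(pwcb, "authentication failed for " + user);
                }
                break;
            default:
                throw new UnsupportedCallbackException(pwcb, "unhandled usage " + pwcb.getUsage());
            }
        }
    }
}
```

Whichever usage is in play, the request shown in the JavaScript above still carries bobPW in clear text, so a PasswordText UsernameToken is only defensible over TLS.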