Hi Murtaza,

We use UsernameToken with a plain text password exactly for this purpose!

- The *plain text password* is sent in the UsernameToken to the service.
- In the callback handler class you can use the same algorithms that AD uses to generate the hash from the password you get from the UsernameToken.
- Now you can compare this with the one you have stored in AD! (This also happens within the callback handler.)

This is explained here [1] in the section where we talk about the USERNAME_TOKEN_UNKNOWN usage of the WSPasswordCallback object passed in to the callback handler.

Thanks,
Ruchith

[1] http://www.wso2.net/articles/rampart/java/2006/08/15/usernametoken-auth

On 10/25/06, Madraswala, Murtaza <[EMAIL PROTECTED]> wrote:
Ruchith,

Thanks very much, I seem to have figured this issue out. My real objective is to perform authentication with the Active Directory. Passwords are never stored in clear text there, and I don't want to use transport layer security mechanisms like SSL. If I generate a digest of the password using UsernameToken there is no way to recover the password from the digest. I can try generating the hash that the AD uses to perform a comparison for user authenticity (just like Windows clients do using Kerberos) at the client side, and send the hash in the SOAP packet to run against AD, but I don't know how that would use WS-Security. (I guess I would have to put the userID/Pwd combination in the SOAP body and encrypt and sign that, then recover it on the server side.) Is there no solution that can use the digest, nonce, and username that appears on the server side to perform authentication with AD (doesn't look likely to me), or specify the token so that the hash required by AD is generated and sent in the SOAP packet (like Windows clients send)?

I appreciate all the help and advice you can provide in this regard.

Thanks,
Murtaza.

-----Original Message-----
From: Ruchith Fernando [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 20, 2006 4:44 AM
To: Madraswala, Murtaza
Cc: [email protected]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: WSS4J authentication using LDAP

The stack trace you posted says that the incoming message does not contain a "Security" header when it's expected to contain one. Please re-check your client configuration if the exception was thrown at the server side receiver handler.

I see a few approaches to your overall problem:
- Use UsernameToken over HTTPS.
- Encrypt the UsernameToken using WS-Security mechanisms (specify the UsernameToken element in the encryptionParts).

IMHO either case can hide the password from a third party.
In both cases you can use a plain text password and can carry out your authentication with the LDAP server in the callback handler you use at the service.

On 10/12/06, Madraswala, Murtaza <[EMAIL PROTECTED]> wrote:
>
> Hello,
> I am fairly new to development using Axis and WSS4J. I am trying to build
> a web service that accepts a UserID/Password combination and validates it
> against an LDAP database. I have managed to execute the first example given
> in the tutorial on the WSS4J site. I find that when I set the passwordType
> to "PasswordDigest", a null value is returned when I extract the value in
> the PWCallback class on the server side. If I use the "PasswordText" option
> then the actual value is returned, but the problem here is that the password
> is also clearly visible in the SOAP message. I have tried quite a few times
> to combine signature and encryption (as explained in the tutorials), having
> generated my own keystore for the server and the client as well as the
> certificates, but to no avail. The latest error message I get at the client
> when I try to run this is listed below:
>
> C:\client>java samples.stock.client.StockServiceClient XXX
> Calling service...
> Exception in thread "main" AxisFault
>  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
>  faultSubcode:
>  faultString: WSDoAllReceiver: Request does not contain required Security header
>  faultActor:
>  faultNode:
>  faultDetail:
>       {http://xml.apache.org/axis/}stackTrace:WSDoAllReceiver: Request does not contain required Security header
>       at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:175)
>       at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>       at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>       at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>       at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
>       at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
>       at org.apache.axis.client.Call.invoke(Call.java:2767)
>       at org.apache.axis.client.Call.invoke(Call.java:2443)
>       at org.apache.axis.client.Call.invoke(Call.java:2366)
>       at org.apache.axis.client.Call.invoke(Call.java:1812)
>       at samples.stock.client.StockWss01SoapBindingStub.getQuote(StockWss01SoapBindingStub.java:106)
>       at samples.stock.client.StockServiceClient.main(StockServiceClient.java:53)
>
>       {http://xml.apache.org/axis/}hostname:MMADRAW3
>
> WSDoAllReceiver: Request does not contain required Security header
>       at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:175)
>       at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>       at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>       at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>       at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
>       at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
>       at org.apache.axis.client.Call.invoke(Call.java:2767)
>       at org.apache.axis.client.Call.invoke(Call.java:2443)
>       at org.apache.axis.client.Call.invoke(Call.java:2366)
>       at org.apache.axis.client.Call.invoke(Call.java:1812)
>       at samples.stock.client.StockWss01SoapBindingStub.getQuote(StockWss01SoapBindingStub.java:106)
>       at samples.stock.client.StockServiceClient.main(StockServiceClient.java:53)
>
>
> If someone could suggest a technique to encrypt the whole SOAP message
> or at least the password, then extract it on the server side so that it can
> be used to perform a bind against an LDAP server, I would greatly appreciate
> it.
>
> Thanks,
> Murtaza.
>
> s
> Murtaza Madraswala

--
www.ruchith.org
--
www.ruchith.org
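A service-side password callback of the kind Ruchith describes, written here as an added example (not code from this thread, from WSS4J or from the WSO2 article): it accepts only the PasswordText case, in which WSS4J hands the plain text password to the handler with usage USERNAME_TOKEN_UNKNOWN, and checks it with an LDAP simple bind as that user, the callback-handler approach suggested in the October 20 message. The class name, LDAP URL and DN template are assumptions, and the token still has to travel over HTTPS or inside an encrypted UsernameToken element, as noted above.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class LdapBindCallbackHandler implements CallbackHandler {
    // Hypothetical deployment values; substitute your own directory settings.
    private static final String LDAP_URL = "ldaps://ldap.example.com:636";
    private static final String BIND_DN_TEMPLATE = "uid=%s,ou=people,dc=example,dc=com";
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // Only a PasswordText token delivers the password to the handler; PasswordDigest
            // asks the handler to supply it instead (the null seen in the thread), so refuse it.
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                throw new UnsupportedCallbackException(cb, "only PasswordText tokens are accepted");
            }
            // getIdentifer() is the accessor name as spelled in WSS4J 1.5; any
            // exception thrown from the handler makes WSS4J reject the message.
            if (!bindAsUser(pc.getIdentifer(), pc.getPassword())) {
                throw new IOException("authentication failed for " + pc.getIdentifer());
            }
        }
    }
    // True only if a simple bind as this user with this password succeeds.
    static boolean bindAsUser(String user, String password) {
        // An empty password becomes an unauthenticated bind that many servers (AD included) accept.
        if (user == null || password == null || user.isEmpty() || password.isEmpty()) return false;
        // Stop the username from rewriting the DN built from the template.
        if (!user.matches("[A-Za-z0-9._-]+")) return false;
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, String.format(BIND_DN_TEMPLATE, user));
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();
            return true;
        } catch (NamingException e) {
            return false; // bad credentials or directory unreachable
        }
    }
}
```

Register the class as the passwordCallbackClass of the service's WSDoAllReceiver handler; for AD the DN template would typically be replaced by a userPrincipalName form such as user@domain.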
