Mutaza,
After considering your scenario I feel maybe you are looking for
WS-SecureConversation functionality.
WS-SecureConversation will allow you to first authenticate the user
and set up a security context and then perform crypto operations on
subsequent messages within the established security context.
I'm in the process of adding examples to Rampart. Will add a few on
WS-SecConv as well.
Thanks,
Ruchith
On 10/26/06, Madraswala, Murtaza <[EMAIL PROTECTED]> wrote:
Ruchith,
I knew I could use this approach, it's just that UsernameToken and
plaintext passwords necessitate the use of a point to point transport
level security mechanism. This is not very helpful if you want to do
routing of subsequent messages (not to mention the initial request
itself based on the contents of the SOAP message). The solution I am
thinking of now is to use UsernameToken + plaintext password over SSL
just for authentication, then tearing the SSL connection down and
encrypting the SOAP bodies of all subsequent messages using wss4j. I
guess the one learning curve here is to figure out a way to get the
service and client to adopt say a "Timestamp Encrypt Signature" approach
after first using the "UsernameToken" approach.
Let me know if you have any thoughts.
Once again I appreciate all the feedback you send me.
Thanks,
Murtaza.
-----Original Message-----
From: Ruchith Fernando [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 24, 2006 7:23 PM
To: Madraswala, Murtaza
Cc: [email protected]
Subject: Re: WSS4J authentication using LDAP
Hi Murtaza,
We use UsernameToken with a plain text password exactly for this
purpose!
- The *plain text password* is sent in the UsernameToken to the service.
- In the callback handler class you can use the same algorithms that
AD uses to generate the hash from the password you get from the
UsernameToken.
- Now you can compare this with the one you have stored in AD! (This
also happens within the callback handler)
This is explained here [1] in the section where we talk about
USERNAME_TOKEN_UNKNOWN usage of WSPasswordCallback object passed in to
the callback handler.
Thanks,
Ruchith
[1] http://www.wso2.net/articles/rampart/java/2006/08/15/usernametoken-auth
On 10/25/06, Madraswala, Murtaza <[EMAIL PROTECTED]> wrote:
> Ruchith,
> Thanks very much, I seem to have figured this issue out. My real
> objective is to perform authentication with the Active Directory.
> Passwords are never stored in clear text there, and I don't want to use
> transport layer security mechanisms like SSL. If I generate a digest of
> the password using UsernameToken there is no way to recover the password
> from the digest. I can try generating the hash that the AD uses to
> perform a comparison for user authenticity (just like Windows clients do
> using Kerberos) at the client side, and send the hash in the SOAP packet
> to run against AD, but I don't know how that would use WS-Security. (I
> guess I would have to put the userID/Pwd combination in the SOAP body
> and encrypt and sign that, then recover it on the server side) Is there
> no solution that can use the digest, nonce, and username that appears on
> the server side to perform authentication with AD (Doesn't look likely
> to me) or specify the token so that the hash required by AD is generated
> and sent in the SOAP packet (like Windows clients send)?
> I appreciate all the help and advice you can provide in this regard.
>
> Thanks,
> Murtaza.
>
> -----Original Message-----
> From: Ruchith Fernando [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 20, 2006 4:44 AM
> To: Madraswala, Murtaza
> Cc: [email protected]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: Re: WSS4J authentication using LDAP
>
> The stack trace you posted says that the incoming message does not
> contain a "Security" header when it's expected to contain one. Please
> re-check your client configuration if the exception was thrown at the
> server side receiver handler.
>
> I see a few approaches to your overall problem:
>
> - Use UsernameToken over HTTPS.
> - Encrypt the UsernameToken using WS-Security mechanisms (specify the
> UsernameToken element in the encryptionParts)
>
> IMHO either case can hide the password from a third party. In both
> cases you can use a plain text password and can carry out your
> authentication with the LDAP server in the callback handler you use at
> the service.
>
>
> On 10/12/06, Madraswala, Murtaza <[EMAIL PROTECTED]> wrote:
> >
> >
> > Hello,
> > I am fairly new to development using Axis and WSS4J. I am trying to
> > build a web service that accepts a UserID/Password combination and
> > validates it against an LDAP database. I have managed to execute the
> > first example given in the tutorial on the WSS4J site. I find that when
> > I set the passwordType to "PasswordDigest", a null value is returned
> > when I extract the value in the PWCallback class on the server side. If
> > I use the "PasswordText" option then the actual value is returned but
> > the problem here is that the password is also clearly visible in the
> > SOAP message. I have tried quite a few times to combine signature and
> > encryption (as explained in the tutorials), having generated my own
> > keystore for the server and the client as well as the certificates but
> > to no avail. The latest error message I get at the client when I try
> > to run this is listed below:
> >
> > C:\client>java samples.stock.client.StockServiceClient XXX
> > Calling service...
> > Exception in thread "main" AxisFault
> >  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
> >  faultSubcode:
> >  faultString: WSDoAllReceiver: Request does not contain required Security header
> >  faultActor:
> >  faultNode:
> >  faultDetail:
> >     {http://xml.apache.org/axis/}stackTrace:WSDoAllReceiver: Request does not contain required Security header
> >     at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:175)
> >     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> >     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> >     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> >     at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
> >     at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> >     at org.apache.axis.client.Call.invoke(Call.java:2767)
> >     at org.apache.axis.client.Call.invoke(Call.java:2443)
> >     at org.apache.axis.client.Call.invoke(Call.java:2366)
> >     at org.apache.axis.client.Call.invoke(Call.java:1812)
> >     at samples.stock.client.StockWss01SoapBindingStub.getQuote(StockWss01SoapBindingStub.java:106)
> >     at samples.stock.client.StockServiceClient.main(StockServiceClient.java:53)
> >
> >     {http://xml.apache.org/axis/}hostname:MMADRAW3
> >
> > WSDoAllReceiver: Request does not contain required Security header
> >     at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:175)
> >     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> >     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> >     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> >     at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
> >     at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> >     at org.apache.axis.client.Call.invoke(Call.java:2767)
> >     at org.apache.axis.client.Call.invoke(Call.java:2443)
> >     at org.apache.axis.client.Call.invoke(Call.java:2366)
> >     at org.apache.axis.client.Call.invoke(Call.java:1812)
> >     at samples.stock.client.StockWss01SoapBindingStub.getQuote(StockWss01SoapBindingStub.java:106)
> >     at samples.stock.client.StockServiceClient.main(StockServiceClient.java:53)
> >
> >
> > If someone could suggest a technique to encrypt the whole SOAP message
> > or at least the password, then extract it on the server side so that it
> > can be used to perform a bind against an LDAP server, I would greatly
> > appreciate it.
> >
> > Thanks,
> > Murtaza.
> >
> > Murtaza Madraswala
> >
>
>
> --
> www.ruchith.org
>
>
>
--
www.ruchith.org
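The following is an added illustration, not code from this thread, from WSS4J or from Rampart, and written in Python rather than Java so it runs stand-alone. It shows why the two approaches discussed above differ: a PasswordDigest token is SHA-1 over nonce + created + clear-text password, so the service can only verify it if it can obtain the clear-text password (a hash-only directory like the one Murtaza describes cannot supply that), whereas a PasswordText token, protected in transit by HTTPS or by encrypting the UsernameToken element, lets the service-side callback handler recompute the directory's hash from the received password and compare. The salted-SHA-256 store, the user name and password, the nonce/created values and the function names are all constructed for the example; the nonce cache and Created-freshness check are a defensive addition that the thread does not mention.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # shape of wsu:Created in a UsernameToken


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest as the UsernameToken Profile defines it:
    Base64(SHA-1(nonce + created + password)).
    It is computed over the clear-text password, so whoever verifies it
    must be able to recompute it from the clear-text password as well."""
    h = hashlib.sha1()
    h.update(nonce)
    h.update(created.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def make_digest_token(username: str, password: str,
                      nonce: Optional[bytes] = None,
                      created: Optional[str] = None) -> dict:
    """Client side: the fields of a <wsse:UsernameToken> with
    Type=PasswordDigest. nonce/created are parameters only so a test can
    pin them; a real client draws a fresh random nonce for every message."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def verify_digest_token(token: dict, cleartext_store: dict, seen_nonces: set,
                        now: Optional[str] = None,
                        max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Service side for PasswordDigest. Works only when the service can
    obtain the user's clear-text password (cleartext_store: username ->
    password), which is exactly what a hash-only directory cannot give it.
    Stale Created values and reused nonces are rejected so that a captured
    token cannot simply be replayed. 'now' is a string in TIME_FMT so the
    check can be pinned in tests; None means the current UTC time."""
    password = cleartext_store.get(token["Username"])
    if password is None:
        return False
    now_dt = (datetime.strptime(now, TIME_FMT) if now
              else datetime.now(timezone.utc).replace(tzinfo=None))
    created_dt = datetime.strptime(token["Created"], TIME_FMT)
    if abs(now_dt - created_dt) > max_skew:
        return False  # too old, or created in the future
    if token["Nonce"] in seen_nonces:
        return False  # replay of a token already accepted
    nonce = base64.b64decode(token["Nonce"])
    expected = password_digest(nonce, token["Created"], password)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return False
    seen_nonces.add(token["Nonce"])
    return True


def hash_for_store(password: str, salt: bytes) -> bytes:
    """Constructed stand-in for 'the algorithm the directory uses to hash
    passwords' (salted SHA-256 here; not Active Directory's real scheme).
    A WSS4J callback handler would call the directory's own routine, or
    simply attempt an LDAP bind with the password it received."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def verify_text_token_in_callback(username: str, password: str,
                                  hashed_store: dict) -> bool:
    """Service side for PasswordText: the callback handler receives the
    clear-text password (kept confidential in transit by TLS or by
    encrypting the UsernameToken element), recomputes the stored hash and
    compares. hashed_store: username -> (salt, hash); no clear-text is kept."""
    entry = hashed_store.get(username)
    if entry is None:
        return False
    salt, stored_hash = entry
    return hmac.compare_digest(hash_for_store(password, salt), stored_hash)


if __name__ == "__main__":
    # Constructed sample data
    salt = b"constructed-salt"
    hashed_directory = {"murtaza": (salt, hash_for_store("s3cret", salt))}
    print("PasswordText via callback:",
          verify_text_token_in_callback("murtaza", "s3cret", hashed_directory))
    token = make_digest_token("murtaza", "s3cret")
    print("PasswordDigest with clear-text available:",
          verify_digest_token(token, {"murtaza": "s3cret"}, set()))
    print("PasswordDigest against a hash-only directory: undecidable, "
          "there is no clear-text to recompute the digest from")
```

The digest path has no way to consult `hashed_directory` at all, which is the point of Murtaza's question: the only store that can validate a PasswordDigest is one holding clear-text (or equivalently reversible) passwords. The text path, by contrast, needs the transport or message-level encryption Ruchith lists, but works against any store.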
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]