Rampart / RAMPART-383

sp:HashPassword from WS-SecurityPolicy 1.2 assertion doesn't work


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 1.6.2
    • Fix Version/s: 1.6.2
    • Component/s: rampart-policy
    • Environment: Windows XP Professional
      Java 1.6.0_26
      Eclipse 3.5.1
      Axis2 1.6.2
      Neethi 3.0.2

    Description

      I have a WSDL with the following policy:

      <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:HashPassword />
          <sp:WssUsernameToken11 />
        </wsp:Policy>
      </sp:UsernameToken>

      According to WS-SecurityPolicy 1.2, which is supported by Rampart 1.6.2 (modulo the workaround from issue RAMPART-371, https://issues.apache.org/jira/browse/RAMPART-371), the policy grammar is as follows:

      <sp:UsernameToken sp:IncludeToken="xs:anyURI"? xmlns:sp="..." ... >
        (
          <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer> |
          <sp:IssuerName>xs:anyURI</sp:IssuerName>
        ) ?
        <wst:Claims Dialect="..."> ... </wst:Claims> ?
        <wsp:Policy xmlns:wsp="...">
          (
            <sp:NoPassword ... /> |
            <sp:HashPassword ... />
          ) ?
          (
            <sp:RequireDerivedKeys /> |
            <sp:RequireImpliedDerivedKeys ... /> |
            <sp:RequireExplicitDerivedKeys ... />
          ) ?
          (
            <sp:WssUsernameToken10 ... /> |
            <sp:WssUsernameToken11 ... />
          ) ?
          ...
        </wsp:Policy>
        ...
      </sp:UsernameToken>

      My policy respects the grammar.

      But while launching a client, setting username and password callback, the output shows the following section:

      <wsse:UsernameToken wsu:Id="UsernameToken-1">
      <wsse:Username>USER</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>
      </wsse:UsernameToken>

      And debugging the code, the rampart policy does create a UsernameToken with hashpassword attribute set to false.

      I thought it was due to the following Neethi issue (https://issues.apache.org/jira/browse/NEETHI-3), but using the same version of Neethi with CXF and WSS4J it works (I mean the password digest is sent).

      Note that I'm not using a rampart configuration, just engaging the module as follows:

      mProxy._getServiceClient().engageModule("rampart");
      // Set Password callback
      mProxy._getServiceClient().getOptions().setProperty(WSHandlerConstants.PW_CALLBACK_REF, new ClientPasswordCallbackHandler());
      // Set User name
      mProxy._getServiceClient().getOptions().setUserName("USER");
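
The mismatch described in this report (a policy carrying sp:HashPassword, a token sent as #PasswordText) can be checked on the wire. The Python below is an added example, not part of the original report and not Rampart code. The function names and the wsp namespace URI are assumptions, and the sample XML is the report's policy and token with namespace declarations added.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE, WSU = OASIS + "wssecurity-secext-1.0.xsd", OASIS + "wssecurity-utility-1.0.xsd"
TEXT = OASIS + "username-token-profile-1.0#PasswordText"
DIGEST = OASIS + "username-token-profile-1.0#PasswordDigest"

# Constructed samples: the policy and token from the report, with the
# namespace declarations the excerpts omit (the wsp URI is an assumption).
POLICY = f"""<sp:UsernameToken xmlns:sp="{SP}"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient">
  <wsp:Policy><sp:HashPassword/><sp:WssUsernameToken11/></wsp:Policy>
</sp:UsernameToken>"""
TOKEN = f"""<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="UsernameToken-1">
  <wsse:Username>USER</wsse:Username>
  <wsse:Password Type="{TEXT}">PASSWORD</wsse:Password>
</wsse:UsernameToken>"""

def policy_requires_hash(policy_xml):
    """True if any sp:UsernameToken assertion carries sp:HashPassword."""
    root = ET.fromstring(policy_xml)
    return any(tok.find(f".//{{{SP}}}HashPassword") is not None
               for tok in root.iter(f"{{{SP}}}UsernameToken"))

def password_digest(nonce_b64, created, password):
    """UsernameToken Profile: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def check_token(token_xml, hash_required, password=None):
    """Return findings for one wsse:UsernameToken seen on the wire."""
    tok = ET.fromstring(token_xml)
    pw = tok.find(f"{{{WSSE}}}Password")
    if pw is None:
        return ["no wsse:Password element"]
    ptype = pw.get("Type", TEXT)  # the profile's default when Type is absent
    findings = []
    if hash_required and ptype != DIGEST:
        findings.append("HashPassword required, got " + ptype.rsplit("#", 1)[-1])
    if ptype == DIGEST and password is not None:
        nonce = tok.findtext(f"{{{WSSE}}}Nonce", "")
        created = tok.findtext(f"{{{WSU}}}Created", "")
        if password_digest(nonce, created, password) != (pw.text or "").strip():
            findings.append("PasswordDigest does not match")
    return findings
```

Calling `check_token(TOKEN, policy_requires_hash(POLICY))` on the report's token returns the single finding that HashPassword was required but PasswordText was sent.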

          People

            Assignee: Unassigned
            Reporter: Yoann Guerro (yguerro)

              Time Tracking

                Estimated: 24h
                Remaining: 24h
                Logged: Not Specified