Ws security with opensource platform

A simple exercise to show and analyse WS-Security via simple/free tools/opensource platform (WS02)


Published in: Education, Technology

Transcript

  • 1. WS-Security (OASIS)

    Transport-Level Security vs. Message-Level Security
    Apache Rampart supports WS-Security.

    Transport-Level Security

    With the UsernameToken we can pass either a "plain text" password or a "password digest".
    Policy1 requires "HashPassword", i.e. a "password digest", without an HTTPS Transport Binding.

    Without HTTPS Transport Binding

    Service's policy1 (without HTTPS Transport Binding):

    <wsp:Policy wsu:Id="UsernameToken"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
              <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:HashPassword/>
                </wsp:Policy>
              </sp:UsernameToken>
            </wsp:Policy>
          </sp:SupportingTokens>
          <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:user>alice</ramp:user>
            <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample00.PWCBHandler</ramp:passwordCallbackClass>
          </ramp:RampartConfig>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>

    Note: Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
    Source: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0

    Issue: most AAZ services will NOT hold the clear-text password AT ALL!!, only a password digest. Only YOU and YOU alone know the clear-text password. So when you lose the password there is no way to retrieve it (one-way hash function).
  • 2. It also means that the AAZ service will not be able to verify a HashPassword!!!

    But just to demonstrate how a UsernameToken with a hashed password works, I will need to somehow assume that the service is able to retrieve the "plaintext" password and supply it to Rampart for the SHA-1 digest.
  • 3. First, try a UsernameToken with a plaintext password.

    List all the Axis2 services:
    http://localhost:8080/axis2/services/listServices

    We will use the following Axis2 service:
    http://localhost:8080/axis2/services/sample000?wsdl

    Try 1: add a security header with a valid user and a wrong password.
  • 4. Request

    <soapenv:Envelope xmlns:sam="http://sample000.policy.samples.rampart.apache.org"
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:UsernameToken wsu:Id="UsernameToken-1"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>alice</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"> wrong password </wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">WQlg9p+7C4StUZr388OuXw==</wsse:Nonce>
            <wsu:Created>2011-02-05T11:09:57.031Z</wsu:Created>
          </wsse:UsernameToken>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <sam:echo>
          <!--Optional:-->
          <sam:args0>111</sam:args0>
        </sam:echo>
      </soapenv:Body>
    </soapenv:Envelope>

  • 5. Reply

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Body>
        <soapenv:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <faultcode>wsse:InvalidSecurity</faultcode>
          <faultstring>The security token could not be authenticated or authorized; nested exception is: javax.security.auth.callback.UnsupportedCallbackException: check failed</faultstring>
          <detail/>
        </soapenv:Fault>
      </soapenv:Body>
    </soapenv:Envelope>

    Tomcat's log:

        at org.apache.rampart.RampartEngine.process(RampartEngine.java:124)
        at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
        ... 19 more
    pwcb.getUsage()=5
    pwcb.getPassword()= wrong password
    pwcb.getIdentifer()=alice
    UnsupportedCallbackException!!!
    [ERROR] The security token could not be authenticated or authorized; nested exception is: javax.security.auth.callback.UnsupportedCallbackException: check failed
    org.apache.axis2.AxisFault: The security token could not be authenticated or authorized; nested exception is: javax.security.auth.callback.UnsupportedCallbackException: check failed
        at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:166)

    Try 2: use a valid user/password. But let's find out the password first; just decompile it! :) (alice/bobPW)

  • 6. Request

    <soapenv:Envelope xmlns:sam="http://sample000.policy.samples.rampart.apache.org"
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:UsernameToken wsu:Id="UsernameToken-1"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>alice</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">WQlg9p+7C4StUZr388OuXw==</wsse:Nonce>
            <wsu:Created>2011-02-05T11:09:57.031Z</wsu:Created>
          </wsse:UsernameToken>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <sam:echo>
          <!--Optional:-->
          <sam:args0>111</sam:args0>
        </sam:echo>
      </soapenv:Body>
    </soapenv:Envelope>

  • 7. Request

    <soapenv:Envelope xmlns:sam="http://sample000.policy.samples.rampart.apache.org"
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:UsernameToken wsu:Id="UsernameToken-1"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>alice</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">WQlg9p+7C4StUZr388OuXw==</wsse:Nonce>
            <wsu:Created>2011-02-05T11:09:57.031Z</wsu:Created>
          </wsse:UsernameToken>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <sam:echo>
          <!--Optional:-->
          <sam:args0>Hi it is Seri!!!!</sam:args0>
        </sam:echo>
      </soapenv:Body>
    </soapenv:Envelope>

    The plaintext user/password (alice/bobPW) works!!!

    Consideration: what about a "man-in-the-middle attack (MITM)"? Scary? There is no Timestamp in the security header to prevent a replay attack, so you must change your Created date and nonce for each call.
  • 8. Next, try the hashed version of the "bobPW" password.

    We get an error: "bobPW" is not a valid password. This is because I deliberately pass the clear-text password "bobPW000" to the setPassword() function in the callback handler; Rampart then calculates the digest from that.

    <soapenv:Envelope xmlns:sam="http://sample000.policy.samples.rampart.apache.org"
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:UsernameToken wsu:Id="UsernameToken-4"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>alice</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">O4yOKfrAStHBHOQy/Y7e3tGmV5A=</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">ugzWFiShtsERcAekb6HjHA==</wsse:Nonce>
            <wsu:Created>2011-02-05T12:11:20.578Z</wsu:Created>
          </wsse:UsernameToken>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <sam:echo>
          <!--Optional:-->
          <sam:args0>Hi it is Seri!!!!</sam:args0>
        </sam:echo>
      </soapenv:Body>
    </soapenv:Envelope>

  • 9. Let's calculate the password digest value based on the rule given by OASIS:

    Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )

    D:wso2RunSOAPUIProj-wsas4PasswordDigestTest>java -cp .;./wss4j-1.5.8.jar;commons-logging-1.1.1.jar PasswordDigestTest ugzWFiShtsERcAekb6HjHA== 2011-02-05T11:20.578Z bobPW000
    O4yOKfrAStHBHOQy/Y7e3tGmV5A= O4yOKfrAStHBHOQy/Y7e3tGmV5A=

    Request with a valid user/password (alice/bobPW000):

    <soapenv:Envelope xmlns:sam="http://sample000.policy.samples.rampart.apache.org"
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:UsernameToken wsu:Id="UsernameToken-2"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>alice</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">79ErE6DrEOuR1j8S2aLIgIq8YXk=</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">yp9RrxBTS6SFfQfPgQdy+A==</wsse:Nonce>
            <wsu:Created>2011-02-05T14:07:51.625Z</wsu:Created>
          </wsse:UsernameToken>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <sam:echo>
          <!--Optional:-->
          <sam:args0>Hi it is Seri!!!!</sam:args0>
        </sam:echo>
      </soapenv:Body>
    </soapenv:Envelope>

    D:wso2RunSOAPUIProj-wsas4PasswordDigestTest>java -cp .;./wss4j-1.5.8.jar;commons-logging-1.1.1.jar PasswordDigestTest yp9RrxBTS6SFfQfPgQdy+A== 2011-02-05T14:07:51.625Z bobPW000
    79ErE6DrEOuR1j8S2aLIgIq8YXk=
  • 10. Question????
  • 11. With HTTPS Transport Binding

    Service's policy2 (with HTTPS Transport Binding):

    <wsp:Policy wsu:Id="UsernameToken"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:TransportToken>
                <wsp:Policy>
                  <sp:HttpsToken RequireClientCertificate="false"/>
                </wsp:Policy>
              </sp:TransportToken>
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:Basic256/>
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Lax/>
                </wsp:Policy>
              </sp:Layout>
              <sp:IncludeTimestamp/>
            </wsp:Policy>
          </sp:TransportBinding>
          <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/
            </wsp:Policy>
          </sp:SignedSupportingTokens>
          <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:passwordCallbackClass>tutorial.rampart.service.PWCBHandler</ramp:passwordCallbackClass>
          </ramp:RampartConfig>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>

    I have tried Tomcat's web container for the HTTPS transport; it works fine. However, I love the open-source WSO2 Application Server v4, so I will use its HTTP server for this.

    Default user/password = admin/admin
  • 12. I will use the HelloWorld service; notice it has both HTTP and HTTPS transports. I created a "tester" role with "seri" as a user in it.
  • 13. Just enable the security of the HelloWorld service.
  • 14. Try the HTTP transport first!!! – not secured?

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Body>
        <soapenv:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <faultcode>wsse:InvalidSecurity</faultcode>
          <faultstring>Expected transport is "https" but incoming transport found :"http"</faultstring>
          <detail/>
        </soapenv:Fault>
      </soapenv:Body>
    </soapenv:Envelope>

    Try the HTTPS transport – plaintext password

    Oopsssssssss! Forgot the Timestamp (very important for replay attack prevention!)
  • 15. Request

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:typ="http://www.wso2.org/types">
      <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsu:Timestamp wsu:Id="Timestamp-6"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2011-02-05T14:40:27.296Z</wsu:Created>
            <wsu:Expires>2011-02-05T14:50:27.296Z</wsu:Expires>
          </wsu:Timestamp>
          <wsse:UsernameToken wsu:Id="UsernameToken-5"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>seri</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">TiTus00!</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">l4+XqEgQweYSiUMbiGqr3Q==</wsse:Nonce>
            <wsu:Created>2011-02-05T14:39:22.078Z</wsu:Created>
          </wsse:UsernameToken>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <typ:greet>
          <!--Optional:-->
          <name>Hi you are there</name>
        </typ:greet>
      </soapenv:Body>
    </soapenv:Envelope>

  • 16. Response

    After adding the Timestamp... oops, a used nonce is detected!!

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Body>
        <soapenv:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <faultcode>wsse:InvalidSecurity</faultcode>
          <faultstring>Nonce value : l4+XqEgQweYSiUMbiGqr3Q==, already seen before for user name : seri. Possibly this could be a replay attack.</faultstring>
          <detail/>
        </soapenv:Fault>
      </soapenv:Body>
    </soapenv:Envelope>

    Let's fix up the Nonce and resend... It works!!
  • 17. Try the HTTPS transport – will the WSO2 App Server work with the password digest ? ? ?

    No. Why??? The application does not maintain or have the "clear text" password. It is not common practice to hold the "clear text" password, and so it is not common for a service to provide "password digest" authentication (without writing code!!).
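The digest rule from slide 1, the replay checks the slides run into (no Timestamp on slide 7, "nonce already seen" on slide 16) and the clear-text-password assumption of slide 17, worked through as an added Python example that is not code from the slides, Rampart or WSS4J: the client side builds a PasswordDigest token, the service side verifies it with a freshness window and a nonce cache. The password dictionary, the 5-minute window and the envelope layout are assumptions.

```python
# Added example, not from the slides, Rampart or WSS4J. Assumptions: the service can
# look up the clear-text password (a dict here), and a 5-minute Created window.
import base64
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")


def password_digest(nonce_b64, created, password):
    """OASIS rule: Base64(SHA-1(nonce + created + password)), with the nonce as its
    decoded bytes and created/password as UTF-8, like PasswordDigestTest.java."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_request(user, password, nonce_b64, created, arg="111"):
    """Client side: a constructed sample000 echo request with a PasswordDigest token."""
    digest = password_digest(nonce_b64, created, password)
    return f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:sam="http://sample000.policy.samples.rampart.apache.org">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}">
      <wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="{WSU}">
        <wsse:Username>{user}</wsse:Username>
        <wsse:Password Type="{PASSWORD_DIGEST}">{digest}</wsse:Password>
        <wsse:Nonce>{nonce_b64}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><sam:echo><sam:args0>{arg}</sam:args0></sam:echo></soapenv:Body>
</soapenv:Envelope>"""


def parse_created(created):
    """wsu:Created is an xsd:dateTime in UTC; fractional seconds are optional."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", created)
    if not m:
        raise ValueError("unsupported Created format: " + created)
    dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if m.group(2):
        dt += timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))
    return dt


class UsernameTokenVerifier:
    """Service side: digest, freshness and nonce-reuse checks for a HashPassword token.
    Verifying a digest needs the clear-text password, which is the slides' objection."""

    def __init__(self, passwords, freshness=timedelta(minutes=5)):
        self._passwords = passwords   # {user: clear-text password}; stands in for LDAP
        self._freshness = freshness   # tolerated age of Created, either direction (skew)
        self._seen = set()            # (user, nonce) pairs already accepted: replay cache

    def verify(self, soap_xml, now):
        """Return (accepted, reason); only accepted nonces enter the cache."""
        tok = ET.fromstring(soap_xml).find(f".//{{{WSSE}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != PASSWORD_DIGEST:
            return False, "policy requires PasswordDigest"   # a PasswordText token is refused
        if not (user and nonce and created):
            return False, "digest token needs Nonce and Created"
        try:
            age = now - parse_created(created)
        except ValueError as exc:
            return False, str(exc)
        if abs(age) > self._freshness:
            return False, "Created outside freshness window"  # stale (or future-dated) token
        if (user, nonce) in self._seen:
            return False, f"Nonce value : {nonce}, already seen before for user name : {user}"
        clear = self._passwords.get(user)
        if clear is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, clear)
        if not hmac.compare_digest(expected, pw.text or ""):
            return False, "digest mismatch"                   # wrong password
        self._seen.add((user, nonce))
        return True, "ok"


if __name__ == "__main__":
    # nonce and Created as on slide 8, password as the callback handler sets it
    req = build_request("alice", "bobPW000", "ugzWFiShtsERcAekb6HjHA==", "2011-02-05T12:11:20.578Z")
    svc = UsernameTokenVerifier({"alice": "bobPW000"})
    now = parse_created("2011-02-05T12:11:30Z")
    print(svc.verify(req, now))  # accepted
    print(svc.verify(req, now))  # same nonce again: rejected as a replay
```

The digest only keeps the password off the wire; without the nonce cache and the Created window a captured token can be replayed as-is, which is exactly the fault WSO2 raised on slide 16.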
  • 18. PKI - Asymmetric Key (PubK/PriK)

    Asymmetric Key (PubK/PriK) vs. Symmetric Key (shared/STS)

    In general a symmetric key is very, very hard to maintain and to trust!!!! Key management is a nightmare! There is no adopted standard or best practice for symmetric key management. I will cover symmetric-key authentication in the future with SAML (still learning the SAML 2.0 Assertion Token with WS-Security).

    Asymmetric Key (PubK/PriK) setup using the HelloWorld service above.

    Import the Client/Service keystores. The password for both keystores is "testing".
  • 19. o service.jks

    D:wso2RunSOAPUIProj-wsas4keystores>keytool -list -keystore service.jks -storepass testing
    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 2 entries

    service, 5/06/2009, keyEntry,
    Certificate fingerprint (MD5): D0:A8:F3:25:A8:6D:41:4F:B9:D9:7B:DC:D0:8F:6B:3E
    client, 5/06/2009, trustedCertEntry,
    Certificate fingerprint (MD5): A2:72:C0:79:CE:74:F7:B0:EB:38:6D:EF:20:01:BF:D4

    o client.jks

    D:wso2RunSOAPUIProj-wsas4keystores>keytool -list -keystore client.jks -storepass testing
    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 2 entries

    service, 5/06/2009, trustedCertEntry,
    Certificate fingerprint (MD5): D0:A8:F3:25:A8:6D:41:4F:B9:D9:7B:DC:D0:8F:6B:3E
    client, 5/06/2009, keyEntry,
    Certificate fingerprint (MD5): A2:72:C0:79:CE:74:F7:B0:EB:38:6D:EF:20:01:BF:D4

  • 20. Protect the HelloWorld service endpoint with PKI

    SoapUI setup:

    o Import the keystores, both client and service
  • 21. o Setup Outgoing security (request signing) – Timestamp->Sign->Encrypt
  • 22. o Setup Incoming (response signature verification and decryption)
  • 23. Try the HelloWorld service (client signs with its private key and encrypts with the service's public key)

    Request

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:typ="http://www.wso2.org/types"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <xenc:EncryptedKey Id="EncKeyId-961EF59EAFFC26AC04129692017685915">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <wsse:SecurityTokenReference>
                <ds:X509Data>
                  <ds:X509IssuerSerial>
                    <ds:X509IssuerName>EMAILADDRESS=service@testing.wso2.com,CN=Service,OU=Security,O=WSO2,L=Colombo,ST=Western,C=LK</ds:X509IssuerName>
                    <ds:X509SerialNumber>10590656242952610662</ds:X509SerialNumber>
                  </ds:X509IssuerSerial>
                </ds:X509Data>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
              <xenc:CipherValue>GwDUN29FWPaJ9i0j8yvU/Ph6Mz1R6io3Y8U5WSQHXivvpparYB0hbaYlxXX+sTdCnveUejIUJXqY5ZHjnag2EC0UIzGGkfFcuxuzCt7tHST0JTLEYTI8yDDW3lTNkVGOdnzkjgR4S6rfe8MkMi41YJVTYnnyvGgt7jKWFt+USRQ=</xenc:CipherValue>
            </xenc:CipherData>
            <xenc:ReferenceList>
              <xenc:DataReference URI="#EncDataId-19"/>
            </xenc:ReferenceList>
          </xenc:EncryptedKey>
          <ds:Signature Id="Signature-17" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#id-18">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>0qgK5jOyh/iTSzYnPJn5y6U3F40=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>T2+u8zRGfzzr74xM1BS/HvirK8tDvUh6O8zBUrIzcff/H2XBSqH1J4xVSYpjB5dsNp2Nk7d+FPLEFpO/cYybKUIUCApImkVG4NRQwyuQAy5b7eTIVot6nqo8CTmhLLroaI8eI623loEyEYGuNxPH9Hq8fkGGjkr0Ucyhs7FHdls=</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-961EF59EAFFC26AC04129692017671812">
              <wsse:SecurityTokenReference wsu:Id="STRId-961EF59EAFFC26AC04129692017671813"
                  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <ds:X509Data>
                  <ds:X509IssuerSerial>
                    <ds:X509IssuerName>EMAILADDRESS=client@testing.wso2.org,CN=Client,OU=Security,O=WSO2,L=Colombo,ST=Western,C=LK</ds:X509IssuerName>
                    <ds:X509SerialNumber>11125750822478120527</ds:X509SerialNumber>
                  </ds:X509IssuerSerial>
                </ds:X509Data>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
          <wsu:Timestamp wsu:Id="Timestamp-16"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2011-02-05T15:36:16.578Z</wsu:Created>
            <wsu:Expires>2011-02-05T15:46:16.578Z</wsu:Expires>
          </wsu:Timestamp>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body wsu:Id="id-18"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <xenc:EncryptedData Id="EncDataId-19" Type="http://www.w3.org/2001/04/xmlenc#Content">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
              <wsse:Reference URI="#EncKeyId-961EF59EAFFC26AC04129692017685915"/>
            </wsse:SecurityTokenReference>
          </ds:KeyInfo>
          <xenc:CipherData>
            <xenc:CipherValue>qdxZzZpr6+/FjxEVL3gqycf6cGI+rN17bGUkD/StD/eKaMtUIlPmMNfb/nSH1i7v7pGf/j2XAENA+Bk2k/8J/nO/uULT9JBw9ES76VbggTEvrI9yRCPeDUAZUUuRbpOcTrUpOnMG3SzA3floZYxu6Rw8jAOgmWuJTeUkHJxMKIOEcrNORE1im9dgJZ/FDuNQk9OpUXH4/O1owKa6Ph+F8s5R+5TwlgOJ+rlC4rIkkS6FGnB614MGD1Gn9Cv8YXbYQ/9+BG5srvNYFmhU4FEDHF12XJW3VFZV9gnrqigWMW/Opk08sn9D9aTtMpAwz53485e3WxjUVEwJq2AusefS2T/vmxsFmQWkG1ETYY6d0Dsp1dKierVlKF1zGmnBN3DvhWL2Z3JfWUeRVVmb85Lv/dKis8ECZTSGCTT8zMNQ3SPB1Jgi5Kp5aWGSoHKZNmyP2Vl4whaJzaRmVoOEXv+q1Vq1MEKCu1+eR90cSf8xHHl4jpJ2VeNAxl+/CUk/2GkK</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedData>
      </soapenv:Body>
    </soapenv:Envelope>

  • 26. A better way is to set the security requirement in the Auth tab (without having to apply it manually as above).

    o Call it
  • 27. • Sun Feb 06 02:47:03 EST 2011:ERROR:org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
        Original Exception was java.security.InvalidKeyException: Illegal key size

    The Java key-size restriction is over now!! The US court cannot dictate to the world a key-strength restriction of 128 bits or less. The policy for this security is "Basic256", that is, it wants the client to secure the message with 256-bit keys (more than the 128-bit limit of the default JCE policy files)!! So SoapUI's JRE security needs to be upgraded. Why would SoapUI have its own JRE!! (what on earth?)

    Go to C:\Program Files\eviware\soapUI-3.0.1\jre\lib\security and replace local_policy.jar and US_export_policy.jar with the unlimited-strength versions.
  • 28. Try again! This should fix it.. (3 am..time to go to bed..Seri!!)
  • 29. Response (decrypted -> signature verified)

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsu:Timestamp wsu:Id="Timestamp-34"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2011-02-05T16:01:13.171Z</wsu:Created>
            <wsu:Expires>2011-02-05T16:06:13.171Z</wsu:Expires>
          </wsu:Timestamp>
          <wsse:BinarySecurityToken
              EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
              ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
              wsu:Id="A3F6B416F375E7E35A129692167332844"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">[Base64 X.509 certificate omitted]</wsse:BinarySecurityToken>
          <xenc:EncryptedKey Id="EncKeyId-A3F6B416F375E7E35A129692167332845">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#A3F6B416F375E7E35A129692167332844"
                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
              <xenc:CipherValue>U8yHOWFCtglXN1KWDBg6daTvnL9BpyHhLpmErG94UaUofG53qZ0LeJGlcwtgscUVuq6zzUIJn/65Xe+8jLs9KDfIY2mFQtezoORQ7Sz8qNL0FveEtkLJB6ZuAk63jqw6V+QU3/YF4MlzOva/+GOIt8TX04N+LAN4vF6qWw/QIwQ=</xenc:CipherValue>
            </xenc:CipherData>
            <xenc:ReferenceList>
              <xenc:DataReference URI="#EncDataId-37"/>
            </xenc:ReferenceList>
          </xenc:EncryptedKey>
          <wsse11:SignatureConfirmation
              Value="BWH4NKLjTIgrE7KnHCmW11VoDcBsKjaZcwdYMLQS9lw54OlhftgnyCPoxBObvOq++zLucpE8Qt4iO+DTmpevDFpjajk4EvOoNT41AvNKBfbshG9L/eQdIKUPlAp1W2LY1mBYAHTndUjhYukaVYzdRd4n1R2p7KBGKeEA1dDpp2Q="
              wsu:Id="SigConf-35"
              xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
          <ds:Signature Id="Signature-36" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#Id-19879731">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>LtvmS+tz7d9ntpRrxS65VSB+z7A=</ds:DigestValue>
              </ds:Reference>
              <ds:Reference URI="#Timestamp-34">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>dyvypfnQ8P8yUNwps8pALyY7t3g=</ds:DigestValue>
              </ds:Reference>
              <ds:Reference URI="#SigConf-35">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>oVuLvqBsFJpk+HzzamPuQ6/bX14=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>bISYDi/Q89WoAOvnb8vzK8FRA+BDPScmaMqShBrFxC99IzN9DGm4Ot5o8OILyVlcEIob9cyCd0qjpl3ikrQq83e3mX3EQD3mw+3nOQkr2CX7WQmpJzCGjywWkY3+TdVOoVxftWIFF8OwpNQ8KgMmhWaY8BeOvdL8fL4zAetopd4=</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-A3F6B416F375E7E35A129692167326542">
              <wsse:SecurityTokenReference wsu:Id="STRId-A3F6B416F375E7E35A129692167326543"
                  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsse:KeyIdentifier
                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                    ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">urp3hTi9z3xoBJ0W6PLxtgq5gF0=</wsse:KeyIdentifier>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body wsu:Id="Id-19879731"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <ns:greetResponse xmlns:ns="http://www.wso2.org/types">
          <return>Hello World, Hi TS_Client_Sign_Service_Enc !!!</return>
        </ns:greetResponse>
      </soapenv:Body>
    </soapenv:Envelope>

    SoapUI attempts Decrypt -> Verify Signature, the reverse of the request's security order (i.e. Sign -> Encrypt). That is why we can see the clear text in the message the service replied with!
  • 34. SoapUI's WSS4J results for the response, one entry per security action (certificate key material, key identifiers and signature bytes omitted):

    • {signed-element-ids=[Timestamp-34, SigConf-35, Id-19879731], signature-value=[B@312737,
       principal=EMAILADDRESS=service@testing.wso2.com, CN=Service, OU=Security, O=WSO2, L=Colombo, ST=Western, C=LK,
       x509-certificate=[ Version: V3,
         Subject: EMAILADDRESS=service@testing.wso2.com, CN=Service, OU=Security, O=WSO2, L=Colombo, ST=Western, C=LK,
         Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5, Key: Sun RSA public key, 1024 bits,
         Validity: [From: Fri Jun 05 01:50:54 EST 2009, To: Mon Jun 03 01:50:54 EST 2019],
         Issuer: EMAILADDRESS=service@testing.wso2.com, CN=Service, OU=Security, O=WSO2, L=Colombo, ST=Western, C=LK,
         SerialNumber: [ 92f991bd c376a366],
         Certificate Extensions: SubjectKeyIdentifier, AuthorityKeyIdentifier, BasicConstraints: [ CA:true PathLen:2147483647 ] ],
       data-ref-uris=[org.apache.ws.security.WSDataRef@8c3eb8, org.apache.ws.security.WSDataRef@169baee, org.apache.ws.security.WSDataRef@6f83e2],
       action=2}
    • {signature-confirmation=, action=128}
    • {decrypted-key=[B@c47220,
       x509-certificate=[ Version: V3,
         Subject: EMAILADDRESS=client@testing.wso2.org, CN=Client, OU=Security, O=WSO2, L=Colombo, ST=Western, C=LK,
         Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5, Key: Sun RSA public key, 1024 bits,
         Validity: [From: Fri Jun 05 01:54:46 EST 2009, To: Mon Jun 03 01:54:46 EST 2019],
         Issuer: EMAILADDRESS=client@testing.wso2.org, CN=Client, OU=Security, O=WSO2, L=Colombo, ST=Western, C=LK,
         SerialNumber: [ 9a669b6d 2151864f],
         Certificate Extensions: SubjectKeyIdentifier, AuthorityKeyIdentifier, BasicConstraints: [ CA:true PathLen:2147483647 ] ] ...
    • {binary-security-token=[Base64 X.509 certificate omitted], action=4096, x509-certificates=[Ljava.security.cert.X509Certificate;@ba22e1}
    • {timestamp=2011-02-05T16:01:13.171Z2011-02-05T16:06:13.171Z, action=32}
  • 37. Symmetric Key (shared) – Security Token Service (STS)
  • 38. Appendix

    PasswordDigestTest.java

    import java.security.MessageDigest;
    import org.apache.ws.security.util.Base64;

    public class PasswordDigestTest {

        public static void main(String[] args) {
            /*
            String nonce = "UIYifr1SPoNlrmmKGSVOug==";
            String created = "2009-12-03T16:14:49Z";
            String password = "test8";
            */
            String nonce = "ugzWFiShtsERcAekb6HjHA==";
            String created = "2011-02-05T12:11:20.578Z";
            String password = "bobPW000";
            String expectedHashPwd = "O4yOKfrAStHBHOQy/Y7e3tGmV5A=";
            // String res = doPasswordDigest(nonce, created, password);
            if (args.length < 3) {
                System.err.println("usage: PasswordDigestTest <nonce-base64> <created> <password>");
                return;
            }
            String res = doPasswordDigest(args[0], args[1], args[2]);
            // prints the expected digest next to the computed one so they can be compared by eye
            System.out.println(expectedHashPwd + " " + res);
        }

        // OASIS rule: Password_Digest = Base64( SHA-1( nonce + created + password ) )
        public static String doPasswordDigest(String nonce, String created, String password) {
            String passwdDigest = null;
            try {
                // the nonce is hashed as its decoded bytes, not as the Base64 text
                byte[] b1 = nonce != null ? Base64.decode(nonce) : new byte[0];
                byte[] b2 = created != null ? created.getBytes("UTF-8") : new byte[0];
                byte[] b3 = password.getBytes("UTF-8");
                byte[] b4 = new byte[b1.length + b2.length + b3.length];
                int offset = 0;
                System.arraycopy(b1, 0, b4, offset, b1.length);
                offset += b1.length;
                System.arraycopy(b2, 0, b4, offset, b2.length);
                offset += b2.length;
                System.arraycopy(b3, 0, b4, offset, b3.length);
                MessageDigest sha = MessageDigest.getInstance("SHA-1");
                sha.reset();
                sha.update(b4);
                passwdDigest = Base64.encode(sha.digest());
            } catch (Exception e) {
                e.printStackTrace();
            }
            return passwdDigest;
        }
    }
  • 39. PWCBHandler.java

    package org.apache.rampart.samples.policy.sample000;

    import java.io.IOException;
    import java.io.PrintStream;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import org.apache.ws.security.WSPasswordCallback;

    public class PWCBHandler implements CallbackHandler {

        public void handle(Callback[] paramArrayOfCallback) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < paramArrayOfCallback.length; ++i) {
                WSPasswordCallback localWSPasswordCallback = (WSPasswordCallback) paramArrayOfCallback[i];
                System.out.println("pwcb.getUsage()=" + localWSPasswordCallback.getUsage());
                System.out.println("pwcb.getPassword()=" + localWSPasswordCallback.getPassword());
                System.out.println("pwcb.getIdentifer()=" + localWSPasswordCallback.getIdentifer());
                // usage 5 (WSPasswordCallback.USERNAME_TOKEN_UNKNOWN in WSS4J 1.5): the token carries a
                // plaintext password and this handler has to verify it itself
                if (localWSPasswordCallback.getUsage() == 5) {
                    if ((localWSPasswordCallback.getIdentifer().equals("alice"))
                            && (localWSPasswordCallback.getPassword().equals("bobPW"))) {
                        System.out.println("alice/bobPW found");
                        return;
                    }
                    System.out.println("UnsupportedCallbackException!!!");
                    throw new UnsupportedCallbackException(paramArrayOfCallback[i], "check failed");
                }
                // assume getUsage()==2 (WSPasswordCallback.USERNAME_TOKEN), i.e. hashed password!!
                System.out.println("The client requests for the password of (bobPW000) " + localWSPasswordCallback.getIdentifer());
                // I assumed that somehow, somewhere I can get the clear password needed for the SHA-1 digest function,
                // e.g. I could have retrieved it from LDAP and set it here for Rampart to do the password digest calculation!
                // Here I just use a different password, i.e. "bobPW000"; I could have used the same password, i.e. "bobPW",
                // in the setPassword() below.
                localWSPasswordCallback.setPassword("bobPW000");
            }
        }
    }