Ws security with opensource platform

Slides 1–2

WS-Security (OASIS): Transport-Level Security vs. Message-Level Security. Apache Rampart supports WS-Security.

Transport-Level Security

With the UsernameToken we can pass either a "plain text" password or a "password digest". policy1 requires "HashPassword" (password digest) without an HTTPS Transport Binding.

Service's policy1 (without HTTPS Transport Binding):

<wsp:Policy wsu:Id="UsernameToken"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:HashPassword/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>alice</ramp:user>
        <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample00.PWCBHandler</ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

Note: Password_Digest = Base64( SHA-1( nonce + created + password ) )
Source: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0

Issue: most AAZ services will NOT hold the clear-text password AT ALL!! They hold only a password digest. Only YOU know the clear-text password, so when you lose the password there is no way to retrieve it (one-way hash function). This also means the AAZ service will not be able to verify a HashPassword!!! But just to demonstrate how a UsernameToken with a hashed password works, I will have to assume that the service is able to retrieve the "plaintext" password and supply it to Rampart for the SHA-1 computation.
Slide 3

First, try the UsernameToken with a plaintext password.

List all the AXIS services: http://localhost:8080/axis2/services/listServices
We will use the following AXIS service: http://localhost:8080/axis2/services/sample000?wsdl

Try 1: add a security header with a valid user and a wrong password.
Slides 4–7

Request:

<soapenv:Envelope xmlns:sam="http://sample000.policy.samples.rampart.apache.org"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-1"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"> wrong password </wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">WQlg9p+7C4StUZr388OuXw==</wsse:Nonce>
        <wsu:Created>2011-02-05T11:09:57.031Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <sam:echo>
      <!--Optional:-->
      <sam:args0>111</sam:args0>
    </sam:echo>
  </soapenv:Body>
</soapenv:Envelope>

Reply:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <soapenv:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <faultcode>wsse:InvalidSecurity</faultcode>
      <faultstring>The security token could not be authenticated or authorized; nested exception is: javax.security.auth.callback.UnsupportedCallbackException: check failed</faultstring>
      <detail/>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>

Tomcat's log:

    at org.apache.rampart.RampartEngine.process(RampartEngine.java:124)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
    ... 19 more
pwcb.getUsage()=5
pwcb.getPassword()= wrong password
pwcb.getIdentifer()=alice
UnsupportedCallbackException!!!
[ERROR] The security token could not be authenticated or authorized; nested exception is: javax.security.auth.callback.UnsupportedCallbackException: check failed
org.apache.axis2.AxisFault: The security token could not be authenticated or authorized; nested exception is: javax.security.auth.callback.UnsupportedCallbackException: check failed
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:166)

Try 2: use a valid user/password. But let's find out the password first: just decompile the callback handler! (alice/bobPW)

Request:

<soapenv:Envelope xmlns:sam="http://sample000.policy.samples.rampart.apache.org"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-1"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">WQlg9p+7C4StUZr388OuXw==</wsse:Nonce>
        <wsu:Created>2011-02-05T11:09:57.031Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <sam:echo>
      <!--Optional:-->
      <sam:args0>111</sam:args0>
    </sam:echo>
  </soapenv:Body>
</soapenv:Envelope>

Request:

<soapenv:Envelope xmlns:sam="http://sample000.policy.samples.rampart.apache.org"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-1"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">WQlg9p+7C4StUZr388OuXw==</wsse:Nonce>
        <wsu:Created>2011-02-05T11:09:57.031Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <sam:echo>
      <!--Optional:-->
      <sam:args0>Hi it is Seri!!!!</sam:args0>
    </sam:echo>
  </soapenv:Body>
</soapenv:Envelope>

The plaintext user/password (alice/bobPW) works!!!

Consideration: what about a man-in-the-middle attack (MITM)? Scary? There is no Timestamp in the security header to prevent a replay attack. So you must change your Created date and nonce for each call.
Slides 8–9

Next, try the hashed version of the "bobPW" password.

We get an error: "bobPW" is not a valid password. This is because I deliberately passed the clear-text password "bobPW000" to the setPassword() function; Rampart then calculates the digest on that.

<soapenv:Envelope xmlns:sam="http://sample000.policy.samples.rampart.apache.org"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-4"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">O4yOKfrAStHBHOQy/Y7e3tGmV5A=</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">ugzWFiShtsERcAekb6HjHA==</wsse:Nonce>
        <wsu:Created>2011-02-05T12:11:20.578Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <sam:echo>
      <!--Optional:-->
      <sam:args0>Hi it is Seri!!!!</sam:args0>
    </sam:echo>
  </soapenv:Body>
</soapenv:Envelope>

Let's calculate the password digest values based on the rule given by OASIS:

Password_Digest = Base64( SHA-1( nonce + created + password ) )

D:wso2RunSOAPUIProj-wsas4PasswordDigestTest>java -cp .;./wss4j-1.5.8.jar;commons-logging-1.1.1.jar PasswordDigestTest ugzWFiShtsERcAekb6HjHA== 2011-02-05T11:20.578Z bobPW000
O4yOKfrAStHBHOQy/Y7e3tGmV5A= O4yOKfrAStHBHOQy/Y7e3tGmV5A=

Request with valid user/password (alice/bobPW000):

<soapenv:Envelope xmlns:sam="http://sample000.policy.samples.rampart.apache.org"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-2"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">79ErE6DrEOuR1j8S2aLIgIq8YXk=</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">yp9RrxBTS6SFfQfPgQdy+A==</wsse:Nonce>
        <wsu:Created>2011-02-05T14:07:51.625Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <sam:echo>
      <!--Optional:-->
      <sam:args0>Hi it is Seri!!!!</sam:args0>
    </sam:echo>
  </soapenv:Body>
</soapenv:Envelope>

D:wso2RunSOAPUIProj-wsas4PasswordDigestTest>java -cp .;./wss4j-1.5.8.jar;commons-logging-1.1.1.jar PasswordDigestTest yp9RrxBTS6SFfQfPgQdy+A== 2011-02-05T14:07:51.625Z bobPW000
79ErE6DrEOuR1j8S2aLIgIq8YXk=
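The digest rule above is short enough to reproduce and check outside of WSS4J. The following Python is an added example, not code from the deck or from Rampart/WSS4J: it implements Password_Digest = Base64( SHA-1( nonce + created + password ) ) exactly as the OASIS profile states (the nonce is Base64-decoded before hashing; Created and the password are hashed as UTF-8), then adds the constant-time comparison a verifier should use. The constants named DECK_* are the nonce, Created and digest captured in the successful alice/bobPW000 request above; everything else is assumed for the example.

```python
"""UsernameToken PasswordDigest: compute and verify.

Password_Digest = Base64( SHA-1( nonce + created + password ) )
"""
import base64
import hashlib
import hmac


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Return the Base64 PasswordDigest for one UsernameToken.

    The nonce travels Base64-encoded in <wsse:Nonce> but is hashed as the
    decoded raw bytes; <wsu:Created> and the password are hashed as UTF-8.
    """
    nonce = base64.b64decode(nonce_b64) if nonce_b64 else b""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def verify_digest(nonce_b64: str, created: str, presented_digest: str,
                  stored_password: str) -> bool:
    """Server-side check. The verifier must know the clear-text password
    (this is the deck's point: a store holding only hashes cannot do this).
    The comparison is constant-time so timing does not leak how many
    leading characters matched."""
    expected = password_digest(nonce_b64, created, stored_password)
    return hmac.compare_digest(expected.encode("ascii"),
                               presented_digest.encode("ascii"))


# Values from the deck's accepted request (alice/bobPW000).
DECK_NONCE = "yp9RrxBTS6SFfQfPgQdy+A=="
DECK_CREATED = "2011-02-05T14:07:51.625Z"
DECK_DIGEST = "79ErE6DrEOuR1j8S2aLIgIq8YXk="


def matches_deck_value() -> bool:
    """True if this implementation reproduces the digest WSS4J printed."""
    return verify_digest(DECK_NONCE, DECK_CREATED, DECK_DIGEST, "bobPW000")


if __name__ == "__main__":
    print("digest      :", password_digest(DECK_NONCE, DECK_CREATED, "bobPW000"))
    print("matches deck:", matches_deck_value())
    # The earlier failed attempt: same rule, different clear-text password.
    print("bobPW accepted:", verify_digest(DECK_NONCE, DECK_CREATED, DECK_DIGEST, "bobPW"))
```

The `verify_digest` signature makes the operational constraint visible: `stored_password` has to be the clear text, which is exactly why a service backed by a hashed-password store (slide 17) cannot offer PasswordDigest authentication without extra code.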
Slide 10

Question????
Slide 11

With HTTPS Transport Binding

Service's policy2 (with HTTPS Transport Binding):

<wsp:Policy wsu:Id="UsernameToken"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="false"/>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:passwordCallbackClass>tutorial.rampart.service.PWCBHandler</ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

I have tried Tomcat's web container for the HTTPS transport; it works fine. However, I love the open-source WSO2 Application Server v4, so I will use its HTTP server for this. Default user/password = admin/admin.
Slide 12

I will use the HelloWorld service; notice it has both HTTP and HTTPS transports. I created a "tester" role with "seri" as a user in it.
Slide 13

Just enable the security of the HelloWorld service.
Slide 14

Try the HTTP transport first!!! Not secured?

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <soapenv:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <faultcode>wsse:InvalidSecurity</faultcode>
      <faultstring>Expected transport is "https" but incoming transport found : "http"</faultstring>
      <detail/>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>

Try the HTTPS transport – plaintext password. Oopsssssssss! Forgot the Timestamp (very important for replay-attack prevention!)
Slides 15–16

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:typ="http://www.wso2.org/types">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="Timestamp-6"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2011-02-05T14:40:27.296Z</wsu:Created>
        <wsu:Expires>2011-02-05T14:50:27.296Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="UsernameToken-5"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>seri</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">TiTus00!</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">l4+XqEgQweYSiUMbiGqr3Q==</wsse:Nonce>
        <wsu:Created>2011-02-05T14:39:22.078Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <typ:greet>
      <!--Optional:-->
      <name>Hi you are there</name>
    </typ:greet>
  </soapenv:Body>
</soapenv:Envelope>

Response, after adding the Timestamp. Oops... a used Nonce is detected!!

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <soapenv:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <faultcode>wsse:InvalidSecurity</faultcode>
      <faultstring>Nonce value : l4+XqEgQweYSiUMbiGqr3Q==, already seen before for user name : seri. Possibly this could be a replay attack.</faultstring>
      <detail/>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>

Let's fix up the Nonce... and resend... It works!!
Slide 17

Try the HTTPS transport – will the WSO2 App Server work with the password digest? ? ?

No. Why??? The application does not maintain or have the "clear text" password. It is not common practice to hold the "clear text", and so a service does not commonly provide "password digest" authentication (without writing code!!).
Slide 18

PKI – Asymmetric Key (PubK/PriK)

Asymmetric Key (PubK/PriK) vs. Symmetric Key (shared/STS)

In general, symmetric keys are very, very, very, very hard!!!! To maintain and to trust the key! Key management is a nightmare! There is no standard adopted or best practice for symmetric key management. I will cover symmetric-key authentication in the future with SAML (still learning SAML 2.0: SAML Assertion Token with WS-Security).

Asymmetric Key (PubK/PriK) setup using the HelloWorld service above.

Import Client/Service Keystores. Password for the keystores is "testing".
Slides 19–20

o service.jks

D:wso2RunSOAPUIProj-wsas4keystores>keytool -list -keystore service.jks -storepass testing

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

service, 5/06/2009, keyEntry,
Certificate fingerprint (MD5): D0:A8:F3:25:A8:6D:41:4F:B9:D9:7B:DC:D0:8F:6B:3E
client, 5/06/2009, trustedCertEntry,
Certificate fingerprint (MD5): A2:72:C0:79:CE:74:F7:B0:EB:38:6D:EF:20:01:BF:D4

o client.jks

D:wso2RunSOAPUIProj-wsas4keystores>keytool -list -keystore client.jks -storepass testing

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

service, 5/06/2009, trustedCertEntry,
Certificate fingerprint (MD5): D0:A8:F3:25:A8:6D:41:4F:B9:D9:7B:DC:D0:8F:6B:3E
client, 5/06/2009, keyEntry,
Certificate fingerprint (MD5): A2:72:C0:79:CE:74:F7:B0:EB:38:6D:EF:20:01:BF:D4

Protect the HelloWorld service endpoint with PKI.

SOAPUI setup:

o Import both keystores (client and service).
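The two listings above encode the trust relationship the rest of the deck relies on: the service's keyEntry must appear as a trustedCertEntry in client.jks with the same fingerprint, and vice versa, or signing will succeed and verification will fail. The Python below is an added example, not code from the deck or from keytool: it parses the `keytool -list` format shown above (the older `alias, date, keyEntry,` layout; `PrivateKeyEntry` from newer JDKs is also accepted as an assumption), cross-checks the two keystores, and flags that only MD5 fingerprints are shown. The two sample listings are transcribed from the slides.

```python
"""Cross-check two `keytool -list` outputs for a consistent mutual trust setup."""
import re

# Transcribed from the deck's service.jks and client.jks listings.
SERVICE_JKS = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

service, 5/06/2009, keyEntry,
Certificate fingerprint (MD5): D0:A8:F3:25:A8:6D:41:4F:B9:D9:7B:DC:D0:8F:6B:3E
client, 5/06/2009, trustedCertEntry,
Certificate fingerprint (MD5): A2:72:C0:79:CE:74:F7:B0:EB:38:6D:EF:20:01:BF:D4
"""

CLIENT_JKS = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

service, 5/06/2009, trustedCertEntry,
Certificate fingerprint (MD5): D0:A8:F3:25:A8:6D:41:4F:B9:D9:7B:DC:D0:8F:6B:3E
client, 5/06/2009, keyEntry,
Certificate fingerprint (MD5): A2:72:C0:79:CE:74:F7:B0:EB:38:6D:EF:20:01:BF:D4
"""

PRIVATE_KINDS = {"keyEntry", "PrivateKeyEntry"}
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), (?P<date>.+), (?P<kind>keyEntry|PrivateKeyEntry|trustedCertEntry),$")
FP_RE = re.compile(r"^Certificate fingerprint \((?P<algo>[A-Z0-9-]+)\): (?P<fp>[0-9A-F:]+)$")


def parse_keytool_list(text: str) -> dict:
    """Return {alias: {'kind': ..., 'algo': ..., 'fingerprint': ...}} in listing order."""
    entries, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            pending = m.group("alias")
            entries[pending] = {"kind": m.group("kind")}
            continue
        m = FP_RE.match(line)
        if m and pending is not None:
            entries[pending]["algo"] = m.group("algo")
            entries[pending]["fingerprint"] = m.group("fp")
            pending = None
    return entries


def trust_issues(own: dict, peer: dict) -> list:
    """For every private key in `own`, confirm `peer` trusts that exact certificate."""
    issues = []
    for alias, entry in own.items():
        if entry["kind"] not in PRIVATE_KINDS:
            continue
        trusted = peer.get(alias)
        if trusted is None or trusted["kind"] != "trustedCertEntry":
            issues.append(f"{alias}: peer keystore has no trustedCertEntry for it")
        elif trusted.get("fingerprint") != entry.get("fingerprint"):
            issues.append(f"{alias}: fingerprint mismatch "
                          f"({entry.get('fingerprint')} vs {trusted.get('fingerprint')})")
    return issues


def weak_fingerprint_algos(entries: dict) -> list:
    """Aliases whose only fingerprint is MD5; compare SHA-256 (keytool -list -v) before trusting."""
    return [alias for alias, e in entries.items() if e.get("algo") == "MD5"]


if __name__ == "__main__":
    svc, cli = parse_keytool_list(SERVICE_JKS), parse_keytool_list(CLIENT_JKS)
    print("service -> client:", trust_issues(svc, cli) or "ok")
    print("client -> service:", trust_issues(cli, svc) or "ok")
    print("MD5-only fingerprints:", weak_fingerprint_algos(svc))
```

Run against the deck's keystores both directions come back clean, which is what lets the client sign with its private key and encrypt to the service's public key later in the deck; a fingerprint that differs between the two files is the first thing to look for when a "signature or decryption was invalid" fault appears.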
Slide 21

o Set up Outgoing security (request signing): Timestamp -> Sign -> Encrypt
Slide 22

o Set up Incoming security (response signature verification and decryption)
Slides 23–26

Try the HelloWorld service (client signs with its PrivK and encrypts with the service PubK).

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:typ="http://www.wso2.org/types" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <xenc:EncryptedKey Id="EncKeyId-961EF59EAFFC26AC04129692017685915">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>EMAILADDRESS=service@testing.wso2.com,CN=Service,OU=Security,O=WSO2,L=Colombo,ST=Western,C=LK</ds:X509IssuerName>
                <ds:X509SerialNumber>10590656242952610662</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>GwDUN29FWPaJ9i0j8yvU/Ph6Mz1R6io3Y8U5WSQHXivvpparYB0hbaYlxXX+sTdCnveUejIUJXqY5ZHjnag2EC0UIzGGkfFcuxuzCt7tHST0JTLEYTI8yDDW3lTNkVGOdnzkjgR4S6rfe8MkMi41YJVTYnnyvGgt7jKWFt+USRQ=</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#EncDataId-19"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <ds:Signature Id="Signature-17" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-18">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>0qgK5jOyh/iTSzYnPJn5y6U3F40=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>T2+u8zRGfzzr74xM1BS/HvirK8tDvUh6O8zBUrIzcff/H2XBSqH1J4xVSYpjB5dsNp2Nk7d+FPLEFpO/cYybKUIUCApImkVG4NRQwyuQAy5b7eTIVot6nqo8CTmhLLroaI8eI623loEyEYGuNxPH9Hq8fkGGjkr0Ucyhs7FHdls=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-961EF59EAFFC26AC04129692017671812">
          <wsse:SecurityTokenReference wsu:Id="STRId-961EF59EAFFC26AC04129692017671813"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>EMAILADDRESS=client@testing.wso2.org,CN=Client,OU=Security,O=WSO2,L=Colombo,ST=Western,C=LK</ds:X509IssuerName>
                <ds:X509SerialNumber>11125750822478120527</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="Timestamp-16"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2011-02-05T15:36:16.578Z</wsu:Created>
        <wsu:Expires>2011-02-05T15:46:16.578Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-18"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <xenc:EncryptedData Id="EncDataId-19" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:Reference URI="#EncKeyId-961EF59EAFFC26AC04129692017685915"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>qdxZzZpr6+/FjxEVL3gqycf6cGI+rN17bGUkD/StD/eKaMtUIlPmMNfb/nSH1i7v7pGf/j2XAENA+Bk2k/8J/nO/uULT9JBw9ES76VbggTEvrI9yRCPeDUAZUUuRbpOcTrUpOnMG3SzA3floZYxu6Rw8jAOgmWuJTeUkHJxMKIOEcrNORE1im9dgJZ/FDuNQk9OpUXH4/O1owKa6Ph+F8s5R+5TwlgOJ+rlC4rIkkS6FGnB614MGD1Gn9Cv8YXbYQ/9+BG5srvNYFmhU4FEDHF12XJW3VFZV9gnrqigWMW/Opk08sn9D9aTtMpAwz53485e3WxjUVEwJq2AusefS2T/vmxsFmQWkG1ETYY6d0Dsp1dKierVlKF1zGmnBN3DvhWL2Z3JfWUeRVVmb85Lv/dKis8ECZTSGCTT8zMNQ3SPB1Jgi5Kp5aWGSoHKZNmyP2Vl4whaJzaRmVoOEXv+q1Vq1MEKCu1+eR90cSf8xHHl4jpJ2VeNAxl+/CUk/2GkK</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>

A better way is to set the security requirement in the Auth tab (without having to apply it manually as above).

o Call it.
Slide 27

• Sun Feb 06 02:47:03 EST 2011:ERROR:org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
  Original Exception was java.security.InvalidKeyException: Illegal key size

The Java key-size restriction is now over!! The US court cannot dictate a key-strength restriction of 128 bits or less to the rest of the world. The policy for this security is "Basic256", that is, it wants the client to secure the message with 256-bit keys!! So SOAPUI's JRE security needs to be upgraded. Why would SOAPUI have its own JRE!! (what on earth?)

Go to C:\Program Files\eviware\soapUI-3.0.1\jre\lib\security and replace local_policy.jar and US_export_policy.jar with the unlimited-strength versions.
Slide 28

Try again! This should fix it... (3 am... time to go to bed, Seri!!)
Slides 29–33

Response (decrypted -> signature verified):

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="Timestamp-34"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2011-02-05T16:01:13.171Z</wsu:Created>
        <wsu:Expires>2011-02-05T16:06:13.171Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="A3F6B416F375E7E35A129692167332844"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIDjTCCAvagAwIBAgIJAJpmm20hUYZPMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJMSzEQMA4GA1UECBMHV2VzdGVybjEQMA4GA1UEBxMHQ29sb21ibzENMAsGA1UEChMEV1NPMjERMA8GA1UECxMIU2VjdXJpdHkxDzANBgNVBAMTBkNsaWVudDEmMCQGCSqGSIb3DQEJARYXY2xpZW50QHRlc3Rpbmcud3NvMi5vcmcwHhcNMDkwNjA0MTU1NDQ2WhcNMTkwNjAyMTU1NDQ2WjCBjDELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xDTALBgNVBAoTBFdTTzIxETAPBgNVBAsTCFNlY3VyaXR5MQ8wDQYDVQQDEwZDbGllbnQxJjAkBgkqhkiG9w0BCQEWF2NsaWVudEB0ZXN0aW5nLndzbzIub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfVUF1ZoijyQ4Eg4MW9T2RKF/zgGuNiVaFWCAnb9iYtjb5Y08YBtYgzfnVNJrPJbNwc1q3eJ+4VxVBUNXmboZahAPUx77Asheo7rR8g6hZh/VkjF8XrQm2Sd6HOX0f2syy/nunWOpsFcW+G21cMfPvx1wFMuU4yVEe2OtntyJkYwIDAQABo4H0MIHxMB0GA1UdDgQWBBRWgHakeCsgzoqsLatPoOfYpqMaBjCBwQYDVR0jBIG5MIG2gBRWgHakeCsgzoqsLatPoOfYpqMaBqGBkqSBjzCBjDELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xDTALBgNVBAoTBFdTTzIxETAPBgNVBAsTCFNlY3VyaXR5MQ8wDQYDVQQDEwZDbGllbnQxJjAkBgkqhkiG9w0BCQEWF2NsaWVudEB0ZXN0aW5nLndzbzIub3JnggkAmmabbSFRhk8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQDSHfaNHkDhX/mJTV3ProEAtN0d5vwVrJliqh3/rH8rMLZaj+fTxRKT0ke0Ngj+V0QXebF5BWEXy2NJpzuUy81OECvCp4U7ZvtBKNFImzDof9kiTTxpI20QiNiySvYeINiRJu6jp0rj2WcL61kdMrefIRFyFEbtUXvwTBI4XVmSqg==</wsse:BinarySecurityToken>
      <xenc:EncryptedKey Id="EncKeyId-A3F6B416F375E7E35A129692167332845">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#A3F6B416F375E7E35A129692167332844"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>U8yHOWFCtglXN1KWDBg6daTvnL9BpyHhLpmErG94UaUofG53qZ0LeJGlcwtgscUVuq6zzUIJn/65Xe+8jLs9KDfIY2mFQtezoORQ7Sz8qNL0FveEtkLJB6ZuAk63jqw6V+QU3/YF4MlzOva/+GOIt8TX04N+LAN4vF6qWw/QIwQ=</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#EncDataId-37"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <wsse11:SignatureConfirmation
          Value="BWH4NKLjTIgrE7KnHCmW11VoDcBsKjaZcwdYMLQS9lw54OlhftgnyCPoxBObvOq++zLucpE8Qt4iO+DTmpevDFpjajk4EvOoNT41AvNKBfbshG9L/eQdIKUPlAp1W2LY1mBYAHTndUjhYukaVYzdRd4n1R2p7KBGKeEA1dDpp2Q="
          wsu:Id="SigConf-35"
          xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
      <ds:Signature Id="Signature-36" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#Id-19879731">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>LtvmS+tz7d9ntpRrxS65VSB+z7A=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Timestamp-34">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>dyvypfnQ8P8yUNwps8pALyY7t3g=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#SigConf-35">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>oVuLvqBsFJpk+HzzamPuQ6/bX14=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>bISYDi/Q89WoAOvnb8vzK8FRA+BDPScmaMqShBrFxC99IzN9DGm4Ot5o8OILyVlcEIob9cyCd0qjpl3ikrQq83e3mX3EQD3mw+3nOQkr2CX7WQmpJzCGjywWkY3+TdVOoVxftWIFF8OwpNQ8KgMmhWaY8BeOvdL8fL4zAetopd4=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-A3F6B416F375E7E35A129692167326542">
          <wsse:SecurityTokenReference wsu:Id="STRId-A3F6B416F375E7E35A129692167326543"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:KeyIdentifier
                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">urp3hTi9z3xoBJ0W6PLxtgq5gF0=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Id-19879731"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <ns:greetResponse xmlns:ns="http://www.wso2.org/types">
      <return>Hello World, Hi TS_Client_Sign_Service_Enc !!!</return>
    </ns:greetResponse>
  </soapenv:Body>
</soapenv:Envelope>

SOAPUI attempts to Decrypt -> Verify Signature (the reverse of the request's security order, i.e. Sign -> Encrypt). That is why we can see the clear text in the message replied by the service!
Slides 34–36

• {signed-element-ids=[Timestamp-34, SigConf-35, Id-19879731], signature-value=[B@312737,
  principal=EMAILADDRESS=service@testing.wso2.com, CN=Service, OU=Security, O=WSO2, L=Colombo, ST=Western, C=LK,
  x509-certificate=[
  [
    Version: V3
    Subject: EMAILADDRESS=service@testing.wso2.com, CN=Service, OU=Security, O=WSO2, L=Colombo, ST=Western, C=LK
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key: Sun RSA public key, 1024 bits
      modulus: 142787805887320168542756913024439565736989257239165007008662260193547498928736096603124059603215869018576688878929314609149290485371788007153295892396211768440847822078708792134872328877577461616678984794572805792551131582166323949869010712947644117382585954355741145836197196574350626777457965611383098455857
      public exponent: 65537
    Validity: [From: Fri Jun 05 01:50:54 EST 2009, To: Mon Jun 03 01:50:54 EST 2019]
    Issuer: EMAILADDRESS=service@testing.wso2.com, CN=Service, OU=Security, O=WSO2, L=Colombo, ST=Western, C=LK
    SerialNumber: [ 92f991bd c376a366]
    Certificate Extensions: 3
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 2A 92 B8 8F EB 5B FF FA B2 9F AE 3B B6 8F 30 F9  *....[.....;..0.
    0010: AB 04 11 2F                                      .../
    ]
    ]
    [2]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 2A 92 B8 8F EB 5B FF FA B2 9F AE 3B B6 8F 30 F9  *....[.....;..0.
    0010: AB 04 11 2F                                      .../
    ]
    [EMAILADDRESS=service@testing.wso2.com, CN=Service, OU=Security, O=WSO2, L=Colombo, ST=Western, C=LK]
    SerialNumber: [ 92f991bd c376a366]
    ]
    [3]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
  ]
    Algorithm: [SHA1withRSA]
    Signature:
    0000: AD C7 FA 2A CA 4D C5 FC 28 08 7C 60 77 8C D7 F4  ...*.M..(..`w...
    0010: 99 A1 77 1A 8E 9D 95 4C 40 A2 47 BE 10 76 26 82  ..w....L@.G..v&.
    0020: EF 42 C1 B5 79 E8 CD 4B 60 D7 72 5B BD 66 88 24  .B..y..K`.r[.f.$
    0030: 5C 64 D1 F8 BD 06 C3 AE 01 EC 61 D8 03 0F E6 4C  d........a....L
    0040: 77 ED 3D D9 D0 EB 6C 38 3F AF 11 E3 10 23 F6 D9  w.=...l8?....#..
    0050: 5A 35 8F 2F 1A 7C BC E6 A8 76 D6 47 70 D1 E6 CD  Z5./.....v.Gp...
    0060: 98 5C A6 25 BE 87 32 00 37 5A C0 39 42 BD 09 88  ..%..2.7Z.9B...
    0070: 9C 70 35 D7 06 6B 37 CF 4D 95 76 0D 03 8C 19 E9  .p5..k7.M.v.....
  ],
  data-ref-uris=[org.apache.ws.security.WSDataRef@8c3eb8, org.apache.ws.security.WSDataRef@169baee, org.apache.ws.security.WSDataRef@6f83e2],
  action=2}

• {signature-confirmation=, action=128}

• {decrypted-key=[B@c47220,
  x509-certificate=[
  [
    Version: V3
    Subject: EMAILADDRESS=client@testing.wso2.org, CN=Client, OU=Security, O=WSO2, L=Colombo, ST=Western, C=LK
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key: Sun RSA public key, 1024 bits
      modulus: 156829787087058823772740149638388103538055568357051354167337442712330446127825134158762805864671391781756669323262925162860183606703961194780176034603586880734475502021967653259319661122546654797840395948823849558697600164262393888293439239666341788323776432930742293161722065157625649824305034220675463799907
      public exponent: 65537
    Validity: [From: Fri Jun 05 01:54:46 EST 2009, To: Mon Jun 03 01:54:46 EST 2019]
    Issuer: EMAILADDRESS=client@testing.wso2.org, CN=Client, OU=Security, O=WSO2, L=Colombo, ST=Western, C=LK
    SerialNumber: [ 9a669b6d 2151864f]
    Certificate Extensions: 3
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 56 80 76 A4 78 2B 20 CE 8A AC 2D AB 4F A0 E7 D8  V.v.x+ ...-.O...
    0010: A6 A3 1A 06                                      ....
    ]
    ]
    [2]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 56 80 76 A4 78 2B 20 CE 8A AC 2D AB 4F A0 E7 D8  V.v.x+ ...-.O...
    0010: A6 A3 1A 06                                      ....
    ]
    [EMAILADDRESS=client@testing.wso2.org, CN=Client, OU=Security, O=WSO2, L=Colombo, ST=Western, C=LK]
    SerialNumber: [ 9a669b6d 2151864f]
    ]
    [3]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
  ]
    Algorithm: [SHA1withRSA]
    Signature:
    0000: D2 1D F6 8D 1E 40 E1 5F F9 89 4D 5D CF AE 81 00  .....@._..M]....
    0010: B4 DD 1D E6 FC 15 AC 99 62 AA 1D FF AC 7F 2B 30  ........b.....+0
    0020: B6 5A 8F E7 D3 C5 12 93 D2 47 B4 36 08 FE 57 44  .Z.......G.6..WD
    0030: 17 79 B1 79 05 61 17 CB 63 49 A7 3B 94 CB CD 4E  .y.y.a..cI.;...N
    0040: 10 2B C2 A7 85 3B 66 FB 41 28 D1 48 9B 30 E8 7F  .+...;f.A(.H.0..
    0050: D9 22 4D 3C 69 23 6D 10 88 D8 B2 4A F6 1E 20 D8  ."M

• {binary-security-token=MIIDjTCCAvagAwIBAgIJAJpmm20hUYZPMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJMSzEQMA4GA1UECBMHV2VzdGVybjEQMA4GA1UEBxMHQ29sb21ibzENMAsGA1UEChMEV1NPMjERMA8GA1UECxMIU2VjdXJpdHkxDzANBgNVBAMTBkNsaWVudDEmMCQGCSqGSIb3DQEJARYXY2xpZW50QHRlc3Rpbmcud3NvMi5vcmcwHhcNMDkwNjA0MTU1NDQ2WhcNMTkwNjAyMTU1NDQ2WjCBjDELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xDTALBgNVBAoTBFdTTzIxETAPBgNVBAsTCFNlY3VyaXR5MQ8wDQYDVQQDEwZDbGllbnQxJjAkBgkqhkiG9w0BCQEWF2NsaWVudEB0ZXN0aW5nLndzbzIub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfVUF1ZoijyQ4Eg4MW9T2RKF/zgGuNiVaFWCAnb9iYtjb5Y08YBtYgzfnVNJrPJbNwc1q3eJ+4VxVBUNXmboZahAPUx77Asheo7rR8g6hZh/VkjF8XrQm2Sd6HOX0f2syy/nunWOpsFcW+G21cMfPvx1wFMuU4yVEe2OtntyJkYwIDAQABo4H0MIHxMB0GA1UdDgQWBBRWgHakeCsgzoqsLatPoOfYpqMaBjCBwQYDVR0jBIG5MIG2gBRWgHakeCsgzoqsLatPoOfYpqMaBqGBkqSBjzCBjDELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xDTALBgNVBAoTBFdTTzIxETAPBgNVBAsTCFNlY3VyaXR5MQ8wDQYDVQQDEwZDbGllbnQxJjAkBgkqhkiG9w0BCQEWF2NsaWVudEB0ZXN0aW5nLndzbzIub3JnggkAmmabbSFRhk8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQDSHfaNHkDhX/mJTV3ProEAtN0d5vwVrJliqh3/rH8rMLZaj+fTxRKT0ke0Ngj+V0QXebF5BWEXy2NJpzuUy81OECvCp4U7ZvtBKNFImzDof9kiTTxpI20QiNiySvYeINiRJu6jp0rj2WcL61kdMrefIRFyFEbtUXvwTBI4XVmSqg==,
  action=4096, x509-certificates=[Ljava.security.cert.X509Certificate;@ba22e1}

• {timestamp=2011-02-05T16:01:13.171Z2011-02-05T16:06:13.171Z, action=32}
  37. 37. Symmetric Key (shared) – Security Token Service (STS)
  38. 38. Appendix PasswordDigestTest.java

import java.security.MessageDigest;
import org.apache.ws.security.util.Base64;

public class PasswordDigestTest {

    public static void main(String[] args) {
        /*
        String nonce = "UIYifr1SPoNlrmmKGSVOug==";
        String created = "2009-12-03T16:14:49Z";
        String password = "test8";
        */
        String nonce = "ugzWFiShtsERcAekb6HjHA==";
        String created = "2011-02-05T12:11:20.578Z";
        String password = "bobPW000";
        String expectedHashPwd = "O4yOKfrAStHBHOQy/Y7e3tGmV5A=";

        // Take nonce, created and password from the command line when all three
        // are supplied; otherwise use the sample values above.
        String res = args.length == 3
                ? doPasswordDigest(args[0], args[1], args[2])
                : doPasswordDigest(nonce, created, password);
        System.out.println(expectedHashPwd + " " + res);
    }

    // Password_Digest = Base64(SHA-1(nonce + created + password)): the nonce is
    // taken as its Base64-decoded bytes, created and password as UTF-8 text.
    public static String doPasswordDigest(String nonce, String created, String password) {
        String passwdDigest = null;
        try {
            byte[] b1 = nonce != null ? Base64.decode(nonce) : new byte[0];
            byte[] b2 = created != null ? created.getBytes("UTF-8") : new byte[0];
            byte[] b3 = password.getBytes("UTF-8");
            byte[] b4 = new byte[b1.length + b2.length + b3.length];
            int offset = 0;
            System.arraycopy(b1, 0, b4, offset, b1.length);
            offset += b1.length;
            System.arraycopy(b2, 0, b4, offset, b2.length);
            offset += b2.length;
            System.arraycopy(b3, 0, b4, offset, b3.length);
            MessageDigest sha = MessageDigest.getInstance("SHA-1");
            sha.reset();
            sha.update(b4);
            passwdDigest = Base64.encode(sha.digest());
        } catch (Exception e) {
            e.printStackTrace();
        }
        return passwdDigest;
    }
}
  39. 39. PWCBHandler.java

package org.apache.rampart.samples.policy.sample000;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCBHandler implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // Debug output only (it prints the password; demo code).
            System.out.println("pwcb.getUsage()=" + pwcb.getUsage());
            System.out.println("pwcb.getPassword()=" + pwcb.getPassword());
            System.out.println("pwcb.getIdentifer()=" + pwcb.getIdentifer());

            // Usage 5 (WSPasswordCallback.USERNAME_TOKEN_UNKNOWN): the token carries a
            // plain-text password, so the handler itself has to verify it.
            if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                if (pwcb.getIdentifer().equals("alice") && pwcb.getPassword().equals("bobPW")) {
                    System.out.println("alice/bobPW found");
                    return;
                }
                System.out.println("UnsupportedCallbackException!!!");
                throw new UnsupportedCallbackException(callbacks[i], "check failed");
            }

            // Otherwise assume usage 2 (WSPasswordCallback.USERNAME_TOKEN), i.e. a hashed
            // password: Rampart needs the clear-text password to recompute the SHA-1 digest.
            System.out.println("The client requests the password of " + pwcb.getIdentifer() + " (bobPW000)");
            // I assume that somehow, somewhere, I can obtain the clear-text password needed for
            // the SHA-1 digest, e.g. retrieved from LDAP, and set it here so Rampart can do the
            // password digest calculation. Here I just use a different password, "bobPW000";
            // I could have used the same password, "bobPW", in the setPassword() below.
            pwcb.setPassword("bobPW000");
        }
    }
}
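As an added example (not from the slides, and not Rampart or WSS4J code), here is the server-side counterpart of the two appendix listings in Python: it recomputes the UsernameToken digest exactly as PasswordDigestTest does, which is why the verifier must hold the clear-text password, and it also rejects stale Created values and reused nonces so a captured token cannot be replayed. The in-memory user store and the 300-second freshness window are assumptions for this example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Password_Digest = Base64(SHA-1(nonce + created + password)) from the OASIS
# UsernameToken profile: nonce is the decoded bytes of the Base64 <wsse:Nonce>
# value, created is the literal <wsu:Created> text, password the clear text.
def password_digest(nonce_b64, created, password):
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def parse_utc(text):
    """xsd:dateTime in UTC, with or without fractional seconds; None if malformed."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None

class UsernameTokenVerifier:
    """Server-side check for a UsernameToken with a PasswordDigest: it needs the
    clear-text password (the point the slides make), recomputes the digest, and
    rejects stale Created values and reused nonces so a captured token cannot be
    replayed. `users` and the 300 s window are assumptions for this example."""

    def __init__(self, users, ttl_seconds=300):
        self.users = users              # username -> clear-text password
        self.ttl = timedelta(seconds=ttl_seconds)
        self.seen = set()               # (username, nonce) pairs already accepted

    def verify(self, username, nonce_b64, created, digest, now):
        # `now` is passed as an xsd:dateTime string so checks are reproducible.
        password = self.users.get(username)
        ts, current = parse_utc(created), parse_utc(now)
        if password is None or ts is None or current is None:
            return False
        if abs(current - ts) > self.ttl:                # stale or future-dated token
            return False
        if (username, nonce_b64) in self.seen:          # replayed token
            return False
        expected = password_digest(nonce_b64, created, password)
        if not hmac.compare_digest(expected, digest):   # wrong password
            return False
        self.seen.add((username, nonce_b64))
        return True
```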
