
List:       wss4j-dev
Subject:    Re: WSS4J authentication using LDAP
From:       "Ruchith Fernando" <ruchith.fernando () gmail ! com>
Date:       2006-10-28 3:57:36
Message-ID: 559c463d0610272057x49fb355axec37c7d6d6cce10a () mail ! gmail ! com

Mutaza,

After considering your scenario I feel maybe you are looking for
WS-SecureConversation functionality.

WS-SecureConversation will allow you to first authenticate the user
and set up a security context and then perform crypto operations on
subsequent messages within the established security context.

I'm in the process of adding examples to Rampart. Will add a few on
WS-SecConv as well.

Thanks,
Ruchith

On 10/26/06, Madraswala, Murtaza <Murtaza.Madraswala@nike.com> wrote:
> Ruchith,
>    I knew I could use this approach, it's just that UsernameToken and
> plaintext passwords necessitate the use of a point to point transport
> level security mechanism. This is not very helpful if you want to do
> routing of subsequent messages (not to mention the initial request
> itself based on the contents of the SOAP message). The solution I am
> thinking of now is to use UsernameToken + plaintext password over SSL
> just for authentication, then tearing the SSL connection down and
> encrypting the SOAP bodies of all subsequent messages using wss4j. I
> guess the one learning curve here is to figure out a way to get the
> service and client to adopt say a "Timestamp Encrypt Signature" approach
> after first using the "UsernameToken" approach.
>     Let me know if you have any thoughts.
>     Once again I appreciate all the feedback you send me.
>
> Thanks,
> Murtaza.
>
> -----Original Message-----
> From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com]
> Sent: Tuesday, October 24, 2006 7:23 PM
> To: Madraswala, Murtaza
> Cc: wss4j-dev@ws.apache.org
> Subject: Re: WSS4J authentication using LDAP
>
> Hi Murtaza,
>
> We use UsernameToken with a plain text password exactly for this
> purpose!
>
> - The *plain text password* is sent in the UsernameToken to the service.
> - In the callback handler class you can use the same algorithms that
> AD uses to generate the hash from the password you get from the
> UsernameToken.
> - Now you can compare this with the one you have stored in AD! (This
> also happens within the callback handler)
>
> This is explained here [1] in the section where we talk about
> USERNAME_TOKEN_UNKNOWN usage of WSPasswordCallback object passed in to
> the callback handler.
>
> Thanks,
> Ruchith
>
> [1]
> http://www.wso2.net/articles/rampart/java/2006/08/15/usernametoken-auth
>
>
> On 10/25/06, Madraswala, Murtaza <Murtaza.Madraswala@nike.com> wrote:
> > Ruchith,
> >    Thanks very much, I seem to have figured this issue out. My real
> > objective is to perform authentication with the Active Directory.
> > Passwords are never stored in clear text there, and I don't want to use
> > transport layer security mechanisms like SSL. If I generate a digest of
> > the password using UsernameToken there is no way to recover the password
> > from the digest. I can try generating the hash that the AD uses to
> > perform a comparison for user authenticity (just like Windows clients do
> > using Kerberos) at the client side, and send the hash in the SOAP packet
> > to run against AD, but I don't know how that would use WS-Security. (I
> > guess I would have to put the userID/Pwd combination in the SOAP body
> > and encrypt and sign that, then recover it on the server side) Is there
> > no solution that can use the digest, nonce, and username that appears on
> > the server side to perform authentication with AD (Doesn't look likely
> > to me) or specify the token so that the hash required by AD is generated
> > and sent in the SOAP packet (like Windows clients send)?
> >    I appreciate all the help and advice you can provide in this regard.
> >
> > Thanks,
> > Murtaza.
> >
> > -----Original Message-----
> > From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com]
> > Sent: Friday, October 20, 2006 4:44 AM
> > To: Madraswala, Murtaza
> > Cc: wss4j-dev@ws.apache.org; werner.dittmann@seimens.com;
> > wss4j-dev-subscribe@ws.apache.org
> > Subject: Re: WSS4J authentication using LDAP
> >
> > The stack trace you posted says that the incoming message does not
> > contain a "Security" header when it's expected to contain one. Please
> > re-check your client configuration if the exception was thrown at the
> > server side receiver handler.
> >
> > I see a few approaches to your overall problem:
> >
> > - Use UsernameToken over HTTPS.
> > - Encrypt the UsernameToken using WS-Security mechanisms (specify the
> > UsernameToken element in the encryptionParts)
> >
> > IMHO either case can hide the password from a third party. In both
> > cases you can use a plain text password and can carry out your
> > authentication with the LDAP server in the callback handler you use at
> > the service.
> >
> >
> > On 10/12/06, Madraswala, Murtaza <Murtaza.Madraswala@nike.com> wrote:
> > >
> > >
> > > Hello,
> > >    I am fairly new to development using Axis and WSS4J. I am trying to
> > > build a web service that accepts a UserID/Password combination and
> > > validates it against an LDAP database. I have managed to execute the
> > > first example given in the tutorial on the WSS4J site. I find that when
> > > I set the passwordType to "PasswordDigest", a null value is returned
> > > when I extract the value in the PWCallback class on the server side. If
> > > I use the "PasswordText" option then the actual value is returned but
> > > the problem here is that the password is also clearly visible in the
> > > SOAP message. I have tried quite a few times to combine signature and
> > > encryption (as explained in the tutorials), having generated my own
> > > keystore for the server and the client as well as the certificates but
> > > to no avail. The latest error message I get at the client when I try to
> > > run this is listed below:
> > >
> > > C:\client>java samples.stock.client.StockServiceClient XXX
> > > Calling service...
> > > Exception in thread "main" AxisFault
> > >  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
> > >  faultSubcode:
> > >  faultString: WSDoAllReceiver: Request does not contain required Security header
> > >
> > >  faultActor:
> > >  faultNode:
> > >  faultDetail:
> > >
> > > {http://xml.apache.org/axis/}stackTrace:WSDoAllReceiver: Request does not contain required Security header
> > >         at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:175)
> > >         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> > >         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> > >         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> > >         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
> > >         at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> > >         at org.apache.axis.client.Call.invoke(Call.java:2767)
> > >         at org.apache.axis.client.Call.invoke(Call.java:2443)
> > >         at org.apache.axis.client.Call.invoke(Call.java:2366)
> > >         at org.apache.axis.client.Call.invoke(Call.java:1812)
> > >         at samples.stock.client.StockWss01SoapBindingStub.getQuote(StockWss01SoapBindingStub.java:106)
> > >         at samples.stock.client.StockServiceClient.main(StockServiceClient.java:53)
> > >
> > >         {http://xml.apache.org/axis/}hostname:MMADRAW3
> > >
> > > WSDoAllReceiver: Request does not contain required Security header
> > >         at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:175)
> > >         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> > >         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> > >         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> > >         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
> > >         at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> > >         at org.apache.axis.client.Call.invoke(Call.java:2767)
> > >         at org.apache.axis.client.Call.invoke(Call.java:2443)
> > >         at org.apache.axis.client.Call.invoke(Call.java:2366)
> > >         at org.apache.axis.client.Call.invoke(Call.java:1812)
> > >         at samples.stock.client.StockWss01SoapBindingStub.getQuote(StockWss01SoapBindingStub.java:106)
> > >         at samples.stock.client.StockServiceClient.main(StockServiceClient.java:53)
> > >
> > >
> > >      If someone could suggest a technique to encrypt the whole SOAP
> > > message or at least the password, then extract it on the server side so
> > > that it can be used to perform a bind against an LDAP server, I would
> > > greatly appreciate it.
> > >
> > > Thanks,
> > > Murtaza.
> > >
> > > s
> > > Murtaza Madraswala
> > >
> >
> >
> > --
> > www.ruchith.org
> >
> >
> >
>
>
> --
> www.ruchith.org
>
>
>


-- 
www.ruchith.org
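The server-side check Ruchith describes for a plain-text UsernameToken (verify the password inside the callback handler, here by an LDAP simple bind instead of recomputing the AD hash), written as an added example that is not code from this thread, from WSS4J or from Rampart. It assumes a WSS4J 1.5-era `WSPasswordCallback` API (older releases spell the accessor `getIdentifer()`), JNDI for the LDAP bind, and made-up directory URL and DN values; it also shows why the `PasswordDigest` path cannot be backed by a directory that stores only hashes.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Server-side handler named in the receiver's passwordCallbackClass parameter.
public class LdapPWCallback implements CallbackHandler {
    // Assumed directory settings (constructed for this example); replace with your own.
    private static final String LDAP_URL = "ldap://ldap.example.invalid:389";
    private static final String DN_SUFFIX = ",ou=people,dc=example,dc=invalid";

    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                // PasswordText: the token's clear-text password is in getPassword(). WSS4J
                // verifies nothing here, so the handler must reject bad credentials itself.
                if (!ldapBind(pc.getIdentifier(), pc.getPassword())) {
                    throw new UnsupportedCallbackException(cb, "LDAP bind failed");
                }
            } else {
                // USERNAME_TOKEN (PasswordDigest): getPassword() is null and WSS4J expects
                // setPassword() with the clear-text value so it can recompute the digest.
                // A directory that stores only hashes cannot supply it, so refuse the usage.
                throw new UnsupportedCallbackException(cb, "usage not supported: " + pc.getUsage());
            }
        }
    }

    // Simple bind as the caller. An empty password must be refused explicitly: many
    // directories treat it as an anonymous bind, which would "succeed" for any user.
    static boolean ldapBind(String user, String password) {
        if (user == null || password == null || password.length() == 0) return false;
        if (!user.matches("[A-Za-z0-9._-]+")) return false; // keep DN metacharacters out
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=" + user + DN_SUFFIX);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();
            return true;
        } catch (NamingException e) { return false; }
    }
}
```

Because the password travels in clear text inside the token, this handler only makes sense when the UsernameToken is protected in transit, either over HTTPS or by listing the token in the receiver's encryptionParts as suggested earlier in the thread.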

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
