Plain Text Username Password security with Metro

Posted by kumarjayanti on November 25, 2008 at 1:10 AM PST
Although plain-text passwords are not considered very secure, many users have asked for this in the past. With the latest Metro builds it is possible to implement a web service secured by a plain-text username and password. The NetBeans mechanism that Metro supports allows a plain-text username and password over SSL, so I took that as a starting point to generate my web service's WSIT configuration file and then modified the policy so that it accepts a plain-text username and password. Here is how the modified policy looks:


<definitions xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://test/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.xmlsoap.org/wsdl/"
             targetNamespace="http://test/" name="MyWebServiceService">
  <ns1:Policy xmlns:ns1="http://schemas.xmlsoap.org/ws/2004/09/policy" wsu:Id="MyWebServicePortBindingPolicy">
    <ns1:ExactlyOne>
      <ns1:All>
        <ns2:SupportingTokens xmlns:ns2="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <ns1:Policy>
            <ns1:ExactlyOne>
              <ns1:All>
                <ns2:UsernameToken ns2:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                  <ns1:Policy>
                    <ns1:ExactlyOne>
                      <ns1:All>
                        <ns2:WssUsernameToken10 />
                      </ns1:All>
                    </ns1:ExactlyOne>
                  </ns1:Policy>
                </ns2:UsernameToken>
              </ns1:All>
            </ns1:ExactlyOne>
          </ns1:Policy>
        </ns2:SupportingTokens>
        <ns3:UsingAddressing xmlns:ns3="http://www.w3.org/2006/05/addressing/wsdl" />
      </ns1:All>
    </ns1:ExactlyOne>
  </ns1:Policy>
  <!-- the remaining WSDL elements (types, messages, binding, service) are not shown in the post -->
</definitions>

Here is the Security header of the message sent from the client to the service. Note that the password is carried verbatim, as a PasswordText token:

<wsse:Security S:mustUnderstand="1">
  <wsse:UsernameToken xmlns:ns13="http://www.w3.org/2003/05/soap-envelope" wsu:Id="uuid_0df503b1-0d39-4b75-ae9b-df50b7851d82">
    <wsse:Username>test</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>
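The policy above carries no binding assertion at all, so the UsernameToken in that header gets only whatever protection the transport happens to provide, which over plain HTTP is none. As an added example (not from the post or from the Metro project), here is the same policy with a TransportBinding/HttpsToken added, so Metro only accepts the plain-text password inside an SSL channel, followed by the PolicyReference the WSDL binding needs for the policy to take effect; the wsp/sp prefixes map to the same namespaces as ns1/ns2 above, and the binding name is assumed.

```xml
<!-- Added example, not from the original post: the same policy id, but with a
     TransportBinding so Metro only accepts the plain-text UsernameToken over SSL. -->
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="MyWebServicePortBindingPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- The binding assertion the post's policy lacks (see the SP0105 fault in the comments) -->
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <!-- HTTPS required; the server certificate authenticates the service, no client cert -->
              <sp:HttpsToken RequireClientCertificate="false"/>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy><sp:Basic128/></wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy><sp:Lax/></wsp:Policy>
          </sp:Layout>
          <!-- A Timestamp in the header lets the service reject stale messages -->
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <!-- Same plain-text UsernameToken as in the post, now only ever sent inside the TLS channel -->
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken10/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <wsaw:UsingAddressing xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

<!-- The policy is only applied if the WSDL binding references it by wsu:Id; the binding name
     below is assumed (NetBeans derives it from the port name). -->
<binding name="MyWebServicePortBinding" type="tns:MyWebService">
  <wsp:PolicyReference URI="#MyWebServicePortBindingPolicy"/>
  <!-- soap:binding and operation elements omitted -->
</binding>
```

With this policy in place the client code below needs no change apart from pointing at the https endpoint, because the credentials are still supplied through the same request-context properties.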

The client code invoking the web service is as follows:

import javax.xml.ws.BindingProvider;
import com.sun.xml.wss.XWSSConstants;

try { // Call Web Service Operation
    // Service class generated by NetBeans from the WSDL above (name="MyWebServiceService", package "test")
    test.MyWebServiceService service = new test.MyWebServiceService();
    test.MyWebService port = service.getMyWebServicePort();
    java.lang.String parameter = "Plain Text Username/Password";

    // The Metro security runtime reads these two properties and builds the wsse:UsernameToken from them
    ((BindingProvider) port).getRequestContext().put(XWSSConstants.USERNAME_PROPERTY, "test");
    ((BindingProvider) port).getRequestContext().put(XWSSConstants.PASSWORD_PROPERTY, "test");
    java.lang.String result = port.operation(parameter);
    System.out.println("Result = " + result);
} catch (Exception ex) {
    ex.printStackTrace();
}


Anyone interested in getting the sample NetBeans projects for the web service and client can access the file usernamepassword.zip here. The only additional step to run this on GlassFish is to create a File user on GlassFish with username test and password test. Do not do a clean on the WebService project, since I have hand-modified the policy of the web service (as stated above).

Readers who wish to use Password Digest authentication can take a look at http://blogs.sun.com/ashutosh/entry/hash_password_support_and_token.

Comments

And if anyone is interested in a WCF equivalent configuration, find it here: http://webservices20.blogspot.com/2008/11/introducing-wcf-clearusernameb...

Kumar, just to clarify, are you describing here HTTP Basic Authentication over SSL, *or* the UsernameToken profile with plain text passwords? I think they are different, correct?

No, I am not describing HTTP BASIC AUTH. Neither am I using SSL here. This one is just how to do plain-text username/password without SSL. The reference to the NetBeans mechanism "Message Authentication Over SSL" was just to tell that I started with that (so I have all the wsit* files generated by NetBeans instead of having to hand-write them) and then modified the policy to show how to do plain-text username/password.

OK, I think the blog title is somewhat confusing then. "Using the UsernameToken profile without SSL encryption" would probably be more accurate. With the usernametoken profile a plaintext password (as opposed to a password digest) is very common, even though the transmission is still encrypted via SSL. In both cases, plaintext and password digest, the password is still encrypted simply because the entire SOAP envelope is. If I'm not mistaken, then, you're using the usernametoken profile but without the SSL encryption, resulting in the *entire* SOAP envelope--not just the plaintext password--becoming externally viewable.

Kumar, I opened your project in NetBeans 6.1 and get the following exception: SEC2004: Container-auth: wss: Error securing request SOAPFaultException: SP0105: Either SymmetricBinding/AsymmetricBinding/TransportBinding assertion must be present in the wsdl. I upgraded my Glassfish V2 UR2 to Metro 1.4 (it's been released in October, after your post), no luck... Any idea why this is happening?

Update: Metro 1.5 nightly build worked fine. Metro 1.4 nightly failed though...

Hi Kumar, I am trying to deploy a simple web service in Tomcat 6 using Metro 1.4. I am starting from Java source code, not from WSDL, hence the WSDL is made at runtime. As mentioned in the Metro docs I have included wsit-packagename.service.xml in the WEB-INF folder. For some reason the security policies from my wsit-packagename.service.xml are not getting embedded in my run-time generated WSDL. I know that the WSIT configuration file is loaded, because I can see it in the Tomcat logs:

INFO: Deploying web application archive jaxws-webapitestserver.war
Jan 23, 2009 12:11:50 PM com.sun.xml.ws.transport.http.servlet.WSServletContextListener contextInitialized
INFO: WSSERVLET12: JAX-WS context listener initializing
Jan 23, 2009 12:11:51 PM [com.sun.xml.ws.policy.jaxws.PolicyConfigParser] parse
INFO: WSP1049: Loaded WSIT configuration from file: jndi:/localhost/jaxws-webapitestserver/WEB-INF/wsit-com.ttv.webapi.server.wstestImpl.xml
Jan 23, 2009 12:11:51 PM com.sun.xml.ws.transport.http.servlet.WSServletDelegate

Here's my wsit-com.ttv.webapi.server.wstestImpl.xml:

<?xml version="1.0" encoding="utf-8"?>

I have been struggling with this for quite a time now. Thanks for the help in advance.

Please post general questions and questions not related to this post at users@metro.dev.java.net; that way they will get the attention of the right people. In your case you do not seem to have a PolicyReference to the wsu:Id of the policy that you defined; this is the reason you are not seeing the policy in the WSDL. Try using NetBeans to generate a sample From Java WebService and then inspect the wsit-packagename.service.xml.