Kumar Jayanti's Blog: Plain Text Username Password security with Metro

My pages	Projects	Communities	java.net

Get Involved

java-net Project

Request a Project

Project Help Wanted Ads

Publicize your Project

Get Informed

java.net Online Books

java.net Archives

Get Connected

java.net Forums

Wiki and Javapedia

People, Partners, and Jobs

Java User Groups

RSS Feeds

Search

Online Books:

java.net on MarkMail:

Advanced Search

Kumar Jayanti's Blog

«Client Side Certificate Handling in Secure Metro WebServices | Main | Custom Realms in GlassFish V3 »

Plain Text Username Password security with Metro

Posted by kumarjayanti on November 25, 2008 at 01:10 AM | Comments (8)

Although not considered very secure many users in the past have asked for it. With latest Metro builds we have made it possible to implement a webservice secured by plain-text username and password. The NetBeans mechanism which metro supports allows plain-text username and password over SSL. So i took that as a starting point to generate my WebService's WSIT configuration file and then modified the policy so that it accepts a plain-text username and password. Here is how the modified policy looks like :

<definitions xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://test/" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.xmlsoap.org/wsdl/" 
targetNamespace="http://test/" name="MyWebServiceService">
<ns1:Policy xmlns:ns1="http://schemas.xmlsoap.org/ws/2004/09/policy" wsu:Id="MyWebServicePortBindingPolicy">
<ns1:ExactlyOne>
<ns1:All>
<ns2:SupportingTokens xmlns:ns2="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<ns1:Policy>
<ns1:ExactlyOne>
<ns1:All>
<ns2:UsernameToken ns2:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<ns1:Policy>
 <ns1:ExactlyOne>
 <ns1:All>
 <ns2:WssUsernameToken10 />
 </ns1:All>
 </ns1:ExactlyOne>
</ns1:Policy>
</ns2:UsernameToken>
</ns1:All>
</ns1:ExactlyOne>
</ns1:Policy>
</ns2:SupportingTokens>
<ns3:UsingAddressing xmlns:ns3="http://www.w3.org/2006/05/addressing/wsdl" />
</ns1:All>
</ns1:ExactlyOne>
</ns1:Policy>

Here is the Security Header of the message sent from the client to the service.

<wsse:Security
S:mustUnderstand="1">

<wsse:UsernameToken
xmlns:ns13="http://www.w3.org/2003/05/soap-envelope"
wsu:Id="uuid_0df503b1-0d39-4b75-ae9b-df50b7851d82">

<wsse:Username>test</wsse:Username>

<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>

</wsse:UsernameToken>

</wsse:Security>

The client code invoking the webservice is as follows :

try { // Call Web Service
Operation



test.MyWebService port = service.getMyWebServicePort();

// TODO initialize WS operation arguments here

java.lang.String parameter = "Plain Text Username/Password";

               


((BindingProvider)port).getRequestContext().put(XWSSConstants.USERNAME_PROPERTY,"test");

((BindingProvider)port).getRequestContext().put(XWSSConstants.PASSWORD_PROPERTY,"test");

java.lang.String result = port.operation(parameter);

out.println("Result = " + result);

} catch (Exception ex) {

    // TODO handle custom exceptions here

}

Anyone interested in getting the sample NetBeans Projects for the WebService and Client can access the file usernamepassword.zip here. The only additional step to run this on GlassFish is to create a File user on glassfish with username test and password test. Do not do a clean on the WebService project since i have actually hand modified the policy of the WebService (as stated above).

Readers who wish to use Password Digest Authentication can take a look at : http://blogs.sun.com/ashutosh/entry/hash_password_support_and_token.

Bookmark blog post:

del.icio.us

Digg

DZone

Furl

Comments

Comments are listed in date ascending order (oldest first) | Post Comment

And if anyone is interested in a WCF equivalnet configuration find it here:

http://webservices20.blogspot.com/2008/11/introducing-wcf-clearusernamebinding.html

Posted by: yaronn02 on November 25, 2008 at 01:19 PM

Kumar, just to clarify, are you describing here HTTP Basic Authentication over SSL, *or* the UsernameToken profile with plain text passwords? I think they are different, correct?

Posted by: gmazza on November 27, 2008 at 09:06 PM

No i am not describing HTTP BASIC AUTH. Neither am i using SSL here. This one is just how to do Plain-Text username/password without SSL.

The reference to the Netbeans Mechanism "Message Authentication Over SSL" was just to tell that i started with that (so i have all the wsit* files generated by NetBeans instead of having to hand write them) and then modified the Policy to show how to do Plain-Text username/password.

Posted by: kumarjayanti on November 27, 2008 at 11:38 PM

OK, I think the blog title is somewhat confusing then. "Using the UsernameToken profile without SSL encryption" would probably be more accurate. With the usernametoken profile a plaintext password (as opposed to a password digest) is very common, even though the transmission is still encrypted via SSL. In both cases, plaintext and password digest, the password is still encrypted simply because the entire SOAP envelope is. If I'm not mistaken, then, you're using the usernametoken profile but without the SSL encryption, resulting in the *entire* SOAP envelope--not just the plaintext password--becoming externally viewable.

Posted by: gmazza on November 29, 2008 at 02:27 PM

Kumar, I opened your project in NetBeans 6.1 and get the following exception:

SEC2004: Container-auth: wss: Error securing request
SOAPFaultException: SP0105: Either SymmetricBinding/AsymmetricBinding/TransportBinding assertion must be present in the wsdl.

I upgraded my Glassfish V2 UR2 to Metro 1.4 (it's been released in October, after your post), no luck... Any idea why this is happening?

Posted by: obivol on December 02, 2008 at 04:13 PM

Update: Metro 1.5 nightly build worked fine. Metro 1.4 nightly failed though...

Posted by: obivol on December 02, 2008 at 05:36 PM

Hi Kumar

i am trying to deploy a simple web service in tomcat 6 using metro 1.4
I am starting from java source code, not from wsdl, hence the wsdl is made at runtime

As mentioned in the metro docs i have included wsit-packagename.service.xml in the WEB-INF folder.
For some reason the security policies from my wsit-packagename.service.xml are not getting embedded in my run time generated wsdl.

I know that the WSIT configuration file is loaded, becoz i can see it in the tomcat logs

INFO: Deploying web application archive jaxws-webapitestserver.war
Jan 23, 2009 12:11:50 PM com.sun.xml.ws.transport.http.servlet.WSServletContextL
istener contextInitialized
INFO: WSSERVLET12: JAX-WS context listener initializing
Jan 23, 2009 12:11:51 PM [com.sun.xml.ws.policy.jaxws.PolicyConfigParser] parse

INFO: WSP1049: Loaded WSIT configuration from file: jndi:/localhost/jaxws-webapi
testserver/WEB-INF/wsit-com.ttv.webapi.server.wstestImpl.xml
Jan 23, 2009 12:11:51 PM com.sun.xml.ws.transport.http.servlet.WSServletDelegate

Heres my wsit-com.ttv.webapi.server.wstestImpl.xml

i have been strugling with for quite a time now
Thanks for the help in advance

Posted by: neo1982 on January 23, 2009 at 12:38 PM

Please post general questions and questions not related to this post at users@metro.dev.java.net that way it would get the attention of right people.

In your case you do not seem to have a PolicyReference to the wsu:id of the policy that you defined this is the reason you are not seeing the policy in the WSDL.

Try using NetBeans to generate a sample From Java WebService and then inspect the wsit-packagename.service.xml

Posted by: kumarjayanti on January 26, 2009 at 01:07 AM

Powered by
Movable Type 3.01D

java.net RSS Feeds