Skip to main content

Plain Text Username Password security with Metro

Posted by kumarjayanti on November 25, 2008 at 1:10 AM PST

Although not considered very secure many users in the past have asked
for it. With latest Metro builds we have made it possible to implement
a webservice secured by plain-text username and password.  The
NetBeans mechanism which metro supports allows href="https://wsit-docs.dev.java.net/releases/m6/WSIT_Security4.html#wp129409">plain-text
username and password over SSL.   So i took that as a
starting point to generate my WebService's WSIT configuration file and
then modified the policy so that it accepts a plain-text username and
password.  Here is how the modified policy looks like :




cellspacing="2">
<class="start-tag">definitions xmlns:wsu=class="attribute-value">"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" class="attribute-name">
xmlns:soap=class="attribute-value">"http://schemas.xmlsoap.org/wsdl/soap/" class="attribute-name">xmlns:tns="http://test/"
class="attribute-name">xmlns:xsd="http://www.w3.org/2001/XMLSchema" class="attribute-name">xmlns="http://schemas.xmlsoap.org/wsdl/" class="attribute-name">
targetNamespace=class="attribute-value">"http://test/" class="attribute-name">name="MyWebServiceService">
<class="start-tag">ns1:Policy xmlns:ns1=class="attribute-value">"http://schemas.xmlsoap.org/ws/2004/09/policy" class="attribute-name">wsu:Id="MyWebServicePortBindingPolicy">
<class="start-tag">ns1:ExactlyOne>
<class="start-tag">ns1:All>
<ns2:SupportingTokensclass="attribute-name"> xmlns:ns2="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<class="start-tag">ns1:Policy>
<ns1:ExactlyOne>
<class="start-tag">ns1:All>
<ns2:UsernameTokenclass="attribute-name"> ns2:IncludeToken=class="attribute-value">"http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<class="start-tag">ns1:Policy>
<class="start-tag">ns1:ExactlyOne>
<class="start-tag">ns1:All>
<class="start-tag">ns2:WssUsernameToken10class="attribute-name"> />
ns1:All>
class="end-tag">ns1:ExactlyOne>
ns1:Policy>
class="end-tag">ns2:UsernameToken>
class="end-tag">ns1:All>
ns1:ExactlyOne>
class="end-tag">ns1:Policy>
ns2:SupportingTokens>
<class="start-tag">ns3:UsingAddressingclass="attribute-name"> xmlns:ns3="http://www.w3.org/2006/05/addressing/wsdl" class="attribute-name">/>
ns1:All>
class="end-tag">ns1:ExactlyOne>
ns1:Policy>



Here is the Security Header of the message sent from the client to the
service.


cellspacing="2">
S:mustUnderstand="1">

xmlns:ns13="http://www.w3.org/2003/05/soap-envelope"
wsu:Id="uuid_0df503b1-0d39-4b75-ae9b-df50b7851d82">

test

Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test





The client code invoking the webservice is as follows :

cellspacing="2">
try { // Call Web Service
Operation



test.MyWebService port = service.getMyWebServicePort();

// TODO initialize WS operation arguments here

java.lang.String parameter = "Plain Text Username/Password";

               


((BindingProvider)port).getRequestContext().put(XWSSConstants.USERNAME_PROPERTY,"test");

((BindingProvider)port).getRequestContext().put(XWSSConstants.PASSWORD_PROPERTY,"test");

java.lang.String result = port.operation(parameter);

out.println("Result = " + result);

} catch (Exception ex) {

    // TODO handle custom exceptions here

}



Anyone interested in getting the sample NetBeans Projects for the 
WebService and Client can access the file href="http://java.net/downloads/xwss/samples/">usernamepassword.zip 
href="http://java.net/downloads/xwss/samples/">here.
The only additional step to run this on GlassFish is to create a File
user on glassfish with username test and password test. Do not do a
clean on the WebService project  since i have actually hand
modified the policy of the WebService (as stated above).



Readers who wish to use  Password
Digest Authentication  can take a look at 
href="http://blogs.sun.com/ashutosh/entry/hash_password_support_and_token">http://blogs.sun.com/ashutosh/entry/hash_password_support_and_token.


Comments

This article has really saved my life. I spent a few days to ...

This article has really saved my life. I spent a few days to find a way to run UsernameToken authentication with plain text password on Glassfish/Metro. :)

Thanks

<p>This is a really good read for me, Must admit that you ...

This is a really good read for me, Must admit that you are one of the best bloggers I ever saw. Thanks for posting this informative article.

<p>&nbsp;Hi,</p> <p>&nbsp; the link seems to be broken... ...

Hi,
the link seems to be broken... :(
Where can we get the example now because it may be VERY helpful for me ??
Thanks !! :)
Matthieu

Fixed the link.

Fixed the link.

<p>The article was very informative .like your blog. I will ...

The article was very informative .like your blog. I will visit it more often.
http://ebooksplanet.net/

Plain Text Username Password

Just how secure would you consider this feature on a wider scale? I am specially referring to business security compliance. Would you trust your business internal system on Metro script?. I could use some answers based on real experiences, I am currently reviewing several system security products and need to make a good decision.

broken link

I would like to use digest password authentication method and I'd like to have a look at the example at the URL http://blogs.sun.com/ashutosh/entry/hash_password_support_and_token, but the link seems to be broken. Thanks in advance.

Please post general questions and questions not related to this post at users@metro.dev.java.net that way it would get the attention of right people. In your case you do not seem to have a PolicyReference to the wsu:id of the policy that you defined this is the reason you are not seeing the policy in the WSDL. Try using NetBeans to generate a sample From Java WebService and then inspect the wsit-packagename.service.xml

Hi Kumar i am trying to deploy a simple web service in tomcat 6 using metro 1.4 I am starting from java source code, not from wsdl, hence the wsdl is made at runtime As mentioned in the metro docs i have included wsit-packagename.service.xml in the WEB-INF folder. For some reason the security policies from my wsit-packagename.service.xml are not getting embedded in my run time generated wsdl. I know that the WSIT configuration file is loaded, becoz i can see it in the tomcat logs INFO: Deploying web application archive jaxws-webapitestserver.war Jan 23, 2009 12:11:50 PM com.sun.xml.ws.transport.http.servlet.WSServletContextL istener contextInitialized INFO: WSSERVLET12: JAX-WS context listener initializing Jan 23, 2009 12:11:51 PM [com.sun.xml.ws.policy.jaxws.PolicyConfigParser] parse INFO: WSP1049: Loaded WSIT configuration from file: jndi:/localhost/jaxws-webapi testserver/WEB-INF/wsit-com.ttv.webapi.server.wstestImpl.xml Jan 23, 2009 12:11:51 PM com.sun.xml.ws.transport.http.servlet.WSServletDelegate Heres my wsit-com.ttv.webapi.server.wstestImpl.xml <?xml version="1.0" encoding="utf-8"?> i have been strugling with for quite a time now Thanks for the help in advance

Update: Metro 1.5 nightly build worked fine. Metro 1.4 nightly failed though...

Kumar, I opened your project in NetBeans 6.1 and get the following exception: SEC2004: Container-auth: wss: Error securing request SOAPFaultException: SP0105: Either SymmetricBinding/AsymmetricBinding/TransportBinding assertion must be present in the wsdl. I upgraded my Glassfish V2 UR2 to Metro 1.4 (it's been released in October, after your post), no luck... Any idea why this is happening?

OK, I think the blog title is somewhat confusing then. "Using the UsernameToken profile without SSL encryption" would probably be more accurate. With the usernametoken profile a plaintext password (as opposed to a password digest) is very common, even though the transmission is still encrypted via SSL. In both cases, plaintext and password digest, the password is still encrypted simply because the entire SOAP envelope is. If I'm not mistaken, then, you're using the usernametoken profile but without the SSL encryption, resulting in the *entire* SOAP envelope--not just the plaintext password--becoming externally viewable.

No i am not describing HTTP BASIC AUTH. Neither am i using SSL here. This one is just how to do Plain-Text username/password without SSL. The reference to the Netbeans Mechanism "Message Authentication Over SSL" was just to tell that i started with that (so i have all the wsit* files generated by NetBeans instead of having to hand write them) and then modified the Policy to show how to do Plain-Text username/password.

Kumar, just to clarify, are you describing here HTTP Basic Authentication over SSL, *or* the UsernameToken profile with plain text passwords? I think they are different, correct?

re

After restarting Openoffice, assignment writing i try to insert a picture. But when i fill the field and press Serch button, assignment help nothing happens.

re

Thanks for the great tips. I have been looking for something like this to help in my site building for ages. Wonder File Reviews

And if anyone is interested in a WCF equivalnet configuration find it here: http://webservices20.blogspot.com/2008/11/introducing-wcf-clearusernameb...