RAMPART-294

Does Rampart handle replay attacks when using UsernameToken password digest?


Details

    • Type: Question
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4
    • Fix Version/s: 1.5.1
    • Component/s: None
    • Environment: Windows XP Professional

    Description

      I am using a simple axis2 service and client to play around with rampart module. As you could see from the policy below, I am using UsernameToken with digest authentication. Rampart does generate different nonce for each request in the client. When I replay the same request using TCPMon i.e. using the same security header, I thought the server (which again engages rampart) would reject this as the nonce is same as the previous request. But the request goes through rampart without any issues.

      So, my question is, is there any configuration to enable rampart (on the server side) to check for duplicate nonce values?

      Following is the policy file used by the client:

      <wsp:Policy wsu:Id="UsernameToken"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsp:ExactlyOne>
          <wsp:All>
            <sp:SupportingTokens
                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
              <wsp:Policy>
                <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:HashPassword/>
                  </wsp:Policy>
                </sp:UsernameToken>
              </wsp:Policy>
            </sp:SupportingTokens>
          </wsp:All>
        </wsp:ExactlyOne>
      </wsp:Policy>

      Following is the services.xml entry:

      <service>
        <parameter name="ServiceClass" locked="false">samples.services.SimpleTestService</parameter>
        <operation name="add">
          <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
        </operation>
        <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="UsernameToken">
          <wsp:ExactlyOne>
            <wsp:All>
              <sp:SupportingTokens
                  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <wsp:Policy>
                  <sp:UsernameToken
                      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                      <sp:HashPassword/>
                    </wsp:Policy>
                  </sp:UsernameToken>
                </wsp:Policy>
              </sp:SupportingTokens>
              <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                <ramp:passwordCallbackClass>samples.services.PWCBHandler</ramp:passwordCallbackClass>
              </ramp:RampartConfig>
            </wsp:All>
          </wsp:ExactlyOne>
        </wsp:Policy>
      </service>

      Thanks & Regards,
      Bala
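The check the question asks about, as an added stand-alone example: this is not Rampart's or WSS4J's code, and not the patch attached to this issue. It verifies a wsse:UsernameToken PasswordDigest the way the WSS UsernameToken Profile defines it, Base64(SHA-1(nonce_bytes + created + password)), then enforces a freshness window on wsu:Created and keeps a per-user nonce cache so that a header replayed verbatim (as with TCPMon) is rejected even though its digest is still valid. Assumptions: the user "alice" and her password are a constructed credential store standing in for the PWCBHandler callback named in the services.xml above; the 5-minute window and 1-minute clock skew are illustrative values; the cache is in-process memory. Python is used so the logic runs by itself; the deployment in the question is Java.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
CREATED_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed credential store, standing in for the PWCBHandler password
# callback named in the services.xml above (hypothetical user and password).
PASSWORDS = {"alice": "alicePassword"}


def password_digest(nonce_b64, created, password):
    """WSS UsernameToken Profile 1.0: Base64(SHA-1(nonce_bytes + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_token(username, password, now):
    """Client side: a wsse:UsernameToken with a fresh 16-byte random nonce."""
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    created = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    digest = password_digest(nonce_b64, created, password)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>'
        f"<wsse:Nonce>{nonce_b64}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenVerifier:
    """Server side: digest check, freshness window and a nonce cache.

    A correct digest only proves the sender knew the password at some point;
    without the cache, a captured header replays for as long as the window
    still accepts its Created timestamp.
    """

    def __init__(self, lookup, max_age=timedelta(minutes=5), skew=timedelta(minutes=1)):
        self.lookup = lookup      # username -> password, like a password callback
        self.max_age = max_age    # Created older than this is rejected
        self.skew = skew          # tolerance for a client clock running ahead
        self.seen = {}            # (username, nonce) -> time the entry can be dropped

    def verify(self, token_xml, now):
        el = ET.fromstring(token_xml)
        username = el.findtext(f"{{{WSSE}}}Username")
        pw_el = el.find(f"{{{WSSE}}}Password")
        nonce = el.findtext(f"{{{WSSE}}}Nonce")
        created = el.findtext(f"{{{WSU}}}Created")
        if pw_el is None or pw_el.get("Type") != DIGEST_TYPE or not (nonce and created):
            return False, "digest token needs PasswordDigest, Nonce and Created"
        password = self.lookup(username)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, pw_el.text or ""):
            return False, "bad password digest"
        # Freshness window: bounds how long a nonce has to be remembered.
        created_dt = datetime.strptime(created, CREATED_FMT).replace(tzinfo=timezone.utc)
        if created_dt < now - self.max_age or created_dt > now + self.skew:
            return False, "Created outside freshness window"
        # Nonce cache: the same nonce from the same user is a replay. Entries
        # are dropped once the window would reject their timestamp anyway.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        key = (username, nonce)
        if key in self.seen:
            return False, "replayed nonce"
        self.seen[key] = created_dt + self.max_age + self.skew
        return True, "ok"


def demo():
    """Fresh request, TCPMon-style replay, new request, stale token, wrong password."""
    now = datetime(2010, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    server = UsernameTokenVerifier(PASSWORDS.get)
    first = build_token("alice", "alicePassword", now)
    return (
        server.verify(first, now),
        server.verify(first, now + timedelta(seconds=5)),
        server.verify(build_token("alice", "alicePassword", now), now),
        server.verify(build_token("alice", "alicePassword", now - timedelta(minutes=10)), now),
        server.verify(build_token("alice", "wrongPassword", now), now),
    )


if __name__ == "__main__":
    for ok, reason in demo():
        print("accepted" if ok else "rejected", "-", reason)
```

The order of the checks matters: the digest is verified before anything is written to the cache, so an attacker who cannot produce a valid digest cannot fill it, and the window is applied before the cache lookup, so the cache only ever has to hold nonces from the last max_age plus skew. With an in-memory cache the guarantee is per process; a load-balanced service needs a shared store for the seen set.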

      Attachments

        1. RAMPART-294.diff (23 kB, Amila Jayasekara)
        2. SimpleTestService.aar (3 kB, Balamurali)


          People

            Assignee: Selvaratnam Uthaiyashankar (shankar)
            Reporter: Balamurali (balamurali)
            Votes: 0
            Watchers: 1
