RAMPART-294

Does Rampart handle replay attacks when using UsernameToken password digest?


    Details

    • Type: Question
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4
    • Fix Version/s: 1.5.1
    • Component/s: None
    • Environment: Windows XP Professional

      Description

      I am using a simple axis2 service and client to play around with the rampart module. As you can see from the policy below, I am using UsernameToken with digest authentication. Rampart does generate a different nonce for each request in the client. When I replay the same request using TCPMon, i.e. using the same security header, I thought the server (which again engages rampart) would reject it, as the nonce is the same as in the previous request. But the request goes through rampart without any issues.

      So, my question is, is there any configuration to enable rampart (on the server side) to check for duplicate nonce values?

      Following is the policy file used by the client:

      <wsp:Policy wsu:Id="UsernameToken"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsp:ExactlyOne>
          <wsp:All>
            <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
              <wsp:Policy>
                <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:HashPassword/>
                  </wsp:Policy>
                </sp:UsernameToken>
              </wsp:Policy>
            </sp:SupportingTokens>
          </wsp:All>
        </wsp:ExactlyOne>
      </wsp:Policy>

      Following is the services.xml entry:

      <service>
        <parameter name="ServiceClass" locked="false">samples.services.SimpleTestService</parameter>
        <operation name="add">
          <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
        </operation>
        <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="UsernameToken">
          <wsp:ExactlyOne>
            <wsp:All>
              <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <wsp:Policy>
                  <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                      <sp:HashPassword/>
                    </wsp:Policy>
                  </sp:UsernameToken>
                </wsp:Policy>
              </sp:SupportingTokens>
              <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                <ramp:passwordCallbackClass>samples.services.PWCBHandler</ramp:passwordCallbackClass>
              </ramp:RampartConfig>
            </wsp:All>
          </wsp:ExactlyOne>
        </wsp:Policy>
      </service>

      Thanks & Regards,
      Bala
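The check the reporter expected on the server side, as an added example that is not Rampart's own code: a UsernameToken verifier that recomputes the WSS PasswordDigest, Base64(SHA-1(nonce + created + password)), and keeps a time-bounded nonce cache so the same security header resent through TCPMon is rejected. The credential store, the user name and the five-minute lifetime are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed credential store standing in for the service's password callback
# (samples.services.PWCBHandler in the report); an assumption for this example.
PASSWORDS = {"bala": "bala-secret"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WSS UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def make_token(username: str, password: str, now: datetime) -> dict:
    # Client side: a fresh random nonce and Created timestamp per request, as Rampart does.
    nonce, created = os.urandom(16), now.strftime(TS_FORMAT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

class UsernameTokenVerifier:
    """Server side: digest check plus a nonce cache so a captured header cannot be replayed."""

    def __init__(self, lifetime: timedelta = timedelta(minutes=5)):
        self.lifetime = lifetime
        self.seen = {}  # base64 nonce -> time after which the entry can be dropped

    def verify(self, token: dict, now: datetime) -> str:
        created = datetime.strptime(token["Created"], TS_FORMAT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.lifetime:   # freshness bounds how long nonces must be kept
            return "rejected: stale Created"
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}  # purge expired entries
        if token["Nonce"] in self.seen:          # same header resent inside the window
            return "rejected: replayed nonce"
        password = PASSWORDS.get(token["Username"], "")  # unknown user fails the digest check
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return "rejected: bad digest"
        self.seen[token["Nonce"]] = now + self.lifetime  # remember only accepted nonces
        return "accepted"

def demo() -> list:
    # The reporter's TCPMon scenario: one valid request, then the same header replayed.
    t0 = datetime(2009, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier()
    token = make_token("bala", PASSWORDS["bala"], t0)
    return [verifier.verify(token, t0 + timedelta(seconds=1)),   # accepted
            verifier.verify(token, t0 + timedelta(seconds=2)),   # replayed nonce
            verifier.verify(token, t0 + timedelta(minutes=10)),  # stale Created
            verifier.verify(make_token("bala", "guess", t0), t0 + timedelta(seconds=3))]
```

Checking freshness first is what keeps the cache bounded: a nonce only needs to be remembered for as long as a header carrying its Created timestamp would still be accepted.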

People

• Assignee: shankar (Selvaratnam Uthaiyashankar)
• Reporter: balamurali (Balamurali)