Rampart / RAMPART-385

Rampart does check username token password (via callback), even though "NoPassword" was specified in Security Policy

    Details

    • Type: Question
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Environment:
      JBoss 5.1.2
      Axis2 1.6.2
      Rampart/Rahas 1.6.2

      Description

      A Policy was specified on a web service as such:

      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:NoPassword/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SupportingTokens>

      If the request contains username token + password in security header, I would expect (hope) Rampart to ignore
      the password or complain that a password is present (I'm not sure about the meaning of NoPassword in this respect).

      Anyway: Rampart will go into the password callback and require us to supply the value.
      Is this correct?

      1. RAMPART-385.patch
        15 kB
        Suresh Attanayake
      2. policy-1.2-UT.xml
        2 kB
        Suresh Attanayake

        Activity

        Simon Jongsma created issue -
        Suresh Attanayake made changes -
        Field Original Value New Value
        Comment [ I could reproduce this issue. This seems to come from Neethi. ]
        Suresh Attanayake added a comment -

        Hi,

        This is not a bug. You must have used the WS-SecurityPolicy version 1.1. The <sp:NoPassword../> is not a part of the WS-SecurityPolicy version 1.1. It is defined in the WS-SecurityPolicy version 1.2.
        So use policy version 1.2. Rampart handles the NoPassword policy well.
        Anyhow, I have added policy validation on this. It is with the patch (RAMPART-385.patch) attached herewith.

        Thanks,
        -Suresh

        Suresh Attanayake added a comment -

        Attaching a patch for UsernameToken Assertion policy validation.

        Suresh Attanayake made changes -
        Attachment RAMPART-385.patch [ 12544407 ]
        Suresh Attanayake added a comment -

        Attaching the patch with test cases.

        Suresh Attanayake made changes -
        Attachment RAMPART-385.patch [ 12544411 ]
        Suresh Attanayake made changes -
        Attachment RAMPART-385.patch [ 12544427 ]
        Simon Jongsma added a comment -

        Thanks so far Suresh. I was not aware I could specify the WS-SecurityPolicy version to be used by Rampart.
        Could you instruct me as to where I can specify this?

        Suresh Attanayake added a comment -

        Hi Simon,

        You should write the security policy using the WS-Security Policy 1.2 language. I'm attaching a sample policy file for your case.

        Thanks,
        -Suresh
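
        As an added example (not part of the issue thread, the attached patch, or Rampart's code), the check below reads a policy document and reports, for each UsernameToken assertion, which WS-SecurityPolicy namespace it is written in and whether a nested NoPassword can take effect according to the reply above. The function names, the `TEMPLATE` sample and its namespace declarations are assumptions constructed for illustration; the report's fragment does not show its declarations.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy namespaces: 1.1 (2005/07) and 1.2 (OASIS 200702)
SP_VERSIONS = {
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy": "1.1",
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702": "1.2",
}

def split_qname(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def audit_username_tokens(policy_xml):
    """Return one finding per sp:UsernameToken assertion in the policy."""
    findings = []
    for elem in ET.fromstring(policy_xml).iter():
        ns, local = split_qname(elem.tag)
        if local != "UsernameToken" or ns not in SP_VERSIONS:
            continue
        # Policy version of each NoPassword assertion nested under the token
        nopw = [SP_VERSIONS.get(split_qname(c.tag)[0], "unknown")
                for c in elem.iter() if split_qname(c.tag)[1] == "NoPassword"]
        findings.append({
            "sp_version": SP_VERSIONS[ns],
            "no_password_declared": bool(nopw),
            # Per the reply in the thread, NoPassword exists only in 1.2
            "no_password_effective": SP_VERSIONS[ns] == "1.2" and "1.2" in nopw,
        })
    return findings

# Constructed sample: the fragment from the report, wrapped in a policy
# element with namespace declarations that are assumed, not from the report.
TEMPLATE = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="{ns}">
  <sp:SupportingTokens><wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="{ns}/IncludeToken/AlwaysToRecipient">
      <wsp:Policy><sp:NoPassword/></wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy></sp:SupportingTokens>
</wsp:Policy>"""

if __name__ == "__main__":
    for ns in SP_VERSIONS:
        print(SP_VERSIONS[ns], audit_username_tokens(TEMPLATE.format(ns=ns)))
```

        A finding with `no_password_declared` true and `no_password_effective` false matches the situation reported here: the policy asks for NoPassword, but it is written in the 1.1 namespace, so the password callback is still invoked.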
        Suresh Attanayake made changes -
        Attachment policy-1.2-UT.xml [ 12566364 ]

          People

          • Assignee: Unassigned
          • Reporter: Simon Jongsma
          • Votes: 0
          • Watchers: 2
