Hash Password Support and Token Assertion Parameters in Metro 1.2

Metro 1.2 was released just before JavaOne. The Security component adds support for two major features from the Security Policy 1.2 specification:

  • Digest(Hash) Password Support

  • Availability of Security Token Assertion parameters such as Issuer, IssuerName and Claims for verification by users.

Both these features are available for the Security Policy 1.2 namespace.

Apart from this there are many bug fixes. Please refer to the status notes for Security and Security Policy.

Digest Password Support

The WSS 1.1 Username Token Profile allows digest passwords to be sent in the wsse:UsernameToken of a SOAP message. In this case two more optional elements are included in the wsse:UsernameToken: wsse:Nonce and wsu:Created. A nonce is a random value that the sender creates and includes in each UsernameToken it sends. The creation time is added so that the receiver can restrict accepted nonces to a “freshness” time window. The password digest is then calculated as:

Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )

This is what a UsernameToken with a digest password looks like:

<wsse:UsernameToken wsu:Id="uuid_faf0159a-6b13-4139-a6da-cb7b4100c10c">
   <wsse:Username>Alice</wsse:Username>
   <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">6S3P2EWNP3lQf+9VC3emNoT57oQ=</wsse:Password>
   <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">YF6j8V/CAqi+1nRsGLRbuZhi</wsse:Nonce>
   <wsu:Created>2008-04-28T10:02:11Z</wsu:Created>
</wsse:UsernameToken>

The Security Policy assertion for a UsernameToken with digest password looks like:

<sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
   <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
         <wsp:Policy>
            <sp:WssUsernameToken10 />
            <sp:HashPassword />
         </wsp:Policy>
      </sp:UsernameToken>
   </wsp:Policy>
</sp:SignedSupportingTokens>

The testcase s17 available at https://wsit.dev.java.net/source/browse/\*checkout\*/wsit/wsit/test/e2e/testcases/xwss/s17 provides a sample for the Digest Password scenario and the complete WSDL can be accessed at wsdl. The service needs to provide an implementation of the abstract class PasswordValidationCallback.WsitDigestPasswordValidator. The testcase includes a sample implementation. The implementation class name is specified in the ValidatorConfiguration of the WSDL:

<sc:ValidatorConfiguration xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
   <sc:Validator name="usernameValidator" classname="xwss.s17.server.SampleWsitDigestPasswordValidator" />
</sc:ValidatorConfiguration>

Tooling support for Hash Password will come with the 1.3 release of Metro.
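The digest computation and the server-side check described above, as an added example in Python rather than Metro's own Java code. The DigestPasswordValidator class, the in-memory user store and all token values are constructed for illustration; the real Metro validator is the abstract PasswordValidationCallback.WsitDigestPasswordValidator named above. The example also adds what a production validator must do beyond the formula: require a fresh wsu:Created and reject a nonce that has already been seen.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

WSU_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created layout used in the token above

def parse_utc(timestamp):
    return datetime.strptime(timestamp, WSU_FORMAT).replace(tzinfo=timezone.utc)

def password_digest(nonce_b64, created, password):
    """Password_Digest = Base64(SHA-1(nonce + created + password)).
    The nonce is hashed as the raw bytes behind its Base64 text; created and
    password are hashed as UTF-8."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def make_token(username, password, created=None):
    """Client side: fresh random nonce, current wsu:Created, digest instead of password."""
    nonce = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    created = created or datetime.now(timezone.utc).strftime(WSU_FORMAT)
    return {"username": username, "nonce": nonce, "created": created,
            "digest": password_digest(nonce, created, password)}

class DigestPasswordValidator:
    """Server side (hypothetical stand-in for a WsitDigestPasswordValidator):
    the stored password is needed in clear to recompute the digest, the Created
    time must fall inside a freshness window, and a nonce may be used only once."""
    def __init__(self, users, max_age=timedelta(minutes=5)):
        self.users = users            # username -> password (constructed sample store)
        self.max_age = max_age
        self.seen_nonces = {}         # nonce -> created, for replay detection

    def validate(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        # Evict nonces whose Created is outside the window; they can no longer be replayed.
        self.seen_nonces = {n: c for n, c in self.seen_nonces.items() if now - c <= self.max_age}
        password = self.users.get(token["username"])
        if password is None:
            return False
        created = parse_utc(token["created"])
        if not (now - self.max_age <= created <= now + self.max_age):
            return False              # stale or far-future Created
        if token["nonce"] in self.seen_nonces:
            return False              # replayed token
        expected = password_digest(token["nonce"], token["created"], password)
        if not hmac.compare_digest(expected, token["digest"]):
            return False
        self.seen_nonces[token["nonce"]] = created
        return True
```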

Availability of Security Token Assertion parameters like Issuer, IssuerName and Claims to end users

The SecurityPolicy 1.2 spec allows a token assertion to carry optional sp:Issuer or sp:IssuerName elements and a wst:Claims element. In the earlier version these elements were only allowed on an IssuedToken assertion. We make this information available in the com.sun.xml.wss.TokenPolicyMetaData class, and it can be used, for example, in a CallbackHandler. Here is a code snippet:

SAMLCallback cb = ...  // callback handed to the CallbackHandler
Map props = cb.getRuntimeProperties();
com.sun.xml.wss.TokenPolicyMetaData metaData =
        new com.sun.xml.wss.TokenPolicyMetaData(props);

String issuer = metaData.getIssuer();               // sp:Issuer / sp:IssuerName as a URI string
org.w3c.dom.Element claims = metaData.getClaims();  // wst:Claims as a DOM Element

The Issuer or IssuerName information is available as a String, representing the URI. The Claims information is available as a DOM Element.

Comments:

Great !!

Alas, I can't get test case s17 to work.

Installed metro 1.2 for both glassfish V2 and webservice-api.jar over both jdk/jre/endorsed and jre/endorsed (java 6b6), created a web service from test case wsdl in netbeans 6.1 and deployed.

Tried to test the service from SoapUI by adding a hashed username token and I get an auth failure.

This fails with:

<message>Authentication of Username Password Token Failed</message>
<ns2:stackTrace>
<ns2:frame class="com.sun.xml.ws.security.opt.impl.util.SOAPUtil" file="SOAPUtil.java" line="165" method="getSOAPFaultException"/>
<ns2:frame class="com.sun.xml.wss.provider.wsit.WSITServerAuthContext" file="WSITServerAuthContext.java" line="315" method="validateRequest"/>
<ns2:frame class="com.sun.xml.wss.provider.wsit.WSITServerAuthContext" file="WSITServerAuthContext.java" line="223" method="validateRequest"/>

etc.

Apparently the password validator never gets called.

Would you mind giving an example of basic auth, with details on what setup to use and where the user name is returned as a reply?

Thanks.

Posted by Andrew on July 04, 2008 at 04:45 PM IST #

Hello,

I am learning Security Token Service and I managed to have my service and client working with STS. I followed the tutorial at: http://java.sun.com/webservices/reference/tutorials/wsit/doc/index.html

The tutorial does not tell me how to set the content of the "wst:Claims" element and I could not find any option in Netbeans which allows me to set it. I am using Netbeans 6.7 Beta, JDK 1.6, Metro 1.5, Glassfish 2.1.

I just wonder if you can show me how to set the content of the "wst:Claims" element?

Any help would be greatly appreciated

Best regards,
Phi

Posted by Phi on May 26, 2009 at 06:39 AM IST #

Hi Phi,

Please post your question about wst:Claims in the Metro forum:

http://forums.java.net/jive/forum.jspa?forumID=46&start=0

We will help you there.

Thanks!

Jiandong

Posted by Jiandong Guo on June 23, 2009 at 09:51 PM IST #

You may check this blog entry for how to handle Claims with Metro:

http://blogs.sun.com/trustjdg/entry/handling_claims_with_sts

Posted by Jiandong Guo on June 23, 2009 at 09:55 PM IST #
