Hash Password Support and Token Assertion Parameters in Metro 1.2
By ashutoshshahi on May 23, 2008
Metro 1.2 was released just before JavaOne. The Security component adds support for two major features from the Security Policy 1.2 specification:
Digest(Hash) Password Support
Availability of Security Token Assertion parameters like Issuer, IssuerName and Claims for verification by users.
Both these features are available for the Security Policy 1.2 namespace.
Digest Password Support
The WSS 1.1 Username Token Profile allows digest passwords to be sent in a wsse:UsernameToken of a SOAP message. Two more optional elements are included in the wsse:UsernameToken in this case: wsse:Nonce and wsse:Created. A nonce is a random value that the sender creates and includes in each UsernameToken that it sends. A creation time is added so that nonces can be bound to a “freshness” time period. The Password Digest in this case is calculated as:
Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
This is how a UsernameToken with a digest password looks:
<wsse:UsernameToken wsu:Id="uuid_faf0159a-6b13-4139-a6da-cb7b4100c10c">
  <wsse:Username>Alice</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">6S3P2EWNP3lQf+9VC3emNoT57oQ=</wsse:Password>
  <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">YF6j8V/CAqi+1nRsGLRbuZhi</wsse:Nonce>
  <wsu:Created>2008-04-28T10:02:11Z</wsu:Created>
</wsse:UsernameToken>
The Security Policy assertion for a UsernameToken with digest password looks like:
<sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:WssUsernameToken10 />
        <sp:HashPassword />
      </wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy>
</sp:SignedSupportingTokens>
The testcase s17 available at https://wsit.dev.java.net/source/browse/*checkout*/wsit/wsit/test/e2e/testcases/xwss/s17 provides a sample for the Digest Password scenario, and the complete WSDL can be accessed at wsdl. The service needs to provide an implementation of the abstract class PasswordValidationCallback.WsitDigestPasswordValidator; the testcase includes a sample implementation. The implementation class name is specified in the ValidatorConfiguration of the WSDL:
<sc:ValidatorConfiguration xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
  <sc:Validator name="usernameValidator" classname="xwss.s17.server.SampleWsitDigestPasswordValidator" />
</sc:ValidatorConfiguration>
Tooling support for Hash Password will come with the 1.3 release of Metro.
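As an added illustration (not code from the s17 testcase or from Metro), here is the digest computation given above together with the checks a service-side digest password validator has to make: the wsu:Created timestamp must be fresh, a nonce must not be accepted twice, and the two digests are compared in constant time. Python is used as a language-neutral reference; the username-to-password store, the five-minute freshness window and the in-memory nonce cache are assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

WSU_TIME = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created format used on the page (no fractional seconds)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)).
    nonce is the raw (base64-decoded) bytes; created and password are taken as UTF-8."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_token(username: str, password: str, now: datetime) -> dict:
    """Client side: build the four UsernameToken fields with a fresh random nonce."""
    nonce = os.urandom(16)
    created = now.strftime(WSU_TIME)
    return {"Username": username,
            "Password": password_digest(nonce, created, password),
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created}


class DigestValidator:
    """Service side: the checks a WsitDigestPasswordValidator-style class has to perform."""

    def __init__(self, passwords: dict, max_age: timedelta = timedelta(minutes=5)):
        self._passwords = passwords          # username -> cleartext password (constructed store)
        self._max_age = max_age              # assumed freshness window for wsu:Created
        self._seen = set()                   # (nonce, created) pairs already accepted

    def validate(self, token: dict, now: datetime) -> bool:
        password = self._passwords.get(token["Username"])
        if password is None:
            return False
        created = datetime.strptime(token["Created"], WSU_TIME).replace(tzinfo=timezone.utc)
        if abs(now - created) > self._max_age:      # stale or far-future Created
            return False
        key = (token["Nonce"], token["Created"])
        if key in self._seen:                       # nonce reuse: replayed token
            return False
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["Password"]):
            return False
        self._seen.add(key)
        return True
```

A real validator would also have to accept fractional seconds in wsu:Created and keep the nonce cache for at least the freshness window.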
Availability of Security Token Assertion parameters like Issuer, IssuerName and Claims to end users
The SecurityPolicy 1.2 spec allows a token assertion to carry optional sp:Issuer or sp:IssuerName elements and a wst:Claims element. In the earlier version, these elements were only allowed for an IssuedToken assertion. We make this information available in the com.sun.xml.wss.TokenPolicyMetaData class, and it can be used, for example, in a CallbackHandler. Here is a code snippet:
SAMLCallback cb = ...
Map props = cb.getRuntimeProperties();
com.sun.xml.wss.TokenPolicyMetaData metaData = new com.sun.xml.wss.TokenPolicyMetaData(props);
String issuer = metaData.getIssuer();
org.w3c.dom.Element claims = metaData.getClaims();
The Issuer or IssuerName information is available as a String, representing the URI. The Claims information is available as a DOM Element.