English 中文(简体)
Axis2 + Rampart: 具体说明政策标题中的密码摘要
原标题:Axis2 + Rampart: Specifying password digest in policy header

I am trying to send username and a password over web services using axis2 and rampart. I want to send the password as a digest, but for some reason the password is only sent in cleartext. According to several sources, it should happen when I add the to both services.xml and axis2.xml, but it doesnt seem to work. I have also tried to add Digest under the sub-header. Relevant sections of services.xml (server side) and axis2.xml (client side) is given below. Can anybody see anything wrong?

My axis2.xml

<wsp:Policy wsu:Id="UTOverTransport"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SignedSupportingTokens
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:UsernameToken
                        sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:HashPassword />
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SignedSupportingTokens>
            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                <ramp:user>test</ramp:user>
                <ramp:passwordCallbackClass>sec.PWCBHandler</ramp:passwordCallbackClass>
            </ramp:RampartConfig>
        </wsp:All>
    </wsp:ExactlyOne>

</wsp:Policy>

我的服务。

<wsp:Policy wsu:Id="UTOverTransport"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SignedSupportingTokens
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:UsernameToken
                        sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:HashPassword />
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SignedSupportingTokens>
            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                <ramp:passwordCallbackClass>sec.PWCBHandler</ramp:passwordCallbackClass>
            </ramp:RampartConfig>

        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>
问题回答

你们的组合的问题是,你使用的名称空间表明,轴心是将其解释为WSS 1.1配置。 就我能够从轴心来源了解的情况而言,它不支持从用户名到象征性的密码。 或许这是第1.2号特别安全局的特征。

You need to define supporting token using WSS 1.2 namespaces:

  <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
             <sp:HashPassword />
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SignedSupportingTokens>

这将用不收听的口号,并因违约而产生。

时间:2013-04-12 16:29:32

I found you may need to add something like this:

<wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
  "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
 <wsp:ExactlyOne>
  <wsp:All>
   <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
     <wsp:Policy>
      <sp:TransportToken>
        <wsp:Policy>
         <sp:HttpsToken RequireClientCertificate="false"/>
        </wsp:Policy>
      </sp:TransportToken>
     </wsp:Policy>
   </sp:TransportBinding>
   <sp:SupportingTokens
     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp:Policy>
     <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/
          ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
    </wsp:Policy>
   </sp:SupportingTokens>
  </wsp:All>
 </wsp:ExactlyOne>
</wsp:Policy>

Ref: http://www.ubm.com/Deepéperwork/jav/library/j-jws-4index.html”

时间:2012-03-27 11:51:46


上一篇:
下一篇:


相关问题
ajax login using httpRequest?

I am trying to develop my login script to give feedback to the user if the login is valid or not. Basically if it isn t correct a div box will show saying its wrong, if its correct it will show its ...

时间:2009-11-14 12:18:03 回答:4 展示:1
Remotely authenticating client Windows user on demand

Suppose I am writing a server for a particular network protocol. If I know that the client is running on a Windows machine, is it possible for my server to authenticate the Windows user that owns the ...

时间:2009-11-14 11:57:12 回答:1 展示:1
Role/Permission based forms authorizing/authentication?

While looking into forms authorizing/authentication, I found that it is possible to do role based authorizing by adding an array of roles to a FormsAuthenticationTicket. That way I can write User....

时间:2009-11-05 23:14:23 回答:1 展示:1
热门标签

友情链接

Allggapp Alljchome-教程家园 mvfinale.com-影视剧情大结局大全