Web Service Security Usernametoken with PasswordDigest


Entwickler Roland

Mar 19, 2021, 10:46:12 AM
to WildFly

Hi all,
I am struggling with the configuration of wildfly 22/23 to authenticate web service users by usernametoken with password digests. After several tries I managed to get it working with cleartext passwords, but that is not what I was looking for.

I have a Web Service with a policy like this:
<wsp1_2:Policy wssutil:Id="usernameToken">
    <ns1:SupportingTokens xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
       <wsp1_2:Policy>
          <ns1:UsernameToken ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
             <wsp1_2:Policy>
                <ns1:HashPassword/>
                <ns1:WssUsernameToken10/>
             </wsp1_2:Policy>
          </ns1:UsernameToken>
       </wsp1_2:Policy>
    </ns1:SupportingTokens>
</wsp1_2:Policy>

Now I added the SubjectCreatingPolicyInterceptor to the WS Endpoint and defined a new endpoint config in which I set ws-security.validate.token to false. That's what I found in the documentation. But I always get an exception from the org.jboss.wsf.stack.cxf.security.authentication.SubjectCreator when it calls the isValid method from the SecurityDomainContext. I can see that the username and the password digest were correctly extracted from the usernametoken, but now there is something wrong with the security domain.
In my case I have a database with the passwords in cleartext, because the incoming password is already a hash with nonce and timestamp. So to compare the passwords I have to build a hash with the stored password and the nonce and timestamp from the usernametoken. How can I configure this in wildfly? In the elytron subsystem I can use different password mappers, but the digest mappers are for the opposite case when I have a hashed password in the database and the input password is cleartext. In the older security subsystem (legacy) there are some options in the database login module like "hashUserPassword" and "hashStorePassword" but it's not working for me.

Can somebody help me?
