  1. Spring Web Services
  2. SWS-581

expose ability to set Wss4j option ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES via Wss4jSecurityInterceptor

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.8
    • Fix Version/s: 1.5.9
    • Component/s: Security
    • Labels:
      None

      Description

      Wss4j 1.5.8 includes a new WSHandlerConstant named ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES.
      By default, the value for this option is false.

      When migrating my web services application from spring-ws 1.5.7 to 1.5.8 (which includes wss4j 1.5.8), the WS-Security headers sent by Microsoft clients do not validate.
      Specifically, when execution reaches line 173 of org.apache.ws.security.message.token.UsernameToken, the field allowNamespaceQualifiedPasswordTypes is false, and as a result the "WSSecurityException(WSSecurityException.INVALID_SECURITY_TOKEN,"badTokenType01",new Object[]{el})" is thrown.

      wss4j 1.5.7 for reference looks pretty different within the same UsernameToken constructor; it simply sets passwordType to whatever "elementPassword.getAttribute(WSConstants.PASSWORD_TYPE_ATTR)" returns.

      It appears ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES was developed in response to the format of the Microsoft clients.

      I'm wondering if we can expose a way in Wss4jSecurityInterceptor to toggle this option.
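
Added example (not part of the original report, and not wss4j or Spring-WS code): a plain-JDK DOM illustration of the lookup the description refers to, assuming "namespace-qualified" means the Password element carries wsse:Type rather than an unqualified Type attribute. The class name, method names, exception type and sample token are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class PasswordTypeLookup {
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";

    // Hypothetical helper: resolves the password type the way the report describes,
    // rejecting a qualified Type attribute unless the caller opts in.
    static String passwordType(Element password, boolean allowQualified) {
        if (password.hasAttributeNS(null, "Type")) {        // unqualified: Type="..."
            return password.getAttributeNS(null, "Type");
        }
        if (password.hasAttributeNS(WSSE_NS, "Type")) {     // qualified: wsse:Type="..."
            if (allowQualified) {
                return password.getAttributeNS(WSSE_NS, "Type");
            }
            throw new IllegalArgumentException("namespace-qualified password Type rejected");
        }
        return null;                                        // no Type attribute present
    }

    // Builds a constructed UsernameToken and returns its Password element.
    static Element parsePassword(String typeAttrName) throws Exception {
        String xml = "<wsse:UsernameToken xmlns:wsse='" + WSSE_NS + "'>"
            + "<wsse:Username>alice</wsse:Username>"
            + "<wsse:Password " + typeAttrName + "='" + PASSWORD_TEXT + "'>constructed-sample</wsse:Password>"
            + "</wsse:UsernameToken>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);  // required for getAttributeNS to see the prefix binding
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element token = f.newDocumentBuilder()
            .parse(new InputSource(new StringReader(xml))).getDocumentElement();
        return (Element) token.getElementsByTagNameNS(WSSE_NS, "Password").item(0);
    }

    public static void main(String[] args) throws Exception {
        // Unqualified attribute resolves regardless of the flag.
        System.out.println(passwordType(parsePassword("Type"), false));
        // Qualified attribute resolves only when the flag is on.
        System.out.println(passwordType(parsePassword("wsse:Type"), true));
        try {
            passwordType(parsePassword("wsse:Type"), false);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```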

        Activity

        nblair Nicholas Blair created issue -
        nblair Nicholas Blair added a comment -

        What would be the preferred way to expose this? Define a specific setter on Wss4jSecurityInterceptor, something like setAllowNamespaceQualifiedPasswordTypes(boolean)? Or a more generic setHandlerOption(String, String) that delegates to the inner Handler? Or expose the handler itself (getWss4jHandler())?

        tareq Tareq Abedrabbo made changes -
        Field: Original Value → New Value
        Assignee: Arjen Poutsma [ arjen.poutsma ] → Tareq Abedrabbo [ tareq ]
        Fix Version/s: (empty) → 1.5.9 [ 11296 ]
        tareq Tareq Abedrabbo added a comment -

        I added a setAllowQualifiedPasswordTypes setter to achieve that. Could you please test a recent snapshot to see if it works for you?

        nblair Nicholas Blair added a comment -

        Just tested with 1.5.9-SNAPSHOT, looks good to me.

        tareq Tareq Abedrabbo added a comment -

        Thanks. I'm thinking that having this property on by default would greatly enhance interoperability with .Net and shouldn't have a downside on ws-security complying web services. I think I'll remove setAllowQualifiedPasswordTypes and set the corresponding wss4j property by default. This will also simplify the interceptor, which already has an important number of setters exposed, unless you have another idea?

        nblair Nicholas Blair added a comment -

        I'm not sure exactly the full impact of that parameter, so even if the default behavior is switched to true I think the setter should remain in order to let deployers override if need be.

        tareq Tareq Abedrabbo added a comment -

        I allowed for qualified password types by default since this option has no negative impact on complying ws-security headers.
        I'm a bit concerned about the number of properties that the Wss4jSecurityInterceptor already has, so I removed the corresponding setter for the time being, but I'm willing to put it back if it turns out to be really beneficial.

        tareq Tareq Abedrabbo made changes -
        Status: Open [ 1 ] → Resolved [ 5 ]
        Resolution: (empty) → Fixed [ 1 ]
        arjen.poutsma Arjen Poutsma added a comment -

        Closing old issues

        arjen.poutsma Arjen Poutsma made changes -
        Status: Resolved [ 5 ] → Closed [ 6 ]

        Transitions
        Open → Resolved: time in source status 47d 12h 53m; execution times 1; last executer Tareq Abedrabbo; last execution date 14/Dec/09 8:40 PM
        Resolved → Closed: time in source status 871d 10h 23m; execution times 1; last executer Arjen Poutsma; last execution date 04/May/12 7:03 AM

          People

          • Assignee:
            tareq Tareq Abedrabbo
            Reporter:
            nblair Nicholas Blair