
I know that the Apache Rampart configuration allows providing a password callback handler class, which can be used to provide the passwords the Rampart engine needs to build username tokens and create signatures when sending messages. It's written that whenever the Rampart engine needs a password to create a username token, it will create a WSPasswordCallback instance, set the appropriate identifier, which it extracts from the parameter of the Rampart configuration, and pass it to the password callback class via the handle method. But as you see, I've used policy-based configuration!

So I've got a few questions to see if I have understood all that:

  1. Is it from here that the Rampart engine extracts the appropriate username: `<wsse:Username>bob</wsse:Username>`?

  2. After it extracts it, it passes it to our PWCBHandler class via the handle method. Our handle method sets the appropriate password if the username is correct.

  3. And the most important: as I have to consume my web service from JavaScript, at the end I have provided my SOAP request. But as you see, I provide both the username and the password, and I can't see where the security is, as everyone can see my username and password. Is this right? How can I make it more secure?

Here is my code.


  1. Here is my code for the PassWordCallback.java class

    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import org.apache.ws.security.WSPasswordCallback;

    public class PassWordCallback implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
                // For a PasswordText token the engine fills in both the identifier (the
                // username) and the received password; the handler accepts or rejects them.
                if (pwcb.getIdentifier().equals("test") && pwcb.getPassword().equals("pass")) {
                    return;
                } else {
                    throw new UnsupportedCallbackException(callbacks[i], "Incorrect login/password");
                }
            }
        }
    }


Here is my SOAP request from JavaScript:

    var soapRequest =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
        "<soapenv:Envelope " +
            "xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
            "xmlns:tan=\"http://tan\">" +
            "<soapenv:Header>" +
                '<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">' +
                    '<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="123">' +
                        '<wsse:Username>bob</wsse:Username>' +
                        '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>' +
                    '</wsse:UsernameToken>' +
                '</wsse:Security>' +
            "</soapenv:Header>" +
            "<soapenv:Body>" +
                "<tan:testws>" +
                    '<tan:x>ECHOO</tan:x>' +
                '</tan:testws>' +
            '</soapenv:Body>' +
        '</soapenv:Envelope>';
Tania Marinova

1 Answer


I'll answer your 3rd question first.

You are using the username token authentication method to authenticate to the service. To provide security you need to use HTTPS transport instead of HTTP. This way you can provide transport-level security and hide your password. Some nice reading can be found here: http://wso2.com/library/3190/

If you are using an insecure channel (say HTTP), then you can encrypt the password. The user can create a digest of the password with random bytes (a nonce). To authenticate the request, the service will compute the digest value using the password bound to the received username and will compare the received digest value with the computed digest value. The security headers will be changed. Some detailed info about this can be found here: http://wso2.com/library/240/. To provide more security you can encrypt the message (http://wso2.com/library/3415/).

For question 1, it does not get the username from wsse:Username. It extracts the username from the parameter of the Rampart configuration. This configuration can be loaded externally or using Java:

    RampartConfig rc = new RampartConfig();
    rc.setUser("admin");
    rc.setPwCbClass(PWDCallBackHandler.class.getName());

Some info regarding the callback handler: http://wso2.com/library/3733/

For question 2: yes.

Chamila Adhikarinayake