• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Rampart encrypting options: I can't encrypt parameters

 
Enrico Viappiani
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
hi guys, I have a Web service developed in java, deployed on Tomcat / Axis2.
Every method in the service, has "User", a class containing username and password in plain.
I need to encrypt that parameters in the SOAP request, so i engaged rampart, and seems to do the job, but using a soap monitor i noticed that the user/password parameters are in plain text, clear and unencrypted!!!
the soap request catched by soap monitor is this:





Any ideas? how can I configure rampart to encrypt that section? thanks

Enrico
 
Tim Moores
Bartender
Posts: 2747
38
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The password isn't in clear text; it's digested. What are you worried about?

Update: Oh, you mean your password, not the WS-Security password. Sorry.

Update #2: It doesn't look like you're using WS-Encryption, it looks like you're using WS-Signature (which leaves the contents in clear text).
 
Enrico Viappiani
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Tim Moores wrote:The password isn't in clear text; it's digested. What are you worried about?

Update: Oh, you mean your password, not the WS-Security password. Sorry.

Update #2: It doesn't look like you're using WS-Encryption, it looks like you're using WS-Signature (which leaves the contents in clear text).


I'm used to think that this configuration of axis2.xml was enough, but it seems that i was wrong:



thanks in advance guys!
 
Tim Moores
Bartender
Posts: 2747
38
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Remove the Signature item. Or do you want to sign the request?

I also noticed an introduction to Encryption with Axis at http://www.javaranch.com/journal/2008/10/Journal200810.jsp#a5
 
Enrico Viappiani
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Tim Moores wrote:Remove the Signature item. Or do you want to sign the request?

I also noticed an introduction to Encryption with Axis at http://www.javaranch.com/journal/2008/10/Journal200810.jsp#a5


Yeah I followed that guide some months ago!

Do you think that Signature will set the Encryption apart? I'll try it..

Edit: same problem , i'm searching for a full guide on rampart options and examples, but i can't find nothing useful
 
Enrico Viappiani
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
UPDATE: Added the policy.xml file... but nothing happens..
 
Tim Moores
Bartender
Posts: 2747
38
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
What is policy.xml?

Have you gotten the example in that article to run?
 
Enrico Viappiani
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Tim Moores wrote:What is policy.xml?

Have you gotten the example in that article to run?


yes, but the body is plain text as before... i opened a issues on the apache page.

policy.xml sets the policy for the client and wsp protocol.
Rampart with encrypt tag, should encrypt the body as default anyway... I'm really stuck with this, i thinks this is a pretty stupid issue, but there's no error feedback on the console, i'm literally gettin mad..
 
Enrico Viappiani
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I received an answer by JSF.
Configuration by properties is deprecated.. so i need to do that by using a policy.xml file.. but honestly i can't find nothing useful on the steps to perform to accomplish that, just a bunch on nonsense examples and nothing serious.
Which file has to be modified, which not.. great confusion.. i think i'm gonna downgrade to rampart 1 and get the project to work.
 
Enrico Viappiani
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
solved.. i was using a soap monitor that decrypt the request before that the monitor catch it.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic