IBM Support

PI45840: ALLOW PASSWORDDIGEST ON USERNAMETOKEN IN JAX-WS WS-SECURITY WITH CUSTOM LOGIN MODULE


APAR status

  • Closed as new function.

Error description

  • In JAX-WS WS-Security, you cannot generate or consume a
    UsernameToken with passwords of type PasswordDigest.  Because
    of user registry constraints, the runtime itself cannot support
    consuming passwords of type PasswordDigest, but an
    administrator should be allowed to introduce a custom login
    module that will do the authentication.
    
    The runtime also does not emit UsernameTokens with passwords
    of type PasswordDigest or allow you to create a UsernameToken
    with the GenericSecurityTokenFactory APIs that use
    PasswordDigest.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  WS-Security enabled JAX-WS web services     *
    *                  applications and UsernameToken              *
    ****************************************************************
    * PROBLEM DESCRIPTION: JAX-WS WS-Security should generate      *
    *                      and consume UsernameTokens with         *
    *                      PasswordType of PasswordDigest          *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    The JAX-WS WS-Security runtime only accepts and emits
    UsernameTokens with a PasswordType of
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText.
    If the PasswordType is
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest,
    the token is rejected.  You also cannot emit tokens with a
    PasswordType of PasswordDigest.  The runtime should be able to
    emit tokens with a PasswordType of PasswordDigest and accept
    PasswordDigest if a custom login module is in place.
    

Problem conclusion

  • The JAX-WS WS-Security run time is updated to support
    PasswordDigest.  To emit a UsernameToken with a PasswordType
    of PasswordDigest, set the following custom property on the
    UsernameToken callback handler:
    
    com.ibm.wsspi.wssecurity.token.username.emitPasswordDigest=true
    
    You can also create a UsernameToken with a PasswordType of
    PasswordDigest using a new
    com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory
    API:
    
    /**
    * Create a fully-populated UsernameToken with a username
    * and password with support for timestamp, nonce, and
    * passwordDigest password type.
    *
    * The password stored on the UsernameToken object will be
    * in clear text regardless of the passwordDigest setting.  Only
    * the XML string is affected by the passwordDigest setting.
    *
    * @param username username for the UsernameToken element
    * @param password password for the UsernameToken element.
    * Null for no password.
    * @param useTimestamp true=add timestamp, false=no timestamp
    * @param addNonce true=add nonce, false=no nonce
    * @param passwordDigest true=PasswordType=PasswordDigest,
    * false=PasswordType=PasswordText
    * @return A fully-populated <code>UsernameToken</code>
    */
    public abstract UsernameToken getFullUsernameToken(String
      username, char[] password, boolean useTimestamp, boolean
      addNonce, boolean passwordDigest)
      throws LoginException;
    
    
    You can consume a UsernameToken with a PasswordType of
    PasswordDigest only if custom code is in place.  You have two
    choices with this implementation:
    
    1) Use a custom callback handler
      1a) Create a custom class that implements
    javax.security.auth.callback.CallbackHandler and make it
    available to the provider application.
    
      1b) The callback handler will be passed
    javax.security.auth.callback.NameCallback and
    javax.security.auth.callback.PasswordCallback objects.
    
      1c) In the PasswordCallback, set the plain-text password that
    corresponds to the username retrieved from
    NameCallback.getName().

       * If an error occurs while retrieving the password (for
    instance, if the user name is not recognized), throw an
    IOException.
    
      1d) In the WS-Security bindings for the provider application,
    in the UsernameToken consumer callback handler, set the
    following custom property to the class name of the custom
    callback handler:

    com.ibm.wsspi.wssecurity.token.UsernameToken.digestPasswordCallbackHandler
    
      1e) At runtime, the UNTConsumeLoginModule will do the
    following:
    
      * Retrieve the plain-text password from the custom callback
    handler.
      * Calculate the digest of the plain-text password using the
    Timestamp and Nonce in the token (if they exist).
      * Compare the digest of the plain-text password against the
    digested password in the token.
      ** If the comparison fails, the token will be rejected.
      ** If the comparison is successful, the password on the
    UsernameToken object will be set to the plain-text password
    and used later if required.
      * Check the registry using the username/plain-text password.
      ** If you don't want to check the registry, be sure to set
    com.ibm.wsspi.wssecurity.token.UsernameToken.disableUserRegistryCheck=true
    on the UsernameToken callback handler.
    
      * If a caller configuration exists for the UsernameToken,
    the LoginProcessor will check the registry for the
    username/plain-text password unless a custom login module is
    used to bypass the registry check.  See the following article
    for more information:
    
    https://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_config_wssec_caller_no_reg.html
    
    
    2) Implement a JAAS login module to validate the UsernameToken
    containing the digested password.
    
      2a) Implement a UsernameToken authentication JAAS login
    module.  See the following document for more information:
    
    http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_replace_authmethod_usernametoken.html
    
      2b) In the login module, validate the digested password.  New
    APIs have been added to the
    com.ibm.websphere.wssecurity.wssapi.WSSUtilFactory interface
    to help:
    
    public abstract String digestPassword(String nonce, String
      created, char [] password)
      throws LoginException;
    
    public abstract String digestPassword(byte[] nonce,
      java.util.Date created, char [] password)
      throws LoginException;
    
    There are methods in the UsernameToken interface that you can
    use to obtain the values for the nonce (getNonce) and created
    (getCreatedTime):
    
    http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/wssecurity/wssapi/token/UsernameToken.html
    
    
    You can also use the verifyDigestedPassword method in the
    WSSUtilFactory interface to have the UsernameToken object do
    the digest calculation and comparison itself:
    
    public abstract boolean verifyDigestedPassword(UsernameToken
      unt, char [] expectedPassword)
      throws LoginException;
    
    
    /**
    * Calculates a password digest string.
    *
    * This method calculates a password digest string that can be
    * used with the UsernameToken #PasswordDigest Password Type
    *
    * @param nonce UsernameToken nonce value in bytes
    * @param created UsernameToken created date
    * @return the password digest string calculated from the input
    * values
    */
    public abstract String digestPassword(byte[] nonce,
      java.util.Date created, char [] password) throws LoginException;
    
    /**
    * Calculates a password digest string.
    *
    * This method calculates a password digest string that can be
    * used with the UsernameToken #PasswordDigest Password Type
    *
    * @param nonce UsernameToken nonce value, base-64 encoded
    * @param created UsernameToken created date in UTC String
    * format (as it appears in the token XML)
    * @return the password digest string calculated from the input
    * values
    */
    public abstract String digestPassword(String nonce, String
    created, char [] password) throws LoginException;
    
    /**
    * Verifies a digested password on a UsernameToken object.
    *
    * This method will verify that the comparison password is the
    * same as the password used to make the digested password on
    * the UsernameToken object.
    * This is done by calculating the digest value for the
    * comparison password using the nonce and created data in the
    * token, then comparing it to the digested password on the
    * UsernameToken.
    *
    * This method can only be used with UsernameTokens that have
    * been consumed by a token consumer (UNTConsumeLoginModule or
    * GenericIssuedTokenConsumeLoginModule).
    * If a UsernameToken was created with a
    * GenericSecurityTokenFactory.getFullUsernameToken method,
    * the password in the token object (not the XML) will
    * be in clear text regardless of the password digest setting.
    * In this case, this method will return false unless both
    * passwords are empty.
    *
    * @param unt UsernameToken containing a digested password
    * @param expectedPassword Password to compare
    * @return true if the digested value of the comparison
    * password equals the password on the unt object, otherwise
    * false
    */
    public abstract boolean verifyDigestedPassword(UsernameToken
    unt, char [] expectedPassword) throws LoginException;
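
    As an added example (not code from the APAR or from WebSphere), the digest rule that digestPassword and verifyDigestedPassword implement and the consume-side check of step 1e, in Python: a dictionary stands in for the custom CallbackHandler of step 1c, and the function names, sample credentials and nonce are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
# Stand-in for the custom CallbackHandler of step 1c (constructed sample data, not from the APAR).
PASSWORD_STORE = {"alice": "s3cret"}

def lookup_password(username):
    """Step 1c: plain-text password for the user; an unknown user raises IOError,
    mirroring the IOException the APAR tells the callback handler to throw."""
    if username not in PASSWORD_STORE:
        raise IOError("unknown user: %r" % username)
    return PASSWORD_STORE[username]

def digest_password(nonce_b64, created, password):
    """UsernameToken profile rule: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    nonce = base64.b64decode(nonce_b64) if nonce_b64 else b""  # nonce is base64 in the XML
    data = nonce + created.encode("utf-8") + password.encode("utf-8")  # created verbatim from XML
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def build_username_token(username, password, nonce, created):
    """Emitter side (what emitPasswordDigest=true produces): only the digest goes on the wire."""
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    return (
        '<wsse:UsernameToken xmlns:wsse="%s" xmlns:wsu="%s">'
        "<wsse:Username>%s</wsse:Username>"
        '<wsse:Password Type="%s">%s</wsse:Password>'
        "<wsse:Nonce>%s</wsse:Nonce><wsu:Created>%s</wsu:Created>"
        "</wsse:UsernameToken>"
    ) % (WSSE, WSU, username, PASSWORD_DIGEST,
         digest_password(nonce_b64, created, password), nonce_b64, created)

def verify_username_token(xml_text):
    """Consumer side (step 1e): recompute from the stored plain text, compare in constant time."""
    root = ET.fromstring(xml_text)
    ns = {"wsse": WSSE, "wsu": WSU}
    pw_el = root.find("wsse:Password", ns)
    if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST:
        return False  # only digested passwords are handled here
    try:
        plain = lookup_password(root.findtext("wsse:Username", "", ns))
    except IOError:
        return False  # password lookup failed: reject the token, as UNTConsumeLoginModule does
    expected = digest_password(root.findtext("wsse:Nonce", "", ns),
                               root.findtext("wsu:Created", "", ns), plain)
    return hmac.compare_digest(expected, pw_el.text or "")
```

A token built with the wrong password, or for a user the handler does not know, is rejected; the plain-text password never appears in the emitted XML.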
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.41, 8.0.0.12, and 8.5.5.8.  Please refer to
    the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, WSSEC
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI45840

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-07-28

  • Closed date

    2015-09-16

  • Last modified date

    2015-09-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP


Document Information

Modified date:
27 April 2022