WS-Security username password cleartext header being treated as username digest when nonce and created elements are included in the header. (Legacy_Onyx KB Id: 240003)

Document ID : KB000054948
Last Modified Date : 14/02/2018

Description:

Hi,

I have a question about WS-Security UsernameToken with a clear password. When I have a UsernameToken with a password of PasswordText type with the two optional elements Nonce and Created, TransactionMinder thinks the password is of the type digest and tries to unobscure the value.

<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Username xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">leggettc</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">password</wsse:Password>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2006-10-10T00:51:06.454Z</wsu:Created>
<wsse:Nonce xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">SJjeOjZ9SGaO44tHSTgM8Q==</wsse:Nonce>
</wsse:UsernameToken>
</wsse:Security>

2006-10-09 20:51:09,068 [DEBUG] handler.authentication.WSSecurityUsernameAuthHandler 2149e780-1554-452aee7c-155c-0303254c - Username digest values for creds.Password(digest): password creds.certUserDN(nonce): SJjeOjZ9SGaO44tHSTgM8Q== creds.certIssuerDN(created): 2006-10-10T00:51:06.454Z

When the header value does not include the Nonce and Created tags, TransactionMinder does not try to decrypt the password.

<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Username xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">leggettc</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">password</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>

2006-10-09 20:51:14,974 [INFO] handler.authentication.WSSecurityUsernameAuthHandler 2149e780-1554-452aee82-155c-03bf19ce - Found a no-digest username token

Is TransactionMinder not evaluating the password type?

Attached is the TransactionMinder log.


Solution:

This problem is fixed in TransactionMinder 6.0 CR17. This version requires the 6.0 SP5 CR06 Policy Server, Policy Server Option Pack, and the 6QMR5 CR06 Web Agent.
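For reference, the handling the OASIS WSS Username Token Profile 1.0 calls for, as an added example that is not part of this KB article and is not TransactionMinder code: the wsse:Password Type attribute (which defaults to PasswordText when absent) decides how the password is interpreted; wsse:Nonce and wsu:Created are optional alongside PasswordText and are only required for PasswordDigest, where Password_Digest = Base64(SHA-1(nonce + created + password)) with the nonce taken as its decoded bytes. The example below dispatches on the Type attribute rather than on the presence of Nonce/Created, so the first header from the question is compared in the clear, and it adds the freshness and replay checks a digest verifier needs. The credential store, the SOAP-ENV namespace declaration (added so the headers parse stand-alone), the 5-minute freshness window and the nonce cache are assumptions of the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = PROFILE + "#PasswordText"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # assumed; the KB headers leave this prefix undeclared

USERS = {"leggettc": "password"}   # constructed credential store; the article only shows the user name
MAX_SKEW = timedelta(minutes=5)    # assumed freshness window for wsu:Created


def password_digest(nonce_b64, created, password):
    """Password_Digest = Base64(SHA-1(nonce + created + password)); nonce as its decoded bytes."""
    raw = base64.b64decode(nonce_b64, validate=True) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_security_header(username, password, ptype, nonce_b64=None, created=None):
    """Emit a wsse:Security header shaped like the ones in the article."""
    parts = [f'<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:SOAP-ENV="{SOAP_ENV}" '
             f'xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>',
             f"<wsse:Username>{escape(username)}</wsse:Username>",
             f'<wsse:Password Type="{ptype}">{escape(password)}</wsse:Password>']
    if created is not None:
        parts.append(f"<wsu:Created>{created}</wsu:Created>")
    if nonce_b64 is not None:
        parts.append(f"<wsse:Nonce>{nonce_b64}</wsse:Nonce>")
    return "".join(parts) + "</wsse:UsernameToken></wsse:Security>"


def parse_created(created):
    """Parse the wsu:Created xsd:dateTime (UTC, optional fractional seconds)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable wsu:Created")


def authenticate(header_xml, now=None, seen_nonces=None):
    """Return (ok, reason). Dispatch is on wsse:Password/@Type, never on Nonce/Created presence."""
    root = ET.fromstring(header_xml)  # for untrusted SOAP, prefer a hardened parser such as defusedxml
    tok = root.find(f"{{{WSSE}}}UsernameToken")
    if tok is None:
        return False, "no UsernameToken"
    user_el, pw_el = tok.find(f"{{{WSSE}}}Username"), tok.find(f"{{{WSSE}}}Password")
    if user_el is None or pw_el is None or not user_el.text:
        return False, "malformed UsernameToken"
    ptype = pw_el.get("Type", PASSWORD_TEXT)  # profile default when Type is absent
    nonce_el, created_el = tok.find(f"{{{WSSE}}}Nonce"), tok.find(f"{{{WSU}}}Created")
    nonce = nonce_el.text if nonce_el is not None else None
    created = created_el.text if created_el is not None else None
    supplied = (pw_el.text or "").encode()
    expected = USERS.get(user_el.text)
    if expected is None:
        return False, "unknown user"

    if ptype == PASSWORD_TEXT:
        # Nonce and Created are optional here and do not change how the password is read.
        return hmac.compare_digest(supplied, expected.encode()), "cleartext"

    if ptype == PASSWORD_DIGEST:
        if nonce is None or created is None:
            return False, "digest requires Nonce and Created"
        try:
            if abs((now or datetime.now(timezone.utc)) - parse_created(created)) > MAX_SKEW:
                return False, "Created outside freshness window"
            ok = hmac.compare_digest(supplied, password_digest(nonce, created, expected).encode())
        except ValueError:
            return False, "malformed Nonce or Created"
        if seen_nonces is not None:
            if nonce in seen_nonces:
                return False, "nonce replayed"
            if ok:
                seen_nonces.add(nonce)
        return ok, "digest"

    return False, "unsupported password type"


# Inputs constructed from the shapes shown in the article.
NONCE = "SJjeOjZ9SGaO44tHSTgM8Q=="
CREATED = "2006-10-10T00:51:06.454Z"
NOW = datetime(2006, 10, 10, 0, 51, 9, tzinfo=timezone.utc)
TEXT_WITH_NONCE = build_security_header("leggettc", "password", PASSWORD_TEXT, NONCE, CREATED)
TEXT_PLAIN = build_security_header("leggettc", "password", PASSWORD_TEXT)
DIGEST_OK = build_security_header("leggettc", password_digest(NONCE, CREATED, "password"),
                                  PASSWORD_DIGEST, NONCE, CREATED)

if __name__ == "__main__":
    seen = set()
    print(authenticate(TEXT_WITH_NONCE))                        # (True, 'cleartext')
    print(authenticate(TEXT_PLAIN))                             # (True, 'cleartext')
    print(authenticate(DIGEST_OK, now=NOW, seen_nonces=seen))   # (True, 'digest')
    print(authenticate(DIGEST_OK, now=NOW, seen_nonces=seen))   # (False, 'nonce replayed')
```

The cleartext branch deliberately ignores Nonce and Created: a PasswordText token carrying them is still a PasswordText token, which is the case the question reports being misclassified. Note that PasswordDigest only protects the password in transit if the server can recover the cleartext (or a digest-compatible form) to recompute the hash, and neither variant authenticates the message body, so in practice both are deployed over TLS.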