Metro Users Guide: Username with Digest Passwords example

23 replies [Last post]
Anonymous

Hello,

I'm really struggling getting the seemingly simple 'Username with Digest Passwords' example to work as documented here in the Metro Users Guide:
https://metro.dev.java.net/guide/Example_Applications.html#Example__User...

I run into a problem with step 1 of section 12.9.2 where the docs instruct to 'Click on Configure, select Support Hash Passwords'. This option is grayed out for me. I have downloaded metro 1.3.1, installed NetBeans 6.5 RC1 with JDK 1.6 update 7, glassfish v2 and Tomcat 6.

Could someone explain how to implement 'Username with Digest Passwords' - preferably on Tomcat. A pointer to a complete sample with client/server code would be ideal! There doesn't seem to be a clean example anywhere.

Thank you,
umk

Martin Grebac

Hi,
the tooling which supports Hash Password is NOT in NetBeans 6.1. It is
only in NetBeans 6.5. You can download latest NB6.5 release candidate at
http://www.netbeans.org.
MartinG

metro@javadesktop.org wrote:
> I have been trying to find any decent way of using the sun-java metro stack to implement ws-security with usernametoken with the option of username and digest password. I have found no working solution!! I browsed through numerous web-site and posted in several threads with no satisfactory answer. This thread looked like it might help. But no luck again! Here is what I did after going through the metro-guide and then all the emails here. I installed Netbeans6.1 on my laptop. I installed Tomcat 5.5.25. My jdk version is 1.6.03. I installed metro1.2 and made sure that the $catalina_home/shared//lib and the endorsed/lib contains the metro jars. I setup the target server as the installed tomcat 5.5.25. The server config window suggested that " the change will take effect next time the server starts." Which I interpreted as running the tomcat instance. I did that. exited netbeans and re-started netbeans. Then I created a webapplication project and then a web-service. added a trivial operation to it. Then I followed the metro-guide for setting up digest password. And again, after I chose the "symmetric key blah blah.." and then clicked configure I did not see any such option as "select Support Hash Password". At this point, I am seriously doubting that the metro-stack, with or without the use of NetBeans, at all allow developers to setup digest password for web-service. Is that a documentation error or a wish-list in metro?? Are there really any unambiguous instruction/example where it shows how to configure a WS-Security based UsernameToken with username/digest password with no symmetric key stuff (Sun should let the implementer be the judge of that. there is no requirement in ws-security standards that a web-service must follow symmetric key encryption where it uses username/digest)? Please can anybody point me to a documentation that works every time on how to set this up in metro/tomcat combo?
> [Message sent by forum member 'santool123' (santool123)]
>
> http://forums.java.net/jive/thread.jspa?messageID=315081
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
> For additional commands, e-mail: users-help@metro.dev.java.net
>
>

--
Martin Grebac, http://blogs.sun.com/mgrebac

Web Technologies & Standards
Sun Microsystems Czech

ICQ: 93478885


Glen Mazza

What I would do, to save your sanity, is *not* use Tomcat within NetBeans and
*don't* put anything in your catalina/home/shared/lib folder. Just use
GlassFish when creating your web service in NetBeans, then place the Metro
JARs in the web-inf/lib of your web service WAR, and you should be able to
deploy the WAR manually to Tomcat. If you're using Tomcat, IMO NetBeans
should be just for creating the policy files.

http://www.jroller.com/gmazza/entry/implementing_ws_security_using_usern...
http://www.jroller.com/gmazza/date/20080814 (Step #4 and #5 are more
up-to-date than above).

Glen

metro-3 wrote:
>
> I have been trying to find any decent way of using the sun-java metro
> stack to implement ws-security with usernametoken with the option of
> username and digest password. I have found no working solution!! I browsed
> through numerous web-site and posted in several threads with no
> satisfactory answer. This thread looked like it might help. But no luck
> again! Here is what I did after going through the metro-guide and then
> all the emails here. I installed Netbeans6.1 on my laptop. I installed
> Tomcat 5.5.25. My jdk version is 1.6.03. I installed metro1.2 and made
> sure that the $catalina_home/shared//lib and the endorsed/lib contains the
> metro jars. I setup the target server as the installed tomcat 5.5.25. The
> server config window suggested that " the change will take effect next
> time the server starts." Which I interpreted as running the tomcat
> instance. I did that. exited netbeans and re-started netbeans. Then I
> created a webapplication project and then a web-service. added a trivial
> operation to it. Then I followed the metro-guide for setting up digest
> password. And again, after I chose the "symmetric key blah blah.." and
> then clicked configure I did not see any such option as "select Support
> Hash Password". At this point, I am seriously doubting that the
> metro-stack, with or without the use of NetBeans, at all allow developers
> to setup digest password for web-service. Is that a documentation error or
> a wish-list in metro?? Are there really any unambiguous instruction/example
> where it shows how to configure a WS-Security based UsernameToken with
> username/digest password with no symmetric key stuff (Sun should let the
> implementer be the judge of that. there is no requirement in ws-security
> standards that a web-service must follow symmetric key encryption where it
> uses username/digest)? Please can anybody point me to a documentation that
> works every time on how to set this up in metro/tomcat combo?
> [Message sent by forum member 'santool123' (santool123)]
>
> http://forums.java.net/jive/thread.jspa?messageID=315081
>

--
View this message in context: http://www.nabble.com/Metro-Users-Guide%3A-Username-with-Digest-Password...
Sent from the Metro - Users mailing list archive at Nabble.com.


Martin Grebac

Hi,
there are three checks in NB which may be causing troubles to you:

First & Second checks are for METRO version installed on Tomcat. You must
have METRO 1.3 at least. Is it so? When METRO 1.3 and above is detected,
the combobox in the QoS dialog is enabled with two options: .NET
3.5/METRO1.3 or .NET3.0/METRO1.0. The Hash Password is enabled only for
.NET 3.5 ... version.

The other check is that the security profile has to be set to Username
Authentication but I believe you have that one selected fine.

MartinG

metro@javadesktop.org wrote:
> Fabian: the metro 1.3.1 metro-on-tomcat.xml Ant build doesn't work for Tomcat 6 because the Tomcat folders have changed since Tomcat 5.5 - but that's not really my problem.
>
> The real issue is that I cannot configure a web service for Username with Digest passwords using NetBeans. The metro docs are not in sync with NetBeans.
>
> I would really like to see a simple Username/Digest example. Why can I not find one? The only reason I was using NetBeans is because it's the closest documentation I've found on this topic.
>
> Does anyone have a working Username/Digest example?
>
> Thank you.
> [Message sent by forum member 'umk' (umk)]
>
> http://forums.java.net/jive/thread.jspa?messageID=313434
>

--
Martin Grebac, http://blogs.sun.com/mgrebac

Web Technologies & Standards
Sun Microsystems Czech

ICQ: 93478885


umk
Offline
Joined: 2008-10-09
Points: 0

Martin: I really appreciate your reply and everyone else who is trying to help. I'm just surprised at how many folks have replied to my posting and I'm still no closer to an answer.

Let me address the points in your posting: I am running Metro v1.3.1, NetBeans 6.5 RC1, Tomcat 6.0.18 and JDK 1.6u7. In addition, the Tomcat install script doesn't support Tomcat 6 so the Metro libraries are not installed into the Tomcat lib folder. Even if I copy them manually to tomcat_home/lib (and restart NetBeans), the combobox you mentioned still does not enable.

Please, someone help me! Thank you.

Martin Grebac

Hmm, when I tried it on my Tomcat 6, I had the Metro libraries in
shared/lib folder.
MartinG

metro@javadesktop.org wrote:
> Martin: I really appreciate your reply and everyone else who is trying to help. I'm just surprised at how many folks have replied to my posting and I'm still no closer to an answer.
>
> Let me address the points in your posting: I am running Metro v1.3.1, NetBeans 6.5 RC1, Tomcat 6.0.18 and JDK 1.6u7. In addition, the Tomcat install script doesn't support Tomcat 6 so the Metro libraries are not installed into the Tomcat lib folder. Even if I copy them manually to tomcat_home/lib (and restart NetBeans), the combobox you mentioned still does not enable.
>
> Please, someone help me! Thank you.
> [Message sent by forum member 'umk' (umk)]
>
> http://forums.java.net/jive/thread.jspa?messageID=313719
>

--
Martin Grebac, http://blogs.sun.com/mgrebac

Web Technologies & Standards
Sun Microsystems Czech

ICQ: 93478885


umk
Offline
Joined: 2008-10-09
Points: 0

> Hmm, when I tried it on my Tomcat 6, I had the Metro
> libraries in
> shared/lib folder.
> MartinG

You must have created shared/lib?? Tomcat by default doesn't install with a shared/lib folder. I'm not the only one who has noticed this. See this posting, paragraph 3: http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x

Martin Grebac

In order to let NB recognize the Metro installation in Tomcat, you have
to put the jars into the shared/lib folder. Don't need to register the
folder anywhere in Tomcat if you have the files in lib folder as well.
MartinG

metro@javadesktop.org wrote:
>> Hmm, when I tried it on my Tomcat 6, I had the Metro
>> libraries in
>> shared/lib folder.
>> MartinG
>>
>
> You must have created shared/lib?? Tomcat by default doesn't install with a shared/lib folder. I'm not the only one who has noticed this. See this posting, paragraph 3: http://blogs.sun.com/arungupta/entry/metro_on_tomcat_6_x
> [Message sent by forum member 'umk' (umk)]
>
> http://forums.java.net/jive/thread.jspa?messageID=313729
>

--
Martin Grebac, http://blogs.sun.com/mgrebac

Web Technologies & Standards
Sun Microsystems Czech

ICQ: 93478885


umk
Offline
Joined: 2008-10-09
Points: 0

Martin: I just wanted to leave a note that you were correct about NB allowing me to check the Hash Passwords checkbox once I manually created the Tomcat6/shared/lib folder and copied the metro JARs to it. Thanks.

> In order to let NB recognize the Metro installation
> in Tomcat, you have
> to put the jars into the shared/lib folder. Don't need
> to register the
> folder anywhere in Tomcat if you have the files in
> lib folder as well.
> MartinG

Martin Grebac

Cool, thanks for update. I'll file an issue for NB to improve its T6
support.
MartinG

metro@javadesktop.org wrote:
> Martin: I just wanted to leave a note that you were correct about NB allowing me to check the Hash Passwords checkbox once I manually created the Tomcat6/shared/lib folder and copied the metro JARs to it. Thanks.
>
>
>> In order to let NB recognize the Metro installation
>> in Tomcat, you have
>> to put the jars into the shared/lib folder. Don't need
>> to register the
>> folder anywhere in Tomcat if you have the files in
>> lib folder as well.
>> MartinG
>>
> [Message sent by forum member 'umk' (umk)]
>
> http://forums.java.net/jive/thread.jspa?messageID=314544
>

--
Martin Grebac, http://blogs.sun.com/mgrebac

Web Technologies & Standards
Sun Microsystems Czech

ICQ: 93478885


santool123
Offline
Joined: 2004-04-21
Points: 0

I have been trying to find any decent way of using the sun-java metro stack to implement ws-security with usernametoken with the option of username and digest password. I have found no working solution!! I browsed through numerous web-site and posted in several threads with no satisfactory answer. This thread looked like it might help. But no luck again! Here is what I did after going through the metro-guide and then all the emails here. I installed Netbeans6.1 on my laptop. I installed Tomcat 5.5.25. My jdk version is 1.6.03. I installed metro1.2 and made sure that the $catalina_home/shared//lib and the endorsed/lib contains the metro jars. I setup the target server as the installed tomcat 5.5.25. The server config window suggested that " the change will take effect next time the server starts." Which I interpreted as running the tomcat instance. I did that. exited netbeans and re-started netbeans. Then I created a webapplication project and then a web-service. added a trivial operation to it. Then I followed the metro-guide for setting up digest password. And again, after I chose the "symmetric key blah blah.." and then clicked configure I did not see any such option as "select Support Hash Password". At this point, I am seriously doubting that the metro-stack, with or without the use of NetBeans, at all allow developers to setup digest password for web-service. Is that a documentation error or a wish-list in metro?? Are there really any unambiguous instruction/example where it shows how to configure a WS-Security based UsernameToken with username/digest password with no symmetric key stuff (Sun should let the implementer be the judge of that. there is no requirement in ws-security standards that a web-service must follow symmetric key encryption where it uses username/digest)? Please can anybody point me to a documentation that works every time on how to set this up in metro/tomcat combo?

jdg6688
Offline
Joined: 2005-11-02
Points: 0

Currently you have to have a SymmetricBinding, AsymmetricKey or a TransportBinding.

An issue has been filed for this restriction:

https://wsit.dev.java.net/issues/show_bug.cgi?id=1054

Glen Mazza

I have username and clear password (over ssl though) example with Tomcat, but
not password digest:
http://www.jroller.com/gmazza/entry/implementing_ws_security_using_usern...

Perhaps you can modify what I have, with NetBeans, to get a
username/password digest version.

HTH,
Glen

Parham, Clinton wrote:
>
> Could someone explain how to implement 'Username with Digest Passwords' -
> preferably on Tomcat. A pointer to a complete sample with client/server
> code would be ideal! There doesn't seem to be a clean example anywhere.
>


umk
Offline
Joined: 2008-10-09
Points: 0

Glen: thanks for the suggestion but I've already spent quite a bit of time on this and keep running into problems when taking code that is 'almost what I need' and modifying it. You seem more competent and I'm still very much a newbie. Any chance you could take a shot at it? I'm sure others would be grateful too.

(BTW: I'm not looking for the policy to require SSL either. During development, we need to see the HTTP traffic to help with possible troubleshooting. SSL will be enabled during testing/deployment)

Message was edited by: umk

Glen Mazza

Sorry, haven't had a need to research it. Are you sure you want password
digest over just encrypting the cleartext password with the service's public
key? Using digest would appear to require that your web service provider
announce (via the wsp:Policy) the hash method used to store passwords in
your data store and does incur some processing overhead.

Glen

metro-3 wrote:
>
> Glen: thanks for the suggestion but I've already spent quite a bit of time
> on this and keep running into problems when taking code that is 'almost
> what I need' and modifying it. You seem more competent and I'm still very
> much a newbie. Any chance you could take a shot at it? I'm sure others
> would be grateful too.
> [Message sent by forum member 'umk' (umk)]
>
> http://forums.java.net/jive/thread.jspa?messageID=313546
>


umk
Offline
Joined: 2008-10-09
Points: 0

Glen: you make a good point regarding the hash approach. Here's my goal: I need to authenticate web service users with minimal client side requirements i.e. avoid client side keystores. During development, it's often useful to see the actual SOAP going over the wire - I cannot enforce SSL at this stage. I thought the simplest approach would be to use username/digest password and once working, secure it by turning on SSL.

I took another look at your blog posting referenced earlier (http://www.jroller.com/gmazza/entry/implementing_ws_security_using_usern...), but it appears that SSL must be enabled for it to work. Right?

>
> Sorry, haven't had a need to research it. Are you
> sure you want password
> digest over just encrypting the cleartext password
> with the service's public
> key? Using digest would appear to require that your
> web service provider
> announce (via the wsp:Policy) the hash method used to
> store passwords in
> your data store and does incur some processing
> overhead.
>
> Glen

Glen Mazza

metro-3 wrote:
>
> Glen: you make a good point regarding the hash approach. Here's my goal: I
> need to authenticate web service users with minimal client side
> requirements i.e. avoid client side keystores. During development, it's
> often useful to see the actual SOAP going over the wire - I cannot enforce
> SSL at this stage. I thought the simplest approach would be to use
> username/digest password and once working, secure it by turning on SSL.
>
> I took another look at your blog posting referenced earlier
> (http://www.jroller.com/gmazza/entry/implementing_ws_security_using_usern...),
> but it appears that SSL must be enabled for it to work. right?
>

With Metro, yes--as it should. It's just a safety mechanism--they don't
want newbies to be programming username tokens but forgetting to turn on the
SSL once they get to production. AFAIK even digest is going to require SSL.

My read is that you don't need digest authentication--just use clear
passwords encrypted with the public key of the web service provider.

My recommendation is to make sure your web service, pre-security, is working
properly--search my blog for "wireshark" as a nice debugging tool--and then
turn on the SSL with the username tokens.

Glen


umk
Offline
Joined: 2008-10-09
Points: 0

> With Metro, yes--as it should. It's just a safety
> mechanism--they don't
> want newbies to be programming username tokens but
> forgetting to turn on the
> SSL once they get to production. AFAIK even digest
> is going to require SSL.

I'm not sure I like this. In my experience it's been useful to see the web service traffic, pre-encryption, to prove that things are working as expected. In the past I've seen how Axis doesn't execute MTOM properly when its security module is also enabled. With encryption turned on, it may have taken longer to figure it out.

> My read is that you don't need digest
> authentication--just use clear
> passwords encrypted with the public key of the web
> service provider.
>
> My recommendation is to make sure your web service,
> pre-security, is working
> properly--search my blog for "wireshark" as a nice
> debugging tool--and then
> turn on the SSL with the username tokens.
>
> Glen

I'll run with your suggestion. Thank you.

Fabian Ritzmann

On 23. Oct 2008, at 23:48, Parham, Clinton wrote:

> I’m really struggling getting the seemingly simple ‘Username with
> Digest Passwords’ example to work as documented here in the Metro
> Users Guide:
> https://metro.dev.java.net/guide/Example_Applications.html#Example__Username_with_Digest_Passwords
>
> I run into a problem with step 1 of section 12.9.2 where the docs
> instruct to ‘Click on Configure, select Support Hash Passwords’.
> This option is grayed out for me. I have downloaded metro 1.3.1,
> installed NetBeans 6.5 RC1 with JDK 1.6 update 7, glassfish v2 and
> Tomcat 6.
>
> Could someone explain how to implement ‘Username with Digest
> Passwords’ – preferably on Tomcat. A pointer to a complete sample
> with client/server code would be ideal! There doesn’t seem to be a
> clean example anywhere.

First install Metro into Tomcat by running the metro-on-tomcat.xml Ant
build file that comes with the Metro distribution. Then register your
installation of Tomcat with NetBeans (in the Services tab on the left-
hand side right-click on Servers and select Add Server...). Then make
sure your project in NetBeans has this server configured (go to the
Projects tab, right-click on the project, select Properties and
somewhere there you should be able to select your instance of Tomcat
for this project).

FWIW, it's not impossible that you've bumped into a NetBeans bug. I've
found two minor issues myself.

Fabian


umk
Offline
Joined: 2008-10-09
Points: 0

Fabian: the metro 1.3.1 metro-on-tomcat.xml Ant build doesn't work for Tomcat 6 because the Tomcat folders have changed since Tomcat 5.5 - but that's not really my problem.

The real issue is that I cannot configure a web service for Username with Digest passwords using NetBeans. The metro docs are not in sync with NetBeans.

I would really like to see a simple Username/Digest example. Why can I not find one? The only reason I was using NetBeans is because it's the closest documentation I've found on this topic.

Does anyone have a working Username/Digest example?

Thank you.

jdg6688
Offline
Joined: 2005-11-02
Points: 0

Hi,

There is a sample here:

http://fisheye5.cenqua.com/browse/wsit/wsit/test/e2e/testcases/xwss/s17

You may find the client side configuration: wsit-client.xml
the server wsdl, and a sample password validator.

umk
Offline
Joined: 2008-10-09
Points: 0

jdg6688: I have taken a look at that code and the section in the PingServices17.wsdl about keystore/truststore is confusing me. Why are keystores/truststores needed for Username/Digest authentication? Thanks.

jdg6688
Offline
Joined: 2005-11-02
Points: 0

For this particular example, there is a ProtectionToken policy in the wsdl which states that you need to use the server and client certificates to protect the messages (do the encryption and signature for integrity and confidentiality). The username/password is only for authentication purpose. This is what the keystores/truststores.

You may choose other ways to protect the message like SSL.

What is your requirement?

umk
Offline
Joined: 2008-10-09
Points: 0

That's weird, I don't see ProtectionToken anywhere in the wsdl...

During development, I would like to use plain HTTP to make troubleshooting easier. Once we get to testing/deployment, the web service will operate over SSL. So, the only policy I would like to have in place initially is Username and Digest password.

Thanks.
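
The thread discusses sending a UsernameToken with a digest password over plain HTTP but never shows what the receiving service has to check. As an added example (not part of the thread, and not Metro or WSIT code), this Java 8+ class computes the digest defined by the OASIS UsernameToken Profile, Base64(SHA-1(nonce + created + password)), and applies the freshness and nonce-replay checks that matter when the token travels without SSL. The class name, the five-minute window and all sample values are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration of WSS UsernameToken PasswordDigest checking; not Metro/WSIT code. */
public class UsernameTokenDigestCheck {

    // Assumed freshness window for wsu:Created; pick a value that fits your clock skew.
    static final Duration MAX_AGE = Duration.ofMinutes(5);

    // Nonces accepted within the window, keyed by canonical Base64 of the decoded bytes.
    private final Map<String, Instant> seenNonces = new ConcurrentHashMap<>();

    /** Password_Digest = Base64( SHA-1( nonce + created + password ) ). */
    static String passwordDigest(byte[] nonce, String created, String password) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(nonce);
            sha1.update(created.getBytes(StandardCharsets.UTF_8));
            sha1.update(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(sha1.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is required on every Java platform", e);
        }
    }

    /** Returns true only for a fresh, correctly digested, never-before-seen token. */
    boolean verify(String nonceB64, String created, String digestB64,
                   String storedPassword, Instant now) {
        byte[] nonce, presented;
        Instant createdAt;
        try {
            nonce = Base64.getDecoder().decode(nonceB64);
            createdAt = Instant.parse(created);
            presented = digestB64.getBytes(StandardCharsets.US_ASCII);
        } catch (RuntimeException malformed) {   // bad Base64, bad timestamp, or null field
            return false;
        }
        // Freshness: bounds how long a captured token stays usable and how long nonces are kept.
        if (createdAt.isBefore(now.minus(MAX_AGE)) || createdAt.isAfter(now.plus(MAX_AGE))) {
            return false;
        }
        // The server recomputes the digest, so it must hold the same password value the
        // client hashed (cleartext or an agreed password equivalent); a one-way salted
        // hash that the client cannot reproduce will not verify.
        byte[] expected = passwordDigest(nonce, created, storedPassword)
                .getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, presented)) {   // constant-time comparison
            return false;
        }
        // Replay check runs only after the digest verifies, so unauthenticated senders
        // cannot fill the cache. Re-encoding the nonce defeats padding/encoding variants.
        seenNonces.values().removeIf(seenAt -> seenAt.isBefore(now.minus(MAX_AGE)));
        String canonicalNonce = Base64.getEncoder().encodeToString(nonce);
        return seenNonces.putIfAbsent(canonicalNonce, now) == null;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        Instant now = Instant.parse("2008-10-23T21:50:00Z");
        String created = "2008-10-23T21:48:00Z";
        byte[] nonceBytes = "constructed-nonce-0001".getBytes(StandardCharsets.UTF_8);
        String nonceB64 = Base64.getEncoder().encodeToString(nonceBytes);
        String digest = passwordDigest(nonceBytes, created, "example-password");

        UsernameTokenDigestCheck server = new UsernameTokenDigestCheck();
        System.out.println("first use:      " + server.verify(nonceB64, created, digest, "example-password", now));
        System.out.println("replayed:       " + server.verify(nonceB64, created, digest, "example-password", now));
        System.out.println("wrong password: " + server.verify(nonceB64, created, digest, "other-password", now));
        System.out.println("stale token:    "
                + server.verify(nonceB64, created, digest, "example-password", now.plus(Duration.ofHours(1))));
    }
}
```

Only the first call is accepted. The digest hides the password from a passive observer but does not protect the SOAP body, which still needs SSL or message-level protection.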