Securing a Proxy Service in WSO2 ESB - 1 (Using Hashed Passwords in Username Token)

WSO2 ESB is a popular proxy service engine that you can use to proxy backend services and expose them as SOAP-based web services. It provides QoS for proxy services, so you can apply WS-Security policies to them in a straightforward manner.

There are several pre-defined WS-Security policies in the ESB that you can apply to proxy services, and it also lets you apply custom policies. Here we are going to apply a username token policy with hashed (digest) passwords to WSO2 ESB (by default the ESB ships with a username token policy that uses plain-text passwords). Please note that the ESB is shipped by default with a JDBC-based user store that holds salted SHA-256 password hashes. If you are using SHA-256 passwords, it is not possible to validate the password digest in the username token, because the server has to recompute the digest from the plain-text password. Therefore you need to store passwords in plain text. (It is not recommended to use plain-text passwords; I guess it is better to encrypt them and use that.)

Let's go through it step by step.

Step 1. Download and extract a fresh distribution of WSO2 ESB. You can download it from here.

Step 2. Configure plain-text passwords in WSO2 ESB. Open the user-mgt.xml file, which can be found in the <ESB_HOME>/repository/conf directory. Please comment out the following two properties under the org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager user store configuration.

<Property name="PasswordDigest">SHA-256</Property>
<Property name="StoreSaltedPassword">true</Property>

Step 3. Deploy a password callback class that supports hashed password validation. Please copy this jar file into the <ESB_HOME>/repository/components/dropins directory. You can find the source code of this password callback class here. You can make any changes you wish and build it with Maven 3.

Step 4. Start the server.

Step 5. Log in to the ESB management console and upload the custom policy file into the registry. You can find the policy file here. You can upload it using the registry browser UI into the governance or config registry collections.

Step 6. Create the secure proxy.

Please select the Secure Proxy option when creating the proxy.

Secure the proxy service by pointing it to the uploaded policy file.

Now you have created the secured proxy service. You can invoke this service using SOAP UI. Please use the following parameters to create a username token with a hashed password in SOAP UI:

Username: admin
Password: admin
WSS-Password Type: PasswordDigest
WSS Time to Live: 2000

If you trace the message, it would look like the following:

<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsu:Timestamp wsu:Id="TS-12">
    <wsu:Created>2014-03-19T18:27:10Z</wsu:Created>
    <wsu:Expires>2014-03-19T18:30:30Z</wsu:Expires>
  </wsu:Timestamp>
  <wsse:UsernameToken wsu:Id="UsernameToken-11">
    <wsse:Username>admin</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">wmIaYa/iWOwcUB52RkqL5IjL/Fw=</wsse:Password>
    <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">p7fuERBfoyPuHj0HRbSxnA==</wsse:Nonce>
    <wsu:Created>2014-03-19T18:27:10.433Z</wsu:Created>
  </wsse:UsernameToken>
</wsse:Security>
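The trace above is what the password callback has to validate: the Password element is Base64(SHA-1(nonce + created + password)) as defined by the WSS Username Token Profile 1.0, so the server can only recompute it if it holds the plain-text password, which is why the user store was switched away from salted SHA-256. The following Python is an added example written for this post, not the ESB's or the callback class's own code; it builds a digest the way SOAP UI does and verifies it the way the callback must, including the Created window and nonce-replay checks. The user store dictionary, the 300-second window and the nonce cache are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# WSS UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password))
def password_digest(nonce: bytes, created: str, password: str) -> str:
    h = hashlib.sha1()
    h.update(nonce)                      # the raw nonce bytes, not their Base64 text
    h.update(created.encode("utf-8"))    # the wsu:Created string exactly as sent
    h.update(password.encode("utf-8"))   # the plain-text password
    return base64.b64encode(h.digest()).decode("ascii")

def build_token(username: str, password: str, created: Optional[str] = None) -> dict:
    """Client side: what SOAP UI does for WSS-Password Type = PasswordDigest."""
    nonce = secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "Password": password_digest(nonce, created, password)}

def _parse_created(value: str) -> datetime:
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

class DigestVerifier:
    """Server side (the role of the password callback). It needs the plain-text
    password: a store holding salted SHA-256 hashes cannot recompute
    SHA-1(nonce + created + password), so the digest could never be checked."""
    def __init__(self, plaintext_user_store: dict, ttl_seconds: int = 300):
        self.store = plaintext_user_store          # assumed: {username: plain password}
        self.ttl = timedelta(seconds=ttl_seconds)  # assumed freshness window
        self.seen_nonces = set()                   # replay cache; prune by ttl in real use

    def verify(self, token: dict, now: Optional[datetime] = None) -> bool:
        plain = self.store.get(token["Username"])
        if plain is None:
            return False                           # unknown user
        now = now or datetime.now(timezone.utc)
        if abs(now - _parse_created(token["Created"])) > self.ttl:
            return False                           # stale or future-dated token
        if token["Nonce"] in self.seen_nonces:
            return False                           # replayed nonce
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], plain)
        if not hmac.compare_digest(expected, token["Password"]):
            return False                           # wrong password or tampered fields
        self.seen_nonces.add(token["Nonce"])
        return True
```

Plugging the Nonce, Created and Username values from a captured header into `DigestVerifier.verify` with a suitably old `now` shows exactly what the callback class has to compute against the user store.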