Posted to fx-dev@ws.apache.org by "Nelis Bijl (JIRA)" <ji...@apache.org> on 2006/07/18 09:57:13 UTC
[jira] Created: (WSS-49) Allow digested password when using SIGN_WITH_UT_KEY
Allow digested password when using SIGN_WITH_UT_KEY
---------------------------------------------------
Key: WSS-49
URL: http://issues.apache.org/jira/browse/WSS-49
Project: WSS4J
Issue Type: Improvement
Environment: Java client vs .NET WSE 2.0 SP3 server
Reporter: Nelis Bijl
Assigned To: Davanum Srinivas
Signing with UsernameToken (.NET feature supported through the SIGN_WITH_UT_KEY flag) hardcodes the password to be 'plain text'.
org.apache.ws.security.action.UsernameTokenSignedAction.java :
    ...
    WSSecUsernameToken builder = new WSSecUsernameToken();
    builder.setWsConfig(reqData.getWssConfig());
    /* proposal: allow digested passwords when using UsernameToken signing
     *
     * replace:
     *
     *     builder.setPasswordType(WSConstants.PASSWORD_TEXT);
     *
     * with:
     */
    builder.setPasswordType(reqData.getPwType());
    builder.setUserInfo(reqData.getUsername(), password);
    builder.addCreated();
    ...
In case of a digested password, however, the signing is not recognized as valid by .NET WSE 2.0. This is caused by the fact that 'org.apache.ws.security.message.token.UsernameToken.getSecretKey(int keylen, String labelString)' uses the digested password for hashing, whereas the 'plain text' password should be used to satisfy .NET.
    public byte[] getSecretKey(int keylen, String labelString) {
        byte[] key = null;
        try {
            Mac mac = Mac.getInstance("HMACSHA1");
            /* proposal: use 'plain text' password for hashing
             *
             * replace:
             *
             *     byte[] password = getPassword().getBytes("UTF-8");
             *
             * with:
             */
            byte[] password = plainTextPwd.getBytes("UTF-8");
            ...
where plainTextPwd is a private String member that is set in 'setPassword'.
These changes work for me. However, I cannot oversee the full impact. I hope this feature will be implemented because customers won't like needing customized JARs to call our web service.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Assigned: (WSS-49) Allow digested password when using SIGN_WITH_UT_KEY
Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-49?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Fred Dushin reassigned WSS-49:
------------------------------
Assignee: Fred Dushin
[jira] Commented: (WSS-49) Allow digested password when using SIGN_WITH_UT_KEY
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-49?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12587923#action_12587923 ]
Colm O hEigeartaigh commented on WSS-49:
----------------------------------------
This issue is a duplicate of:
https://issues.apache.org/jira/browse/WSS-83
Since a patch for WSS-83 has already been applied, this issue can be marked fixed and closed.
[jira] Resolved: (WSS-49) Allow digested password when using SIGN_WITH_UT_KEY
Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-49?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Fred Dushin resolved WSS-49.
----------------------------
Resolution: Duplicate
[jira] Updated: (WSS-49) Allow digested password when using SIGN_WITH_UT_KEY
Posted by "Davanum Srinivas (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-49?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Davanum Srinivas updated WSS-49:
--------------------------------
Assignee: (was: Davanum Srinivas)