Posted to wss4j-dev@ws.apache.org by "Sérgio Patrício (JIRA)" <ji...@apache.org> on 2008/06/06 17:11:45 UTC
[jira] Created: (WSS-127) No way of signing with UsernameToken without sending the password
No way of signing with UsernameToken without sending the password
-----------------------------------------------------------------
Key: WSS-127
URL: https://issues.apache.org/jira/browse/WSS-127
Project: WSS4J
Issue Type: Bug
Reporter: Sérgio Patrício
Assignee: Ruchith Udayanga Fernando
When signing a message using a UsernameToken, it should be possible not to send the password.
For example, in the UsernameTokenSignedAction a secret key from the UsernameToken is used.
When building the security header the password goes in the UsernameToken; this way all the elements required to create the secret key (password+nonce+created) go in the SOAP message, and then the signature can be easily faked.
My suggestion is that, in the following example code, it be allowed to set the password when the password type is set to null (currently it has to be null).
import org.apache.ws.security.message.WSSecUsernameToken;
// Proposed usage: a password is given to the builder, but with the password
// type set to null it would not be written into the UsernameToken element.
WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setUserInfo("user", "password");
builder.setPasswordType(null);
builder.build(doc, secHeader);
Some additional comments on this are on JIRA WSS-68.
Note: I started working with WSS4J just a few weeks ago, sorry if something in the JIRA is wrong.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Updated: (WSS-127) No way of signing with UsernameToken without sending the password
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated WSS-127:
------------------------------------
Fix Version/s: 1.5.5 (was: 1.5.4)
Affects Version/s: 1.5.4 (was: 1.5.5)
> No way of signing with UsernameToken without sending the password
> -----------------------------------------------------------------
>
> Key: WSS-127
> URL: https://issues.apache.org/jira/browse/WSS-127
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.4
> Reporter: Sérgio Patrício
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.5
>
> Attachments: ut_key_deriv.xml, wss4j_wss127.patch
[jira] Resolved: (WSS-127) No way of signing with UsernameToken without sending the password
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved WSS-127.
-------------------------------------
Resolution: Fixed
There are now two different ways of using a derived key to sign a message, without sending the password, as the old UT_SIGN functionality does, so I'm closing this issue.
> No way of signing with UsernameToken without sending the password
> -----------------------------------------------------------------
>
> Key: WSS-127
> URL: https://issues.apache.org/jira/browse/WSS-127
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.4
> Reporter: Sérgio Patrício
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.5
>
> Attachments: ut_key_deriv.xml, wss4j_wss127.patch
[jira] Updated: (WSS-127) No way of signing with UsernameToken without sending the password
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated WSS-127:
------------------------------------
Attachment: wss4j_wss127.patch
This patch adds functionality to derive a secret key from a UsernameToken to use with an HMAC, as detailed in the UsernameToken Profile 1.1. This functionality is only available programmatically, and not through WS-Handler. See the test in test\wssec\TestWSSecurityUTDK for more details.
e.g. on the outbound side:
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.WSSecUsernameToken;
import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.Document;
// doc is the SOAP envelope; secHeader is a WSSecHeader already inserted into it.
WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setUserInfo("bob", "security");
// Derive a MAC key (useMac = true) from the password with a fresh random salt
// and 1000 iterations; the token carries Salt and Iteration, not the password.
builder.addDerivedKey(true, null, 1000);
builder.prepare(doc);
byte[] derivedKey = builder.getDerivedKey();
WSSecSignature sign = new WSSecSignature();
sign.setSecretKey(derivedKey);
// Reference the UsernameToken from the signature's KeyInfo by its wsu:Id.
sign.setCustomTokenId(builder.getId());
sign.setCustomTokenValueType(WSConstants.USERNAMETOKEN_NS + "#UsernameToken");
sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
// No Crypto instance is needed for a symmetric key.
Document signedDoc = sign.build(doc, null, secHeader);
// Place the UsernameToken ahead of the Signature in the security header.
builder.prependToHeader(secHeader);
On the inbound side:
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
WSSConfig cfg = WSSConfig.getNewInstance();
cfg.setHandleCustomPasswordTypes(true); // accept a token without a digest/text password
secEngine.setWssConfig(cfg);
// actor null, "this" is the test's CallbackHandler supplying bob's password, Crypto null.
secEngine.processSecurityHeader(doc, null, this, null);
> No way of signing with UsernameToken without sending the password
> -----------------------------------------------------------------
>
> Key: WSS-127
> URL: https://issues.apache.org/jira/browse/WSS-127
> Project: WSS4J
> Issue Type: Bug
> Reporter: Sérgio Patrício
> Assignee: Ruchith Udayanga Fernando
> Attachments: ut_key_deriv.xml, wss4j_wss127.patch
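Added example, not from the issue, the patch or WSS4J: the UsernameToken Profile 1.1 key derivation that the patch comment above refers to, written in Python with a sender that puts only Salt and Iteration in the token and a receiver that re-derives the key from a password it already holds. It also covers the reporter's point: with no Password in the message, an observer cannot recompute the key from the message alone, but because Salt, Iteration, body and MAC are all visible, a weak password can still be found by offline guessing, which offline_guess shows. The dict-of-values message, the HMAC over the raw body instead of a canonicalised XML SignedInfo, the user/password "bob"/"security" taken from the test snippet, and the first-byte position of the salt label byte (WSS4J's layout) are assumptions of this example.

```python
"""Derived-key signing with a UsernameToken, per WS-Security UsernameToken
Profile 1.1 section 4: K1 = SHA1(password + salt), Ki = SHA1(K(i-1)),
1000 iterations by default.

Added example for WSS-127, not WSS4J code. The "message" is a dict of plain
values standing in for the SOAP header and body, and the MAC is HMAC-SHA1 over
the raw body rather than over a canonicalised XML SignedInfo.
"""
import base64
import hashlib
import hmac
import os
from typing import Any, Dict, Iterable, Optional

DEFAULT_ITERATION = 1000  # the profile's default iteration count
SALT_LABEL_MAC = 0x01     # key derived for a MAC (signing)
SALT_LABEL_ENC = 0x02     # key derived for encryption


def generate_salt(for_mac: bool = True, rng=os.urandom) -> bytes:
    """16-byte salt: random bytes with a usage label in position 0
    (assumed here; it is where WSS4J places the label byte)."""
    salt = bytearray(rng(16))
    salt[0] = SALT_LABEL_MAC if for_mac else SALT_LABEL_ENC
    return bytes(salt)


def derive_key(password: str, salt: bytes, iteration: int = DEFAULT_ITERATION) -> bytes:
    """Iterated SHA-1 over password || salt; the result is a 160-bit key."""
    if len(salt) != 16:
        raise ValueError("salt must be 16 bytes")
    if iteration < 1:
        raise ValueError("iteration count must be at least 1")
    k = hashlib.sha1(password.encode("utf-8") + salt).digest()
    for _ in range(iteration - 1):
        k = hashlib.sha1(k).digest()
    return k


def build_signed_message(username: str, password: str, body: bytes,
                         salt: Optional[bytes] = None,
                         iteration: int = DEFAULT_ITERATION) -> Dict[str, Any]:
    """Sender: a UsernameToken carrying Salt and Iteration but no Password,
    plus an HMAC-SHA1 over the body under the derived key."""
    if salt is None:
        salt = generate_salt(for_mac=True)
    key = derive_key(password, salt, iteration)
    mac = hmac.new(key, body, hashlib.sha1).digest()
    return {
        "UsernameToken": {
            "Username": username,
            "Salt": base64.b64encode(salt).decode("ascii"),
            "Iteration": iteration,
            # no "Password" entry: the key cannot be rebuilt from the message
            # alone, which was the weakness of the old UT_SIGN scheme
        },
        "Body": body,
        "SignatureValue": base64.b64encode(mac).decode("ascii"),
    }


def verify_signed_message(message: Dict[str, Any], password_store: Dict[str, str]) -> bool:
    """Receiver: look the password up by username (it never travels), re-derive
    the key from the transmitted Salt/Iteration and compare MACs in constant time."""
    token = message["UsernameToken"]
    password = password_store.get(token["Username"])
    if password is None:
        return False
    salt = base64.b64decode(token["Salt"])
    if len(salt) != 16 or salt[0] != SALT_LABEL_MAC:
        return False  # wrong size, or a key labelled for encryption
    iteration = int(token["Iteration"])
    if iteration < 1:
        return False
    key = derive_key(password, salt, iteration)
    expected = hmac.new(key, message["Body"], hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(message["SignatureValue"]))


def offline_guess(message: Dict[str, Any], candidates: Iterable[str]) -> Optional[str]:
    """What an eavesdropper can still do: Salt, Iteration, body and MAC are all
    in the message, so each candidate password costs only `iteration` SHA-1
    calls to test. Returns the first candidate that reproduces the MAC."""
    username = message["UsernameToken"]["Username"]
    for candidate in candidates:
        if verify_signed_message(message, {username: candidate}):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample input, reusing the user/password from the test snippet.
    store = {"bob": "security"}
    msg = build_signed_message("bob", "security", b"<ns:getQuote>IBM</ns:getQuote>")
    print("verifies:", verify_signed_message(msg, store))
    print("guessed from a wordlist:", offline_guess(msg, ["password", "security"]))
    msg["Body"] = b"<ns:getQuote>MSFT</ns:getQuote>"
    print("after tampering with the body:", verify_signed_message(msg, store))
```

The receiver rejects a token whose salt is labelled for encryption, so a key derived for one purpose cannot be replayed for the other. offline_guess is the caveat to keep in mind when choosing this over a certificate-based signature: the derivation removes the password from the wire, but 1000 SHA-1 iterations do not make a guessable password safe against someone who has captured the message.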
[jira] Assigned: (WSS-127) No way of signing with UsernameToken without sending the password
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh reassigned WSS-127:
---------------------------------------
Assignee: Colm O hEigeartaigh (was: Ruchith Udayanga Fernando)
> No way of signing with UsernameToken without sending the password
> -----------------------------------------------------------------
>
> Key: WSS-127
> URL: https://issues.apache.org/jira/browse/WSS-127
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.5
> Reporter: Sérgio Patrício
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.4
>
> Attachments: ut_key_deriv.xml, wss4j_wss127.patch
[jira] Closed: (WSS-127) No way of signing with UsernameToken without sending the password
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed WSS-127.
-----------------------------------
> No way of signing with UsernameToken without sending the password
> -----------------------------------------------------------------
>
> Key: WSS-127
> URL: https://issues.apache.org/jira/browse/WSS-127
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.4
> Reporter: Sérgio Patrício
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.5
>
> Attachments: ut_key_deriv.xml, wss4j_wss127.patch
[jira] Updated: (WSS-127) No way of signing with UsernameToken without sending the password
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated WSS-127:
------------------------------------
Fix Version/s: 1.5.4
Affects Version/s: 1.5.5
> No way of signing with UsernameToken without sending the password
> -----------------------------------------------------------------
>
> Key: WSS-127
> URL: https://issues.apache.org/jira/browse/WSS-127
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.5
> Reporter: Sérgio Patrício
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.4
>
> Attachments: ut_key_deriv.xml, wss4j_wss127.patch
[jira] Updated: (WSS-127) No way of signing with UsernameToken without sending the password
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated WSS-127:
------------------------------------
Attachment: ut_key_deriv.xml
A sample output of a SOAP request created using the attached patch.
> No way of signing with UsernameToken without sending the password
> -----------------------------------------------------------------
>
> Key: WSS-127
> URL: https://issues.apache.org/jira/browse/WSS-127
> Project: WSS4J
> Issue Type: Bug
> Reporter: Sérgio Patrício
> Assignee: Ruchith Udayanga Fernando
> Attachments: ut_key_deriv.xml, wss4j_wss127.patch