Posted to wss4j-dev@ws.apache.org by Chuck Hinson <ch...@gestalt-llc.com> on 2007/04/24 23:17:27 UTC
wsse BinarySecurityToken
I see on the WSS4J project page, under the WS-Security features, the
statement "WSS4J supports X.509 binary certificates and certificate
paths"
After some experimentation, however, it would appear that the above
statement does not mean that wsse:BinarySecurityToken is actually
supported.
Is this correct (wsse:BinarySecurityToken is not supported)? And if so,
would anyone care to venture what my options might be if I need to be
able to handle wsse:BinarySecurityToken?
--Chuck
------------------------------------
Chuck Hinson
Gestalt LLC
phone: 610.994.2833
IM: chucking24 (Yahoo)
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
RE: wsse BinarySecurityToken
Posted by Chuck Hinson <ch...@gestalt-llc.com>.
We're doing a sort of proxy, so I need to be able to validate the signature on an incoming request without removing the security header. I also need to be able to retrieve the principal from the accompanying certificate (hence BinarySecurityToken) so that I can determine whether the requester is authorized to have the request proxied.
Unfortunately, I can't even get past signature validation because wss4j doesn't understand the BinarySecurityToken.
--Chuck
-----Original Message-----
From: Fred Dushin [mailto:fred@dushin.net]
Sent: Tue 4/24/2007 7:25 PM
To: Chuck Hinson
Cc: wss4j-dev@ws.apache.org
Subject: Re: wsse BinarySecurityToken
I believe WSS4J will insert an X.509 certificate into a
BinarySecurityToken element in the security header, if you enable the
DirectReference key identifier, when signing.
Is that what you were after, or did you want to simply propagate a
security token through a WS-Security header, without consideration of
the security (or lack thereof) of doing so?
If you want to do the latter, then no, I don't think WSS4J supports
that at present, though I'm close to having a patch that supports
it. It's not clear, though, whether WSS4J needs to do this, as it
won't over-write a header, if it's already been inserted into a SOAP
message. So theoretically, at any rate, you should be able to do the
insertion and extraction of the binary token yourself, and WSS4J
shouldn't interfere.
Hope that helps, and anyone else please chime in with corrections!
-Fred
On Apr 24, 2007, at 5:17 PM, Chuck Hinson wrote:
>
> I see on the WSS4J project page, under the WS-Security features, the
> statement "WSS4J supports X.509 binary certificates and certificate
> paths"
>
> After some experimentation, however, it would appear that the above
> statement does not mean that wsse:BinarySecurityToken is actually
> supported.
>
> Is this correct (wsse:BinarySecurityToken is not supported)? And
> if so,
> would anyone care to venture what my options might be if I need to be
> able to handle wsse:BinarySecurityToken?
>
> --Chuck
>
> ------------------------------------
> Chuck Hinson
> Gestalt LLC
> phone: 610.994.2833
> IM: chucking24 (Yahoo)
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>
Re: wsse BinarySecurityToken
Posted by Fred Dushin <fr...@dushin.net>.
I believe WSS4J will insert an X.509 certificate into a
BinarySecurityToken element in the security header, if you enable the
DirectReference key identifier, when signing.
Is that what you were after, or did you want to simply propagate a
security token through a WS-Security header, without consideration of
the security (or lack thereof) of doing so?
If you want to do the latter, then no, I don't think WSS4J supports
that at present, though I'm close to having a patch that supports
it. It's not clear, though, whether WSS4J needs to do this, as it
won't over-write a header, if it's already been inserted into a SOAP
message. So theoretically, at any rate, you should be able to do the
insertion and extraction of the binary token yourself, and WSS4J
shouldn't interfere.
Hope that helps, and anyone else please chime in with corrections!
-Fred
On Apr 24, 2007, at 5:17 PM, Chuck Hinson wrote:
>
> I see on the WSS4J project page, under the WS-Security features, the
> statement "WSS4J supports X.509 binary certificates and certificate
> paths"
>
> After some experimentation, however, it would appear that the above
> statement does not mean that wsse:BinarySecurityToken is actually
> supported.
>
> Is this correct (wsse:BinarySecurityToken is not supported)? And
> if so,
> would anyone care to venture what my options might be if I need to be
> able to handle wsse:BinarySecurityToken?
>
> --Chuck
>
> ------------------------------------
> Chuck Hinson
> Gestalt LLC
> phone: 610.994.2833
> IM: chucking24 (Yahoo)
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>
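The do-it-yourself extraction mentioned in the reply above, applied to the proxy case from the earlier message, as an added example that is not WSS4J code and not from any poster in this thread: it resolves the signature's DirectReference to the one BinarySecurityToken it names, so the certificate later used for authorization is the one the signature refers to. The class and method names are hypothetical, a single wsse:Security header is assumed, and the token body in the sample envelope is constructed placeholder bytes rather than a real certificate.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.*;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SigningTokenResolver {  // hypothetical name, not part of WSS4J
    static final String OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-";
    static final String WSSE = OASIS + "wssecurity-secext-1.0.xsd";
    static final String WSU = OASIS + "wssecurity-utility-1.0.xsd";
    static final String X509V3 = OASIS + "x509-token-profile-1.0#X509v3";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    // Fail closed unless exactly one matching descendant exists.
    static Element only(Element parent, String ns, String name) {
        NodeList nl = parent.getElementsByTagNameNS(ns, name);
        if (nl.getLength() != 1) throw new SecurityException("expected one " + name + ", got " + nl.getLength());
        return (Element) nl.item(0);
    }
    // DER bytes of the token that the signature's KeyInfo points at (DirectReference).
    static byte[] resolveSigningToken(Document doc) {
        Element sec = only(doc.getDocumentElement(), WSSE, "Security"); // assumption: one Security header
        Element keyInfo = only(only(sec, DS, "Signature"), DS, "KeyInfo");
        String uri = only(keyInfo, WSSE, "Reference").getAttribute("URI");
        if (!uri.startsWith("#")) throw new SecurityException("not a same-document reference");
        String id = uri.substring(1);
        Element token = null;
        NodeList all = sec.getElementsByTagNameNS(WSSE, "BinarySecurityToken");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (!id.equals(e.getAttributeNS(WSU, "Id"))) continue;
            if (token != null) throw new SecurityException("duplicate wsu:Id " + id); // ambiguous reference
            token = e;
        }
        if (token == null || !X509V3.equals(token.getAttribute("ValueType")))
            throw new SecurityException("referenced token missing or not X509v3");
        return Base64.getMimeDecoder().decode(token.getTextContent().trim());
    }
    // Parse only: use getSubjectX500Principal() for authorization after the signature
    // verifies with this certificate and its trust path validates.
    static X509Certificate parse(byte[] der) throws CertificateException {
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
    }
    public static void main(String[] args) throws Exception {
        // Constructed envelope; the token body is placeholder bytes, not a real certificate.
        String xml = "<e:Envelope xmlns:e='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsse='" + WSSE
            + "' xmlns:wsu='" + WSU + "' xmlns:ds='" + DS + "'><e:Header><wsse:Security>"
            + "<wsse:BinarySecurityToken wsu:Id='CertId-1' ValueType='" + X509V3 + "'>Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>"
            + "<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI='#CertId-1'/>"
            + "</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></e:Header><e:Body/></e:Envelope>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs (XXE)
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        System.out.println("resolved " + resolveSigningToken(doc).length + " token bytes");
    }
}
```

With a real certificate in the token, `parse(resolveSigningToken(doc))` yields the X509Certificate whose subject the proxy would check.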
RE: wsse BinarySecurityToken
Posted by "Dittmann, Werner" <we...@nsn.com>.
OASIS specified, as part of the X.509 profile, a mechanism
to send a certificate path; this, however, was not implemented in WSS4J.
Also, there were no test cases and interoperability tests defined
for this specific mechanism. AFAIK this is not used.
Regards,
Werner
> -----Original Message-----
> From: ext Guillaume Aubert [mailto:guillaume.aubert@gmail.com]
> Sent: Wednesday, 25 April 2007 10:47
> To: Chuck Hinson; wss4j-dev@ws.apache.org
> Subject: Re: wsse BinarySecurityToken
>
> Hi,
>
> I have a question regarding the same topic.
> Using the DirectReference key identifier I could pass a single X509
> certificate but I didn't manage to pass certificate paths (a full
> chain of certificates).
> I could not find any documentation explaining how to do it. Is there
> a key similar to DirectReference to have the certificate paths
> travelling in the WSSec Header?
>
> Thanks a lot for answering my question.
>
> Cheers Guillaume
>
> On 4/24/07, Chuck Hinson <ch...@gestalt-llc.com> wrote:
> >
> > I see on the WSS4J project page, under the WS-Security features, the
> > statement "WSS4J supports X.509 binary certificates and certificate
> > paths"
> >
> > After some experimentation, however, it would appear that the above
> > statement does not mean that wsse:BinarySecurityToken is actually
> > supported.
> >
> > Is this correct (wsse:BinarySecurityToken is not supported)? And if so,
> > would anyone care to venture what my options might be if I need to be
> > able to handle wsse:BinarySecurityToken?
> >
> > --Chuck
> >
> > ------------------------------------
> > Chuck Hinson
> > Gestalt LLC
> > phone: 610.994.2833
> > IM: chucking24 (Yahoo)
> >
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> > For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>
Re: wsse BinarySecurityToken
Posted by Guillaume Aubert <gu...@gmail.com>.
Hi,
I have a question regarding the same topic.
Using the DirectReference key identifier I could pass a single X509
certificate but I didn't manage to pass certificate paths (a full
chain of certificates).
I could not find any documentation explaining how to do it. Is there
a key similar to DirectReference to have the certificate paths
travelling in the WSSec Header?
Thanks a lot for answering my question.
Cheers Guillaume
On 4/24/07, Chuck Hinson <ch...@gestalt-llc.com> wrote:
>
> I see on the WSS4J project page, under the WS-Security features, the
> statement "WSS4J supports X.509 binary certificates and certificate
> paths"
>
> After some experimentation, however, it would appear that the above
> statement does not mean that wsse:BinarySecurityToken is actually
> supported.
>
> Is this correct (wsse:BinarySecurityToken is not supported)? And if so,
> would anyone care to venture what my options might be if I need to be
> able to handle wsse:BinarySecurityToken?
>
> --Chuck
>
> ------------------------------------
> Chuck Hinson
> Gestalt LLC
> phone: 610.994.2833
> IM: chucking24 (Yahoo)
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>