You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by "Jim Utter (JIRA)" <ji...@apache.org> on 2010/08/03 00:58:15 UTC
[jira] Created: (WSS-239) Need ability to handle password
"equivalent" between WSPasswordCallback and UsernameToken when it's binary
data
Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
---------------------------------------------------------------------------------------------------------------
Key: WSS-239
URL: https://issues.apache.org/jira/browse/WSS-239
Project: WSS4J
Issue Type: Improvement
Components: WSS4J Core
Affects Versions: 1.5.8
Reporter: Jim Utter
Assignee: Ruchith Udayanga Fernando
Attachments: WSS-239.diff
Per the oasis spec, the UsernamePassword is summarized by the algorithm:
base64(sha-1(nonce+created+password))
But, in some scenarios you don't store cleartext passwords - only the sha-1 hash
of them. The oasis spec allows this via what they claim as "..password
equivalent". The problem I'm running into is that the password equivalent
is sha-1(password) or ultimately this equivalent:
base64(sha-1(nonce+created+sha-1(password)))
When the applicability of this approach was questioned to the oasis list,
they confirmed it:
http://lists.oasis-open.org/archives/wss-dev/201006/msg00003.html
But, when using the wss4j WSPasswordCallback mechanism, the call expects the
password to be a string but the binary output of the digest if converted to
a string, then back to the bytes (by UsernameToken.doPasswordDigest()) does
not result in the original byte array - causing any digest calculations to
fail.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Updated: (WSS-239) Need ability to handle password
"equivalent" between WSPasswordCallback and UsernameToken when it's binary
data
Posted by "Jim Utter (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jim Utter updated WSS-239:
--------------------------
Attachment: (was: WSS-239.diff)
> Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
> ---------------------------------------------------------------------------------------------------------------
>
> Key: WSS-239
> URL: https://issues.apache.org/jira/browse/WSS-239
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 1.5.8
> Reporter: Jim Utter
> Assignee: Ruchith Udayanga Fernando
> Attachments: WSS-239-1_5_x-fixes.patch
>
>
> Per the oasis spec, the UsernamePassword is summarized by the algorithm:
> base64(sha-1(nonce+created+password))
> But, in some scenarios you don't store cleartext passwords - only the sha-1 hash
> of them. The oasis spec allows this via what they claim as "..password
> equivalent". The problem I'm running into is that the password equivalent
> is sha-1(password) or ultimately this equivalent:
> base64(sha-1(nonce+created+sha-1(password)))
> When the applicability of this approach was questioned to the oasis list,
> they confirmed it:
> http://lists.oasis-open.org/archives/wss-dev/201006/msg00003.html
> But, when using the wss4j WSPasswordCallback mechanism, the call expects the
> password to be a string but the binary output of the digest if converted to
> a string, then back to the bytes (by UsernameToken.doPasswordDigest()) does
> not result in the original byte array - causing any digest calculations to
> fail.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Updated: (WSS-239) Need ability to handle password
"equivalent" between WSPasswordCallback and UsernameToken when it's binary
data
Posted by "Jim Utter (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jim Utter updated WSS-239:
--------------------------
Attachment: WSS-239.diff
Attached is a diff for added functionality that allows the password to be set as either a byte[] or cleartext string - allowing consumers of this api to resolve the issue above with custom callback handlers that can set binary passwords (bypassing string.getBytes("UTF-8")).
> Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
> ---------------------------------------------------------------------------------------------------------------
>
> Key: WSS-239
> URL: https://issues.apache.org/jira/browse/WSS-239
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 1.5.8
> Reporter: Jim Utter
> Assignee: Ruchith Udayanga Fernando
> Attachments: WSS-239.diff
>
>
> Per the oasis spec, the UsernamePassword is summarized by the algorithm:
> base64(sha-1(nonce+created+password))
> But, in some scenarios you don't store cleartext passwords - only the sha-1 hash
> of them. The oasis spec allows this via what they claim as "..password
> equivalent". The problem I'm running into is that the password equivalent
> is sha-1(password) or ultimately this equivalent:
> base64(sha-1(nonce+created+sha-1(password)))
> When the applicability of this approach was questioned to the oasis list,
> they confirmed it:
> http://lists.oasis-open.org/archives/wss-dev/201006/msg00003.html
> But, when using the wss4j WSPasswordCallback mechanism, the call expects the
> password to be a string but the binary output of the digest if converted to
> a string, then back to the bytes (by UsernameToken.doPasswordDigest()) does
> not result in the original byte array - causing any digest calculations to
> fail.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Updated: (WSS-239) Need ability to handle password
"equivalent" between WSPasswordCallback and UsernameToken when it's binary
data
Posted by "Jim Utter (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jim Utter updated WSS-239:
--------------------------
Attachment: WSS-239-1_5_x-fixes.patch
Attaching the patch file for 1.5.x..
> Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
> ---------------------------------------------------------------------------------------------------------------
>
> Key: WSS-239
> URL: https://issues.apache.org/jira/browse/WSS-239
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 1.5.8
> Reporter: Jim Utter
> Assignee: Ruchith Udayanga Fernando
> Attachments: WSS-239-1_5_x-fixes.patch, WSS-239.diff
>
>
> Per the oasis spec, the UsernamePassword is summarized by the algorithm:
> base64(sha-1(nonce+created+password))
> But, in some scenarios you don't store cleartext passwords - only the sha-1 hash
> of them. The oasis spec allows this via what they claim as "..password
> equivalent". The problem I'm running into is that the password equivalent
> is sha-1(password) or ultimately this equivalent:
> base64(sha-1(nonce+created+sha-1(password)))
> When the applicability of this approach was questioned to the oasis list,
> they confirmed it:
> http://lists.oasis-open.org/archives/wss-dev/201006/msg00003.html
> But, when using the wss4j WSPasswordCallback mechanism, the call expects the
> password to be a string but the binary output of the digest if converted to
> a string, then back to the bytes (by UsernameToken.doPasswordDigest()) does
> not result in the original byte array - causing any digest calculations to
> fail.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Updated: (WSS-239) Need ability to handle password
"equivalent" between WSPasswordCallback and UsernameToken when it's binary
data
Posted by "Jim Utter (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jim Utter updated WSS-239:
--------------------------
Comment: was deleted
(was: The patch/diff I submitted was for the trunk (1.6?). I'll add another for the 1.5.x-fixes branch.)
> Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
> ---------------------------------------------------------------------------------------------------------------
>
> Key: WSS-239
> URL: https://issues.apache.org/jira/browse/WSS-239
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 1.5.8
> Reporter: Jim Utter
> Assignee: Ruchith Udayanga Fernando
> Attachments: WSS-239-1_5_x-fixes.patch
>
>
> Per the oasis spec, the UsernamePassword is summarized by the algorithm:
> base64(sha-1(nonce+created+password))
> But, in some scenarios you don't store cleartext passwords - only the sha-1 hash
> of them. The oasis spec allows this via what they claim as "..password
> equivalent". The problem I'm running into is that the password equivalent
> is sha-1(password) or ultimately this equivalent:
> base64(sha-1(nonce+created+sha-1(password)))
> When the applicability of this approach was questioned to the oasis list,
> they confirmed it:
> http://lists.oasis-open.org/archives/wss-dev/201006/msg00003.html
> But, when using the wss4j WSPasswordCallback mechanism, the call expects the
> password to be a string but the binary output of the digest if converted to
> a string, then back to the bytes (by UsernameToken.doPasswordDigest()) does
> not result in the original byte array - causing any digest calculations to
> fail.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Updated: (WSS-239) Need ability to handle password
"equivalent" between WSPasswordCallback and UsernameToken when it's binary
data
Posted by "Jim Utter (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jim Utter updated WSS-239:
--------------------------
Description:
Per the oasis spec, the UsernamePassword is summarized by the algorithm:
base64(sha-1(nonce+created+password))
But, in some scenarios you don't store cleartext passwords - only the sha-1 hash
of them. The oasis spec allows this via what they claim as "..password
equivalent". The problem I'm running into is that the password equivalent
is sha-1(password) or ultimately this equivalent:
base64(sha-1(nonce+created+sha-1(password)))
When the applicability of this approach was questioned to the oasis list,
they confirmed it:
http://lists.oasis-open.org/archives/wss-dev/201006/msg00003.html
But, when using the wss4j WSPasswordCallback mechanism, the call expects the
password to be a string but the binary output of the digest if converted to
a string, then back to the bytes (by UsernameToken.doPasswordDigest()) does
not result in the original byte array - causing any digest calculations to
fail.
This was originally posted in the mailing list below where Colm suggested I provide a patch:
http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/201006.mbox/%3CAANLkTilnDI8iJOpHC6Lgv3mkP5_I_UtrcFeNdkDK1BA0@mail.gmail.com%3E
was:
Per the oasis spec, the UsernamePassword is summarized by the algorithm:
base64(sha-1(nonce+created+password))
But, in some scenarios you don't store cleartext passwords - only the sha-1 hash
of them. The oasis spec allows this via what they claim as "..password
equivalent". The problem I'm running into is that the password equivalent
is sha-1(password) or ultimately this equivalent:
base64(sha-1(nonce+created+sha-1(password)))
When the applicability of this approach was questioned to the oasis list,
they confirmed it:
http://lists.oasis-open.org/archives/wss-dev/201006/msg00003.html
But, when using the wss4j WSPasswordCallback mechanism, the call expects the
password to be a string but the binary output of the digest if converted to
a string, then back to the bytes (by UsernameToken.doPasswordDigest()) does
not result in the original byte array - causing any digest calculations to
fail.
> Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
> ---------------------------------------------------------------------------------------------------------------
>
> Key: WSS-239
> URL: https://issues.apache.org/jira/browse/WSS-239
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 1.5.8
> Reporter: Jim Utter
> Assignee: Ruchith Udayanga Fernando
> Attachments: WSS-239-1_5_x-fixes.patch
>
>
> Per the oasis spec, the UsernamePassword is summarized by the algorithm:
> base64(sha-1(nonce+created+password))
> But, in some scenarios you don't store cleartext passwords - only the sha-1 hash
> of them. The oasis spec allows this via what they claim as "..password
> equivalent". The problem I'm running into is that the password equivalent
> is sha-1(password) or ultimately this equivalent:
> base64(sha-1(nonce+created+sha-1(password)))
> When the applicability of this approach was questioned to the oasis list,
> they confirmed it:
> http://lists.oasis-open.org/archives/wss-dev/201006/msg00003.html
> But, when using the wss4j WSPasswordCallback mechanism, the call expects the
> password to be a string but the binary output of the digest if converted to
> a string, then back to the bytes (by UsernameToken.doPasswordDigest()) does
> not result in the original byte array - causing any digest calculations to
> fail.
> This was originally posted in the mailing list below where Colm suggested I provide a patch:
> http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/201006.mbox/%3CAANLkTilnDI8iJOpHC6Lgv3mkP5_I_UtrcFeNdkDK1BA0@mail.gmail.com%3E
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Commented: (WSS-239) Need ability to handle password
"equivalent" between WSPasswordCallback and UsernameToken when it's binary
data
Posted by "Jim Utter (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12894894#action_12894894 ]
Jim Utter commented on WSS-239:
-------------------------------
The patch/diff I submitted was for the trunk (1.6?). I'll add another for the 1.5.x-fixes branch.
> Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
> ---------------------------------------------------------------------------------------------------------------
>
> Key: WSS-239
> URL: https://issues.apache.org/jira/browse/WSS-239
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 1.5.8
> Reporter: Jim Utter
> Assignee: Ruchith Udayanga Fernando
> Attachments: WSS-239.diff
>
>
> Per the oasis spec, the UsernamePassword is summarized by the algorithm:
> base64(sha-1(nonce+created+password))
> But, in some scenarios you don't store cleartext passwords - only the sha-1 hash
> of them. The oasis spec allows this via what they claim as "..password
> equivalent". The problem I'm running into is that the password equivalent
> is sha-1(password) or ultimately this equivalent:
> base64(sha-1(nonce+created+sha-1(password)))
> When the applicability of this approach was questioned to the oasis list,
> they confirmed it:
> http://lists.oasis-open.org/archives/wss-dev/201006/msg00003.html
> But, when using the wss4j WSPasswordCallback mechanism, the call expects the
> password to be a string but the binary output of the digest if converted to
> a string, then back to the bytes (by UsernameToken.doPasswordDigest()) does
> not result in the original byte array - causing any digest calculations to
> fail.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org