You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2008/07/23 12:45:31 UTC

[jira] Updated: (WSS-127) No way of signing with UsernameToken without sending the password

     [ https://issues.apache.org/jira/browse/WSS-127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated WSS-127:
------------------------------------

    Attachment: wss4j_wss127.patch


This patch adds functionality to derive a secret key from a UsernameToken to use with a HMAC, as detailed in the UsernameToken profile 1.1. This functionality is only available programmatically, and not through WS-Handler. See the test in test\wssec\TestWSSecurityUTDK for more details.

e.g. on the outbound side:

WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setUserInfo("bob", "security");
builder.addDerivedKey(true, null, 1000);
builder.prepare(doc);
byte[] derivedKey = builder.getDerivedKey();

WSSecSignature sign = new WSSecSignature();
sign.setSecretKey(derivedKey);
sign.setCustomTokenId(builder.getId());
sign.setCustomTokenValueType(WSConstants.USERNAMETOKEN_NS + "#UsernameToken");
sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
Document signedDoc = sign.build(doc, null, secHeader);
builder.prependToHeader(secHeader);

On the inbound side:

WSSConfig cfg = WSSConfig.getNewInstance();
cfg.setHandleCustomPasswordTypes(true);
secEngine.setWssConfig(cfg);
secEngine.processSecurityHeader(doc, null, this, null);


> No way of signing with UsernameToken without sending the password
> -----------------------------------------------------------------
>
>                 Key: WSS-127
>                 URL: https://issues.apache.org/jira/browse/WSS-127
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Sérgio Patrício
>            Assignee: Ruchith Udayanga Fernando
>         Attachments: ut_key_deriv.xml, wss4j_wss127.patch
>
>
> When signing a message using a UsernameToken should be possible to don't send the password.
> For example in the UsernameTokenSignedAction is used a secret key from UsernameToken.
> When building the security header the password goes on the UsernameToken, this way all the required elements to create the secret key (password+nonce+created) go in the soap message and then the signature can be easily faked.
> My suggestion is that in the following example code when setting the password type to null be allowed to set the password (currently has to be null)
> WSSecUsernameToken builder = new WSSecUsernameToken();
> builder.setUserInfo("user", "password");
> builder.setPasswordType(null);
> builder.build(doc, secHeader);
> Some additional coments on this are on JIRA WSS-68
> Note: I started working with WSS4J just a few weeks ago, sorry if something in the JIRA is wrong.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org