Posted to fx-dev@ws.apache.org by Brian Nielsen <br...@sweetxml.org> on 2005/04/17 22:38:43 UTC

Success in interop with WSE2 on signing with a username token!

Werner,

Thanks for all the nice work you've done for me and all the other happy users of
wss4j and addressing. I finally got around it, and your implementation was
right on! My problems turned out to be with enough/the right (for wse)
addressing headers, and signing them (was that possible from the start in
autumn last year?). The way I got around was to pick up my rusty C# and
read the MS WSE2 stuff on policy, and then deploy several different
services on IIS with increasing usage of wss/wse, checking first wse clients
and then wss4j clients.

Brgds Brian



-----Original Message-----
From: Dittmann Werner [mailto:werner.dittmann@siemens.com] 
Sent: 21 January 2005 11:55
To: 'brian@sweetxml.org'; Werner.Dittmann@t-online.de
Cc: fx-dev@ws.apache.org
Subject: AW: Signing with a UsernameToken - interop with WSE2

Brian,

to check the username token signing I took the data you sent (the logged
request) and fed it into a small test program that used it to call the
WSSecurity engine to verify the signature - thus it was not an online test.
Your data had enough info to verify the signature. I have to look in my
development environment to check how to set up an online interop test. IMO
you just need to define the right action and username and password; I'll
recheck this.

According to your second question: the way to use the username token to sign
and/or encrypt a request is not standardized by OASIS WSS. To the best of my
knowledge this is a proprietary method used by WSE2 only.

Regards,
Werner

> -----Original Message-----
> From: brian@sweetxml.org [mailto:brian@sweetxml.org]
> Sent: Friday, 21 January 2005 10:56
> To: Werner.Dittmann@t-online.de
> Cc: fx-dev@ws.apache.org
> Subject: Signing with a UsernameToken - interop with WSE2
> 
> 
> Werner,
> 
> As you've seen on the list I've "resurfaced" after 3 months of 
> silence. I would really like to figure it out myself and contribute to 
> the project, but my knowledge/understanding is quite limited. I've 
> looked at the wsse Unittest number 13 - but as far as I can see it 
> doesn't do what you wrote about in your mail:
> 
> "I was able to perform the Signature check with this request."
> 
> http://nagoya.apache.org/eyebrowse/ReadMsg?listName=fx-dev@ws.apache.org&msgNo=2099
> 
> Is that code checked in or can you send it, so that I can reproduce it with
> a new dummy service that one of my colleagues set up. Because even though you
> got success I'm still not able to access a WSE2 Web Service that requires
> signing the body and Timestamp with a key based on the UsernameToken. Since
> if I can reproduce the digest and signature given a UsernameToken (include
> nonce etc.) and several addressing elements.
> 
> And a second question, I've looked through the WS-Trust specification and
> the WS-Secure Conversation, but I haven't spotted where the description for
> WSE2's "way of doing" is described. I would like to gather the facts and our
> assumptions and post it to the WSE2 team, to clear out any misunderstandings
> if we strike ground again.
> 
> Thanks in advance.
> 
> Brgds Brian