Posted to fx-dev@ws.apache.org by Ashok Shah <as...@sfu.ca> on 2005/06/10 00:09:55 UTC

Signature and UsernameToken's reqData.username problem

Hello,

I have a use case where a client (SOAP Client) has to send secure SOAP
messages to web services using "UsernameToken Signature" profile. The
Signature is used for signing UsernameToken as well as certain parts of
the body. The client has a different set of username and password for each
web service it is sending requests to.

I have learnt from the WSS4J code that the performSIGAction and
performUTAction both look into reqData.username to get the password. For a
given SOAP request WSS4J uses the same username to attach the UsernameToken
and to get the password for the private key for the Signature. Given the fact
that the client is going to contact multiple web services and has a different
set of username password, it is difficult to have the client's private key
under the same alias as the username for each request. I was wondering if I
could configure WSS4J properties to change this behaviour so that WSS4J could
use different usernames to attach the UsernameToken and retrieve the private key.

Appreciate any help.

Thanks,

Ashok.

Re: Signature and UsernameToken's reqData.username problem

Posted by Werner Dittmann <We...@t-online.de>.
Ashok,

in this case you may use the "handler chaining" feature, that is you
can configure the WSS4J handler several times in the deployment
file, every handler uses its own set of properties.

There is an example in the interop directory (OASIS interop tests) where
we do this to perform multiple signatures. There is also a short
description about that feature in the package.html file of the Axis
handlers. One hint: every handler but the last must have a special
action defined as the last action (NoSerialization?). Pls have a
look in the client_deploy.wsdd files of the WS Security interop, AFAIK
there is one setup for this.

Regards,
Werner


Ashok Shah wrote:
> Hello,
> 
> I have a use case where a client (SOAP Client) has to send secure SOAP
> messages to web services using "UsernameToken Signature" profile. The
> Signature is used for signing UsernameToken as well as certain parts of
> the body. The client has a different set of username and password for each
> web service it is sending requests to.
> 
> I have learnt from the WSS4J code that the performSIGAction and
> performUTAction both look into reqData.username to get the password. For
> a given SOAP request WSS4J uses the same username to attach the
> UsernameToken and to get the password for the private key for the
> Signature. Given the fact that the client is going to contact multiple web
> services and has a different set of username password, it is difficult to
> have the client's private key under the same alias as the username for each
> request. I was wondering if I could configure WSS4J properties to change
> this behaviour so that WSS4J could use different usernames to attach the
> UsernameToken and retrieve the private key.
> 
> Appreciate any help.
> 
> Thanks,
> 
> Ashok.
>
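
A sketch of the handler chaining described in the reply above, added here as an illustration and not copied from the WSS4J interop files: the first handler attaches the UsernameToken under the per-service account and ends its action list with NoSerialization, the second signs with a separate keystore alias. The user values, callback class names, crypto.properties file name and the choice of signed parts are assumptions.

```xml
<!-- client_deploy.wsdd sketch: two chained WSS4J sender handlers,
     each with its own "user" property. All values marked "assumed"
     are placeholders for illustration. -->
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http"
             pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <requestFlow>
      <!-- Handler 1: add the UsernameToken for this service's account.
           NoSerialization is the last action, so the security header is
           passed on to the next handler in the chain. -->
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="action" value="UsernameToken NoSerialization"/>
        <!-- assumed: account name for one target web service -->
        <parameter name="user" value="service-a-account"/>
        <parameter name="passwordType" value="PasswordDigest"/>
        <!-- assumed: hypothetical callback returning the account password -->
        <parameter name="passwordCallbackClass"
                   value="example.ServicePasswordCallback"/>
      </handler>

      <!-- Handler 2: sign the UsernameToken and the Body. Here "user" is
           the keystore alias of the client's private key, independent of
           the account name used by handler 1. -->
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="action" value="Signature"/>
        <!-- assumed: keystore alias of the signing key -->
        <parameter name="user" value="client-signing-key"/>
        <!-- assumed: hypothetical callback returning the key password -->
        <parameter name="passwordCallbackClass"
                   value="example.KeystorePasswordCallback"/>
        <!-- assumed: crypto provider/keystore settings file -->
        <parameter name="signaturePropFile" value="crypto.properties"/>
        <!-- assumed: whole Body signed; narrow this to the parts required -->
        <parameter name="signatureParts"
                   value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
      </handler>
    </requestFlow>
  </globalConfiguration>
</deployment>
```

Keeping the signing alias in its own handler means the keystore entry does not have to be renamed or duplicated per service account, and the receiving side can verify that the UsernameToken is covered by the signature.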