Posted to fx-dev@ws.apache.org by Ashok Shah <as...@sfu.ca> on 2005/06/10 00:09:55 UTC
Signature and UsernameToken's reqData.username problem
Hello,
I have a use case where a client (SOAP client) has to send secure SOAP
messages to web services using the "UsernameToken Signature" profile. The
Signature is used for signing the UsernameToken as well as certain parts of
the body. The client has a different username and password for each
web service it sends requests to.
I have learnt from the WSS4J code that performSIGAction and
performUTAction both look into reqData.username to get the password. For a
given SOAP request, WSS4J uses the same username to attach the UsernameToken
and to get the password for the private key for the Signature. Given that the
client is going to contact multiple web services and has a different
username and password for each, it is difficult to have the client's private
key under the same alias as the username for each request. I was wondering if
I could configure WSS4J properties to change this behaviour so that WSS4J could
use different usernames to attach the UsernameToken and retrieve the private key.
Appreciate any help.
Thanks,
Ashok.
Re: Signature and UsernameToken's reqData.username problem
Posted by Werner Dittmann <We...@t-online.de>.
Ashok,
in this case you may use the "handler chaining" feature, that is you
can configure the WSS4J handler several times in the deployment
file, every handler uses its own set of properties.
There is an example in the interop directory (OASIS interop tests) where
we do this to perform multiple signatures. There is also a short
description about that feature in the package.html file of the Axis
handlers. One hint: every handler but the last must have a special
action defined as the last action (NoSerialization?). Pls have a
look in the client_deploy.wsdd files of the WS Security interop, AFAIK
there is one setup for this.
Regards,
Werner
Ashok Shah wrote:
> Hello,
>
> I have a use case where a client (SOAP client) has to send secure SOAP
> messages to web services using the "UsernameToken Signature" profile. The
> Signature is used for signing the UsernameToken as well as certain parts of
> the body. The client has a different username and password for each
> web service it sends requests to.
>
> I have learnt from the WSS4J code that performSIGAction and
> performUTAction both look into reqData.username to get the password. For
> a given SOAP request, WSS4J uses the same username to attach the UsernameToken
> and to get the password for the private key for the Signature. Given that
> the client is going to contact multiple web services and has a different
> username and password for each, it is difficult to have the client's
> private key under the same alias as the username for each request. I
> was wondering if I could configure WSS4J properties to change this
> behaviour so that WSS4J could use different usernames to attach the
> UsernameToken and retrieve the private key.
>
> Appreciate any help.
>
> Thanks,
>
> Ashok.
>