Posted to fx-dev@ws.apache.org by Javier Delgadillo <jd...@esri.com> on 2004/10/21 23:36:21 UTC

Username Token in the real world.

Hello Everyone,

I'm looking at WS-Security and how we can transition our Web Services to use
it for authentication.  We currently have a username/pwd system that issues
a proprietary token that expires after an hour.

We're looking at replacing this system with WS-Security and using the
Username Token Profile as the first step.  Does anyone have real world
stories of how Username Token is used in real world deployments?  For
PasswordText, are deployments using a hash of the password to send across
the wire?  Or are people sending the plain-text password over an SSL
connection?  Would someone using SOAP and WS-Security have easy access to a
SHA1/MD5 hash engine for creating such passwords?

I want to get a sense of how Username Token deployments are happening and if
anything on top of adding a timestamp is used to prevent replay attacks.

Thanks.

---
Javier Delgadillo 
ESRI Internet Solutions Division 
(909) 793-2853 x1068 
http://www.esri.com/



Re: Username Token in the real world.

Posted by Werner Dittmann <We...@t-online.de>.
Javier,

besides using PasswordText, have you looked at using PasswordDigest?
PasswordDigest automatically takes the clear text password, a created
time, and a nonce to produce a digested value. This prevents sending
the password in clear text, and including a nonce also prevents replay
attacks (or at least makes them harder). PasswordDigest is fully
supported by WSS4J; please have a look at the Javadoc of the handlers, where
the various options are described.

The password digest is further explained in the OASIS WSS specifications 
(which hash algo to use, which values to include in the hash, etc.). 
This specification (the username token profile) also gives some hints 
about security and counter attacks.

The link to the OASIS docs:

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss


Regards,
Werner

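The PasswordDigest computation Werner describes, together with the freshness and nonce checks Javier asks about for replay prevention, as an added worked example (this is illustration code written for this page, not WSS4J's implementation or anything posted in the thread). The digest rule follows the OASIS Username Token Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password)), with the nonce as raw bytes and Created and the password as UTF-8 text. The username, password, nonce bytes, timestamps, 5-minute acceptance window and 1-minute clock-skew allowance are constructed for the example; the XML rendering uses the profile's PasswordDigest and Base64Binary URIs but omits namespace declarations for brevity.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Type/encoding URIs defined by the OASIS WSS Username Token Profile 1.0
PASSWORD_DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                        "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)).

    The nonce goes in as its raw (base64-decoded) bytes; Created and the
    password go in as UTF-8 text, as the profile specifies.
    """
    h = hashlib.sha1()
    h.update(nonce)
    h.update(created.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def make_token(username: str, password: str, now=None, nonce: bytes = None) -> dict:
    """Client side: build the fields of a wsse:UsernameToken using PasswordDigest."""
    nonce = nonce if nonce is not None else os.urandom(16)  # fresh random nonce per message
    now = now or datetime.now(timezone.utc)
    created = now.strftime(CREATED_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def to_xml(token: dict) -> str:
    """Render the token as it appears inside the wsse:Security header (namespaces omitted)."""
    return (
        "<wsse:UsernameToken>"
        f"<wsse:Username>{token['Username']}</wsse:Username>"
        f"<wsse:Password Type=\"{PASSWORD_DIGEST_TYPE}\">{token['PasswordDigest']}</wsse:Password>"
        f"<wsse:Nonce EncodingType=\"{BASE64_BINARY}\">{token['Nonce']}</wsse:Nonce>"
        f"<wsu:Created>{token['Created']}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenVerifier:
    """Server side: recompute the digest and enforce a Created window plus nonce uniqueness."""

    def __init__(self, password_lookup, max_age=timedelta(minutes=5),
                 clock_skew=timedelta(minutes=1)):
        self.password_lookup = password_lookup   # username -> clear-text password, or None
        self.max_age = max_age                   # how old a Created may be (assumed window)
        self.clock_skew = clock_skew             # tolerated client clock drift (assumed)
        self._seen = {}                          # base64 nonce -> time it may be forgotten

    def verify(self, token: dict, now=None):
        now = now or datetime.now(timezone.utc)
        # Forget nonces whose Created can no longer be accepted anyway.
        self._seen = {n: t for n, t in self._seen.items() if t > now}
        try:
            created = datetime.strptime(token["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError) as exc:    # binascii.Error is a ValueError subclass
            return False, f"malformed token: {exc}"
        if not nonce:
            return False, "empty nonce"
        if created > now + self.clock_skew:
            return False, "Created is in the future"
        if now - created > self.max_age:
            return False, "Created is too old"
        if token["Nonce"] in self._seen:
            return False, "nonce already used (replay)"
        password = self.password_lookup(token.get("Username"))
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "digest mismatch"
        # Remember the nonce for as long as a token carrying this Created could still pass the age check.
        self._seen[token["Nonce"]] = created + self.max_age + self.clock_skew
        return True, "ok"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    token = make_token("javier", "s3cret", now=now)             # constructed credentials
    print(to_xml(token))
    verifier = UsernameTokenVerifier(lambda u: {"javier": "s3cret"}.get(u))
    print(verifier.verify(token, now=now))                      # (True, 'ok')
    print(verifier.verify(token, now=now + timedelta(seconds=5)))  # replay of the same message is refused
```

Two caveats the spec's own security section also raises: the digest is a plain SHA-1 over nonce, Created and password, so anyone who captures a token can brute-force a weak password offline, and the server must hold the clear-text password (or something equivalent) to recompute it. PasswordDigest therefore limits what a single captured message is worth, but it is not a replacement for SSL/TLS on the wire. The nonce cache only works if it is retained at least as long as the Created window, and if the cache is shared across every server instance that accepts the token.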