Posted to wss4j-dev@ws.apache.org by "Aleksander Adamowski (JIRA)" <ji...@apache.org> on 2009/05/22 18:56:45 UTC

[jira] Created: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken
-----------------------------------------------------------------------------------------------------------------

                 Key: WSS-194
                 URL: https://issues.apache.org/jira/browse/WSS-194
             Project: WSS4J
          Issue Type: New Feature
          Components: WSS4J Handlers
    Affects Versions: 1.5.8
            Reporter: Aleksander Adamowski
            Assignee: Ruchith Udayanga Fernando
         Attachments: wss4j-signature_keystore_alias.patch

Currently, when signing a message, the KeyStore alias lookup is performed using the user name from userInfo (which is set in SignatureAction and comes from request data).

This way, the alias in the KeyStore cannot be different from the user name used for UsernameToken authentication.

Some usage scenarios cannot make such an assumption.

E.g. a common configuration is to prompt the user for the username and password, but the KeyStore is distributed with the client application and contains a static entry with a static password for the signing keypair and certificate, and will be used by multiple users (the WS signature comes from the client application, not an individual user). The KeyStore, signing certificate alias and password are part of the application's configuration.

The password for UsernameToken can be differentiated using a proper password callback handler (since the callback it receives specifies in the "usage" property what the password is needed for - e.g. WSPasswordCallback.USERNAME_TOKEN or WSPasswordCallback.SIGNATURE).

A user found a workaround for this problem for Apache Axis:
http://www.nabble.com/Signature-Alias-vs.-Username-Token-User-td21334511.html

However, there's no simple method for differentiating the user name used by the Signature and UsernameToken actions if WSS4J is not used from Axis, but e.g. CXF.

I've implemented a simple solution by introducing a new handler configuration property - SIG_KEYSTORE_ALIAS - which allows overriding the KeyStore alias for the Signature action.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


[jira] Commented: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "George Stanchev (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12712240#action_12712240 ] 

George Stanchev commented on WSS-194:
-------------------------------------

I am also interested to see this fixed/enhanced. I ran into the same issue as Aleksander is describing, where the signature is applied by the application, not the user. I ended up creating and managing my own username token and attaching it manually to a wss header (also manually created by me), which is a less ideal solution.



[jira] Updated: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "Aleksander Adamowski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aleksander Adamowski updated WSS-194:
-------------------------------------

    Attachment: wss4j-signature_keystore_alias2.patch

Improved patch.

The improvements relate strictly to Javadoc - reformatted for common line length and cross-links added between related constants' Javadoc comments.



[jira] Updated: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated WSS-194:
------------------------------------

    Affects Version/s:     (was: 1.5.8)
                       1.5.7
        Fix Version/s: 1.6
                       1.5.8



[jira] Commented: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12719502#action_12719502 ] 

Colm O hEigeartaigh commented on WSS-194:
-----------------------------------------


Can this issue be closed?

Colm.



[jira] Assigned: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned WSS-194:
---------------------------------------

    Assignee: Colm O hEigeartaigh  (was: Ruchith Udayanga Fernando)



[jira] Commented: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12719498#action_12719498 ] 

Colm O hEigeartaigh commented on WSS-194:
-----------------------------------------


If Rampart uses the WSHandler.doSenderAction method to set up the configuration then it should just work without any changes. I'll try Rampart with 1.5.8-SNAPSHOT before it gets released anyway in case there are any issues.

Colm.



[jira] Commented: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "George Stanchev (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12719190#action_12719190 ] 

George Stanchev commented on WSS-194:
-------------------------------------

Since axis2 rampart is a main consumer of wss4j, do we need to submit a JIRA for it to consume the new setting, or do its developers (Nandana, etc.) monitor this list and will take care of it?



[jira] Commented: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "Aleksander Adamowski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12712909#action_12712909 ] 

Aleksander Adamowski commented on WSS-194:
------------------------------------------

Understood. However, AFAIK WS-SecurityPolicy requires support and cooperation both on the server side (to publish the security policy) and client (to parse and follow it).

Or is it enough to set ws-security.signature.username in the CXF client properties?





[jira] Closed: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "Aleksander Adamowski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aleksander Adamowski closed WSS-194.
------------------------------------

    Resolution: Fixed

OK, I've tested the 1.5.8-SNAPSHOT and all works fine. Closing.



[jira] Commented: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12717254#action_12717254 ] 

Colm O hEigeartaigh commented on WSS-194:
-----------------------------------------


Have a look at the commit I did for this issue. I added a new config variable "WSHandlerConstants.SIGNATURE_USER" which selects the keystore alias to use for signature, and updated the SignatureAction class to get the user from RequestData.getSignatureUser() instead of RequestData.getUser(). 

So now you can use WSHandlerConstants.USER for the UsernameToken name, and WSHandlerConstants.SIGNATURE_USER for the keystore alias. I went for this approach instead of the submitted patch for consistency with WSHandlerConstants.ENCRYPTION_USER.

Can you let me know if this meets your requirements?

Colm.

> Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-194
>                 URL: https://issues.apache.org/jira/browse/WSS-194
>             Project: WSS4J
>          Issue Type: New Feature
>          Components: WSS4J Handlers
>    Affects Versions: 1.5.7
>            Reporter: Aleksander Adamowski
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.5.8, 1.6
>
>         Attachments: wss4j-signature_keystore_alias.patch, wss4j-signature_keystore_alias2.patch
>
>
> Currently, when signing a message, the KeyStore alias lookup is performed using the user name from userInfo (which is set in SignatureAction and comes from request data).
> This way, the alias in the KeyStore cannot be different from the user name used for UsernameToken authentication.
> Some usage scenarios cannot make such an assumption.
> E.g. a common configuration is to prompt the user for the username and password, but the KeyStore is distributed with the client application and contains a static entry with a static password for the signing keypair and certificate, and will be used by multiple users (the WS signature comes from the client application, not an individual user). The KeyStore, and the signing certificate alias and password, are part of the application's configuration.
> The password for UsernameToken can be differentiated using a proper password callback handler (since the callback it receives specifies in the "usage" property what the password is needed for - e.g. WSPasswordCallback.USERNAME_TOKEN or WSPasswordCallback.SIGNATURE).
> A user found a workaround for this problem for Apache Axis:
> http://www.nabble.com/Signature-Alias-vs.-Username-Token-User-td21334511.html
> However, there's no simple method for differentiating the user name used by the Signature and UsernameToken actions if WSS4J is not used from Axis, but from e.g. CXF.
> I've implemented a simple solution by introducing a new handler configuration property - SIG_KEYSTORE_ALIAS - which allows overriding the KeyStore alias for the Signature action.


[jira] Updated: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "Aleksander Adamowski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aleksander Adamowski updated WSS-194:
-------------------------------------

    Attachment: wss4j-signature_keystore_alias.patch

Attaching the patch.


[jira] Commented: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12717677#action_12717677 ] 

Colm O hEigeartaigh commented on WSS-194:
-----------------------------------------


You can point maven to here to get a SNAPSHOT of the 1_5_x-fixes branch that I built today:

http://people.apache.org/~coheigea/stage/wss4j/1.5.8-SNAPSHOT/maven/

Let me know if there are any problems.

Colm.




[jira] Commented: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "Aleksander Adamowski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12712175#action_12712175 ] 

Aleksander Adamowski commented on WSS-194:
------------------------------------------

JIRA has mangled the links; here are alternative ones:

http://markmail.org/message/2e3upokfdznbck5p

http://markmail.org/message/fmatwaztvdvhrvzr




[jira] Commented: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "Aleksander Adamowski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12712173#action_12712173 ] 

Aleksander Adamowski commented on WSS-194:
------------------------------------------

BTW, there are other users affected by this issue, asking for help on mailing lists:

http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200807.mbox/<18...@talk.nabble.com>

http://mail-archives.apache.org/mod_mbox/ws-rampart-dev/200706.mbox/<35...@ord-mail.serena.com>



[jira] Commented: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12712255#action_12712255 ] 

Daniel Kulp commented on WSS-194:
---------------------------------


Just for reference: the WS-SecurityPolicy implementation in CXF does allow different usernames for the UsernameToken and the aliases for the keystores and such.




[jira] Commented: (WSS-194) Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken

Posted by "Aleksander Adamowski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12717448#action_12717448 ] 

Aleksander Adamowski commented on WSS-194:
------------------------------------------

Looks very reasonable and more consistent than ours.

When is a new snapshot artifact with this commit in it going to be available in the Maven repo, so that we can test it?
