You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2014/02/12 14:58:28 UTC

svn commit: r1567626 - in /webservices/wss4j/site/src/site/xdoc: best_practice.xml config.xml migration.xml

Author: coheigea
Date: Wed Feb 12 13:58:27 2014
New Revision: 1567626

URL: http://svn.apache.org/r1567626
Log:
Updated migration guide

Modified:
    webservices/wss4j/site/src/site/xdoc/best_practice.xml
    webservices/wss4j/site/src/site/xdoc/config.xml
    webservices/wss4j/site/src/site/xdoc/migration.xml

Modified: webservices/wss4j/site/src/site/xdoc/best_practice.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/site/src/site/xdoc/best_practice.xml?rev=1567626&r1=1567625&r2=1567626&view=diff
==============================================================================
--- webservices/wss4j/site/src/site/xdoc/best_practice.xml (original)
+++ webservices/wss4j/site/src/site/xdoc/best_practice.xml Wed Feb 12 13:58:27 2014
@@ -35,13 +35,24 @@ WS-SecurityPolicy requirement.
 </subsection>
 <subsection name="Use RSA-OAEP for the Key Transport Algorithm">
 <p>
-WSS4J supports two key transport algorithms, RSA v1.5 and RSA-OAEP. A number of attacks
-exist on RSA v1.5. Therefore, you should always use RSA-OAEP as the key transport algorithm,
-and enforce this decision. For WS-SecurityPolicy, this means to avoid using any AlgorithmSuite
-that ends with "Rsa15" (e.g. "Basic128Rsa15"). For the direct configuration case, you should
-explicitly configure WSHandlerConstants.ENC_KEY_TRANSPORT ("encryptionKeyTransportAlgorithm")
-to be "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p". This latter point requires the
-web services stack to set this property on the Request (it is known that Apache CXF does this).
+WSS4J supports two key transport algorithms, RSA v1.5 and RSA-OAEP. A number
+of attacks exist on RSA v1.5. Therefore, you should always use RSA-OAEP as the
+key transport algorithm, and enforce this decision. For WS-SecurityPolicy,
+this means to avoid using any AlgorithmSuite that ends with "Rsa15" (e.g.
+"Basic128Rsa15").
+</p>
+<p>
+For the "Action" based approach, there are different ways of enforcing that
+RSA v1.5 cannot be used for key transport depending on the version of WSS4J.
+In WSS4J 2.0.0, it is not allowed by default and no action is required. If you
+wish to allow it, then you must set the
+WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM property to "true". For
+WSS4J 1.6.x, the RSA v1.5 key transport algorithm is allowed by default. In
+this case, you should explicitly configure WSHandlerConstants.ENC_KEY_TRANSPORT
+("encryptionKeyTransportAlgorithm") to be
+"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p". This latter point requires
+the web services stack to set this property on the Request (it is known that
+Apache CXF does this).
 </p>
 </subsection>
 <subsection name="Avoid using a cbc Symmetric Encryption Algorithm">

Modified: webservices/wss4j/site/src/site/xdoc/config.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/site/src/site/xdoc/config.xml?rev=1567626&r1=1567625&r2=1567626&view=diff
==============================================================================
--- webservices/wss4j/site/src/site/xdoc/config.xml (original)
+++ webservices/wss4j/site/src/site/xdoc/config.xml Wed Feb 12 13:58:27 2014
@@ -533,7 +533,7 @@ construct a BinarySecurityToken. Default
 "true".</td>
 </tr>
 <tr>
-<td>ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM</td>
+<td><b>WSS4J 2.0.0</b> ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM</td>
 <td>allowRSA15KeyTransportAlgorithm</td>
 <td>Whether to allow the RSA v1.5 Key Transport Algorithm or not. Default is
 "false".</td>

Modified: webservices/wss4j/site/src/site/xdoc/migration.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/site/src/site/xdoc/migration.xml?rev=1567626&r1=1567625&r2=1567626&view=diff
==============================================================================
--- webservices/wss4j/site/src/site/xdoc/migration.xml (original)
+++ webservices/wss4j/site/src/site/xdoc/migration.xml Wed Feb 12 13:58:27 2014
@@ -198,6 +198,12 @@ the Crypto Properties object for Signatu
 </td>
 </tr>
 <tr>
+<td>ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM</td>
+<td>allowRSA15KeyTransportAlgorithm</td>
+<td>Whether to allow the RSA v1.5 Key Transport Algorithm or not. Default is
+"false".</td>
+</tr>
+<tr>
 <td>ADD_INCLUSIVE_PREFIXES</td>
 <td>addInclusivePrefixes</td>
 <td> Whether to add an InclusiveNamespaces PrefixList as a
@@ -356,6 +362,17 @@ need to disable a particular cache.
 </p>
 </subsection>
 
+<subsection name="RSA v1.5 Key Transport algorithm not allowed by default">
+<p>
+WSS4J supports two key transport algorithms, RSA v1.5 and RSA-OAEP. A number
+of attacks exist on RSA v1.5. Therefore, you should always use RSA-OAEP as the
+key transport algorithm. In WSS4J 2.0.0, the RSA v1.5 Key Transport algorithm
+is not allowed by default (as opposed to previous versions of WSS4J, where it
+is allowed). If you wish to allow it, then you must set the
+WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM property to "true".
+</p>
+</subsection>
+
 </section>            
 </body>
 </document>