Posted to wss4j-dev@ws.apache.org by "al-col@libero.it" <al...@libero.it> on 2007/08/31 10:22:08 UTC

again on UsernameToken and Microsoft interoperability

Hi,
Microsoft offers a third way to send a password in a SOAP request, "SENDNONE", that actually doesn't send the password at all...
This is a valid choice if you are also signing the request.

The idea behind this scenario is:

if I'm signing the request with a key generated using the password and other data on the client, I don't need to send the password with the message because the server has the shared secret and so can control the signature using it... if the signature is valid, the password is valid too.

It would be very simple to implement this in wss4j because, actually, the only step required at the client side is to remove the password tag from the request...

on the server side, instead, we would have to skip the password check, relying on the signature verification because it would tell us also if the password used is the right one.

bye



---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
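The scheme proposed in the message above, sketched as an added example that is not code from this thread, from WSS4J, or from Microsoft's implementation. The class and method names, the PBKDF2 derivation with the nonce as salt, the HMAC-SHA256 signature and the sample credentials are all assumptions made for illustration; the point shown is that a receiver which skips the password check must refuse any password-less token that carries no valid signature.

```java
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

public class SendNoneDemo {
    // Constructed server-side credential store (assumption for this example).
    static final Map<String, String> PASSWORDS = Map.of("alice", "correct horse");

    // Derive the signing key from the password plus per-message data (nonce used as salt).
    static byte[] deriveKey(String password, byte[] nonce) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), nonce, 1000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // HMAC over nonce, created timestamp and body, so none of them can be swapped.
    static byte[] sign(byte[] key, byte[] nonce, String created, String body) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(nonce);
        mac.update(created.getBytes(StandardCharsets.UTF_8));
        return mac.doFinal(body.getBytes(StandardCharsets.UTF_8));
    }

    // Server side: the token has no password, so authentication rests entirely on the signature.
    static boolean verify(String user, byte[] nonce, String created, String body, byte[] sig)
            throws Exception {
        String stored = PASSWORDS.get(user);
        if (stored == null || sig == null) return false; // no signature, no proof of the password
        byte[] expected = sign(deriveKey(stored, nonce), nonce, created, body);
        return MessageDigest.isEqual(expected, sig);      // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        byte[] nonce = "sample-nonce-001".getBytes(StandardCharsets.UTF_8); // constructed sample
        String created = "2007-08-31T08:22:08Z", body = "<getQuote>ACME</getQuote>";
        // Client: sends username, nonce, created, body and signature, but no password element.
        byte[] sig = sign(deriveKey("correct horse", nonce), nonce, created, body);
        byte[] bad = sign(deriveKey("wrong guess", nonce), nonce, created, body);
        System.out.println("valid request:  " + verify("alice", nonce, created, body, sig));
        System.out.println("tampered body:  " + verify("alice", nonce, created, "<getQuote>X</getQuote>", sig));
        System.out.println("wrong password: " + verify("alice", nonce, created, body, bad));
        System.out.println("no signature:   " + verify("alice", nonce, created, body, null));
    }
}
```

Only the first call verifies. The sketch leaves out nonce replay tracking and a freshness window on the created timestamp, which a receiver accepting such tokens would also need.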


Re: again on UsernameToken and Microsoft interoperability

Posted by Marc Jadoul <ma...@auth-o-matic.com>.
Hello,

I have a similar request for interoperability with other software like
Websphere, but also to be able to implement the WS-I BSP 1.0 sample
application (see this doc, paragraph 3.3:
http://www.ws-i.org/SampleApplications/SupplyChainManagement/2006-04/SCMSecurityArchitectureWGD5.00.doc).
This is also a use case for WS-SecurityPolicy.

There is already a bug (WSS-68) filed for this, but without reaction.
And I am ready to develop a patch if there is any interest.

Note that the UsernameToken class foresees the possibility, and the bug is
in the issue system.

Marc



On Fri, 2007-08-31 at 10:22 +0200, al-col@libero.it wrote:
> Hi,
> Microsoft offers a third way to send a password in a SOAP request, "SENDNONE", that actually doesn't send the password at all...
> This is a valid choice if you are also signing the request.
> 
> The idea behind this scenario is:
> 
> if I'm signing the request with a key generated using the password and other data on the client, I don't need to send the password with the message because the server has the shared secret and so can control the signature using it... if the signature is valid, the password is valid too.
> 
> It would be very simple to implement this in wss4j because, actually, the only step required at the client side is to remove the password tag from the request...
> 
> on the server side, instead, we would have to skip the password check, relying on the signature verification because it would tell us also if the password used is the right one.
> 
> bye

