Werner,

Perhaps I'm going about all this wrong.  What I really
wanted was assurance that the message originator is
as claimed and the token was not tampered with.

I thought that signing and encrypting the username
token was a convenient means to do this, but... I was
confused on the sequence and semantics of this
operation.

I should perhaps still use the username token to sign
an element, but sign something other than username
token itself.

Furthermore, this element that I sign should reside in
the SOAP body?

This way I still have assurance that the token was not
tampered with, and the originator is as claimed, but I
avoid the consequences of a chicken & egg scenario.

Am I starting to track right here?  ( finally )

--- Werner Dittmann <[EMAIL PROTECTED]>
wrote:

> Shawn,
> 
> this is the way (the sequence) the WSS4J handler for
> Axis is performing.  Not anything you have to deal with.
> 
> The problem is some sort of a chicken and egg problem:
> - first we use the UsernameToken to perform the Signature
>   based on the UsernameToken
> - but the UsernameToken must be inserted into the request
>   _after_ the Signature processing.
> 
> Thus the WSS4J handler creates a half-baked UsernameToken,
> uses this to perform the Signature, then finishes the
> UsernameToken and inserts it into the request.
> 
> If you really need to sign the UsernameToken with itself we
> have to solve this chicken/egg problem in some other way.
> 
> Regards,
> Werner
> 
> Shawn McKinney schrieb:
> > Werner, still confused -
> > 
> > 
> >>- first create the UsernameToken as internal DOM element with all
> > 
> > 
> > Do I do this with my own custom handler?  A handler
> > that must fire before the DoAllSender?
> > 
> > 
> >>internal DOM element with all necessary data. 
> > 
> > - username
> > - password
> > - timestamp
> > - etc
> > 
> > Then do I configure the DoAllSender like this:
> >   <globalConfiguration>
> >     <requestFlow>
> >       <handler type="java:my.new.custom.username.token.handler"/>
> >       <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
> >         <parameter name="action" value="UsernameTokenSignature Encrypt"/>
> >         <parameter name="passwordCallbackClass"
> >                    value="com.fnf.xes.framework.axis.security.client.PWClientCallback"/>
> >         <parameter name="passwordType" value="PasswordText"/>
> >         <parameter name="addUTElements" value="Nonce Created"/>
> >         <parameter name="encryptionPropFile" value="crypto.client.properties"/>
> >         <parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier"/>
> >         <parameter name="encryptionUser" value="xespublickey"/>
> >         <parameter name="encryptionParts"
> >                    value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken"/>
> >       </handler>
> >       <handler type="soapmonitor"/>
> >     </requestFlow>
> >     <responseFlow>
> >       <handler type="soapmonitor"/>
> >     </responseFlow>
> >   </globalConfiguration>
> > 
> > 
> > Then, my server-side will work the way I had it
> > originally configured, because then DoAllReceiver
> > handler has everything it needs to complete the
> > signature and encryption processing. ???
> > 
> > Thanks Werner, this is helping a great deal!
> > 
> > 
> > 
> 
> 
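The ordering Shawn is proposing (fix the UsernameToken's contents first, derive the key from it, sign the SOAP body rather than the token, then insert the token) can be seen in a small model.  The following is an added example written for this page, not code from the thread and not WSS4J's own code: the key derivation (HMAC-SHA1 keyed with the password over nonce || created), the plain-string stand-in for the canonicalized body, the HMAC-SHA256 signature, the `PASSWORDS` table and the function names are all assumptions made for the illustration; real WS-Security uses XML-Signature with C14N.  What it shows is that the token does not have to be a signed part to be tamper-evident, because any change to username, nonce or created changes the key the receiver derives.

```python
"""Simplified model of signing a SOAP body with a key derived from a
UsernameToken.  Added illustration, NOT WSS4J code.  Key derivation, the
"canonical" string form, the signature algorithm and the password table
are assumptions made for the example."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed shared secrets: the client knows its own password, the server
# looks the password up by the username carried in the token (this is the
# role the password callback plays in WSS4J).
PASSWORDS = {"shawn": "s3cret-password", "mallory": "other-password"}


def make_username_token(username, nonce=None, created=None):
    """Step 1: fix the token's contents (username, nonce, created) up front.
    Nothing here depends on the signature, so there is no circularity."""
    if nonce is None:
        nonce = secrets.token_bytes(16)
    if created is None:
        created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"username": username, "nonce": nonce, "created": created}


def derive_key(password, token):
    """Step 2: derive the signing key from password + nonce + created.
    Assumed derivation for the example (not WSS4J's): HMAC-SHA1."""
    seed = token["nonce"] + token["created"].encode("utf-8")
    return hmac.new(password.encode("utf-8"), seed, hashlib.sha1).digest()


def signed_data(body):
    """What the signature covers: a stand-in for the canonicalized SOAP body.
    The UsernameToken itself is deliberately NOT a signed part."""
    return body.encode("utf-8")


def sign(body, token, password):
    """Step 3: sign the body, then attach token + signature to the message.
    Step 4 (inserting the finished token) is the dict assembly here."""
    key = derive_key(password, token)
    sig = hmac.new(key, signed_data(body), hashlib.sha256).digest()
    return {"body": body, "token": token, "signature": sig}


def verify(msg, passwords=PASSWORDS):
    """Receiver side: rebuild the key from the token as received and check.
    Any change to username, nonce or created alters the derived key, so the
    token is bound to the signature even though it is not a signed part."""
    token = msg["token"]
    password = passwords.get(token["username"])
    if password is None:
        return False
    key = derive_key(password, token)
    expected = hmac.new(key, signed_data(msg["body"]), hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["signature"])


def demo():
    """Sign one constructed request and try three tampered copies.
    Returns (genuine_ok, body_tampered_ok, nonce_tampered_ok, user_tampered_ok)."""
    token = make_username_token("shawn", nonce=b"\x01" * 16,
                                created="2005-03-01T12:00:00Z")
    body = "<getBalance><account>42</account></getBalance>"
    msg = sign(body, token, PASSWORDS["shawn"])
    body_tampered = dict(msg, body=body.replace("42", "43"))
    nonce_tampered = dict(msg, token=dict(token, nonce=b"\x02" * 16))
    # "mallory" is a valid user, but her password yields a different key.
    user_tampered = dict(msg, token=dict(token, username="mallory"))
    return (verify(msg), verify(body_tampered),
            verify(nonce_tampered), verify(user_tampered))


if __name__ == "__main__":
    print(demo())
```

Two caveats the model leaves out, which a receiver built this way still needs: the server must check that `created` is recent and must cache seen nonces for that window, otherwise a captured request can be replayed intact; and because the key is derived from the password, the server must be able to recover the password (or an equivalent) for the lookup, so the password store is as sensitive as a signing key.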
