As I understand it, the reason why a nonce is used for Password Digest but not Password Text (Metro's password text doesn't do the nonce either) is that the nonce, along with the password and the create timestamp, is jumbled together when calculating the digest. It's called a "Password Digest" but it's really a "Password/Timestamp/Nonce" digest. Adding the nonce and timestamp to the digest helps to guard against replay attacks (an intermediary strips out the SOAP header and reuses it in its encrypted form for his own SOAP calls).
Glen

O hEigeartaigh, Colm wrote:
>
> Not by default, but it can be configured to do so e.g.
>
> http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#ADD_UT_ELEMENTS
>
> Colm.
>
> -----Original Message-----
> From: Maciej Kwiecien [mailto:[EMAIL PROTECTED]
> Sent: 21 July 2008 14:01
> To: [email protected]
> Subject: Re: CXF support for wsse:Nonce (client side)
>
> Thanks Colm for information.
>
> I'd like to check one more thing: Does CXF generate nonces when PasswordText
> is used instead of Password digest?
>
> Regards,
> Maciej
>
> On Mon, Jul 21, 2008 at 1:12 PM, O hEigeartaigh, Colm <[EMAIL PROTECTED]> wrote:
>
>> On the client side, a nonce is automatically created and inserted into
>> the Username Token when password digest is used. CXF currently has no
>> support on the server side for caching/processing nonces.
>>
>> Colm.
>>
>> -----Original Message-----
>> From: Maciej Kwiecien [mailto:[EMAIL PROTECTED]
>> Sent: 21 July 2008 12:09
>> To: [email protected]
>> Subject: CXF support for wsse:Nonce (client side)
>>
>> Hello All,
>>
>> I am working on client who is supposed to invoke web service requiring
>> UserNameToken authentication and wsse:Nonce.
>> Please let me know if CXF framework provides support for that feature.
>>
>> I am little confused because I found on CXF project site information that it
>> is not supported by CXF 2.0
>> http://cwiki.apache.org/confluence/display/CXF20DOC/WS-Security
>>
>> but on the other hand there is tutorial available:
>> http://www.jroller.com/gmazza/entry/using_cxf_and_wss4j_to
>>
>> where wsse:Nonce is present in request header content...
>>
>> Any clarification would be appreciated.
>>
>> Regards,
>> Maciej
>>
>> ----------------------------
>> IONA Technologies PLC (registered in Ireland)
>> Registered Number: 171387
>> Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland

--
View this message in context: http://www.nabble.com/CXF-support-for-wsse%3ANonce-%28client-side%29-tp18566449p18569456.html
Sent from the cxf-user mailing list archive at Nabble.com.
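
The digest and the receiver-side nonce/timestamp checks discussed in this thread, as an added example that is not part of the original messages and is not CXF or WSS4J code. The digest follows the OASIS UsernameToken Profile formula Base64(SHA-1(nonce + created + password)); the `Receiver` class, the five-minute window and the sample credentials are assumptions made for illustration.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(minutes=5)  # assumed acceptance window, not from the thread
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), nonce as raw (decoded) bytes."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def make_token(username: str, password: str, now: datetime) -> dict:
    """Sender side: a fresh random nonce and timestamp for every request."""
    nonce, created = os.urandom(16), now.strftime(TS_FORMAT)
    return {"Username": username, "Created": created,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Password": password_digest(nonce, created, password)}

class Receiver:
    """Hypothetical receiver: checks freshness, nonce reuse, then the digest."""
    def __init__(self, passwords: dict):
        self.passwords = passwords   # username -> shared password
        self.seen = {}               # (username, nonce) -> time the entry expires

    def verify(self, token: dict, now: datetime) -> str:
        created = datetime.strptime(token["Created"], TS_FORMAT).replace(tzinfo=timezone.utc)
        if abs(now - created) > FRESHNESS:
            return "stale"           # old capture: rejected without consulting the cache
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        key = (token["Username"], token["Nonce"])
        if key in self.seen:
            return "replay"          # same header presented twice inside the window
        password = self.passwords.get(token["Username"])
        if password is None:
            return "bad-credentials"
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["Password"]):
            return "bad-credentials"
        self.seen[key] = created + FRESHNESS   # cache only while the timestamp is acceptable
        return "ok"

if __name__ == "__main__":
    now = datetime(2008, 7, 21, 14, 0, tzinfo=timezone.utc)   # constructed sample values
    rx, tok = Receiver({"alice": "s3cret"}), make_token("alice", "s3cret", now)
    print(rx.verify(tok, now), rx.verify(tok, now + timedelta(seconds=30)),
          rx.verify(tok, now + timedelta(minutes=6)))
```

The timestamp bounds how long a nonce has to be remembered: once `Created` falls outside the window the token is rejected as stale, so the cache entry can be dropped.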
