Allow digested password when using SIGN_WITH_UT_KEY
---------------------------------------------------

                 Key: WSS-49
                 URL: http://issues.apache.org/jira/browse/WSS-49
             Project: WSS4J
          Issue Type: Improvement
         Environment: Java client vs .NET WSE 2.0 SP3 server
            Reporter: Nelis Bijl
         Assigned To: Davanum Srinivas


Signing with UsernameToken (.NET feature supported through the SIGN_WITH_UT_KEY 
flag) hardcodes the password to be 'plain text'.

org.apache.ws.security.action.UsernameTokenSignedAction.java :

...
        WSSecUsernameToken builder = new WSSecUsernameToken();
        builder.setWsConfig(reqData.getWssConfig());
        /* proposal: allow digested passwords when using UsernameToken signing
         * 
         * replace:
         * 
         * builder.setPasswordType(WSConstants.PASSWORD_TEXT);
         * 
         * with:
         */
        builder.setPasswordType(reqData.getPwType());
        builder.setUserInfo(reqData.getUsername(), password);
        builder.addCreated();
...

In case of a digested password, however, the signing is not recognized as valid 
by .NET WSE 2.0. This is caused by the fact that 
'org.apache.ws.security.message.token.UsernameToken.getSecretKey(int keylen, 
String labelString)' uses the digested password for hashing, whereas the 'plain 
text' password should be used to satisfy .NET.

    public byte[] getSecretKey(int keylen, String labelString) {
        byte[] key = null;
        try {
            Mac mac = Mac.getInstance("HMACSHA1");
            /* proposal: use 'plain text' password for hashing
             * 
             * replace:
             *  
             * byte[] password = getPassword().getBytes("UTF-8");
             * 
             * with:
             */
            byte[] password = plainTextPwd.getBytes("UTF-8");
...

where plainTextPwd is a private String member that is set in 'setPassword'.

These changes work for me. However, I cannot oversee the full impact. I hope 
this feature will be implemented because customers won't like needing 
customized JARs to call our webservice.
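The mismatch described in the report, modelled as an added example (not code from the issue or from WSS4J): the token carries the PasswordDigest (Base64(SHA-1(nonce + created + password)) per the UsernameToken Profile), and the signing key is a P_SHA1 expansion keyed with the password bytes over label + nonce + created, which is how WSS4J's P_hash works. The label value, nonce, created timestamp, password and key length are constructed sample values; the .NET side is assumed to derive its key from the plain-text password only.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not taken from the issue report.
PLAIN_PASSWORD = "s3cret"
NONCE = b"0123456789abcdef"          # a real token uses random nonce bytes
CREATED = "2006-02-01T12:00:00Z"
LABEL = "WS-Security"                # assumed derivation label string
KEYLEN = 16


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest as put into the UsernameToken: Base64(SHA-1(nonce + created + password))."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(h).decode("ascii")


def p_sha1(secret: bytes, seed: bytes, keylen: int) -> bytes:
    """P_SHA1 expansion: A(i) = HMAC(secret, A(i-1)); out += HMAC(secret, A(i) + seed)."""
    out, a = b"", seed
    while len(out) < keylen:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:keylen]


def derive_token_key(password_for_hashing: str, nonce: bytes, created: str) -> bytes:
    """Key for SIGN_WITH_UT_KEY: the password string used here is what the report is about."""
    seed = LABEL.encode("utf-8") + nonce + created.encode("utf-8")
    return p_sha1(password_for_hashing.encode("utf-8"), seed, KEYLEN)


def sign_with_ut_key(password_for_hashing: str, body: bytes, nonce: bytes, created: str) -> bytes:
    """Client side: HMAC-SHA1 over the signed content with the derived token key."""
    return hmac.new(derive_token_key(password_for_hashing, nonce, created), body, hashlib.sha1).digest()


def verifier_accepts(signature: bytes, body: bytes, nonce: bytes, created: str) -> bool:
    """Server side (assumed .NET WSE behaviour): it only ever keys P_SHA1 with the plain-text password."""
    expected = hmac.new(derive_token_key(PLAIN_PASSWORD, nonce, created), body, hashlib.sha1).digest()
    return hmac.compare_digest(expected, signature)


def compare_before_and_after(body: bytes = b"<soap:Body>order</soap:Body>") -> tuple:
    """Returns (accepted when keyed with the digest string, accepted when keyed with the plain text)."""
    digest = password_digest(NONCE, CREATED, PLAIN_PASSWORD)
    # Before the proposed change: getPassword() returns the digest, so the key is derived from it.
    before = verifier_accepts(sign_with_ut_key(digest, body, NONCE, CREATED), body, NONCE, CREATED)
    # After: plainTextPwd is used for key derivation while the token still carries the digest.
    after = verifier_accepts(sign_with_ut_key(PLAIN_PASSWORD, body, NONCE, CREATED), body, NONCE, CREATED)
    return before, after
```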
