Hello, I have a similar request for interoperability with other software like WebSphere, but also to be able to implement the WS-I BSP 1.0 sample application (see this doc, paragraph 3.3: http://www.ws-i.org/SampleApplications/SupplyChainManagement/2006-04/SCMSecurityArchitectureWGD5.00.doc). This is also a use case for WS-SecurityPolicy.
There is already a bug (WSS-68) filed for this, but without reaction. And I am ready to develop a patch if there is any interest. Note that the UsernameToken class foresees the possibility and the bug is in the issue system.

Marc

On Fri, 2007-08-31 at 10:22 +0200, [EMAIL PROTECTED] wrote:
> Hi,
> Microsoft offers a third way to send a password in a SOAP request, "SENDNONE",
> that actually doesn't send the password at all...
> This is a valid choice if you are also signing the request.
>
> The idea behind this scenario is:
>
> if I'm signing the request with a key generated using the password and other
> data on the client, I don't need to send the password with the message
> because the server has the shared secret and so can control the signature
> using it... if the signature is valid, the password is valid too.
>
> It would be very simple to implement this in wss4j because, actually, the
> only step required at the client side is to remove the password tag from the
> request...
>
> on the server side instead we would have to skip the password check, because
> the signature verification would also tell us if the password used is the
> right one.
>
> bye
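The scenario discussed in this thread, as an added example that is not wss4j code and is not from either poster: the client signs with a key derived from the password and sends no password, and the server re-derives the key from its stored secret and checks the signature. The class name, the PBKDF2/HMAC-SHA256 derivation, the iteration count and the sample user are assumptions; the thread only says the key is generated from "the password and other data".

```java
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;

public class SendNoneSketch { // hypothetical name, not a wss4j class
    // Assumed derivation: PBKDF2 over the password with a per-message salt ("other data").
    static byte[] deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Signature covers username, salt and body, so none of them can be swapped unnoticed.
    static byte[] sign(byte[] key, String user, byte[] salt, String body) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(user.getBytes(StandardCharsets.UTF_8));
        mac.update((byte) 0); // separator between the variable-length name and the salt
        mac.update(salt);
        return mac.doFinal(body.getBytes(StandardCharsets.UTF_8));
    }

    // Server side: no password arrives. The stored secret must be usable for derivation,
    // so a one-way password hash in the user store is not enough for this scheme.
    static boolean verify(Map<String, char[]> store, String user, byte[] salt, String body, byte[] sig)
            throws GeneralSecurityException {
        char[] password = store.get(user);
        if (password == null) return false; // unknown user: reject, never skip the check
        byte[] expected = sign(deriveKey(password, salt), user, salt, body);
        return MessageDigest.isEqual(expected, sig); // constant-time comparison
    }

    public static void main(String[] args) throws GeneralSecurityException {
        Map<String, char[]> store = Map.of("alice", "s3cret".toCharArray()); // constructed sample data
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        String body = "<order id=\"42\"/>"; // constructed sample payload
        byte[] good = sign(deriveKey("s3cret".toCharArray(), salt), "alice", salt, body);
        byte[] wrong = sign(deriveKey("guess".toCharArray(), salt), "alice", salt, body);
        System.out.println("right password:  " + verify(store, "alice", salt, body, good));
        System.out.println("wrong password:  " + verify(store, "alice", salt, body, wrong));
        System.out.println("tampered body:   " + verify(store, "alice", salt, body + " ", good));
        System.out.println("unknown user:    " + verify(store, "bob", salt, body, good));
    }
}
```

Skipping the password check is only safe when the signature check is mandatory on the same code path: a receiver that accepts a password-less token without a verified signature has no authentication left.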
