[ https://issues.apache.org/jira/browse/WSS-68?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12603052#action_12603052 ]
Sérgio Patrício commented on WSS-68:
------------------------------------
I confused the UsernameToken derived key and the secret key.
When using a derived key, the password is not attached.
The UsernameTokenSignedAction uses a secret key from the UsernameToken and
not a derived key.
But in this case the password is attached; isn't this wrong? It seems to me
that this way all the required elements to create the secret key
(password+nonce+created) go in the SOAP message and then the signature can be
easily faked.
> No way to create a UsernameToken with absent <Password> element
> ---------------------------------------------------------------
>
> Key: WSS-68
> URL: https://issues.apache.org/jira/browse/WSS-68
> Project: WSS4J
> Issue Type: Bug
> Reporter: George Stanchev
> Fix For: 1.5.4
>
> Attachments: UsernameToken.java, wss4j-1.5.3.patch,
> WSSecUsernameToken.java
>
>
> We should be able to create UsernameTokens without <Password> in them if
> needed. Password is an optional element.
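Added example, not part of the original message and not WSS4J code: taking the comment's description of the key inputs (password + nonce + created) as given, this check parses a SOAP envelope and reports whether a UsernameToken exposes all of them to anyone who can read the message. The function names, the unqualified Envelope element and all sample values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT, PASSWORD_DIGEST = PROFILE + "#PasswordText", PROFILE + "#PasswordDigest"


def audit_username_tokens(envelope_xml):
    """Report, per wsse:UsernameToken, which key inputs named in the comment
    (password, nonce, created) are readable in the message itself."""
    findings = []
    root = ET.fromstring(envelope_xml)  # constructed input; use a hardened parser for untrusted XML
    for token in root.iter(f"{{{WSSE}}}UsernameToken"):
        password = token.find(f"{{{WSSE}}}Password")
        nonce = token.find(f"{{{WSSE}}}Nonce")
        created = token.find(f"{{{WSU}}}Created")
        # The UsernameToken profile treats a missing Type attribute as PasswordText.
        cleartext = password is not None and password.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT
        findings.append({
            "username": token.findtext(f"{{{WSSE}}}Username"),
            "password_element": password is not None,
            "cleartext_password": cleartext,
            "nonce": nonce is not None,
            "created": created is not None,
            # True when any reader of the message holds every key input.
            "key_inputs_all_in_message": cleartext and nonce is not None and created is not None,
        })
    return findings


def sample_envelope(password_xml):
    """Constructed sample: a wsse:Security header carrying one UsernameToken."""
    return (
        f'<Envelope xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><Header><wsse:Security>'
        "<wsse:UsernameToken><wsse:Username>alice</wsse:Username>" + password_xml +
        "<wsse:Nonce>Y29uc3RydWN0ZWQ=</wsse:Nonce><wsu:Created>2008-06-06T12:00:00Z</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></Header><Body/></Envelope>"
    )


SAMPLES = {  # constructed values, not taken from the issue
    "cleartext": sample_envelope(f'<wsse:Password Type="{PASSWORD_TEXT}">constructed-pw</wsse:Password>'),
    "digest": sample_envelope(f'<wsse:Password Type="{PASSWORD_DIGEST}">Y29uc3RydWN0ZWQ=</wsse:Password>'),
    "absent": sample_envelope(""),  # the WSS-68 case: no <Password> element at all
}

if __name__ == "__main__":
    for name, envelope in SAMPLES.items():
        print(name, audit_username_tokens(envelope))
```

Only the cleartext sample is flagged; with a digest or an absent Password element the password itself is not readable from the message.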