No way of signing with UsernameToken without sending the password
-----------------------------------------------------------------
Key: WSS-127
URL: https://issues.apache.org/jira/browse/WSS-127
Project: WSS4J
Issue Type: Bug
Reporter: Sérgio Patrício
Assignee: Ruchith Udayanga Fernando
When signing a message using a UsernameToken it should be possible not to send
the password.
For example, in the UsernameTokenSignedAction a secret key derived from the
UsernameToken is used.
When building the security header the password goes into the UsernameToken; this
way all the elements required to create the secret key (password+nonce+created)
go in the SOAP message and then the signature can be easily faked.
My suggestion is that in the following example code, when setting the password
type to null, it be allowed to set the password (currently it has to be null).
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecUsernameToken;
// doc is the SOAP envelope (org.w3c.dom.Document); secHeader is a WSSecHeader
// that has already been inserted into doc
WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setUserInfo("user", "password");
builder.setPasswordType(null); // no wsse:Password element in the token
builder.build(doc, secHeader);
Some additional comments on this are on JIRA WSS-68.
Note: I started working with WSS4J just a few weeks ago, sorry if something in
the JIRA is wrong.
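The derivation the issue describes, as an added illustration that is not WSS4J code: the key is taken to be P_SHA1(password, "WS-Security" + nonce + created) as in the UsernameToken Profile 1.1 (an assumption; the issue only says password+nonce+created), the receiver derives it from its own password store, and a check flags tokens that carry every derivation input on the wire. Sample nonce, timestamp and body are constructed.

```python
import base64
import hashlib
import hmac

LABEL = b"WS-Security"  # default label from the UsernameToken Profile 1.1 (assumed)
# Constructed sample values, not taken from the issue
SAMPLE_NONCE = base64.b64encode(b"0123456789abcdef").decode("ascii")
SAMPLE_CREATED = "2008-07-01T12:00:00.000Z"
SAMPLE_BODY = b"<soap:Body>hello</soap:Body>"

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 expansion: A(i) = HMAC(secret, A(i-1)), out += HMAC(secret, A(i) + seed)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

def derive_key(password: str, nonce_b64: str, created: str, key_len: int = 16) -> bytes:
    """Signing key built from password + nonce + created, the inputs named in the issue."""
    seed = LABEL + base64.b64decode(nonce_b64) + created.encode("utf-8")
    return p_sha1(password.encode("utf-8"), seed, key_len)

def build_signed_message(user, password, nonce_b64, created, body, send_password):
    """Sender side: UsernameToken plus an HMAC over the body with the derived key."""
    token = {"Username": user, "Nonce": nonce_b64, "Created": created}
    if send_password:
        token["Password"] = password  # the behaviour the issue wants to avoid
    sig = hmac.new(derive_key(password, nonce_b64, created), body, hashlib.sha1).hexdigest()
    return {"UsernameToken": token, "Signature": sig, "Body": body}

def server_verify(msg, password_store):
    """Receiver side: the key comes from the stored password, never from the message."""
    t = msg["UsernameToken"]
    key = derive_key(password_store[t["Username"]], t["Nonce"], t["Created"])
    expected = hmac.new(key, msg["Body"], hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, msg["Signature"])

def signing_material_on_wire(msg) -> bool:
    """True when the message alone carries every input of the key derivation."""
    t = msg["UsernameToken"]
    return all(k in t for k in ("Password", "Nonce", "Created"))
```

A message that passes `server_verify` but also trips `signing_material_on_wire` is one whose signing key any reader of the message can recompute; omitting the password element keeps the signature verifiable while removing that input from the wire.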
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.