Also, usernames and passwords are inherently weak, and do not provide
nearly the same level of authentication as a digital signature. If
you are anything like me, you have 1 password for n accounts, which
kind of defeats the idea of a "shared secret".
-Fred
On Jun 23, 2008, at 6:23 AM, Robert Wierschke wrote:
Hi,
when you additionally sign the SOAP message the recipient can be
sure that the message was not altered in transit. This cannot be
achieved with just adding a UsernameToken.
regards
robert
2008/6/23 Glen Mazza <[EMAIL PROTECTED]>:
Hello, I have an architectural question about using UsernameTokens (which I'm trying to do with CXF, which of course uses WSS4J behind the scenes). If we are using the UsernameToken profile, I can see why we need to encrypt the message with the server's public key (for confidentiality), but am unsure if we need to also sign the message with the client's private key. Is it redundant with the UsernameToken profile to also sign the SOAP request? My first guess is that, by definition, one is using usernames and passwords for authentication, and hence would not need signing of the message as well, but am unsure here.
Thanks,
Glen
--
View this message in context:
http://www.nabble.com/Using-UsernameTokens--also-need-to-sign-the-SOAP-message--tp18059742p18059742.html
Sent from the WSS4J mailing list archive at Nabble.com.
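Robert's point above (a UsernameToken authenticates the sender but says nothing about the Body), shown as an added example that is not part of this thread or of WSS4J. It builds a UsernameToken with a PasswordDigest as defined in the WSS UsernameToken Profile 1.0, Base64(SHA-1(nonce + created + password)), and then stands in for an XML-Signature over the SOAP Body with an HMAC-SHA256 (a constructed symmetric key replaces the client's private key, and the constructed password and message are illustrative only):

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

PASSWORD = "correct horse battery staple"          # constructed shared secret
SIGNING_KEY = b"constructed-demo-key-not-a-real-one"  # constructed stand-in for the client's signing key


def username_token(username, password, nonce=None, created=None):
    """UsernameToken with PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {"username": username, "nonce": base64.b64encode(nonce).decode(),
            "created": created, "digest": base64.b64encode(digest).decode()}


def verify_username_token(token, password):
    """Recompute the digest from the token's own nonce and created values; note the Body never enters."""
    raw = base64.b64decode(token["nonce"]) + token["created"].encode() + password.encode()
    expected = base64.b64encode(hashlib.sha1(raw).digest()).decode()
    return hmac.compare_digest(expected, token["digest"])


def sign_body(body, key):
    """Stand-in for a signature over the SOAP Body (HMAC-SHA256 instead of XML-DSig)."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify_body(body, signature, key):
    return hmac.compare_digest(sign_body(body, key), signature)


def tamper_demo():
    """Alter the Body in transit and check which header check still passes."""
    body = "<Transfer><to>acct-100</to><amount>10</amount></Transfer>"   # constructed message
    token = username_token("glen", PASSWORD)
    sig = sign_body(body, SIGNING_KEY)
    altered = body.replace("<amount>10</amount>", "<amount>10000</amount>")
    return {
        "token_ok_after_tamper": verify_username_token(token, PASSWORD),     # True: token is Body-independent
        "signature_ok_original": verify_body(body, sig, SIGNING_KEY),       # True
        "signature_ok_after_tamper": verify_body(altered, sig, SIGNING_KEY),  # False: alteration detected
    }
```

The token still verifies after the Body is changed, which is exactly why a UsernameToken alone gives authentication but not integrity.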