[
https://issues.apache.org/jira/browse/WSS-127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh updated WSS-127:
------------------------------------
Attachment: ut_key_deriv.xml
A sample output of a SOAP request created using the attached patch.
> No way of signing with UsernameToken without sending the password
> -----------------------------------------------------------------
>
> Key: WSS-127
> URL: https://issues.apache.org/jira/browse/WSS-127
> Project: WSS4J
> Issue Type: Bug
> Reporter: Sérgio Patrício
> Assignee: Ruchith Udayanga Fernando
> Attachments: ut_key_deriv.xml, wss4j_wss127.patch
>
>
> When signing a message using a UsernameToken should be possible to don't send
> the password.
> For example in the UsernameTokenSignedAction is used a secret key from
> UsernameToken.
> When building the security header the password goes on the UsernameToken,
> this way all the required elements to create the secret key
> (password+nonce+created) go in the soap message and then the signature can be
> easily faked.
> My suggestion is that in the following example code when setting the password
> type to null be allowed to set the password (currently has to be null)
> WSSecUsernameToken builder = new WSSecUsernameToken();
> builder.setUserInfo("user", "password");
> builder.setPasswordType(null);
> builder.build(doc, secHeader);
> Some additional coments on this are on JIRA WSS-68
> Note: I started working with WSS4J just a few weeks ago, sorry if something
> in the JIRA is wrong.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
