[
https://issues.apache.org/jira/browse/WSS-127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh updated WSS-127:
------------------------------------
Attachment: wss4j_wss127.patch
This patch adds functionality to derive a secret key from a UsernameToken to
use with a HMAC, as detailed in the UsernameToken profile 1.1. This
functionality is only available programmatically, and not through WS-Handler.
See the test in test\wssec\TestWSSecurityUTDK for more details.
e.g. on the outbound side:
WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setUserInfo("bob", "security");
builder.addDerivedKey(true, null, 1000);
builder.prepare(doc);
byte[] derivedKey = builder.getDerivedKey();
WSSecSignature sign = new WSSecSignature();
sign.setSecretKey(derivedKey);
sign.setCustomTokenId(builder.getId());
sign.setCustomTokenValueType(WSConstants.USERNAMETOKEN_NS + "#UsernameToken");
sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
Document signedDoc = sign.build(doc, null, secHeader);
builder.prependToHeader(secHeader);
On the inbound side:
WSSConfig cfg = WSSConfig.getNewInstance();
cfg.setHandleCustomPasswordTypes(true);
secEngine.setWssConfig(cfg);
secEngine.processSecurityHeader(doc, null, this, null);
> No way of signing with UsernameToken without sending the password
> -----------------------------------------------------------------
>
> Key: WSS-127
> URL: https://issues.apache.org/jira/browse/WSS-127
> Project: WSS4J
> Issue Type: Bug
> Reporter: Sérgio Patrício
> Assignee: Ruchith Udayanga Fernando
> Attachments: ut_key_deriv.xml, wss4j_wss127.patch
>
>
> When signing a message using a UsernameToken should be possible to don't send
> the password.
> For example in the UsernameTokenSignedAction is used a secret key from
> UsernameToken.
> When building the security header the password goes on the UsernameToken,
> this way all the required elements to create the secret key
> (password+nonce+created) go in the soap message and then the signature can be
> easily faked.
> My suggestion is that in the following example code when setting the password
> type to null be allowed to set the password (currently has to be null)
> WSSecUsernameToken builder = new WSSecUsernameToken();
> builder.setUserInfo("user", "password");
> builder.setPasswordType(null);
> builder.build(doc, secHeader);
> Some additional coments on this are on JIRA WSS-68
> Note: I started working with WSS4J just a few weeks ago, sorry if something
> in the JIRA is wrong.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
