Hi Fred,

That is. It's not derived. It's simply a shared secret. It's a key generated randomly and shared between the client and the service.

2008/12/16 Fred Dushin <[email protected]>

> I don't think it necessarily needs to be derived -- it could just be a
> shared secret.
>
> Seems a worthwhile enhancement.
>
> - Fat fingered from my mobile -
>
> On Dec 16, 2008, at 10:35 AM, "Colm O hEigeartaigh" <[email protected]> wrote:
>
> Hi Benito,
>
> WSS4J only supports signing using HMAC in a limited set of circumstances,
> for example signing using a key derived from a UsernameToken. The
> implementation looks pretty limited though. What are your exact
> requirements? How will your symmetric key be derived?
>
> Colm.
>
> ------------------------------
>
> *From:* Benito Ríos [mailto:[email protected]]
> *Sent:* 16 December 2008 09:49
> *To:* [email protected]
> *Subject:* Symmetric key signature
>
> Hi,
>
> I'd like to know if WSS4J provides symmetric key signatures.
>
> I need to develop a web service client in Java which has to sign messages
> with a symmetric key, using the algorithm HMAC-SHA1
> (http://www.w3.org/2000/09/xmldsig#hmac-sha1). The client also has to
> validate signed messages received from the server, which uses the same
> symmetric key. This is imposed by the service and there is no choice.
>
> For example, I have seen that Sun's XWS Security framework doesn't provide
> signing, but it does provide validating the signature with symmetric keys.
>
> Does WSS4J provide both signing and validating?
>
> If yes, some guide about how to write WSS4J security xml configuration
> would be very appreciated. How to inform the symmetric key to the framework?
> I only have seen examples of how to inform keystores and certificates.
>
> Thank you very much.
