I don't think it necessarily needs to be derived -- it could just be a
shared secret.
Seems a worrhwile enhancement.
- Fat fingered from my mobile -
On Dec 16, 2008, at 10:35 AM, "Colm O hEigeartaigh" <[email protected]
> wrote:
Hi Benito,
WSS4J only supports signing using HMAC in a limited set of
circumstances, for example signing using a key derived from a
UsernameToken. The implementation looks pretty limited though. What
are your exact requirements? How will your symmetric key be derived?
Colm.
From: Benito Ríos [mailto:[email protected]]
Sent: 16 December 2008 09:49
To: [email protected]
Subject: Symmetric key signature
Hi,
I'd like to know if WSS4J provides symmetric key signatures.
I need to develop a web service client in java which has to sign
messages with a symmetric key, using the algoritm HMAC-SHA1 (http://www.w3.org/2000/09/xmldsig#hmac-sha1
). The client also has also to validate signed messages received
from server which uses the same symmetric key. This is imposed by
the service and there is no choice.
For example, I have seen that Sun's XWS Security framework doesn't
provide signing but yes validating de signature with symmetric keys.
Does WSS4J provide both signing and validating?
If yes, some guide about how to write WSS4J security xml
configuration would be very appreciated. How to inform the symmetric
key to the framework? I only have seen examples of how to inform
keystores and certificates.
Thank you very much.
