[
https://issues.apache.org/jira/browse/WSS-127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh resolved WSS-127.
-------------------------------------
Resolution: Fixed
There are now two different ways of using a derived key to sign a message,
without sending the password, as the old UT_SIGN functionality does, so I'm
closing this issue.
> No way of signing with UsernameToken without sending the password
> -----------------------------------------------------------------
>
> Key: WSS-127
> URL: https://issues.apache.org/jira/browse/WSS-127
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.4
> Reporter: Sérgio Patrício
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.5
>
> Attachments: ut_key_deriv.xml, wss4j_wss127.patch
>
>
> When signing a message using a UsernameToken should be possible to don't send
> the password.
> For example in the UsernameTokenSignedAction is used a secret key from
> UsernameToken.
> When building the security header the password goes on the UsernameToken,
> this way all the required elements to create the secret key
> (password+nonce+created) go in the soap message and then the signature can be
> easily faked.
> My suggestion is that in the following example code when setting the password
> type to null be allowed to set the password (currently has to be null)
> WSSecUsernameToken builder = new WSSecUsernameToken();
> builder.setUserInfo("user", "password");
> builder.setPasswordType(null);
> builder.build(doc, secHeader);
> Some additional coments on this are on JIRA WSS-68
> Note: I started working with WSS4J just a few weeks ago, sorry if something
> in the JIRA is wrong.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
