cxf-users mailing list archives

From Glen Mazza <glen.ma...@gmail.com>
Subject RE: CXF support for wsse:Nonce (client side)
Date Mon, 21 Jul 2008 14:12:18 GMT

As I understand the reason why a nonce is used for Password Digest but not
Password Text (Metro's password text doesn't do the nonce either), is that
the nonce, along with the password and the create timestamp, is jumbled
together when calculating the digest.  It's called a "Password Digest" but
it's really a "Password/Timestamp/Nonce" digest.  Adding the nonce and
timestamp to the digest helps to guard against replay attacks (an
intermediary strips out the SOAP header and reuses it in its encrypted form
for his own SOAP calls.)

Glen


O hEigeartaigh, Colm wrote:
> 
> 
> Not by default, but it can be configured to do so e.g.
> 
> http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#ADD_UT_ELEMENTS
> 
> Colm.
> 
> -----Original Message-----
> From: Maciej Kwiecien [mailto:maciej.kwiecien@gmail.com] 
> Sent: 21 July 2008 14:01
> To: users@cxf.apache.org
> Subject: Re: CXF support for wsse:Nonce (client side)
> 
> Thanks Colm for information.
> 
> I'd like to check one more thing: Does CXF generate nonces when PasswordText
> is used instead of Password digest?
> 
> Regards,
> Maciej
> 
> On Mon, Jul 21, 2008 at 1:12 PM, O hEigeartaigh, Colm <
> Colm.OhEigeartaigh@iona.com> wrote:
> 
>>
>> On the client side, a nonce is automatically created and inserted into
>> the Username Token when password digest is used. CXF currently has no
>> support on the server side for caching/processing nonces.
>>
>> Colm.
>>
>> -----Original Message-----
>> From: Maciej Kwiecien [mailto:maciej.kwiecien@gmail.com]
>> Sent: 21 July 2008 12:09
>> To: users@cxf.apache.org
>> Subject: CXF support for wsse:Nonce (client side)
>>
>> Hello All,
>>
>> I am working on a client that is supposed to invoke a web service requiring
>> UserNameToken authentication and wsse:Nonce.
>> Please let me know if CXF framework provides support for that feature.
>>
>> I am a little confused because I found information on the CXF project site
>> that it is not supported by CXF 2.0
>> http://cwiki.apache.org/confluence/display/CXF20DOC/WS-Security
>>
>> but on the other hand there is a tutorial available:
>> http://www.jroller.com/gmazza/entry/using_cxf_and_wss4j_to
>>
>> where wsse:Nonce is present in the request header content...
>>
>> Any clarification would be appreciated.
>>
>> Regards,
>> Maciej
>>
>> ----------------------------
>> IONA Technologies PLC (registered in Ireland)
>> Registered Number: 171387
>> Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
>>
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/CXF-support-for-wsse%3ANonce-%28client-side%29-tp18566449p18569456.html
Sent from the cxf-user mailing list archive at Nabble.com.

