ws-wss4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] Commented: (WSS-68) No way to create a UsernameToken with absent <Password> element
Date Thu, 05 Jun 2008 10:29:44 GMT

    [ https://issues.apache.org/jira/browse/WSS-68?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12602608#action_12602608
] 

Colm O hEigeartaigh commented on WSS-68:
----------------------------------------


Yes, you must have a password when deriving a secret key from a Username Token to sign a message.
Take a look at:

TestWSSecurityUTDK#testDerivedKeySignature.

The correct way to use a Username Token for key derivation is something like:

WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setUserInfo("bob", "security");
builder.addDerivedKey(true, null, 1000);
builder.prepare(doc);

In this case, the password is used to derive a key, but the password itself is not attached
to the Username Token.

> No way to create a UsernameToken with absent <Password> element
> ---------------------------------------------------------------
>
>                 Key: WSS-68
>                 URL: https://issues.apache.org/jira/browse/WSS-68
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: George Stanchev
>             Fix For: 1.5.4
>
>         Attachments: UsernameToken.java, wss4j-1.5.3.patch, WSSecUsernameToken.java
>
>
> We should be able to create UsernameTokens without <Password> in them if needed.
Password is an optional element

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Mime
View raw message