Return-Path: 
 <wss4j-dev-return-3500-apmail-ws-wss4j-dev-archive=ws.apache.org@ws.apache.org>
Delivered-To: apmail-ws-wss4j-dev-archive@www.apache.org
Received: (qmail 70417 invoked from network); 5 Jun 2008 10:30:08 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 5 Jun 2008 10:30:08 -0000
Received: (qmail 78706 invoked by uid 500); 5 Jun 2008 10:30:10 -0000
Delivered-To: apmail-ws-wss4j-dev-archive@ws.apache.org
Received: (qmail 78659 invoked by uid 500); 5 Jun 2008 10:30:10 -0000
Mailing-List: contact wss4j-dev-help@ws.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:wss4j-dev-help@ws.apache.org>
List-Unsubscribe: <mailto:wss4j-dev-unsubscribe@ws.apache.org>
List-Post: <mailto:wss4j-dev@ws.apache.org>
List-Id: <wss4j-dev.ws.apache.org>
Delivered-To: mailing list wss4j-dev@ws.apache.org
Received: (qmail 78645 invoked by uid 99); 5 Jun 2008 10:30:10 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 05 Jun 2008 03:30:10 -0700
X-ASF-Spam-Status: No, hits=-2000.0 required=10.0
	tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.140] (HELO brutus.apache.org) (140.211.11.140)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 05 Jun 2008 10:29:23 +0000
Received: from brutus (localhost [127.0.0.1])
	by brutus.apache.org (Postfix) with ESMTP id F043F234C12E
	for <wss4j-dev@ws.apache.org>; Thu,  5 Jun 2008 03:29:44 -0700 (PDT)
Message-ID: <445318482.1212661784969.JavaMail.jira@brutus>
Date: Thu, 5 Jun 2008 03:29:44 -0700 (PDT)
From: "Colm O hEigeartaigh (JIRA)" <jira@apache.org>
To: wss4j-dev@ws.apache.org
Subject: [jira] Commented: (WSS-68) No way to create a UsernameToken with
 absent <Password> element
In-Reply-To: <16935535.1168644687513.JavaMail.jira@brutus>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org


    [ https://issues.apache.org/jira/browse/WSS-68?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12602608#action_12602608 ] 

Colm O hEigeartaigh commented on WSS-68:
----------------------------------------


Yes, you must have a password when deriving a secret key from a Username Token to sign a message. Take a look at:

TestWSSecurityUTDK#testDerivedKeySignature.

The correct way to use a Username Token for key derivation is something like:

WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setUserInfo("bob", "security");
builder.addDerivedKey(true, null, 1000);
builder.prepare(doc);

In this case, the password is used to derive a key, but the password itself is not attached to the Username Token.

> No way to create a UsernameToken with absent <Password> element
> ---------------------------------------------------------------
>
>                 Key: WSS-68
>                 URL: https://issues.apache.org/jira/browse/WSS-68
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: George Stanchev
>             Fix For: 1.5.4
>
>         Attachments: UsernameToken.java, wss4j-1.5.3.patch, WSSecUsernameToken.java
>
>
> We should be able to create UsernameTokens without <Password> in them if needed. Password is an optional element

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org