[jira] Commented: (WSS-239) Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data

[Colm O hEigeartaigh (JIRA)]

    [ 
https://issues.apache.org/jira/browse/WSS-239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12927459#action_12927459
 ] 

Colm O hEigeartaigh commented on WSS-239:
-----------------------------------------


Hi Patrick,

Apologies, I misunderstood the intent of your patch. I think your approach is 
the best way to go to solve this problem, for the reasons Jim outlined above. 
Please take a look at a revised patch that I prepared from your patch, with 
some minor alterations for consistency, and a WSHandlerConstants config value 
so that this feature can be added via configuration. If there are no 
objections, I will merge this patch to 1_5_x-fixes and trunk.

Colm.

> Need ability to handle password "equivalent" between WSPasswordCallback and 
> UsernameToken when it's binary data
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-239
>                 URL: https://issues.apache.org/jira/browse/WSS-239
>             Project: WSS4J
>          Issue Type: Improvement
>          Components: WSS4J Core
>    Affects Versions: 1.5.8
>            Reporter: Jim Utter
>            Assignee: Colm O hEigeartaigh
>         Attachments: WSS-239-1_5_x-fixes.patch, wss-239-revised.patch, 
> wss4j-1.5.9-password-equivalence.patch
>
>
> Per the oasis spec, the UsernamePassword is summarized by the algorithm:
>    base64(sha-1(nonce+created+password))
> But, in some scenarios you don't store cleartext passwords - only the sha-1 
> hash
> of them.  The oasis spec allows this via what they claim as "..password
> equivalent".  The problem I'm running into is that the password equivalent
> is sha-1(password) or ultimately this equivalent:
>    base64(sha-1(nonce+created+sha-1(password)))
> When the applicability of this approach was questioned to the oasis list,
> they confirmed it:
> http://lists.oasis-open.org/archives/wss-dev/201006/msg00003.html
> But, when using the wss4j WSPasswordCallback mechanism, the call expects the
> password to be a string but the binary output of the digest if converted to
> a string, then back to the bytes (by UsernameToken.doPasswordDigest()) does
> not result in the original byte array - causing any digest calculations to
> fail.
> This was originally posted in the mailing list below where Colm suggested I 
> provide a patch:
> http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/201006.mbox/%3caanlktilndi8ijophc6lgv3mkp5_i_utrcfendkdk1...@mail.gmail.com%3e

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.