Werner, I've used the last days getting a basic Idea about the Apache XML Security implementation and what the different classes in wss4j does in regard to UsernameToken Signing. Based on an example from the xmlsec dist, I've reproduce the digest values but not the signature on an .NET example. If you could give me a hint on what you did different when you had success, it would be great.
The .NET request without signing is here: http://www.sweetxml.org/dotNET-requestWithOUTSignature.xml The .NET request with signing is here: http://www.sweetxml.org/dotNET-requestWithSignature.xml My Java code (an ugly mix of the original example and pasted code from wss4j dist - sorry): http://www.sweetxml.org/uts.java My current result: http://www.sweetxml.org/result.xml Regards Brian Nielsen -----Original Message----- From: Dittmann Werner [mailto:[EMAIL PROTECTED] Sent: 21. januar 2005 11:55 To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED] Cc: [email protected] Subject: AW: Signing with a UsernameToken - interop with WSE2 Brian, to check the username token signing I took the data you sent (the logged request) and fed it into a small test programm that used it to call the WSSecurity engine to verify the signature - thus it was not an online test. Your data had enough info to verify the signature. I have to look in my development environment to check how to setup an online interop test. IMO you just need to define the right action and username and password, I'll recheck this. According to your second question: the way to use the username token to sign and/or encrypt a request is not standardized by OASIS WSS. To the best of my knowledge this is a proprietary method used by WSE2 only. Regards, Werner > -----Urspr�ngliche Nachricht----- > Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Gesendet: Freitag, 21. Januar 2005 10:56 > An: [EMAIL PROTECTED] > Cc: [email protected] > Betreff: Signing with a UsernameToken - interop with WSE2 > > > Werner, > > As you've seen on the list I've "resurfaced" after 3 months of > silence. I would really like to figure it out myself and contibute to > the project, but my knowledge/understanding is quite limited. I've > looked at the wsse Unittest number 13 - but as far as I can see It > doesn't do what you wrote about in your mail: > > "I was able to perform the Signature check with this request." > > http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED] apache.org&msgNo=2099 Is that code checked in or can you send it, so that I can reproduce it with a new dummy service that one of my colleague set up. Because eventhough you got success I'm stille no able to acces a WSE2 Web Service that requires signing the body and Timestamp with a key based on the UsernameToken. Since if I can reproduce the digest and signature given a UsernameToken (include nonce ect.) and several addressing elements. And a second question, I've looked through the WS-Trust specification and the WS-Secure Conversation, but I havn't spotted where the description for WSE2's "way of doing" is described. I would like to gather the facts and out assumptions and post it to the WSE2 team, to clear out any misunderstandings if we strike gound again. Thanks in advance. Brgds Brian
