Werner,

Thanx for all nice work you've done for me and all the other happy users of wss4j and addressing. I finally got around it, and your implementation was right on! My problems turned out to be with enough/the right (for wse) addressing headers, and signing them (was that possible from the start in autumn last year?). The way I got around was to pick up my rusty C# and read the MS WSE2 stuff on policy, and then deploy several different services on IIS with increasing usage of wss/wse, checking first wse clients and then wss4j clients.

Brgds
Brian

-----Original Message-----
From: Dittmann Werner [mailto:[EMAIL PROTECTED]
Sent: 21. januar 2005 11:55
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Cc: [email protected]
Subject: AW: Signing with a UsernameToken - interop with WSE2

Brian,

to check the username token signing I took the data you sent (the logged request) and fed it into a small test program that used it to call the WSSecurity engine to verify the signature - thus it was not an online test. Your data had enough info to verify the signature.

I have to look in my development environment to check how to set up an online interop test. IMO you just need to define the right action and username and password, I'll recheck this.

According to your second question: the way to use the username token to sign and/or encrypt a request is not standardized by OASIS WSS. To the best of my knowledge this is a proprietary method used by WSE2 only.

Regards,
Werner

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, 21 January 2005 10:56
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: Signing with a UsernameToken - interop with WSE2
>
>
> Werner,
>
> As you've seen on the list I've "resurfaced" after 3 months of
> silence. I would really like to figure it out myself and contribute to
> the project, but my knowledge/understanding is quite limited. I've
> looked at the wsse Unittest number 13 - but as far as I can see it
> doesn't do what you wrote about in your mail:
>
> "I was able to perform the Signature check with this request."
>
> http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED] apache.org&msgNo=2099
>
> Is that code checked in or can you send it, so that I can reproduce it
> with a new dummy service that one of my colleagues set up. Because even
> though you got success I'm still not able to access a WSE2 Web Service
> that requires signing the body and Timestamp with a key based on the
> UsernameToken.
>
> Since if I can reproduce the digest and signature given a UsernameToken
> (include nonce etc.) and several addressing elements.
>
> And a second question, I've looked through the WS-Trust specification
> and the WS-Secure Conversation, but I haven't spotted where the
> description for WSE2's "way of doing" is described. I would like to
> gather the facts and our assumptions and post it to the WSE2 team, to
> clear out any misunderstandings if we strike ground again.
>
> Thanks in advance.
>
> Brgds
> Brian
