We're using WSHandler::doSenderAction(); I understand your point about both authentication tokens (UNT and BST) being equally bad w/o SSL or signature. Our channel is of course SSL, and my goal was to at least get authentication, when the consumer was not able to properly generate a verifiable signature.
- Gene

On Wed, May 27, 2015 at 5:14 AM, Colm O hEigeartaigh <[email protected]> wrote:

> How are you using WSS4J, with Axis/CXF or just using the WSS4J APIs? It's
> pretty straightforward to do this using the WSS4J APIs. For example see
> here:
>
> https://svn.apache.org/repos/asf/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/token/BinarySecurityTokenTest.java
>
> If you are using CXF with a recent version of WSS4J, you have the option
> of specifying a security action called "CustomToken". This will just query
> a CallbackHandler to get a token (DOM Element) using
> WSPasswordCallback.Usage.CUSTOM_TOKEN, and write it out in the security
> header.
>
> I disagree that a BST token without signature is a better authentication
> token than a UsernameToken without signature. Each are equally as bad if
> TLS is not used, as there is no protection against eavesdropping and
> subsequent replay attacks. At best it may be a little more difficult for
> someone to forge a token as opposed to guessing a username/password.
>
> Colm.
>
> On Tue, May 26, 2015 at 9:29 PM, Gene Bezrukavyy <[email protected]> wrote:
>
>> Team,
>>
>> I am not finding a way to add a BST token in WSS4j w/o adding a signature
>> token as well. This restriction is not there for verification - each token
>> has its own processor. Not sure why this is not an option for securement:
>> having a BST token w/o signature is still a better authentication token
>> than a UsernameToken w/o signature. Especially when a direct trust is used
>> (and let's assume enforced) to authenticate the token...
>>
>> Please advise on this matter.
>>
>> Gene
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
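To illustrate the "CustomToken" route Colm describes (a CallbackHandler that hands back a DOM Element which the action writes into the Security header), here is an added example; it is not code from the thread, from WSS4J or from CXF. It assumes the WSS4J 2.x API: the int constant WSPasswordCallback.CUSTOM_TOKEN (the usage Colm refers to as WSPasswordCallback.Usage.CUSTOM_TOKEN), WSPasswordCallback.setCustomToken(Element), and the X509Security token class used in the linked BinarySecurityTokenTest. The class name BstOnlyCallbackHandler, the wsu:Id value and the way the client certificate is supplied are all hypothetical, and it is assumed that the action imports the returned element into the message document (so building it in a fresh Document is fine).

```java
import java.security.cert.X509Certificate;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.message.token.X509Security;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Hypothetical CallbackHandler for the CXF "CustomToken" action.
 * It answers only the CUSTOM_TOKEN usage and returns an X.509
 * BinarySecurityToken element; no Signature action is involved, so the
 * token is only bound to the caller by the TLS channel, as noted in the thread.
 */
public class BstOnlyCallbackHandler implements CallbackHandler {

    // Placeholder: in a real deployment the certificate comes from the
    // client's keystore; how it is loaded is outside this example.
    private final X509Certificate clientCert;

    public BstOnlyCallbackHandler(X509Certificate clientCert) {
        this.clientCert = clientCert;
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is handled");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // Only the CustomToken action's request is served; signature,
            // decryption and UsernameToken usages are left unanswered on purpose.
            if (pc.getUsage() == WSPasswordCallback.CUSTOM_TOKEN) {
                pc.setCustomToken(buildBinarySecurityToken());
            }
        }
    }

    /** Builds a wsse:BinarySecurityToken (X509v3 value type) as a DOM Element. */
    private Element buildBinarySecurityToken() {
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            Document doc = dbf.newDocumentBuilder().newDocument();

            X509Security bst = new X509Security(doc);
            bst.setX509Certificate(clientCert);     // base64-encodes the DER certificate
            bst.setID("BST-" + System.nanoTime()); // hypothetical wsu:Id; any unique value works
            return bst.getElement();
        } catch (ParserConfigurationException | WSSecurityException e) {
            throw new IllegalStateException("could not build BinarySecurityToken", e);
        }
    }
}
```

On the receiving side the BST processor will still run (each token has its own processor, as Gene notes), so the service must check the certificate against its truststore for the "direct trust" the thread assumes; nothing in the message itself ties this token to the SOAP body, which is exactly the replay concern Colm raises when TLS is absent.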
