[ https://issues.apache.org/jira/browse/WSS-49?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Davanum Srinivas updated WSS-49:
--------------------------------

    Assignee:     (was: Davanum Srinivas)

> Allow digested password when using SIGN_WITH_UT_KEY
> ---------------------------------------------------
>
>                 Key: WSS-49
>                 URL: https://issues.apache.org/jira/browse/WSS-49
>             Project: WSS4J
>          Issue Type: Improvement
>         Environment: Java client vs .NET WSE 2.0 SP3 server
>            Reporter: Nelis Bijl
>
> Signing with UsernameToken (.NET feature supported through the 
> SIGN_WITH_UT_KEY flag) hardcodes the password to be 'plain text'.
> org.apache.ws.security.action.UsernameTokenSignedAction.java :
> ...
>         WSSecUsernameToken builder = new WSSecUsernameToken();
>         builder.setWsConfig(reqData.getWssConfig());
>         /* proposal: allow digested passwords when using UsernameToken signing
>          * 
>          * replace:
>          * 
>          * builder.setPasswordType(WSConstants.PASSWORD_TEXT);
>          * 
>          * with:
>          */
>         builder.setPasswordType(reqData.getPwType());
>         builder.setUserInfo(reqData.getUsername(), password);
>         builder.addCreated();
> ...
> In case of a digested password however the signing is not recognized as valid 
> by .NET WSE 2.0. This is caused by the fact that 
> 'org.apache.ws.security.message.token.UsernameToken.getSecretKey(int keylen, 
> String labelString)' uses the digested password for hashing whereas the 
> 'plain text' password should be used to satisfy .NET.
>     public byte[] getSecretKey(int keylen, String labelString) {
>         byte[] key = null;
>         try {
>             Mac mac = Mac.getInstance("HMACSHA1");
>             /* proposal: use 'plain text' password for hashing
>              * 
>              * replace:
>              *        
>              * byte[] password = getPassword().getBytes("UTF-8");
>              * 
>              * with:
>              */
>             byte[] password = plainTextPwd.getBytes("UTF-8");
> ...
> where plainTextPwd is a private String member that is set in 'setPassword'.
> These changes work for me. However, I cannot oversee the full impact. I hope 
> this feature will be implemented because customers won't like needing 
> customized JARs to call our webservice.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
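
The mismatch described in the issue, as an added example that is not WSS4J code and not part of the original report: a key derived with HMAC-SHA1 from the digested password differs from one derived from the plain-text password, so both ends must key the derivation with the same form. The P_SHA1 expansion, the seed layout (label + nonce + created), the label and all sample values are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
public class UtKeyMismatchDemo {
    // PasswordDigest = Base64(SHA-1(nonce + created + password)), UsernameToken profile
    static String passwordDigest(byte[] nonce, String created, String pw) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest(pw.getBytes(StandardCharsets.UTF_8)));
    }

    // P_SHA1 expansion as defined for TLS 1.0 (RFC 2246); assumed here, not shown on the page
    static byte[] pSha1(byte[] secret, byte[] seed, int keylen) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] out = new byte[keylen];
        byte[] a = seed;
        for (int off = 0; off < keylen; ) {
            a = mac.doFinal(a);                  // A(i) = HMAC(secret, A(i-1))
            mac.update(a);
            byte[] block = mac.doFinal(seed);    // HMAC(secret, A(i) + seed)
            int n = Math.min(block.length, keylen - off);
            System.arraycopy(block, 0, out, off, n);
            off += n;
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the issue
        byte[] nonce = "constructed-nonce".getBytes(StandardCharsets.UTF_8);
        String created = "2006-01-01T00:00:00Z";
        String plain = "example-password";
        // Assumed seed layout: label + nonce + created
        byte[] label = "example-label".getBytes(StandardCharsets.UTF_8);
        byte[] ts = created.getBytes(StandardCharsets.UTF_8);
        byte[] seed = Arrays.copyOf(label, label.length + nonce.length + ts.length);
        System.arraycopy(nonce, 0, seed, label.length, nonce.length);
        System.arraycopy(ts, 0, seed, label.length + nonce.length, ts.length);
        String digest = passwordDigest(nonce, created, plain);
        byte[] fromPlain = pSha1(plain.getBytes(StandardCharsets.UTF_8), seed, 16);
        byte[] fromDigest = pSha1(digest.getBytes(StandardCharsets.UTF_8), seed, 16);
        System.out.println("keys match: " + Arrays.equals(fromPlain, fromDigest));
    }
}
```

A receiver that keys the derivation with the plain-text password computes `fromPlain`, so a signature made with `fromDigest` fails verification even though the token's password digest itself is valid.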

