[ https://issues.apache.org/jira/browse/WSS-68?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12602608#action_12602608 ]
Colm O hEigeartaigh commented on WSS-68:
----------------------------------------
Yes, you must have a password when deriving a secret key from a Username Token
to sign a message. Take a look at:

    TestWSSecurityUTDK#testDerivedKeySignature

The correct way to use a Username Token for key derivation is something like:

    import org.apache.ws.security.message.WSSecUsernameToken;

    WSSecUsernameToken builder = new WSSecUsernameToken();
    // User name and password; the password is the input to the key derivation.
    builder.setUserInfo("bob", "security");
    builder.addDerivedKey(true, null, 1000);
    // doc is the SOAP envelope Document being secured.
    builder.prepare(doc);

In this case, the password is used to derive a key, but the password itself is
not attached to the Username Token.
> No way to create a UsernameToken with absent <Password> element
> ---------------------------------------------------------------
>
> Key: WSS-68
> URL: https://issues.apache.org/jira/browse/WSS-68
> Project: WSS4J
> Issue Type: Bug
> Reporter: George Stanchev
> Fix For: 1.5.4
>
> Attachments: UsernameToken.java, wss4j-1.5.3.patch,
> WSSecUsernameToken.java
>
>
> We should be able to create UsernameTokens without <Password> in them if
> needed. Password is an optional element
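
The key derivation the comment above refers to, as an added example that is not part of the original message and is not WSS4J code. It follows the OASIS WSS UsernameToken Profile 1.1 algorithm (K1 = SHA-1(password + salt), Kn = SHA-1(Kn-1)) and goes beyond the page in spelling that algorithm out; the class and method names are hypothetical, and it assumes the arguments of addDerivedKey(true, null, 1000) mean "MAC key, generated salt, 1000 iterations".

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

// Added example (hypothetical names): UsernameToken Profile 1.1 key derivation.
// Only the salt and the iteration count travel in the token; the password
// stays local on both sides and is never written into the message.
public class UsernameTokenKeyDerivation {

    // 128-bit salt: first byte 0x01 for a MAC (signature) key, 0x02 for an
    // encryption key, remaining 15 bytes random.
    static byte[] newSalt(boolean useForMac) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        salt[0] = (byte) (useForMac ? 0x01 : 0x02);
        return salt;
    }

    // K1 = SHA-1(password || salt), Kn = SHA-1(Kn-1); returns the 20-byte Kn.
    static byte[] deriveKey(String password, byte[] salt, int iterations)
            throws NoSuchAlgorithmException {
        if (password == null) {
            // Without a password there is nothing to derive the key from.
            throw new IllegalArgumentException("a password is required to derive a key");
        }
        if (iterations < 1) {
            throw new IllegalArgumentException("iteration count must be at least 1");
        }
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        byte[] key = sha1.digest(salt);          // K1
        for (int i = 1; i < iterations; i++) {
            key = sha1.digest(key);              // K2 .. Kn
        }
        return key;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = newSalt(true);                           // sent in the token
        byte[] sender = deriveKey("security", salt, 1000);     // constructed sample input
        byte[] receiver = deriveKey("security", salt, 1000);   // same password looked up locally
        byte[] wrong = deriveKey("secret", salt, 1000);
        System.out.println("key length (bytes): " + sender.length);
        System.out.println("receiver derives same key: " + MessageDigest.isEqual(sender, receiver));
        System.out.println("wrong password matches:    " + MessageDigest.isEqual(sender, wrong));
    }
}
```

The receiver can only verify the signature if it can look up the same password for the user, which is why a password is mandatory for derivation even though no Password element is sent.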