List:       xmlrpc-user
Subject:    Re: BSR security token w/o signature
From:       Gene Bezrukavyy <gene.bezrukavyy () gmail ! com>
Date:       2015-05-27 13:30:50
Message-ID: CALE2OQByyCWEk4k230vBC36Ob=LUGKrF=8esKrogLEimBn-mSQ () mail ! gmail ! com

We're using WSHandler::doSenderAction(); I understand your point about both
authentication tokens (UNT and BST) being equally bad w/o SSL or signature.
Our channel is of course SSL, and my goal was to at least get
authentication, when the consumer was not able to properly generate a
verifiable signature.


- Gene

On Wed, May 27, 2015 at 5:14 AM, Colm O hEigeartaigh <coheigea@apache.org>
wrote:

> How are you using WSS4J, with Axis/CXF or just using the WSS4J APIs? It's
> pretty straightforward to do this using the WSS4J APIs. For example see
> here:
> 
> 
> https://svn.apache.org/repos/asf/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/token/BinarySecurityTokenTest.java
>  
> If you are using CXF with a recent version of WSS4J, you have the option
> of specifying a security action called "CustomToken". This will just query
> a CallbackHandler to get a token (DOM Element) using
> WSPasswordCallback.Usage.CUSTOM_TOKEN, and write it out in the security
> header.
> 
> I disagree that a BST token without signature is a better authentication
> token than a UsernameToken without signature. Each is equally bad if
> TLS is not used, as there is no protection against eavesdropping and
> subsequent replay attacks. At best it may be a little more difficult for
> someone to forge a token as opposed to guessing a username/password.
> 
> Colm.
> 
> On Tue, May 26, 2015 at 9:29 PM, Gene Bezrukavyy <gene.bezrukavyy@gmail.com> wrote:
> 
> > Team,
> > 
> > I am not finding a way to add a BST token in WSS4J w/o adding a signature
> > token as well. This restriction is not there for verification - each token
> > has its own processor. Not sure why this is not an option for securement:
> > having a BST token w/o signature is still a better authentication token
> > than a UsernameToken w/o signature. Especially when a direct trust is used
> > (and let's assume enforced) to authenticate the token...
> > 
> > Please advise on this matter.
> > 
> > 
> > Gene
> > 
> 
> 
> 
> --
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
> 
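The "CustomToken" route Colm describes, written out as an added example (this is not code from the thread, from WSS4J, or from CXF): a CallbackHandler that answers WSPasswordCallback.Usage.CUSTOM_TOKEN with a BinarySecurityToken element, a helper that builds and inserts the same BST directly with the DOM-level API (the approach in the linked BinarySecurityTokenTest), and the property map that wires the handler into a CXF WSS4JOutInterceptor. Assumptions: WSS4J 2.1+ package and class names (WSSecHeader taking the Document in its constructor), that the CustomToken action imports the returned Element into the message document, a placeholder value-type URI `urn:example:bst:opaque-token`, and placeholder token bytes; the class name CustomBstCallbackHandler is mine.

```java
// Added example, not from the mailing-list thread or from WSS4J/CXF.
// Assumes WSS4J 2.1+ class names; the value type URI and token bytes are placeholders.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.token.BinarySecurity;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class CustomBstCallbackHandler implements CallbackHandler {

    // Hypothetical value type; the receiver's BST processor must be configured
    // to trust (and validate) tokens of exactly this type.
    private static final String VALUE_TYPE = "urn:example:bst:opaque-token";

    private final byte[] tokenBytes;

    public CustomBstCallbackHandler(byte[] tokenBytes) {
        this.tokenBytes = tokenBytes.clone();
    }

    // Builds a wsse:BinarySecurityToken in the given document. The token is NOT
    // signed: this is authentication only, with integrity and replay protection
    // delegated entirely to the TLS channel, as the thread discusses.
    public static Element buildBst(Document doc, byte[] token, String id) {
        BinarySecurity bst = new BinarySecurity(doc);
        bst.addWSUNamespace();
        bst.setID(id);
        bst.setValueType(VALUE_TYPE);
        bst.setEncodingType(BinarySecurity.BASE64_ENCODING);
        bst.setToken(token);
        return bst.getElement();
    }

    // Direct WSS4J-API approach: insert the BST into the wsse:Security header of
    // an already-parsed SOAP envelope, with no Signature element at all.
    public static Element addUnsignedBst(Document soapDoc, byte[] token) throws Exception {
        WSSecHeader secHeader = new WSSecHeader(soapDoc);   // WSS4J 2.1+ form (assumption)
        secHeader.insertSecurityHeader();
        Element bst = buildBst(soapDoc, token, "BST-1");
        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst);
        return bst;
    }

    // CallbackHandler approach: the CustomToken action asks for a DOM Element.
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // Fail closed: never hand out the token (or anything else) for a usage
            // we did not expect, e.g. if the action list is later misconfigured.
            if (pc.getUsage() != WSPasswordCallback.Usage.CUSTOM_TOKEN) {
                throw new UnsupportedCallbackException(cb, "unexpected usage " + pc.getUsage());
            }
            try {
                DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
                dbf.setNamespaceAware(true);
                dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
                Document scratch = dbf.newDocumentBuilder().newDocument();
                // Assumption: the action imports this Element into the outgoing message.
                pc.setCustomToken(buildBst(scratch, tokenBytes, "BST-" + System.nanoTime()));
            } catch (ParserConfigurationException e) {
                throw new IOException("cannot create DOM for custom token", e);
            }
        }
    }

    // Outbound CXF wiring: only the CustomToken action, so WSS4J will not demand
    // a signing key or crypto properties. Pass the map to a WSS4JOutInterceptor.
    public static Map<String, Object> cxfOutProperties(byte[] token) {
        Map<String, Object> props = new HashMap<>();
        props.put(ConfigurationConstants.ACTION, ConfigurationConstants.CUSTOM_TOKEN);
        props.put(ConfigurationConstants.PW_CALLBACK_REF, new CustomBstCallbackHandler(token));
        return props;
    }
}
```

Two things to keep in mind when using this: the receiver must enforce the TLS requirement itself (the BST processor accepts the element regardless of transport), and because nothing binds the token to the message, anyone who can read the channel can replay it verbatim, which is exactly the UsernameToken-without-signature situation Colm points out.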

