ws-users mailing list archives

From Colm O hEigeartaigh <>
Subject Re: BSR security token w/o signature
Date Wed, 27 May 2015 09:14:29 GMT
How are you using WSS4J, with Axis/CXF or just using the WSS4J APIs? It's
pretty straightforward to do this using the WSS4J APIs. For example see

If you are using CXF with a recent version of WSS4J, you have the option of
specifying a security action called "CustomToken". This will just query a
CallbackHandler to get a token (DOM Element) using
WSPasswordCallback.Usage.CUSTOM_TOKEN, and write it out in the security

I disagree that a BST token without signature is a better authentication
token than a UsernameToken without signature. Each is equally bad if
TLS is not used, as there is no protection against eavesdropping and
subsequent replay attacks. At best it may be a little more difficult for
someone to forge a token as opposed to guessing a username/password.


On Tue, May 26, 2015 at 9:29 PM, Gene Bezrukavyy <>

> Team,
> I am not finding a way to add a BST token in WSS4j w/o adding a signature
> token as well. This restriction is not there for verification - each token
> has its own processor. Not sure why this is not an option for securement:
> having a BST token w/o signature is still a better authentication token
> than a UsernameToken w/o signature. Especially when a direct trust is used
> (and let's assume enforced) to authenticate the token...
> Please advise on this matter.
> Gene

Colm O hEigeartaigh

Talend Community Coder
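Added example of the CXF route described in the reply above (this is illustration written for this page, not code from the message, from WSS4J or from CXF): a CallbackHandler that answers the custom-token callback with a wsse:BinarySecurityToken element, wired into a client through the "CustomToken" security action so that no Signature action is configured. It assumes WSS4J 2.x / CXF 3.x package names, that the raw token bytes and the JAX-WS `port` proxy are supplied by the caller, that the usage is checked against the int constant WSPasswordCallback.CUSTOM_TOKEN, and it uses the X509v3 ValueType only as a placeholder.

```java
import java.io.IOException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Added example (not WSS4J/CXF project code): answers the CUSTOM_TOKEN callback
 * with a wsse:BinarySecurityToken so the "CustomToken" action can write it into
 * the Security header without also signing the message.
 */
public class BstOnlyCallbackHandler implements CallbackHandler {

    // Assumption: the raw token bytes (e.g. a DER-encoded certificate) are
    // obtained elsewhere and handed in by the caller.
    private final byte[] tokenBytes;
    // Assumption: the X509v3 ValueType is a placeholder; use whatever token
    // profile the receiving side's BST processor is configured to accept.
    private final String valueType = WSConstants.X509TOKEN_NS + "#X509v3";

    public BstOnlyCallbackHandler(byte[] tokenBytes) {
        this.tokenBytes = tokenBytes.clone();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Unrecognized callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            // Only the CustomToken action asks for a DOM Element; other usages
            // (signature or decryption key passwords) are deliberately not answered.
            if (pwcb.getUsage() == WSPasswordCallback.CUSTOM_TOKEN) {
                pwcb.setCustomToken(buildBst());
            }
        }
    }

    /** Builds the BinarySecurityToken element that the action imports into the envelope. */
    private Element buildBst() throws IOException {
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            Document doc = dbf.newDocumentBuilder().newDocument();
            Element bst = doc.createElementNS(WSConstants.WSSE_NS, "wsse:BinarySecurityToken");
            bst.setAttributeNS(null, "ValueType", valueType);
            bst.setAttributeNS(null, "EncodingType", WSConstants.BASE64_ENCODING);
            bst.setAttributeNS(WSConstants.WSU_NS, "wsu:Id", "BST-" + System.nanoTime());
            bst.setTextContent(Base64.getEncoder().encodeToString(tokenBytes));
            return bst;
        } catch (ParserConfigurationException e) {
            throw new IOException("Cannot build BinarySecurityToken", e);
        }
    }

    /**
     * Wires the handler into a CXF client proxy. The only action is CustomToken,
     * so no Signature or Timestamp is added. Assumption: "port" is a JAX-WS proxy
     * created by the caller, and TLS is configured separately on the HTTP conduit.
     */
    public static void attachTo(Object port, byte[] tokenBytes) {
        Map<String, Object> props = new HashMap<>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.CUSTOM_TOKEN);
        props.put(WSHandlerConstants.PW_CALLBACK_REF, new BstOnlyCallbackHandler(tokenBytes));

        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(props));
    }
}
```

Because the handler answers only the CUSTOM_TOKEN usage, nothing in the message binds the token to the body; as the reply above points out, without TLS such a token is as exposed to capture and replay as a plain UsernameToken, so `attachTo` assumes HTTPS is already configured on the client conduit.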
