ws-users mailing list archives

From Gene Bezrukavyy <gene.bezruka...@gmail.com>
Subject Re: BST security token w/o signature
Date Wed, 27 May 2015 13:30:50 GMT
We're using WSHandler::doSenderAction(); I understand your point about both
authentication tokens (UNT and BST) being equally bad w/o SSL or signature.
Our channel is of course SSL, and my goal was to at least get
authentication, when the consumer was not able to properly generate a
verifiable signature.


- Gene

On Wed, May 27, 2015 at 5:14 AM, Colm O hEigeartaigh <coheigea@apache.org>
wrote:

> How are you using WSS4J, with Axis/CXF or just using the WSS4J APIs? It's
> pretty straightforward to do this using the WSS4J APIs. For example see
> here:
>
>
> https://svn.apache.org/repos/asf/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/token/BinarySecurityTokenTest.java
>
> If you are using CXF with a recent version of WSS4J, you have the option
> of specifying a security action called "CustomToken". This will just query
> a CallbackHandler to get a token (DOM Element) using
> WSPasswordCallback.Usage.CUSTOM_TOKEN, and write it out in the security
> header.
>
> I disagree that a BST token without signature is a better authentication
> token than a UsernameToken without signature. Each is equally bad if
> TLS is not used, as there is no protection against eavesdropping and
> subsequent replay attacks. At best it may be a little more difficult for
> someone to forge a token as opposed to guessing a username/password.
>
> Colm.
>
> On Tue, May 26, 2015 at 9:29 PM, Gene Bezrukavyy <
> gene.bezrukavyy@gmail.com> wrote:
>
>> Team,
>>
>> I am not finding a way to add a BST token in WSS4j w/o adding a signature
>> token as well. This restriction is not there for verification - each token
>> has its own processor. Not sure why this is not an option for securement:
>> having a BST token w/o signature is still a better authentication token
>> than a UsernameToken w/o signature. Especially when a direct trust is used
>> (and let's assume enforced) to authenticate the token...
>>
>> Please advise on this matter.
>>
>>
>> Gene
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
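As an added illustration of the CustomToken path Colm describes (example code written for this archive page, not code from the thread or from the WSS4J project): a CallbackHandler that answers the WSPasswordCallback.Usage.CUSTOM_TOKEN query with an X.509v3 BinarySecurityToken built from the caller's certificate. It assumes WSS4J 2.x (org.apache.wss4j.common.ext.WSPasswordCallback) and that the CustomToken action imports the returned DOM element into the outbound security header; the class name, constructor and field are hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Hypothetical handler: supplies the token WSS4J's "CustomToken" action asks for.
// The BST only names the caller; with no signature over the body it proves nothing
// by itself, which is why it is only meaningful on the TLS channel the thread assumes.
public class BstCustomTokenCallbackHandler implements CallbackHandler {
    private static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    private static final String BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    private final X509Certificate clientCert; // loaded by the application, e.g. from a keystore

    public BstCustomTokenCallbackHandler(X509Certificate clientCert) {
        this.clientCert = clientCert;
    }

    @Override
    public void handle(Callback[] callbacks) {
        for (Callback cb : callbacks) {
            if (cb instanceof WSPasswordCallback) {
                WSPasswordCallback pwcb = (WSPasswordCallback) cb;
                // Answer only the CustomToken query; signature or UT password
                // lookups would need their own branches.
                if (pwcb.getUsage() == WSPasswordCallback.Usage.CUSTOM_TOKEN) {
                    pwcb.setCustomToken(buildBst());
                }
            }
        }
    }

    /** Builds <wsse:BinarySecurityToken> carrying the base64-encoded DER certificate. */
    private Element buildBst() {
        try {
            Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
            Element bst = doc.createElementNS(WSSE_NS, "wsse:BinarySecurityToken");
            bst.setAttribute("ValueType", X509V3);
            bst.setAttribute("EncodingType", BASE64);
            bst.setTextContent(Base64.getEncoder().encodeToString(clientCert.getEncoded()));
            return bst;
        } catch (Exception e) { // ParserConfigurationException or CertificateEncodingException
            throw new IllegalStateException("cannot build BinarySecurityToken", e);
        }
    }
}
```

The handler is registered through the WSS4J handler's passwordCallbackRef property next to the "CustomToken" action; on the receiving side the token is only an identity claim, so the server must still verify the certificate against its trust store (the direct trust Gene mentions) and rely on TLS for confidentiality and replay protection.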
