[jbossws-issues] [JBoss JIRA] Updated: (JBWS-1541) WS-Security 1.1 support

Darran Lofthouse (JIRA) jira-events at lists.jboss.org
Tue Mar 11 10:35:58 EDT 2008 

     [ http://jira.jboss.com/jira/browse/JBWS-1541?page=all ]

Darran Lofthouse updated JBWS-1541:
-----------------------------------

    Assignee:     (was: Darran Lofthouse)

> WS-Security 1.1 support
> -----------------------
>
>                 Key: JBWS-1541
>                 URL: http://jira.jboss.com/jira/browse/JBWS-1541
>             Project: JBoss Web Services
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: ws-security
>            Reporter: William DeCoste
>             Fix For: jbossws-3.x
>
>
> Intuit requirement. Notes:
> In JBossWS 1.2, WS-Security 1.0 is implemented and Username Token Profile 1.0 is partly implemented. WS-Security 1.1 is not implemented at all. 
> Username Token Profile 1.0 describes how to use WS-Security 1.x to send a username and password over an unprotected link whilst maintaining confidentiality and preventing tampering and replay. Currently JBossWS 1.2 does not fully support Username Token Profile 1.0. This is due to lack of support for nonces. The "<wsse:UsernameToken>" can be signed and verified by using the current digital signature features of the JBossWS 1.2 implementation of WS-Security.
> However, transmitting digested passwords is not a suitable solution for Intuit as it requires that passwords be stored in plain text. This violates Intuit's company wide security policy.
> As far as I can tell, the main differences between WS-Security 1.0 and WS- Security 1.1 are to do with the signing of headers and with the addition of a new feature for preventing some man-in-the-middle attacks. The WS-Security 1.0 specification stated that you cannot encrypt the soap header, where as the WS-Security 1.1 specification states that you can. Despite this, JBossWS 1.2 allows you to encrypt the header. The WS-Security 1.1 specification prevents some man-in-the-middle attacks by mandating extra acknowledgements. 
> Backward compatibility, e.g. security handler should recognize and consume WSS 1.0 and 1.1 respectively.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jbossws-issues mailing list