Darran Lofthouse updated JBWS-1541:
-----------------------------------
Assignee: (was: Darran Lofthouse)
WS-Security 1.1 support
-----------------------
Key: JBWS-1541
URL: http://jira.jboss.com/jira/browse/JBWS-1541
Project: JBoss Web Services
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: ws-security
Reporter: William DeCoste
Fix For: jbossws-3.x
Intuit requirement. Notes:
In JBossWS 1.2, WS-Security 1.0 is implemented and Username Token Profile 1.0 is partly
implemented. WS-Security 1.1 is not implemented at all.
Username Token Profile 1.0 describes how to use WS-Security 1.x to send a username and
password over an unprotected link whilst maintaining confidentiality and preventing
tampering and replay. Currently JBossWS 1.2 does not fully support Username Token Profile
1.0. This is due to lack of support for nonces. The "<wsse:UsernameToken>"
can be signed and verified by using the current digital signature features of the JBossWS
1.2 implementation of WS-Security.
However, transmitting digested passwords is not a suitable solution for Intuit as it
requires that passwords be stored in plain text. This violates Intuit's company wide
security policy.
As far as I can tell, the main differences between WS-Security 1.0 and WS-Security 1.1
are to do with the signing of headers and with the addition of a new feature for
preventing some man-in-the-middle attacks. The WS-Security 1.0 specification stated that
you cannot encrypt the SOAP header, whereas the WS-Security 1.1 specification states that
you can. Despite this, JBossWS 1.2 allows you to encrypt the header. The WS-Security 1.1
specification prevents some man-in-the-middle attacks by mandating extra acknowledgements.
Backward compatibility, e.g. the security handler should recognize and consume WSS 1.0 and
1.1 respectively.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
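The nonce and digest handling the ticket asks for, shown as an added illustration (not JBossWS code and not part of the issue): a client builds a Username Token Profile 1.0 token with a random nonce, a Created timestamp and PasswordDigest = Base64(SHA-1(nonce + created + password)); the verifier recomputes the digest, which is why it needs the cleartext password on the server (the Intuit objection above), and rejects stale timestamps and replayed nonces. The user table, the five-minute window and the sample credentials are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime in UTC, as used in wsu:Created


def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UTP 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password)),
    # with the raw (decoded) nonce bytes concatenated to the UTF-8 strings.
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_username_token(username, password, created=None, nonce=None):
    # Client side: fresh random nonce and current timestamp per message.
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class UsernameTokenVerifier:
    """Server side: needs cleartext passwords, a nonce cache and a freshness window."""

    def __init__(self, passwords, max_age=timedelta(minutes=5)):
        self.passwords = passwords      # constructed user table: username -> cleartext
        self.max_age = max_age          # tolerated clock skew / replay window
        self.seen = set()               # (user, nonce, created) tuples already accepted

    def verify(self, token):
        pw = self.passwords.get(token["Username"])
        if pw is None:
            return False, "unknown user"
        created = datetime.strptime(token["Created"], TS_FMT).replace(tzinfo=timezone.utc)
        if abs(datetime.now(timezone.utc) - created) > self.max_age:
            return False, "stale timestamp"
        nonce = base64.b64decode(token["Nonce"])
        expected = password_digest(nonce, token["Created"], pw)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False, "bad digest"
        key = (token["Username"], token["Nonce"], token["Created"])
        if key in self.seen:            # same nonce seen inside the window: replay
            return False, "replayed nonce"
        self.seen.add(key)
        return True, "ok"
```

In a real deployment the nonce cache must be shared across nodes and pruned after max_age, otherwise a replayed message accepted by a different node slips through.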