WS-Security 1.1 support ----------------------- Key: JBWS-1541 URL: http://jira.jboss.com/jira/browse/JBWS-1541 Project: JBoss Web Services Issue Type: Feature Request Security Level: Public(Everyone can see) Components: ws-security Reporter: William DeCoste Fix For: jbossws-3.x Intuit requirement. Notes: In JBossWS 1.2, WS-Security 1.0 is implemented and Username Token Profile 1.0 is partly implemented. WS-Security 1.1 is not implemented at all. Username Token Profile 1.0 describes how to use WS-Security 1.x to send a username and password over an unprotected link whilst maintaining confidentiality and preventing tampering and replay. Currently JBossWS 1.2 does not fully support Username Token Profile 1.0. This is due to lack of support for nonces. The "<wsse:UsernameToken>" can be signed and verified by using the current digital signature features of the JBossWS 1.2 implementation of WS-Security. However, transmitting digested passwords is not a suitable solution for Intuit as it requires that passwords be stored in plain text. This violates Intuit's company wide security policy. As far as I can tell, the main differences between WS-Security 1.0 and WS- Security 1.1 are to do with the signing of headers and with the addition of a new feature for preventing some man-in-the-middle attacks. The WS-Security 1.0 specification stated that you cannot encrypt the soap header, where as the WS-Security 1.1 specification states that you can. Despite this, JBossWS 1.2 allows you to encrypt the header. The WS-Security 1.1 specification prevents some man-in-the-middle attacks by mandating extra acknowledgements. Backward compatibility, e.g. security handler should recognize and consume WSS 1.0 and 1.1 respectively.