Re: Encrypting and Signing SOAP Messages With UsernameToken - Anil Kumar Tappetla - net.java.dev.jwsdp.users

7 messages in net.java.dev.jwsdp.usersRe: Encrypting and Signing SOAP Messa...

From	Sent On	Attachments
mmes...@austin.rr.com	Jan 20, 2005 7:45 am
Vishal Mahajan	Jan 21, 2005 5:32 am
Mark Mesich	Jan 23, 2005 7:32 pm
Vishal Mahajan	Jan 27, 2005 4:54 am
Mark Mesich	Jan 27, 2005 6:46 pm
Anil Kumar Tappetla	Jan 27, 2005 9:21 pm
mmes...@austin.rr.com	Jan 28, 2005 6:59 am

Subject:	Re: Encrypting and Signing SOAP Messages With UsernameToken
From:	Anil Kumar Tappetla (Anil...@Sun.COM)
Date:	Jan 27, 2005 9:21:54 pm
List:	net.java.dev.jwsdp.users

The UsernameToken profile itself doesn't mention anything about inferring keys based on passwords. If that is what you are doing in your .Net application, please post the pseudo-code for the same. Thanks, Anil.

Hey Vishal,

Actually, the code below does more than encrypt and sign the token alone. It actually uses the UsernameToken to encrypt and sign the SOAP message itself. I do not need any X509 certificates at all! I have not seen anything in JWSDP that provides the same functionality. If I understand you correctly, the sample you provided simply encrypts and signs a the token rather than using the token to encrypt and sign the entire message. Is this correct, or am I missing something?

(If it would be helpful, I can provide the resulting SOAP message from the code below.)

Thanks,

-----Original Message----- *From:* Vishal Mahajan [mailto:Vish...@Sun.COM] *Sent:* Thursday, January 27, 2005 6:55 AM *To:* use...@jwsdp.dev.java.net *Subject:* Re: Encrypting and Signing SOAP Messages With UsernameToken

Hi Mark,

The code below indicates that your requirement is to be able to sign and encrypt the username token being sent along with the soap request. You can do this very easily using xws-security by associating the following security configuration file with the requester:

<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config" <http://java.sun.com/xml/ns/xwss/config>>

<xwss:UsernameToken name="m_userid" password="m_password" id="token"/>

<xwss:Sign> <Target type="uri">#token</Target> </xwss:Sign>

<xwss:Encrypt> <X509Token certificateAlias="receiver_cert_alias"/> <Target type="uri">#token</Target> </xwss:Encrypt>

</xwss:SecurityConfiguration>

For more details on the usage of security configuration files, please consult the JWSDP tutorial.

Vishal

Mark Mesich wrote:

Hey Vishal,

Thanks for getting back to me. In .Net you can use a UsernameToken to sign

and encrypt messages as well. The following code demonstrates what I would

like to do in Java. (I have changed the names of the service and methods

for readability.)

// Get a reference to the service.

Service service = new Service();

// Create a username token and add it to the service.

UsernameToken token = new UsernameToken( m_userID, m_password,

PasswordOption.SendHashed );

service.RequestSoapContext.Security.Tokens.Add(token);

service.RequestSoapContext.Security.Timestamp.TtlInSeconds = 60;

// Encrypt and sign the message with the UsernameToken.

service.RequestSoapContext.Security.Elements.Add( new EncryptedData(token)

);

service.RequestSoapContext.Security.Elements.Add( new

MessageSignature(token) );

// Make the method call.

bool result = service.MethodName( <parameters> );

Thanks,

-----Original Message-----

From: Vishal Mahajan [mailto:Vish...@Sun.COM]

Sent: Friday, January 21, 2005 7:33 AM

To: use...@jwsdp.dev.java.net <mailto:use...@jwsdp.dev.java.net>

Subject: Re: Encrypting and Signing SOAP Messages With UsernameToken

mmes...@austin.rr.com <mailto:mmes...@austin.rr.com> wrote:

Hey Guys,

I currently have a set of .Net/WSE2.0 based web services that require a

UsernameToken to be passed in with each request. I have been communicating

with these services from both .Net and Java clients. For the Java clients I

have been using JWSDP 1.4 and embedding the UsernameToken information into

the SOAP message programmatically with code similar to the following:

secCfg.addFilterForOutgoingMessages( new

ExportUsernameTokenFilter(SystemInfo.getUserName(),

SystemInfo.getUserPassword(), true, false));

Now, I would like to enhance the security by requiring the SOAP messages to

be both signed and encrypted with the UsernameToken as well. For my .Net

clients, this is pretty much a couple of lines of code. However, I am

having great difficulty in figuring out whether/how this can be done for my

Java clients. Is this something that is possible with JWSDP 1.4 or 1.5? If

so, can someone please point me in the right direction?

I have seen examples of signing and encrypting using X.509 certificates,

but nothing about using the UsernameToken to do this.

Can you elaborate more on your requirement. What do you mean when you

say - "Using UsernameToken for signing and encryption"?

Regards,

Vishal

I was hoping that (similar to .Net) there might be a way to add

additional filters that could sign and encrypt the messages as they go out.

Thanks for your help,

Mark.

---------------------------------------------------------------------

To unsubscribe, e-mail: user...@jwsdp.dev.java.net
<mailto:user...@jwsdp.dev.java.net>

For additional commands, e-mail: user...@jwsdp.dev.java.net
<mailto:user...@jwsdp.dev.java.net>

---------------------------------------------------------------------

To unsubscribe, e-mail: user...@jwsdp.dev.java.net
<mailto:user...@jwsdp.dev.java.net>

For additional commands, e-mail: user...@jwsdp.dev.java.net
<mailto:user...@jwsdp.dev.java.net>

---------------------------------------------------------------------

To unsubscribe, e-mail: user...@jwsdp.dev.java.net
<mailto:user...@jwsdp.dev.java.net>

For additional commands, e-mail: user...@jwsdp.dev.java.net
<mailto:user...@jwsdp.dev.java.net>

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets