Announcement Announcement Module
No announcement yet.
Does Wss4jSecurityInterceptor allow securementPasswordType to be PasswordNone? Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Does Wss4jSecurityInterceptor allow securementPasswordType to be PasswordNone?

    I've got a system that will be using an X.509 certificate for message-level signing, and our provider server (i.e. the service being requested) will then take the signed message and extract the username from the usernametoken element.

    However, it's auto-configured so that if the password is set, that will be used to authenticate the user (it's beyond my control and I don't expect to be able to change it).

    Wss4j should allow me to use the securementPasswordType to be PasswordNone, but this doesn't quite seem to work. The docs also imply that only PasswordText and PasswordDigest are the supported options.

    Now, the UsernameTokenSignature is supposed to take care of this sort of thing, but we want to use a single X.509 cert to authenticate the application, and set the UsernameToken to be the person using my web app, not the cert itself.

    I had planned on using two Wss4jSecurityInterceptors to do this, but that doesn't seem to work:
    <property name="interceptors"><list>
    <ref bean="Wss4jSecurityInterceptor-Username"/>
    <ref bean="Wss4jSecurityInterceptor-X509Signature"/>

    Where the first one does the username and the second one does the signing, but I can't get the first one to merely add the username with no password.

    I hope this makes sense. How can I configure the Wss4jSecurityInterceptor to only add a username, no password.


    Josh Peters

  • #2
    I continue to make myself look foolish on this forum :-/

    My issue is fixed in that I have to leave the securementPassword to be null when using PasswordNone.