Re: Nonce and Created Values. General Questions

From: John Jenkins (john_Jenkins_at_yahoo.com)
Date: 09/28/04


Date: Tue, 28 Sep 2004 23:09:52 GMT

Why does wse2.0sp1 create them by default?
Why do my web service method calls fail if I don't include them from any
soap tool?

Are you saying that in theory if I submit a message that just has a username
in the username token it should be ok?

I tried this. I commented out the part of web.config where I had referenced
my UsernameToken Manager implementation, submitted a simple request from a
soap tool with no nonce value and it ALWAYS fails.

What precisely do I need to do to just accept a username in the
usernameToken? I had originally thought it was through submitting the
XMLElement to the username token object, but again I had problems with this.

Any help again is greatly appreciated, this issue has set me WAY back.

"Fraser" <Fraser@discussions.microsoft.com> wrote in message
news:C8A53DF0-7AD4-4B17-8DA7-65701CB0ADBF@microsoft.com...
> 1. Nonce and Created are only required for a password that is hashed, that
> is, they form part of the hash algorithm Base64(SHA-1(Nonce + Created +
> Password))
>
> 2. Don't know what you mean. WSE2 does use the correct namespaces for wsse
> and wsu ??
>
> "John Jenkins" wrote:
>
> > Hi,
> > I am using WSE2.0sp1 for my security implementation for web services. A
> > customer is using WebLogic to implement their calls to my service.
> > The call fails with a "token could not be authenticated.." message. I
> > noticed the customer did not have
> > <wsse:Nonce></wsse:Nonce>
> > <wsu:Created></wsu:Created>
> > tags in their security header. I took their message, and manually added
> > some nonce/created details to the header and submitted it with a soap
> > tool. The message got validated. Web Logic (or at least my customer's
> > implementation using web logic) does not appear to add
> > nonce/created elements by default.
> >
> > The customer however pointed out (correctly) that the implementation of
> > Nonce etc is only recommended. So my question is, is there a setting I can
> > turn on which will not require the client to supply a nonce and created
> > element?? The network is on a private, secure network.
> >
> > I had initially thought this may be the <replayDetection> element but
> > this didn't work when I added to my config file.
> >
> > Also I have a couple of basic questions.
> >
> > 1. If users use a password (either plain text or digest), must a nonce value
> > be included also?
> > 2. Why did WSE2.0 not have the appropriate namespaces i.e. the wsse, and wsu
> > using the oasis uri?
> >
> >
> > Any help on this is greatly appreciated.
> >
> >
> >


