Re: Nonce and Created Values. General Questions
From: Hervey Wilson [MSFT] (herveyw.nospam_at_nospam.microsoft.com)
Date: 09/29/04
- Next message: Hervey Wilson [MSFT]: "Re: FaultTo endpoint does not work with "soap.tcp""
- Previous message: Hervey Wilson [MSFT]: "Re: Policy settings tool and username tokens (not x509)"
- In reply to: John Jenkins: "Nonce and Created Values. General Questions"
- Next in thread: John Jenkins: "Re: Nonce and Created Values. General Questions"
- Reply: John Jenkins: "Re: Nonce and Created Values. General Questions"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 28 Sep 2004 21:47:10 -0700
John Jenkins wrote:
> Hi,
> I am using WSE2.0sp1 for my security implementation for web services. A
> customer is using WebLogic to implement their calls to my service.
> The call fails with a "token could not be authenticated.." message. I
> noticed the customer did not have
> <wsse:Nonce></wsse:Nonce>
> <wsu:Created></wsu:Created>
> tags in their security header. I took their message, and manually added
> some nonce/created details to the header and submitted it with a soap
> tool. The message got validated. Web Logic (or at least my customer's
> implementation using web logic) does not appear to add
> nonce/created elements by default.
>
> The customer however pointed out (correctly) that the implementation of
> Nonce etc. is only recommended. So my question is, is there a setting I can
> turn on which will not require the client to supply a nonce and created
> element? The network is on a private, secure network.
>
> I had initially thought this may be the <replayDetection> element but
> this didn't work when I added to my config file.
>
> Also I have a couple of basic questions.
>
> 1. If users use a password (either plain text or digest), must a nonce value
> be included also?
> 2. Why did WSE2.0 not have the appropriate namespaces i.e. the wsse, and wsu
> using the oasis uri?
>
>
> Any help on this is greatly appreciated.
>
>
1. If you used SendHashed, the Nonce *must* be present since it is part of
the digest algorithm. If you have Username Token replay detection
enabled, the WSE receiver will *always* demand that a Nonce be present
in the token. Disabling this in your configuration file (see the
wse.config file in the WSE install directory for details) should allow
you to pass a PlainText or SendNone UsernameToken without a Nonce.
2. WSE 2.0 *does* use the OASIS WSS 1.0 Namespace URIs.
-- This posting is provided "AS IS", with no warranties, and confers no rights.
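Added example (not part of the thread, and not WSE 2.0 or WebLogic code): a small Python model of the two behaviours the reply describes. The sender builds a wsse:UsernameToken either as PasswordDigest (WSE "SendHashed"), where the Nonce and Created are inputs to Base64(SHA-1(nonce + created + password)) and so cannot be left out, or as PasswordText. The receiver's `replay_detection` flag stands in for the WSE setting the reply mentions: with it on, any token without a Nonce is refused and a reused Nonce is refused; with it off, a PasswordText token with no Nonce or Created is accepted. The user table, password, field names and the `UsernameTokenVerifier` class are assumptions made for the illustration.

```python
"""Worked example of wsse:UsernameToken PasswordDigest/Nonce/Created handling.

Constructed illustration, not WSE 2.0 or WebLogic code.  `replay_detection`
stands in for the WSE receiver switch discussed in the thread; the user table
and passwords are made-up sample data.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """OASIS WSS UsernameToken Profile 1.0:
    PasswordDigest = Base64(SHA-1(nonce + created + password)).
    The raw nonce bytes (not their Base64 text) go into the hash."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_token(username, password, hashed=True, with_nonce=True, created=None):
    """Sender side: the fields a client puts in its wsse:UsernameToken.
    hashed=True  -> Type PasswordDigest (WSE 'SendHashed'), Nonce mandatory
    hashed=False -> Type PasswordText   (WSE 'SendPlainText')"""
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    token = {"Username": username}
    nonce = os.urandom(16) if with_nonce else None
    if nonce is not None:
        token["Nonce"] = base64.b64encode(nonce).decode("ascii")
        token["Created"] = created
    if hashed:
        if nonce is None:
            raise ValueError("PasswordDigest cannot be computed without a Nonce")
        token["Password"] = password_digest(nonce, created, password)
        token["Type"] = "PasswordDigest"
    else:
        token["Password"] = password
        token["Type"] = "PasswordText"
    return token


class UsernameTokenVerifier:
    """Receiver side.  `users` maps username -> password (sample data);
    `replay_detection` mirrors the WSE setting: when on, every token must
    carry a Nonce, and a Nonce seen before for that user is rejected."""

    def __init__(self, users, replay_detection=True, max_skew=timedelta(minutes=5)):
        self.users = users
        self.replay_detection = replay_detection
        self.max_skew = max_skew
        self.seen = set()  # (username, nonce) pairs already accepted

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        username = token.get("Username")
        password = self.users.get(username)
        if password is None:
            return False, "unknown user"
        ptype = token.get("Type", "PasswordText")
        nonce_b64, created = token.get("Nonce"), token.get("Created")
        if ptype == "PasswordDigest" and (nonce_b64 is None or created is None):
            return False, "PasswordDigest requires Nonce and Created"
        if self.replay_detection and nonce_b64 is None:
            return False, "replay detection enabled: Nonce required"
        nonce = None
        if nonce_b64 is not None:
            if created is None:
                return False, "Nonce without Created"
            nonce = base64.b64decode(nonce_b64)
            ts = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
            if abs(now - ts) > self.max_skew:
                return False, "Created outside freshness window"
            if (username, nonce_b64) in self.seen:
                return False, "nonce replayed"
        if ptype == "PasswordDigest":
            expected = password_digest(nonce, created, password)
        else:
            expected = password
        # constant-time comparison so timing does not leak digest bytes
        if not hmac.compare_digest(expected.encode(), token.get("Password", "").encode()):
            return False, "password/digest mismatch"
        if nonce_b64 is not None:
            self.seen.add((username, nonce_b64))
        return True, "authenticated"


if __name__ == "__main__":
    users = {"john": "s3cret-pass"}   # constructed sample credential
    strict = UsernameTokenVerifier(users, replay_detection=True)
    tok = build_token("john", "s3cret-pass")
    print(strict.verify(tok))          # (True, 'authenticated')
    print(strict.verify(tok))          # same Nonce again -> (False, 'nonce replayed')
    plain = build_token("john", "s3cret-pass", hashed=False, with_nonce=False)
    print(strict.verify(plain))        # (False, 'replay detection enabled: Nonce required')
    lax = UsernameTokenVerifier(users, replay_detection=False)
    print(lax.verify(plain))           # (True, 'authenticated')
```

Note the trade-off the thread touches on: turning `replay_detection` off is what lets the WebLogic-style token (no Nonce, no Created) through, but it also removes the only thing that stops a captured PasswordText token from being resent later, so it is only reasonable on a network you already trust end to end, as the original poster described.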