Re: Nonce and Created Values. General Questions
From: John Jenkins (john_Jenkins_at_yahoo.com)
Date: 09/29/04
- Previous message: Hervey Wilson [MSFT]: "Re: How can UsernameTokenManager know what Web Service method is being invoked?"
- In reply to: Hervey Wilson [MSFT]: "Re: Nonce and Created Values. General Questions"
- Next in thread: Hervey Wilson [MSFT]: "Re: Nonce and Created Values. General Questions"
- Reply: Hervey Wilson [MSFT]: "Re: Nonce and Created Values. General Questions"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 29 Sep 2004 07:13:56 GMT
I understand that it must be present if used with hashed password. My
question is how do I prevent the default of sending it!
I have tried the replayDetection setting server side to not require it, sent
a message without the nonce detail and still got an "invalid token". As part
of this I also commented out any detail in the config of my UsernameToken
Manager implementation. I assume this is correct.
"Hervey Wilson [MSFT]" <herveyw.nospam@nospam.microsoft.com> wrote in
message news:emjiu8dpEHA.2484@TK2MSFTNGP09.phx.gbl...
> John Jenkins wrote:
> > Hi,
> > I am using WSE2.0sp1 for my security implementation for web services. A
> > customer is using WebLogic to implement their calls to my service.
> > The call fails with a "token could not be authenticated.." message. I
> > noticed the customer did not have
> > <wsse:Nonce></wsse:Nonce>
> > <wsu:Created></wsu:Created>
> > Tags in their security header. I took their message, and manually added
> > some nonce/created details to the header and submitted it with a soap
> > tool. The message got validated. Web Logic (or at least my customer's
> > implementation using web logic) does not appear to add
> > nonce/created elements by default.
> >
> > The customer however pointed out (correctly) that the implementation of
> > Nonce etc is only recommended. So my question is, is there a setting I can
> > turn on which will not require the client to supply a nonce and created
> > element?? The network is on a private, secure network.
> >
> > I had initially thought this may be the <replayDetection> element but
> > this didn't work when I added to my config file.
> >
> > Also I have a couple of basic questions.
> >
> > 1. If users use a password (either plain text or digest), must a nonce value
> > be included also?
> > 2. Why did WSE2.0 not have the appropriate namespaces i.e. the wsse, and wsu
> > using the oasis uri?
> >
> >
> > Any help on this is greatly appreciated.
> >
> >
>
> 1. If you used SendHashed, the Nonce *must* be present since it is part of
> the digest algorithm. If you have Username Token replay detection
> enabled, the WSE receiver will *always* demand that a Nonce be present
> in the token. Disabling this in your configuration file (see the
> wse.config file in the WSE install directory for details), should allow
> you to pass a PlainText or SendNone UsernameToken without a Nonce.
>
> 2. WSE 2.0 *does* use the OASIS WSS 1.0 Namespace URIs.
>
>
> --
> This posting is provided "AS IS", with no warranties, and confers no rights.
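The two rules in the quoted answer (a hashed password cannot be checked without the Nonce, and a receiver with replay detection rejects any token that lacks one) as an added example, not code from this thread or from WSE itself. It implements the WSS UsernameToken Profile 1.0 digest, Base64(SHA-1(nonce + created + password)), on the receiving side; the credential store and the five-minute freshness window are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed demo credential store; a real receiver would obtain the password
# through its UsernameTokenManager rather than from a dict.
PASSWORDS = {"alice": "correct horse battery staple"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """WSS UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce || created || password)).
    The nonce is hashed as raw bytes, Created and the password as UTF-8 text."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_token(username: str, password: str, now: datetime) -> dict:
    """Client side: fresh random nonce, current Created timestamp, digest of all three."""
    nonce = base64.b64encode(os.urandom(16)).decode("ascii")
    created = now.strftime(TIME_FMT)
    return {"Username": username, "Nonce": nonce, "Created": created,
            "Password": password_digest(nonce, created, password)}


class Receiver:
    """Receiver with replay detection enabled: remembers nonces already accepted and
    rejects stale Created values, so both elements are mandatory in every token."""

    def __init__(self, window: timedelta = timedelta(minutes=5)):
        self.window = window
        self.seen_nonces = set()

    def verify(self, token: dict, now: datetime) -> tuple:
        nonce, created = token.get("Nonce"), token.get("Created")
        if not nonce or not created:
            return False, "invalid token: Nonce and Created required"
        ts = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - ts) > self.window:
            return False, "token expired"
        if nonce in self.seen_nonces:
            return False, "replay detected"
        password = PASSWORDS.get(token.get("Username"))
        expected = password_digest(nonce, created, password) if password else ""
        if not password or not hmac.compare_digest(expected, token.get("Password", "")):
            return False, "token could not be authenticated"
        self.seen_nonces.add(nonce)  # only remember nonces of tokens that verified
        return True, "ok"
```

A token without a Nonce fails before the digest is even computed, which is the "invalid token" seen above; turning replay detection off in the receiver's configuration removes that first check only for PlainText or SendNone tokens, never for hashed ones.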