This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
I need to write something that interfaces with a .Net soap service. I've been given the WSDL file. This 3rd party service dictates the use of WSS tokens which are attached in the soap header. The username token will contain the username, password (sent as a digest), nonce and timestamp elements.
I'm using Weblogic 8.1.3 but there from the answer I got from BEA there is no inbuilt support for passing such a token which contains a password digest (only plain text passwords supported in WL). I'm therefore looking for an existing library / framework that can provide this.
I've been researching this on the internet and from what I found I have the following options below.
1. Use Apache Axis with WSS4J (although this seems very much in development at the moment.)
2. Use the Sun Web Service Developer Pack 1.5 (JWSDP)
3. Use a licensed application such as Glue
Has anyone got any previous experience with implementing token passing including nonce generation, creating password digests, with any of the options below. Is one of these a better implementation than the others or is there one missing from the list I should be considering???
Can you please explain more about WSS tokens fundamentals !
I have used XML Signatures/Encryption using IBM XSS, WSS4J, VeriSign TSIK. I guess some of these framework may support WSS tokens.
Please try them and let me know your experiences ...
Joined: Aug 29, 2004
Hi R Kumar,
The token passing is part of the OASIS WS-Security standard. It details a mechanism for authentication through passing tokens (xml elements) within the header of the soap envelope. The specification for this is available using the URL below (page 7 starts details the the UsernameToken) ----> OASIS WSS Username Token profile
Typically a username token is sent initially to authenticate a user in a SOAP request. Here is an example.
As per my original post, the latest version of weblogic does not have out-of-the-box functionality to create username tokens with a password digest (only supports plain text passwords).
I'm currently looking into using the Apache Axis libraries to interface with this webservice, based on this source code -->AXIS-WSSE
From my research it seems the apache project 'WSS4J' is aiming to fully implement these token passing standards but is still very much in development. I found very little documentation on WSS4J other than api javadocs.
R Kumar - you mention you've been using the WSS4J libraries. I'm guessing you downloaded the source code and built it yourself? What has your experience been with WSS4J?
Has anyone else implemented the WS-Security token passing mechanism in Java to communicate with a .Net (or other) web service that implements these standards?
Best Regards, Pete.
[ February 14, 2005: Message edited by: Pete Tibbster ] [ February 14, 2005: Message edited by: Pete Tibbster ]
Joined: Sep 17, 2001
Thanks for the response. So WS Tokens are used for authentication purpose.
I have experiementd with IBM XSS, WSS4J, VeriSign TSIK for implementing signing soap message and verify the xml signature in them but never used for WS Token implementation.
Did you try IBM XSS and VeriSign TSIK since it has good support for all aspects of WS Security.
Joined: Aug 29, 2004
I have previously looked at IBM XSS which does not seem to implement libraries to help with token passing. The verisign toolkit looks interesting and is not one i've come across before. However again appears nothing to aid token passing.
Joined: Aug 29, 2004
Here is a very recent article which references the WSS token passing mechanism and the need for a standard framework for implementing these standards - just what i'm after ! I've included it here in case anyone else might be interested and hasn't seen it.
This may be the answer to all my questions! - i look forward to the next part of the series : -