Oracle Web Services Security 10-5
10.2.3.1 Creating a Username Token
First, create a UsernameToken and place it inside your WSSecurity header. The only mandatory field in the UsernameToken is the username:
create a Username token WSSecurity ws = ...
UsernameToken ut = new UsernameTokendoc; ut.setUserNameZoe;
remember to put this inside your WSSecurity header. addUserNameToken puts it at the beginning, you can also
use a regular DOM method appendChild or insertChild to put it in. ws.addUsernameTokenut;
optionally add an wsu:Id, so you can refer to it ut.setWsuIdMyUser;
Next, decide how to put the password into this token. There are several choices:
1.
Add a clear text password. Consider using this technique only when the whole message is being sent over a secure channel like SSL.
2.
Add a digest of the password or some other kind of derived password. A digest is not necessarily more secure than a clear text password, as it can also be replayed
unless it is protected by a nonce and time.
3.
Add a digest of the password using the digest mechanism given in the WS Security specification. This uses the nonce and the createdDate.
4.
Do not add the password or its digest at all. Instead derive a key from the password and use that to sign the message, to demonstrate knowledge of the key.
For options 1 and 2, use the setPassword method ut.setPasswordIloveDogs;
With this mechanism, the reciever should simply call UsernameToken.getPassword to check if the password is as expected.
For option 3, use the setPasswordDigest method, but before doing thatfor that you have to at first set a nonce and a created date.
SecureRandom random = SecureRandom.getInstanceSHA1PRNG; byte nonce[] = new byte[20];
random.nextBytesnonce; compute a 20 byte random nonce ut.setNoncenonce;
ut.setCreatedDatenew Date; Set the date to now ut.setPasswordDigestIloveDogs; will compute the digest from
this clear text password using
SAML Assertion 1.1 oracle.security.xmlsec.wss.sa
ml.SAMLAssertionToken
SAML Assertion 2.0 oracle.security.xmlsec.wss.sa
ml2. SAML2AssertionToken
■
holder_of_key
■
sender_vouchers
■
bearer For holder_of_key the
subject’s key is used – this is, the key inside the
saml:SubjectConfirmation which is inside the
saml:Assertion.
For sender_vouches, the key of the attesting entity is used.
Keys are not extracted from bearer tokens.
Table 10–2 Cont. Security Tokens for Oracle Web Services Security
Type of Token Java Class Variations
Keys
10-6 Oracle Fusion Middleware Reference for Oracle Security Developer Tools
nonce and createdDate For this mechanism, the reciever should use the following
byte nonce[] = ut.getNonce; .. check against the used nonces, to make sure this is a new nonce
Date createdDate = ut.getCreated; .. check that this createdDate is within an expected clock skew
boolean valid = ut.isValiduserName, passwd, above call will recompute the digest from the passwd
and the nonce and created date, and check if this digest matches the digest in the username token
For option 4, set the salt and iteration count SecureRandom random = SecureRandom.getInstanceSHA1PRNG;
byte salt[] = new byte[15]; random.nextBytessalt; compute a 15 byte random salt
ut.setSalt1, salt; ut.setIteration1000;
SecretKey key = ut.deriveKeyIloveDogs;
Now you can use this secret key to sign or encrypt data.
10.2.3.2 Creating an X509 Token