wsse:UsernameToken + Authorisation

Hi there,

I am experimenting with the WSSecurityToken "Username". As far as I've understood the OASIS specification for this token (oasis-200401-wss-username-token-profile-1.0.pdf), it provides secure user authentication. It's more or less "safe" against replay attacks if used with the timestamp and ttl option and if some recommendations are followed.

1. It is RECOMMENDED that web service producers reject any UsernameToken not using both nonce and creation timestamps.
2. It is RECOMMENDED that web service producers provide a timestamp "freshness" limitation, and that any UsernameToken with "stale" timestamps be rejected. As a guideline, a value of five minutes can be used as a minimum to detect, and thus reject, replays.
3. It is RECOMMENDED that used nonces be cached for a period at least as long as the timestamp freshness limitation period, above, and that UsernameToken with nonces that have already been used (and are thus in the cache) be rejected.

Does WSO2 implement these recommendations?


Another question related to the WSSecurityToken "Username":

Is it possible to extract the username from the UsernameToken and use it for authorization?

e.g. user "Tom" authenticated himself by UsernameToken and is allowed to access the method "addUser", but user "Sam" isn't allowed to access the method "addUser". Is it possible to restrict the access to some methods by username (while using the information provided by the UsernameToken)?
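The three profile recommendations quoted in the question, written out as a server-side validator. This is an added example for this thread, not WSO2 or WSF/PHP code; the user store, the token dictionary shape and all timestamps are constructed for the demonstration, and the digest follows the profile's PasswordDigest = Base64(SHA-1(nonce + created + password)).

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(minutes=5)  # profile guideline: five minutes as a minimum


def parse_created(ts):
    """Parse a wsu:Created value such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def make_token(username, password, created, nonce=None):
    """Client side: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    nonce = nonce or os.urandom(16)
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {"username": username, "nonce": base64.b64encode(nonce).decode(),
            "created": created, "password_digest": base64.b64encode(digest).decode()}


class UsernameTokenValidator:
    def __init__(self, passwords, now=None):
        self._passwords = passwords   # username -> password (constructed demo store)
        self._nonce_cache = {}        # base64 nonce -> Created time (recommendation 3)
        self._now = now or (lambda: datetime.now(timezone.utc))

    def validate(self, token):
        now = self._now()
        # Recommendation 1: both nonce and Created must be present.
        if not token.get("nonce") or not token.get("created"):
            return "reject: nonce and Created are required"
        created = parse_created(token["created"])
        # Recommendation 2: reject stale (or future-dated) Created values.
        if abs(now - created) > FRESHNESS:
            return "reject: stale timestamp"
        # Recommendation 3: keep nonces for at least the freshness window and reject reuse.
        self._nonce_cache = {n: t for n, t in self._nonce_cache.items() if now - t <= FRESHNESS}
        if token["nonce"] in self._nonce_cache:
            return "reject: replayed nonce"
        # Unknown users get an empty password, so they fail the digest check below.
        password = self._passwords.get(token["username"], "")
        expected = hashlib.sha1(base64.b64decode(token["nonce"]) + token["created"].encode()
                                + password.encode()).digest()
        if not hmac.compare_digest(base64.b64encode(expected).decode(), token["password_digest"]):
            return "reject: bad digest"
        self._nonce_cache[token["nonce"]] = created   # remember only accepted nonces
        return "accept"
```

The nonce is recorded only after the digest verifies, so an unauthenticated sender cannot fill the cache, and the cache is pruned against the same window that decides staleness, which is what recommendation 3 asks for.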

Re: wsse:UsernameToken + Authorisation

Q1. (1) No. WSF/PHP allows username tokens without nonce and timestamps. This is for interoperability reasons. But it doesn't allow multiple nonce/timestamps as per the Basic Security Profile.

     (2) For this we use timestamp tokens.

     (3) Replay detection is not supported yet in WSF/PHP.

Q2. Right now there is no such way to pass the username to the service for authorization purposes. But in future releases we are planning to pass security processed results to the service.