[Fedora-suds-list] Question about WSSE
Frank Millman
frank at chagford.com
Wed Mar 3 06:03:32 UTC 2010
Hi all
I posted this 3 weeks ago but got no reply. Hope it is ok to repost.
I have a question regarding Web Services Security (wsse).
From what I can find out, there are two main sources for this -
1. Web Services Security - Username Token Profile 1.0 - Oasis Standard
200401, March 2004
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
2. Web Services Security: SOAP Message Security 1.1 (WS-Security 2004) -
Oasis Standard incorporating Approved Errata, 01 November 2006
http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SOAPMessageSecurity.pdf
AFAICT, suds.wsse implements the first of these. However, I am not sure that
it is implemented correctly.
According to the document, there are two mandatory elements - UserName and
Password, and two optional elements - Nonce and Created.
If Nonce and Created are not used, then Password contains the actual
password, sent in the clear.
If Nonce and Created are used, then Password must be constructed as follows -
Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
This gives some degree of protection over the password.
It seems to me that suds allows use of Nonce and Created, but still sends
the password in the clear, which rather defeats the object.
Does this sound right, or am I missing something?
Thanks
Frank Millman
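The PasswordDigest construction described in the post, as an added worked example. This is not suds code and not from the original poster; it builds a wsse:UsernameToken in both forms (PasswordText, i.e. cleartext, and PasswordDigest = Base64(SHA-1(nonce + created + password)) with the nonce taken as its raw bytes), and shows the matching server-side check with freshness and replay rejection. The namespace and Type URIs are those of the OASIS profile; the function and class names, the fixed nonce, the username "frank" and the password are constructed for the example.

```python
"""UsernameToken PasswordDigest per WSS Username Token Profile 1.0 (added example).

Password_Digest = Base64(SHA-1(nonce + created + password)); nonce is the raw
(base64-decoded) nonce bytes, created and password are UTF-8 strings.
"""
import base64
import datetime as dt
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"
PASSWORD_TEXT = PROFILE + "#PasswordText"
NONCE_B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ET.register_namespace("wsse", WSSE_NS)
ET.register_namespace("wsu", WSU_NS)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) exactly as the profile specifies."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(h).decode("ascii")


def utc_now_iso(now=None) -> str:
    return (now or dt.datetime.now(dt.timezone.utc)).strftime(TS_FMT)


def username_token(username, password, *, digest=True, nonce=None, created=None) -> str:
    """Serialise a wsse:UsernameToken. digest=False is the PasswordText form the
    post complains about (password in the clear); digest=True is PasswordDigest."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or utc_now_iso()
    tok = ET.Element(f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE_NS}}}Password")
    pw.set("Type", PASSWORD_DIGEST if digest else PASSWORD_TEXT)
    pw.text = password_digest(nonce, created, password) if digest else password
    n = ET.SubElement(tok, f"{{{WSSE_NS}}}Nonce", EncodingType=NONCE_B64)
    n.text = base64.b64encode(nonce).decode("ascii")  # Nonce element carries base64
    ET.SubElement(tok, f"{{{WSU_NS}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


def parse_username_token(xml_text: str) -> dict:
    ns = {"wsse": WSSE_NS, "wsu": WSU_NS}
    root = ET.fromstring(xml_text)
    pw = root.find("wsse:Password", ns)
    return {
        "username": root.findtext("wsse:Username", namespaces=ns),
        "password": pw.text,
        "type": pw.get("Type", PASSWORD_TEXT),  # profile default when Type is absent
        "nonce": root.findtext("wsse:Nonce", namespaces=ns),
        "created": root.findtext("wsu:Created", namespaces=ns),
    }


class DigestVerifier:
    """Server side. The digest is over the cleartext password, so the server must
    hold the cleartext (a limitation of the scheme); nonces inside the freshness
    window are remembered so a captured token cannot simply be replayed."""

    def __init__(self, passwords: dict, freshness=dt.timedelta(minutes=5)):
        self.passwords, self.freshness, self.seen = passwords, freshness, {}

    def verify(self, token_xml: str, now=None) -> bool:
        now = now or dt.datetime.now(dt.timezone.utc)
        t = parse_username_token(token_xml)
        if t["type"] != PASSWORD_DIGEST or not t["nonce"] or not t["created"]:
            return False  # refuse cleartext or nonce-less tokens outright
        created = dt.datetime.strptime(t["created"], TS_FMT).replace(tzinfo=dt.timezone.utc)
        if abs(now - created) > self.freshness:
            return False  # stale or future-dated Created
        if t["nonce"] in self.seen:
            return False  # replay of a nonce already accepted
        expected = password_digest(base64.b64decode(t["nonce"]), t["created"],
                                   self.passwords.get(t["username"], ""))
        if not hmac.compare_digest(expected, t["password"]):
            return False
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.freshness}
        self.seen[t["nonce"]] = created
        return True


def demo() -> dict:
    """Constructed fixed inputs: both token forms, then accept / replay / stale checks."""
    now = dt.datetime(2010, 3, 3, 6, 3, 32, tzinfo=dt.timezone.utc)
    nonce = bytes(range(16))  # constructed; use os.urandom in practice
    pw = "s3cret pass"  # constructed; the space cannot occur in base64 output
    digest_tok = username_token("frank", pw, nonce=nonce, created=utc_now_iso(now))
    clear_tok = username_token("frank", pw, digest=False, created=utc_now_iso(now))
    v = DigestVerifier({"frank": pw})
    return {
        "digest_token": digest_tok,
        "first": v.verify(digest_tok, now=now),
        "replay": v.verify(digest_tok, now=now),
        "stale": DigestVerifier({"frank": pw}).verify(digest_tok, now=now + dt.timedelta(minutes=10)),
        "cleartext_accepted": v.verify(clear_tok, now=now),
        "cleartext_leaks": pw in clear_tok,
        "digest_leaks": pw in digest_tok,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: the digest form only hides the password from a passive observer, it does not authenticate or protect the rest of the SOAP message, so it is a complement to TLS rather than a substitute; and because the server must recompute SHA-1 over the cleartext password, it cannot store only a salted password hash for users of this scheme.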