public class UsernameToken extends WSSElement implements WSSecurityToken
The UsernameToken element. Conforms to Username Token Profile 1.1.

Usage:

1) To use plain text passwords:

```java
UsernameToken ut = new UsernameToken(doc);
ut.setUsername("Zoe");
ut.setPassword("IloveDogs".toCharArray()); // setPassword takes a char[]
```

2) Whereas if you want to use digested passwords:

```java
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
byte nonce[] = new byte[20];
random.nextBytes(nonce); // compute a 20 byte random nonce
UsernameToken ut = new UsernameToken(doc);
ut.setUsername("Zoe");
ut.setNonce(nonce);
ut.setCreatedDate(new Date()); // Set the date to now
ut.setPasswordDigest("IloveDogs".toCharArray()); // will compute the digest from this clear text password
```

3) You should not put passwords in the token at all if you are using username tokens for key derivation:

```java
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
byte salt[] = new byte[15];
random.nextBytes(salt); // compute a 15 byte random salt
UsernameToken ut = new UsernameToken(doc);
ut.setUsername("Zoe");
ut.setSalt((byte) 1, salt); // type 1 = MAC, 2 = encryption; the type byte is prepended to the 15 byte salt
SecretKey key = ut.deriveKey("IloveDogs".toCharArray()); // Use this key for signing or encryption
```

On the receiving side, to verify a token:

```java
UsernameToken ut = new UsernameToken(utElement);
String username = ut.getUsername(); // extract the user name
char expectedPassword[] = lookupPassword(username); // get the expected password for this user (lookupPassword is an application-specific placeholder)
// Check if this is a plain text password
if (ut.getPasswordType().equals(UsernameToken.PASSWORD_TEXT)) {
    char password[] = ut.getPassword(); // extract the plain text password
    // Check if the password matches
    if (!Arrays.equals(password, expectedPassword)) {
        // reject this token
    }
}
// Check if this is a digested password
else if (ut.getPasswordType().equals(UsernameToken.PASSWORD_DIGEST)) {
    byte digest[] = ut.getPasswordDigest(); // extract the digested password
    byte nonce[] = ut.getNonce(); // can be null
    Date createdDate = ut.getCreatedDate(); // can be null
    // Following is the RECOMMENDED processing from the spec:
    // if both nonce and createdDate are null, reject this token
    // if createdDate is not null, reject if it is stale
    // (guideline: older than 5 mins is stale)
    // if nonce is not null, reject if this nonce has already been used before
    // (need to maintain a cache of used nonces)
    // After doing the above checks, check if the digested password matches
    if (!ut.isValid(username, expectedPassword)) {
        // reject this token
    }
}
```
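The recommended processing in the comments above, carried out over the raw token values as an added example; this is not the toolkit's isValid() and it assumes the digest is SHA-1(nonce + created + password) as Username Token Profile 1.1 defines it, with an in-memory nonce set standing in for whatever replay store a deployment uses:

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;

/** Receiver-side checks for a PasswordDigest token (added example, not the toolkit's isValid()). */
public class DigestTokenVerifier {
    private static final Duration MAX_AGE = Duration.ofMinutes(5); // staleness guideline from the text above
    private final Set<String> usedNonces = new HashSet<>();        // replay cache; assumed in-memory, bound or expire it in production

    /** Password_Digest = SHA-1(nonce + created + password), as Username Token Profile 1.1 defines it. */
    static byte[] computeDigest(byte[] nonce, String created, char[] password) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            if (nonce != null) sha1.update(nonce);
            if (created != null) sha1.update(created.getBytes(StandardCharsets.UTF_8)); // the xsd:dateTime string as sent
            sha1.update(new String(password).getBytes(StandardCharsets.UTF_8));
            return sha1.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Reject when nonce and created are both absent, created is stale, the nonce was seen before, or the digest differs. */
    public boolean verify(byte[] nonce, String created, char[] expectedPassword, byte[] receivedDigest, Instant now) {
        if (nonce == null && created == null) return false;   // nothing ties this digest to a point in time
        if (created != null) {
            Instant createdAt;
            try { createdAt = Instant.parse(created); } catch (DateTimeException e) { return false; }
            if (Duration.between(createdAt, now).abs().compareTo(MAX_AGE) > 0) return false; // stale, or from the future
        }
        String nonceKey = nonce == null ? null : Base64.getEncoder().encodeToString(nonce);
        if (nonceKey != null && usedNonces.contains(nonceKey)) return false;   // nonce already used: replay
        byte[] expected = computeDigest(nonce, created, expectedPassword);
        if (!MessageDigest.isEqual(expected, receivedDigest)) return false;    // constant-time comparison
        if (nonceKey != null) usedNonces.add(nonceKey); // remember only nonces that passed, so junk cannot fill the cache
        return true;
    }

    public static void main(String[] args) {
        byte[] nonce = new byte[20]; new SecureRandom().nextBytes(nonce);
        String created = Instant.now().toString();
        char[] pw = "IloveDogs".toCharArray();
        byte[] digest = computeDigest(nonce, created, pw);  // what a well-behaved client would send (constructed sample)
        DigestTokenVerifier v = new DigestTokenVerifier();
        System.out.println("fresh token accepted: " + v.verify(nonce, created, pw, digest, Instant.now()));
        System.out.println("same nonce presented again accepted: " + v.verify(nonce, created, pw, digest, Instant.now()));
    }
}
```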
Modifier and Type | Field and Description
---|---
static java.lang.String | `PASSWORD_DIGEST`: Specifies that the type of password is a digest of the password.
static java.lang.String | `PASSWORD_TEXT`: Specifies that the type of password is a plaintext password, derived password or a password hash.
Constructor and Description |
---|
`UsernameToken(org.w3c.dom.Document owner)`: Create a new UsernameToken instance. |
`UsernameToken(org.w3c.dom.Element element)`: Create a new UsernameToken instance from the given XML element. |
`UsernameToken(org.w3c.dom.Element element, java.lang.String systemId)`: Create a new UsernameToken instance from the given XML element. |
Modifier and Type | Method and Description
---|---
static void | `addKeyDerivator(KeyDerivator resolver)`: Deprecated.
static void | `addPasswordRetriever(PasswordRetriever resolver)`: Register a PasswordRetriever instance to lookup the password.
byte[] | `computePasswordDigest(byte[] nonce, WSUCreated created, char[] passwd)`: Creates the SHA-1 digest of the given password and optionally nonce and/or creation timestamp.
byte[] | `createSecretKey()`: Deprecated.
byte[] | `createSecretKey(char[] passwd)`: Deprecated.
javax.crypto.SecretKey | `deriveKey()`: Uses the password retriever to get this user's password, and then extracts the salt and iteration from this token and calls `deriveKey(char passwd[], byte salt[], int iteration)`.
javax.crypto.SecretKey | `deriveKey(char[] passwd)`: Extracts the salt and iteration from this token and calls `deriveKey(char passwd[], byte salt[], int iteration)`.
static javax.crypto.SecretKey | `deriveKey(char[] passwd, byte[] salt, int iteration)`: Derive a key from the passwd using the algorithm mentioned in the WSS 1.1 UsernameToken profile.
WSUCreated | `getCreated()`: Returns the token creation timestamp.
java.util.Date | `getCreatedDate()`: Returns the token creation timestamp.
int | `getIteration()`: Get the iteration count for derived keys.
javax.crypto.SecretKey | `getKey()`: Deprecated.
byte[] | `getNonce()`: Returns the nonce.
char[] | `getPassword()`: Gets the plaintext password (or password equivalent) stored in the Password child element in this structure.
byte[] | `getPasswordDigest()`: Gets the digest of the password stored in the Password child element in this structure.
java.lang.String | `getPasswordType()`: Returns the type of password.
byte[] | `getSalt()`: Get the salt for derived keys.
java.lang.Object | `getToken()`: Get the token contents.
oracle.security.xmlsec.util.QName | `getTokenName()`: Returns the token name.
java.lang.String | `getUsername()`: Returns the username value.
boolean | `isValid()`: Checks if the information stored in this token is valid.
boolean | `isValid(java.lang.String userName, char[] passwd)`: Checks if the information stored in this token is valid against the given user name and password pair.
void | `setCreated(WSUCreated created)`: Set the token creation timestamp.
void | `setCreatedDate(java.util.Date created)`: Set the token creation timestamp.
void | `setIteration(int iteration)`: Sets the iteration count for derived keys.
void | `setNonce(byte[] nonce)`: Sets the Nonce element with the specified value and the default Base64 encoding.
void | `setNonce(byte[] nonce, java.lang.String encType)`: Sets the Nonce element with the specified value and encoding type of the nonce.
void | `setPassword(char[] passwd)`: Sets the Password element with the plain text password (or password equivalent) of the user.
void | `setPassword(char[] password, java.lang.String passwordType)`: Sets the Password element.
void | `setPasswordDigest(char[] passwd)`: Computes the password digest, and sets the Password element with the digested password of the user.
void | `setSalt(byte[] salt)`: Set the salt for derived keys. Removes any password, nonce and created date in this token.
void | `setSalt(byte type, byte[] salt)`: Set the salt for derived keys.
void | `setUsername(java.lang.String userName)`: Sets the username value.
Methods inherited from class WSSElement:
getId, getWsuId, setId, setWsuId

Methods inherited from the toolkit's XML element base class:
addNSPrefixAttr, addNSPrefixAttr, addNSPrefixAttrDefault, addNSPrefixAttrDefault, getAttribute, getAttributeNode, getAttributeNodeNS, getAttributeNS, getChildElementsByTagName, getChildElementsByTagName, getChildElementsByTagNameNS, getChildElementsByTagNameNS, getDefaultNSPrefix, getElement, getElementsByTagName, getElementsByTagNameNS, getTagName, hasAttribute, hasAttributeNS, removeAttribute, removeAttributeNode, removeAttributeNS, setAttribute, setAttributeNode, setAttributeNodeNS, setAttributeNS, setDefaultNSPrefix

Methods inherited from the toolkit's XML node base class:
appendChild, appendChild, appendTo, cloneNode, getAttributes, getChildNodes, getFirstChild, getLastChild, getLocalName, getNamespaceURI, getNextSibling, getNode, getNodeName, getNodeType, getNodeValue, getOwnerDocument, getParentNode, getPrefix, getPreviousSibling, getSystemId, hasAttributes, hasChildNodes, insertBefore, insertBefore, isSupported, normalize, removeChild, removeChild, replaceChild, replaceChild, setNodeValue, setPrefix, setSystemId, toBytesXML, toStringXML

Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface WSSecurityToken:
getNode
public static final java.lang.String PASSWORD_TEXT
Specifies that the type of password is a plaintext password, derived password or a password hash.

public static final java.lang.String PASSWORD_DIGEST
Specifies that the type of password is a digest of the password.

public UsernameToken(org.w3c.dom.Element element)
Create a new UsernameToken instance from the given XML element.
Parameters:
element - A wsse:UsernameToken element.

public UsernameToken(org.w3c.dom.Element element, java.lang.String systemId)
Create a new UsernameToken instance from the given XML element.
Parameters:
element - A wsse:UsernameToken element.
systemId - The URI string system ID for this element.

public UsernameToken(org.w3c.dom.Document owner)
Create a new UsernameToken instance.
Parameters:
owner - A XML Document to be used as the owner document of this structure.

public void setUsername(java.lang.String userName)
Sets the username value.
Parameters:
userName - The username string.

public java.lang.String getUsername()
Returns the username value.

public void setNonce(byte[] nonce)
Sets the Nonce element with the specified value and the default Base64 encoding.
Parameters:
nonce - The nonce bytes.

public void setNonce(byte[] nonce, java.lang.String encType)
Sets the Nonce element with the specified value and encoding type of the nonce.
Parameters:
nonce - The nonce bytes.
encType - The encoding type of the nonce.

public byte[] getNonce()
Returns the nonce.

public void setCreatedDate(java.util.Date created)
Set the token creation timestamp.
Parameters:
created -

public void setCreated(WSUCreated created)
Set the token creation timestamp.
Parameters:
created - The creation timestamp.

public WSUCreated getCreated()
Returns the token creation timestamp.

public java.util.Date getCreatedDate()
Returns the token creation timestamp.

public void setPassword(char[] passwd)
Sets the Password element with the plain text password (or password equivalent) of the user.
Parameters:
passwd - The clear text password (or password equivalent) of the user.

public void setPasswordDigest(char[] passwd)
Computes the password digest, and sets the Password element with the digested password of the user.
Parameters:
passwd - The clear text password (or password equivalent) of the user.

public void setPassword(char[] password, java.lang.String passwordType)
Sets the Password element. The actual value stored in this element depends on the password type provided.
Parameters:
password - The clear text password (or password equivalent) of the user. If the password is null, the PasswordRetriever will be used to lookup the passwd.
passwordType - The value for the Type attribute which specifies the type of password being provided in this token.

public java.lang.String getPasswordType()
Returns the type of password.

public char[] getPassword()
Gets the plaintext password (or password equivalent) stored in the Password child element in this structure. Returns null if PasswordDigest type is used.

public byte[] getPasswordDigest()
Gets the digest of the password stored in the Password child element in this structure. Returns null if PasswordDigest type is not used.

public boolean isValid()
Checks if the information stored in this token is valid.
Returns:
true if the supplied credentials match the token credentials or false otherwise.

public boolean isValid(java.lang.String userName, char[] passwd)
Checks if the information stored in this token is valid against the given user name and password pair.
Parameters:
userName - The user name value.
passwd - The password value. If the password is null, the PasswordRetriever will be used to lookup the passwd.
Returns:
true if the supplied credentials match the token credentials or false otherwise.

public byte[] getSalt()
Get the salt for derived keys.

public void setSalt(byte[] salt)
Set the salt for derived keys. Removes any password, nonce and created date in this token.
Parameters:
salt - Must be 128 bits; the first byte should be 1 for MAC or 2 for Encryption.

public void setSalt(byte type, byte[] salt)
Set the salt for derived keys.
See Also:
setSalt(byte[] salt)
Parameters:
type - 1 for MAC or 2 for Encryption
salt - Must be 120 bits.
Throws:
java.lang.IllegalArgumentException - if salt is not 120 bits, or type is not 1 or 2

public int getIteration()
Get the iteration count for derived keys.

public void setIteration(int iteration)
Sets the iteration count for derived keys.
Parameters:
iteration -

public byte[] createSecretKey()
Deprecated.
Returns:
null if the Password child element is not available.

public byte[] createSecretKey(char[] passwd)
Deprecated.
Parameters:
passwd - The password to use in the secret key generation. If the password is null, the PasswordRetriever will be used to lookup the passwd.
Returns:
null.

public byte[] computePasswordDigest(byte[] nonce, WSUCreated created, char[] passwd)
Creates the SHA-1 digest of the given password and optionally nonce and/or creation timestamp.
Parameters:
nonce - The nonce bytes.
created - The token creation timestamp
passwd - The password bytes. If the password is null, the PasswordRetriever will be used to lookup the passwd.

public oracle.security.xmlsec.util.QName getTokenName()
Returns the token name.
Specified by:
getTokenName in interface WSSecurityToken

public java.lang.Object getToken()
Returns a java.lang.String containing the Username from the Username token.
Specified by:
getToken in interface WSSecurityToken

public javax.crypto.SecretKey getKey() throws WSSException
Deprecated.
Returns the secret HMAC or Key byte[] derived from the supplied password.
Throws:
WSSException

public static void addPasswordRetriever(PasswordRetriever resolver)
Register a PasswordRetriever instance to lookup the password.
Parameters:
resolver - The resolver to use to lookup the password.

public static void addKeyDerivator(KeyDerivator resolver)
Deprecated.
Register a KeyDerivatorResolver instance for use in key identifier resolver operations.
Parameters:
resolver - The resolver to use for key derivation.

public static javax.crypto.SecretKey deriveKey(char[] passwd, byte[] salt, int iteration)
Derive a key from the passwd using the algorithm mentioned in the WSS 1.1 UsernameToken profile.
Note: the key derivation mechanisms supported by prior versions of this toolkit are now deprecated.
The key is derived as follows. The password (which is UTF-8 encoded) and Salt are concatenated in that order. Only the actual octets of the password are used; it is not padded or zero terminated. This value is hashed using the SHA1 algorithm. The result of this operation is also hashed using SHA1. This process is repeated until the total number of hash operations equals the Iteration count.
In other words:
K1 = SHA1( password + Salt )
K2 = SHA1( K1 )
...
Kn = SHA1( Kn-1 )
where + means concatenation and n is the iteration count.
The resulting 160 bit value is used in a MAC function or truncated to the appropriate length for encryption.
Parameters:
passwd - the password
salt - a 16 byte salt. The first byte should be 1 for MAC or 2 for encryption.
iteration - the iteration count. Should be at least 1000.

public javax.crypto.SecretKey deriveKey(char[] passwd)
Extracts the salt and iteration from this token and calls deriveKey(char passwd[], byte salt[], int iteration).
Parameters:
passwd - The user's password; the password retriever is used if null is passed in.

public javax.crypto.SecretKey deriveKey()
Uses the password retriever to get this user's password, and then extracts the salt and iteration from this token and calls deriveKey(char passwd[], byte salt[], int iteration).
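The derivation described for deriveKey above, written out as an added example that is not the toolkit's own deriveKey; the salt layout and the 1000-iteration floor follow the parameter documentation, and wrapping the 160-bit result as an HmacSHA1 key or a truncated AES key is an assumed use of it:

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** The WSS 1.1 UsernameToken key derivation described above (added example, not the toolkit's own deriveKey). */
public class UsernameTokenKdf {
    static final byte TYPE_MAC = 1, TYPE_ENC = 2; // first salt byte, as the setSalt documentation requires
    /** K1 = SHA1(UTF8(password) + salt), Ki = SHA1(Ki-1); returns Kn, the 160-bit result. */
    static byte[] derive(char[] passwd, byte[] salt, int iteration) throws NoSuchAlgorithmException {
        if (salt.length != 16 || (salt[0] != TYPE_MAC && salt[0] != TYPE_ENC))
            throw new IllegalArgumentException("salt must be 16 bytes and start with type byte 1 or 2");
        if (iteration < 1000) // guideline from the parameter docs; a low count makes offline guessing cheap
            throw new IllegalArgumentException("iteration count should be at least 1000");
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(new String(passwd).getBytes(StandardCharsets.UTF_8)); // only the password's UTF-8 octets, no padding
        sha1.update(salt);
        byte[] k = sha1.digest();                                // K1
        for (int i = 1; i < iteration; i++) k = sha1.digest(k);  // K2 .. Kn; digest() resets the engine each time
        return k;
    }

    /** 16-byte salt as setSalt(byte type, byte[] salt) builds it: the type byte followed by 120 random bits. */
    static byte[] newSalt(byte type, SecureRandom rnd) {
        byte[] s = new byte[16];
        rnd.nextBytes(s);
        s[0] = type;
        return s;
    }

    static SecretKey macKey(char[] passwd, byte[] salt, int iter) throws NoSuchAlgorithmException {
        return new SecretKeySpec(derive(passwd, salt, iter), "HmacSHA1");               // full 160 bits for the MAC
    }

    static SecretKey aesKey(char[] passwd, byte[] salt, int iter) throws NoSuchAlgorithmException {
        return new SecretKeySpec(Arrays.copyOf(derive(passwd, salt, iter), 16), "AES"); // truncated to 128 bits
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "IloveDogs".toCharArray();
        byte[] salt = newSalt(TYPE_MAC, new SecureRandom()); // travels in the token instead of any password
        SecretKey k = macKey(pw, salt, 1000);
        Mac mac = Mac.getInstance("HmacSHA1"); mac.init(k);
        byte[] tag = mac.doFinal("payload".getBytes(StandardCharsets.UTF_8));
        System.out.println("receiver derives the same key: " + Arrays.equals(k.getEncoded(), macKey(pw, salt, 1000).getEncoded()));
        System.out.println("HMAC-SHA1 tag bytes: " + tag.length);
    }
}
```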