This queue is for tickets about the XML-Compile-WSS CPAN distribution.

Report information
The Basics
Id: 74296
Status: resolved
Priority: 0/
Queue: XML-Compile-WSS

People
Owner: Nobody in particular
Requestors: mawasak [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.12
Fixed in: (no value)



Subject: Lack of "Type" attribute in "Password" element
Hi,

Web service libraries (e.g. Apache CXF) require the "Type" attribute in the "Password" element when UsernameToken is used as the authentication mechanism, as described in "Web Services Security 3 UsernameToken Profile 1.1". So

<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">

should be set. The following elements are currently generated (XML-Compile-WSS-0.12) in XML::Compile::WSS->wsseBasicAuth:

<wsse:UsernameToken>
  <wsse:Username>USER</wsse:Username>
  <wsse:Password>PASS</wsse:Password>
</wsse:UsernameToken>

Proposed patch (also as attachment, diff v2.9 from Cygwin):

diff -Naur XML-Compile-WSS-0.12.ORIG/examples/usertoken/with_help.pl XML-Compile-WSS-0.12/examples/usertoken/with_help.pl --- XML-Compile-WSS-0.12.ORIG/examples/usertoken/with_help.pl 2011-08-31 11:40:24.000000000 +0200 +++ XML-Compile-WSS-0.12/examples/usertoken/with_help.pl 2012-01-23 22:48:37.296875000 +0100 @@ -11,6 +11,7 @@ #use Log::Report mode => 3; use XML::Compile::SOAP::WSS; +use XML::Compile::WSS::Util qw/:wss_username_profile/; # Configuration @@ -30,7 +31,9 @@ ); # You can probably reuse the same security info for each call. -my $security = $wss->wsseBasicAuth($username, $password); +my $security = $wss->wsseBasicAuth($username, $password, WSS_UTOKEN_PROFILE_11_PTEXT); +#OR shortcut +#my $security = $wss->wsseBasicAuth($username, $password, "text"); # You will usually change the payload of the message. The explain() # will tell you how it looks. diff -Naur XML-Compile-WSS-0.12.ORIG/lib/XML/Compile/WSS/Util.pm XML-Compile-WSS-0.12/lib/XML/Compile/WSS/Util.pm --- XML-Compile-WSS-0.12.ORIG/lib/XML/Compile/WSS/Util.pm 2011-08-31 12:31:18.000000000 +0200 +++ XML-Compile-WSS-0.12/lib/XML/Compile/WSS/Util.pm 2012-01-23 15:40:45.064441900 +0100 
@@ -65,9 +65,13 @@ DSP_NS /; +my @wss_username_profile = qw/ +WSS_UTOKEN_PROFILE_11 WSS_UTOKEN_PROFILE_11_PTEXT WSS_UTOKEN_PROFILE_11_PDIGEST + /; + our @EXPORT = 'WSS11MODULE'; our @EXPORT_OK - = (@wss11, @wsse, @dsig, @dsig_more, @dsig11, @xenc, @ghc, @dsp); + = (@wss11, @wsse, @dsig, @dsig_more, @dsig11, @xenc, @ghc, @dsp, @wss_username_profile); our %EXPORT_TAGS = ( wss11 => \@wss11 @@ -78,6 +82,7 @@ , xenc => \@xenc , ghc => \@ghc , dsp => \@dsp + , wss_username_profile => \@wss_username_profile ); @@ -100,6 +105,7 @@ { WSS_11 => WSS_BASE.'/oasis-wss-wssecurity-secext-1.1.xsd' , WSU_10 => WSS_BASE.'/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' , WSSE_10 => WSS_BASE.'/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' + , WSS_UTOKEN_PROFILE_11 => WSS_BASE.'/2004/01/oasis-200401-wss-username-token-profile-1.0' }; use constant WSS11MODULE => WSS_11; @@ -113,6 +119,10 @@ , WSSE_X509PKC => WSSE_10.'#X509PKCS7' }; +use constant + { WSS_UTOKEN_PROFILE_11_PTEXT => WSS_UTOKEN_PROFILE_11.'#PasswordText' + , WSS_UTOKEN_PROFILE_11_PDIGEST => WSS_UTOKEN_PROFILE_11.'#PasswordDigest' + }; use constant { DSIG_NS => DSIG.'#' diff -Naur XML-Compile-WSS-0.12.ORIG/lib/XML/Compile/WSS.pm XML-Compile-WSS-0.12/lib/XML/Compile/WSS.pm --- XML-Compile-WSS-0.12.ORIG/lib/XML/Compile/WSS.pm 2011-08-31 12:31:18.000000000 +0200 +++ XML-Compile-WSS-0.12/lib/XML/Compile/WSS.pm 2012-01-23 22:43:21.484375000 +0100 @@ -12,7 +12,7 @@ use Log::Report 'xml-compile-wss'; -use XML::Compile::WSS::Util ':wss11'; +use XML::Compile::WSS::Util qw/:wss11 :wss_username_profile/; use XML::Compile::Util qw/SCHEMA2001/; use XML::Compile::C14N; @@ -58,7 +58,7 @@ #----------- sub wsseBasicAuth($$) -{ my ($self, $username, $password) = @_; +{ my ($self, $username, $password, $type) = @_; my $schema = $self->schema or panic; my $pwtype = $schema->findName('wsse:Password'); 
@@ -67,6 +67,15 @@ my $doc = XML::LibXML::Document->new('1.0', 'UTF-8'); my $pwnode = $schema->writer($pwtype, include_namespaces => 0) ->($doc, $password); + + if (($type eq WSS_UTOKEN_PROFILE_11_PTEXT) or ($type eq "text")) { + $pwnode->setAttribute("Type", WSS_UTOKEN_PROFILE_11_PTEXT); + } + + if (($type eq WSS_UTOKEN_PROFILE_11_PDIGEST) or ($type eq "digest")) { + $pwnode->setAttribute("Type", WSS_UTOKEN_PROFILE_11_PDIGEST); + } + my $token = $schema->writer($untype, include_namespaces => 0) ->($doc, { wsse_Username => $username, $pwtype => $pwnode } ); diff -Naur XML-Compile-WSS-0.12.ORIG/lib/XML/Compile/WSS.pod XML-Compile-WSS-0.12/lib/XML/Compile/WSS.pod --- XML-Compile-WSS-0.12.ORIG/lib/XML/Compile/WSS.pod 2011-08-31 12:31:20.000000000 +0200 +++ XML-Compile-WSS-0.12/lib/XML/Compile/WSS.pod 2012-01-23 16:24:31.895409800 +0100 @@ -75,12 +75,23 @@ =over 4 -=item $obj-E<gt>B<wsseBasicAuth>(USERNAME, PASSWORD) +=item $obj-E<gt>B<wsseBasicAuth>(USERNAME, PASSWORD [,TYPE]) Many SOAP applications require a username/password authentication, like HTTP's basic authentication. See F<examples/usertoken/manually.pl> for an example how to construct this by hand for any possible requirement. +TYPE - add "Type" attribute do "Password" element. + +TYPE is: + +WSS_UTOKEN_PROFILE_11_PTEXT (when use XML::Compile::WSS::Util qw/:wss_username_profile/;) or ("text" for shortcut) +then Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" is added to "Password" element. + +WSS_UTOKEN_PROFILE_11_PDIGEST (when use XML::Compile::WSS::Util qw/:wss_username_profile/;) or ("digest" for shortcut) +then Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest" is added to "Password" element. + + This method, however, offers a simplification for the usual case. See a working example in F<examples/usertoken/with_help.pl>
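Review bot: In the Util.pm hunk at @@ -100,6 +105,7 @@, the constant is named WSS_UTOKEN_PROFILE_11 but its value ends in username-token-profile-1.0, so the name suggests a different profile version than the URI it carries. Add a comment stating that the 1.0 URI is intentional, or pick a name without the version, so that nobody later "corrects" the value and changes the Type sent on the wire.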
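Review bot: In the WSS.pm hunk at @@ -58,7 +58,7 @@, the sub keeps the prototype ($$) while the body now unpacks a third argument, $type. Prototypes are not enforced on method calls, but the declaration now misdescribes the interface; change it to ($$;$) or drop it so that the signature and the new "[,TYPE]" documentation agree.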
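Review bot: In the WSS.pm hunk at @@ -67,6 +67,15 @@, the "digest" branch only sets Type to WSS_UTOKEN_PROFILE_11_PDIGEST: $pwnode has already been written from $password unchanged, so a caller who passes the cleartext password sends it on the wire labelled as a digest. Either compute the digest in this branch or state in the documentation that the caller must pass the already digested value. In the same hunk, $type is undef for every existing two-argument caller, so both "$type eq ..." tests compare an undefined value (a warning when warnings are enabled), and an unrecognised value such as "Text" silently yields a Password without Type; guard with "defined $type" and report unknown values as an error.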
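Review bot: In the WSS.pod hunk at @@ -75,12 +75,23 @@, the added text never says what happens when TYPE is omitted, which is the case every existing caller is in. State that no Type attribute is written then, and fix the typo in 'add "Type" attribute do "Password" element' ("do" should be "to"). The TYPE paragraphs are also inserted between the sentence about manually.pl and "This method, however, offers a simplification", which splits that thought; move them after it.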
Subject: Re: [rt.cpan.org #74296] Lack of "Type" attribute in "Password" element
Date: Tue, 24 Jan 2012 00:25:28 +0100
To: via RT <bug-XML-Compile-WSS [...] rt.cpan.org>
From: Mark Overmeer <secretaris [...] nluug.nl>
* via RT (bug-XML-Compile-WSS@rt.cpan.org) [120123 23:19]:
> Mon Jan 23 18:19:15 2012: Request 74296 was acted upon.
> Transaction: Ticket created by MarWas
> Queue: XML-Compile-WSS
> Subject: Lack of "Type" attribute in "Password" element
> Requestors: mawasak@gmail.com
> Status: new
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=74296 >
>
> Web service libraries (eg. Apache CXF require "Type" attribute in
> "Password" element when UsernameToken is used as authentication
> mechanism, described in "Web Services Security
> 3 UsernameToken Profile 1.1".

ok.

> +my $security = $wss->wsseBasicAuth($username, $password, > WSS_UTOKEN_PROFILE_11_PTEXT); > +#OR shortcut > +#my $security = $wss->wsseBasicAuth($username, $password, "text");

I prefer to offer the user only the second: those long constants may
change in future versions of the specifications, but the abstract
names can be reused.

Can we pick a good default? In that case, we do not break existing
implementations...
--
Regards,
MarkOv

------------------------------------------------------------------------
Mark Overmeer MSc                                MARKOV Solutions
Mark@Overmeer.net                          solutions@overmeer.net
http://Mark.Overmeer.net              http://solutions.overmeer.net

Subject: Re: [rt.cpan.org #74296] Lack of "Type" attribute in "Password" element
Date: Tue, 24 Jan 2012 00:34:18 +0100
To: via RT <bug-XML-Compile-WSS [...] rt.cpan.org>
From: Mark Overmeer <secretaris [...] nluug.nl>
* via RT (bug-XML-Compile-WSS@rt.cpan.org) [120123 23:19]:
> Mon Jan 23 18:19:15 2012: Request 74296 was acted upon.
> Transaction: Ticket created by MarWas
> Queue: XML-Compile-WSS
> Subject: Lack of "Type" attribute in "Password" element
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=74296 >
>
> + , WSS_UTOKEN_PROFILE_11 =>

All those names are long and extremely abbreviated. Should we
simplify this into WSS_UP11?
--
Regards,
MarkOv

From: mawasak [...] gmail.com
On Mon 23 Jan 2012, 18:34:31, secretaris@nluug.nl wrote:
> * via RT (bug-XML-Compile-WSS@rt.cpan.org) [120123 23:19]:
> > Mon Jan 23 18:19:15 2012: Request 74296 was acted upon.
> > Transaction: Ticket created by MarWas
> > Queue: XML-Compile-WSS
> > Subject: Lack of "Type" attribute in "Password" element
> > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=74296 >
> >
> > + , WSS_UTOKEN_PROFILE_11 =>
>
> All those names are long and extremely abbreviated. Should we
> simplify this into WSS_UP11?

Yes, it can be simplified.... in Util.pm all names are much shorter.

From: mawasak [...] gmail.com
On Mon 23 Jan 2012, 18:25:57, secretaris@nluug.nl wrote:
> * via RT (bug-XML-Compile-WSS@rt.cpan.org) [120123 23:19]:
> > Mon Jan 23 18:19:15 2012: Request 74296 was acted upon.
> > Transaction: Ticket created by MarWas
> > Queue: XML-Compile-WSS
> > Subject: Lack of "Type" attribute in "Password" element
> > Requestors: mawasak@gmail.com
> > Status: new
> > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=74296 >
> >
> > Web service libraries (eg. Apache CXF require "Type" attribute in
> > "Password" element when UsernameToken is used as authentication
> > mechanism, described in "Web Services Security
> > 3 UsernameToken Profile 1.1".
>
> ok.
>
> > +my $security = $wss->wsseBasicAuth($username, $password,
> > WSS_UTOKEN_PROFILE_11_PTEXT);
> > +#OR shortcut
> > +#my $security = $wss->wsseBasicAuth($username, $password, "text");
>
> I prefer to offer the user only the second: those long constants may
> change in future versions of the specifications, but the abstract
> names can be reused.
>
> Can we pick a good default? In that case, we do not break existing
> implementations...

The second form is much simpler, but I could not decide:) some kind of constant can be seen as part of API much cleaner than "text".
I think that there is no risk to break existing impl but I am not native Perl...

Subject: Re: [rt.cpan.org #74296] Lack of "Type" attribute in "Password" element
Date: Tue, 24 Jan 2012 11:22:13 +0100
To: via RT <bug-XML-Compile-WSS [...] rt.cpan.org>
From: Mark Overmeer <mark [...] overmeer.net>
* via RT (bug-XML-Compile-WSS@rt.cpan.org) [120123 23:49]:
> Queue: XML-Compile-WSS
> The second form is much simpler, but I could not decide:) some kind of
> constant can be seen as part of API much cleaner then "text".
> I think that there is no risk to break existing impl but I am not native
> Perl...

The shorter the constants, the smaller the need for these 'text' and
'digest' strings. Can you live with the attached?
--
Regards,
MarkOv

Download XML-Compile-WSS-0.13.tar.gz
application/x-tar-gz 22.3k


From: mawasak [...] gmail.com
On Tue 24 Jan 2012, 05:22:31, Mark@Overmeer.net wrote:
> * via RT (bug-XML-Compile-WSS@rt.cpan.org) [120123 23:49]:
> > Queue: XML-Compile-WSS
> > The second form is much simpler, but I could not decide:) some kind of
> > constant can be seen as part of API much cleaner then "text".
> > I think that there is no risk to break existing impl but I am not native
> > Perl...
>
> The shorter the constants, the smaller the need for these 'text' and
> 'digest' strings. Can you live with the attached?

- it works for me, thanks
- in Util.pod there is info that :utp tag is exported whereas :utp11 is in Util.pm and in WSS.pod
- in Util.pod link for spec can be used eg. http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
- in WSS.pod (example) should be written explicitly that when UTP11_PTEXT is used Type attribute is used in Password element with value...., then UTP11_PDIG is used then Type attribute has value .... and when two args wsseBasicAuth is used Type attribute is not used at all.... IMHO

Subject: Re: [rt.cpan.org #74296] Lack of "Type" attribute in "Password" element
Date: Tue, 24 Jan 2012 13:59:48 +0100
To: via RT <bug-XML-Compile-WSS [...] rt.cpan.org>
From: Mark Overmeer <secretaris [...] nluug.nl>
* via RT (bug-XML-Compile-WSS@rt.cpan.org) [120124 12:35]:
> Queue: XML-Compile-WSS
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=74296 >
>
> -it works for me, thanks

Glad, because it was untested ;-)

> -in Util.pod there is info that :utp tag is exported whereas :utp11 is
> in Util.pm and in WSS.pod

Ah, you got me on a last minute change.

I used
  docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf
which is version 1.1 (without changing the constants). That document
itself refers to the indicated directory. I'll add the path.

> -in WSS.pod (example) should be written explicitly that when UTP11_PTEXT
> is used Type attribute is used in Password element with value...., then
> UTP11_PDIG is used then Type attribute has value .... and when two args
> wsseBasicAuth is used Type attribute is not used at all.... IMHO

That long explanation could be added to any module on CPAN: that's not
needed for the average Perl programmer. The text which I have added
is

  The optional PWTYPE parameter contains either the UTP11_PTEXT or
  UTP11_PDIGEST constant. The PTEXT is the plain-text version of the
  password. When PDIGEST is used, the field must be a base64 encoded
  sha1 of the utf8 encoded version of the password.

Question: should we do the encoding of the password when PDIGEST, or
should the application do that? The code is simple:
  sha1_base64 encode($password, 'utf8');
But what is smart?
--
Regards,
MarkOv

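The digest computation asked about in the message above, as an added example; it is not code from this ticket or from XML::Compile::WSS. It goes beyond the one-liner by folding in the optional Nonce and Created values, which the UsernameToken Profile puts into the digest input when they are present, and it emits padded Base64, which Digest::SHA's sha1_base64 does not. The helper names `password_fields` and `digest_matches` and all sample values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA  qw(sha1 sha1_base64);
use MIME::Base64 qw(encode_base64);
use Encode       qw(encode);

# Type URIs exactly as quoted in this ticket.
my $UTP  = 'http://docs.oasis-open.org/wss/2004/01/'
         . 'oasis-200401-wss-username-token-profile-1.0';
my %TYPE = (text => "$UTP#PasswordText", digest => "$UTP#PasswordDigest");

# Hypothetical helper, not part of XML::Compile::WSS.
#   $kind    : 'text' or 'digest'
#   $nonce   : raw bytes, optional (take them from a CSPRNG in real code)
#   $created : UTC timestamp string, optional
sub password_fields {
    my ($password, $kind, $nonce, $created) = @_;
    defined $kind && exists $TYPE{$kind}
        or die "password type must be 'text' or 'digest'\n";

    return { Type => $TYPE{text}, Password => $password }
        if $kind eq 'text';

    # Password_Digest = Base64( SHA-1( nonce + created + password ) ),
    # with the password as UTF-8 octets; absent parts are left out.
    my $input = ($nonce // '') . ($created // '')
              . encode('UTF-8', $password);
    my %f = ( Type     => $TYPE{digest}
            , Password => encode_base64(sha1($input), '') );
    $f{Nonce}   = encode_base64($nonce, '') if defined $nonce;
    $f{Created} = $created                   if defined $created;
    return \%f;
}

# Receiver side: recompute from the stored password and compare.
sub digest_matches {
    my ($fields, $stored_password, $nonce, $created) = @_;
    my $expect = password_fields($stored_password, 'digest', $nonce, $created);
    return $fields->{Password} eq $expect->{Password};
}

# Constructed sample values.
my $pw      = "p\x{e4}ssw\x{f6}rd";       # non-ASCII on purpose
my $nonce   = pack 'H*', '00112233445566778899aabbccddeeff';
my $created = '2012-01-24T12:00:00Z';

my $bare = password_fields($pw, 'digest');
my $full = password_fields($pw, 'digest', $nonce, $created);

printf "%-8s %s\n", $_, $full->{$_} for qw(Type Password Nonce Created);
print  "password only, padded   : $bare->{Password}\n";
print  "sha1_base64, unpadded   : ", sha1_base64(encode('UTF-8', $pw)), "\n";
print  "receiver, same nonce    : ",
       (digest_matches($full, $pw, $nonce, $created) ? 'match' : 'no match'), "\n";
print  "receiver, other nonce   : ",
       (digest_matches($full, $pw, "\0" x 16, $created) ? 'match' : 'no match'), "\n";
```

The two password-only lines differ only in the trailing "=": a receiver that Base64-decodes strictly can reject the unpadded form.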
From: mawasak [...] gmail.com
On Tue 24 Jan 2012, 08:08:51, secretaris@nluug.nl wrote:
> * via RT (bug-XML-Compile-WSS@rt.cpan.org) [120124 12:35]:
> > Queue: XML-Compile-WSS
> > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=74296 >
> >
> > -it works for me, thanks
>
> Glad, because it was untested ;-)
>
> > -in Util.pod there is info that :utp tag is exported whereas :utp11 is
> > in Util.pm and in WSS.pod
>
> Ah, you got me on a last minute change.
>
> > -in Util.pod link for spec can be used eg.
> > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
>
> I used docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf
> which is version 1.1 (without changing the constants). That document
> itself refers to the indicated directory. I'll add the path.
>
> > -in WSS.pod (example) should be written explicitly that when UTP11_PTEXT
> > is used Type attribute is used in Password element with value...., then
> > UTP11_PDIG is used then Type attribute has value .... and when two args
> > wsseBasicAuth is used Type attribute is not used at all.... IMHO
>
> That long explanation could be added to any module on CPAN: that's not
> needed for the average Perl programmer. The text which I have added
> is
>
>   The optional PWTYPE parameter contains either the UTP11_PTEXT or
>   UTP11_PDIGEST constant. The PTEXT is the plain-text version of the
>   password. When PDIGEST is used, the field must be a base64 encoded
>   sha1 of the utf8 encoded version of the password.
>
> Question: should we do the encoding of the password when PDIGEST, or
> should the application do that? The code is simple:
>   sha1_base64 encode($password, 'utf8');
> But what is smart?

I think that is better to encode given clear text password (eg. in soapUI is similar process - user get clear text and check PasswordDigest as password type and application encode it).

Subject: Re: [rt.cpan.org #74296] Lack of "Type" attribute in "Password" element
Date: Tue, 24 Jan 2012 21:22:13 +0100
To: via RT <bug-XML-Compile-WSS [...] rt.cpan.org>
From: Mark Overmeer <secretaris [...] nluug.nl>
* via RT (bug-XML-Compile-WSS@rt.cpan.org) [120124 15:25]:
> Queue: XML-Compile-WSS
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=74296 >
>
> > Question: should we do the encoding of the password when PDIGEST, or
> > should the application do that? The code is simple:
> >   sha1_base64 encode($password, 'utf8');
> > But what is smart?
>
> I think that is better to encode given clear text password (eg. in
> soapUI is similar process - user get clear text and check PasswordDigest
> as password type and application encode it).

Sorry, I do not understand your answer.
Do we want the end-user to write:

1)
  $wss->wsseBasicAuth($u, $p, UTP11_PTEXT);
  $wss->wsseBasicAuth($u, $p, UTP11_PDIGEST);

or 2)
  $wss->wsseBasicAuth($u, $p, UTP11_PTEXT);
  my $q = sha1_base64 encode($p, 'utf8');
  $wss->wsseBasicAuth($u, $q, UTP11_PDIGEST);
--
Regards,
MarkOv

From: mawasak [...] gmail.com
On Tue 24 Jan 2012, 15:22:27, secretaris@nluug.nl wrote:
> * via RT (bug-XML-Compile-WSS@rt.cpan.org) [120124 15:25]:
> > Queue: XML-Compile-WSS
> > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=74296 >
> >
> > > Question: should we do the encoding of the password when PDIGEST, or
> > > should the application do that? The code is simple:
> > >   sha1_base64 encode($password, 'utf8');
> > > But what is smart?
> >
> > I think that is better to encode given clear text password (eg. in
> > soapUI is similar process - user get clear text and check PasswordDigest
> > as password type and application encode it).
>
> Sorry, I do not understand your answer.
> Do we want the end-user to write:
>
> 1)
>   $wss->wsseBasicAuth($u, $p, UTP11_PTEXT);
>   $wss->wsseBasicAuth($u, $p, UTP11_PDIGEST);
>
> or 2)
>   $wss->wsseBasicAuth($u, $p, UTP11_PTEXT);
>   my $q = sha1_base64 encode($p, 'utf8');
>   $wss->wsseBasicAuth($u, $q, UTP11_PDIGEST);
>

:)
My proposition is "1" - we do sha1_base64 encode($p, 'utf8'); when user do $wss->wsseBasicAuth($u, $p, UTP11_PDIGEST);
ok?

Subject: Re: [rt.cpan.org #74296] Lack of "Type" attribute in "Password" element
Date: Wed, 25 Jan 2012 00:13:46 +0100
To: via RT <bug-XML-Compile-WSS [...] rt.cpan.org>
From: Mark Overmeer <mark [...] overmeer.net>
* via RT (bug-XML-Compile-WSS@rt.cpan.org) [120124 20:28]:
> Queue: XML-Compile-WSS
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=74296 >
>
> My proposition is "1" - we do sha1_base64 encode($p, 'utf8'); when
> user do $wss->wsseBasicAuth($u, $p, UTP11_PDIGEST);

Just released as version 0.13. Hope it works, because I did not test
it myself ;-)
--
Thanks for the contribution,
MarkOv

fixed in 0.13