Apache
WSS4J 1.6.8 has been
released. The list of issues fixed is available
here. One of the most significant improvements is a
fix for using WSS4J with XML Signature on Websphere. A new feature has also been added to WSS4J 1.6.8, namely the ability to define which algorithms are
acceptable when processing an inbound request. This functionality has already been
integrated into CXF and will be available in the 2.7.1, 2.6.4 and 2.5.7 releases. This essentially means that rather than check the algorithms against the relevant AlgorithmSuite used as part of WS-SecurityPolicy after WSS4J has finished processing the security header, the algorithms will be checked by WSS4J in real-time when processing the header.
A new page has been
added to the WSS4J website which describes 'security best practices' when using WSS4J. The points are summarised as follows:
- Upgrade from WSS4J 1.5.x to WSS4J 1.6.x
- Upgrade to the latest minor release as soon as possible
- Use WS-SecurityPolicy to enforce security requirements
- Use RSA-OAEP for the Key Transport Algorithm
- Avoid using a cbc Symmetric Encryption Algorithm
- Use Subject DN regular expressions with chain trust
- Specify signature algorithm on receiving side