cxf-dev mailing list archives

From Dennis Sosnoski <...@sosnoski.com>
Subject Signing of WS-Addressing headers
Date Thu, 13 Feb 2014 23:43:49 GMT
In testing Metro interop I noticed that if I only specified:

         <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
           <sp:Body/>
         </sp:SignedParts>

CXF happily generated messages signing only the Body, but Metro 
apparently requires the WS-A headers (at least MessageID) to be signed 
anyway:

Feb 13, 2014 3:51:55 PM com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl resolveAndVerifyTargets
SEVERE: WSS0206: Security in the incoming message does not conform to the SecurityPolicy configured at the Recipient.
Feb 13, 2014 3:51:55 PM com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl resolveAndVerifyTargets
SEVERE: WSS0814: policy verification error, missing target MessageID for Signature
Feb 13, 2014 3:51:55 PM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.impl.PolicyViolationException: com.sun.xml.wss.XWSSecurityException: Policy verification error:Missing target MessageID for Signature
     at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:151)
     at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:1016)
     at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:252)
     at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:455)
     at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)

It's certainly best practice to sign the WS-A headers, but AFAIK it 
isn't required. Is this an error on Metro's part, or should we be 
requiring signing of the WS-A headers too?

Thanks,

   - Dennis
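
Added example, not part of the original post and not CXF or Metro code: a structural check that lists which WS-Addressing headers in a SOAP message are not covered by any ds:Reference, which is the condition Metro rejects above. The sample message, its wsu:Id values and the function names are constructed for illustration; the check inspects reference coverage only and does not verify digests or the signature value.

```python
import xml.etree.ElementTree as ET

WSA = "{http://www.w3.org/2005/08/addressing}"
DS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}
WSU_ID = ("{http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd}Id")

# Constructed sample message: the signature references only the Body.
SAMPLE = """\
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap:Header>
    <wsa:To wsu:Id="to-1">http://example.test/service</wsa:To>
    <wsa:Action wsu:Id="act-1">urn:example:op</wsa:Action>
    <wsa:MessageID wsu:Id="mid-1">urn:uuid:constructed-0001</wsa:MessageID>
    <wsse:Security><ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#body-1"/>
    </ds:SignedInfo></ds:Signature></wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body-1"><op xmlns="urn:example"/></soap:Body>
</soap:Envelope>"""

def signed_ids(root):
    """wsu:Id values referenced as URI="#id" from ds:SignedInfo."""
    refs = root.iterfind(".//ds:SignedInfo/ds:Reference", DS)
    return {r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")}

def unsigned_wsa_headers(xml_text):
    """Local names of WS-Addressing headers that no signature reference covers."""
    root = ET.fromstring(xml_text)
    covered = signed_ids(root)
    # Match Header by local name so SOAP 1.1 and 1.2 envelopes both work.
    header = next((c for c in root if c.tag.endswith("}Header")), None)
    if header is None:
        return []
    return [h.tag[len(WSA):] for h in header
            if h.tag.startswith(WSA) and h.get(WSU_ID) not in covered]

def body_is_signed(xml_text):
    """True when the SOAP Body's wsu:Id is among the signed references."""
    root = ET.fromstring(xml_text)
    body = next((c for c in root if c.tag.endswith("}Body")), None)
    return body is not None and body.get(WSU_ID) in signed_ids(root)

if __name__ == "__main__":
    print("Body signed:", body_is_signed(SAMPLE))
    print("Unsigned WS-A headers:", unsigned_wsa_headers(SAMPLE))
```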

