cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dennis Sosnoski <...@sosnoski.com>
Subject Re: Signing of WS-Addressing headers
Date Fri, 14 Feb 2014 06:03:15 GMT
Yes, that certainly makes sense. I'll run some other tests to verify the 
Metro behavior, and see about entering a bug report.

   - Dennis

On 02/14/2014 01:39 PM, Daniel Kulp wrote:
>
> I would say bug in Metro.
>
> The very first example in the WS-SecurityPolicy spec:
>
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/errata01/os/ws-securitypolicy-1.3-errata01-os-complete.html#_Toc325573554
>
> specifically shows that if you want the WS-A headers also signed, you should be:
>
>   <sp:SignedParts>
>       <sp:Body/>
>       <sp:Header
>         Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>      />
>   </sp:SignedParts>
>
>
> If the sp:Body element wasn’t in there (so empty SignedParts  element) a case could
likely be made that the WS-Addressing headers should be signed as the spec says:
>
> "If no child elements are specified, all message headers targeted at the UltimateReceiver
role [SOAP12] or actor [SOAP11] and the body of the message MUST be integrity protected."
>
>
> Anyway, that’s my reading of it.
>
>
> Dan
>
>
>
> On Feb 13, 2014, at 6:43 PM, Dennis Sosnoski <dms@sosnoski.com> wrote:
>
>> In testing Metro interop I noticed that if I only specified:
>>
>>         <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>           <sp:Body/>
>>         </sp:SignedParts>
>>
>> CXF happily generated messages signing only the Body, but Metro apparently requires
the WS-A headers (at least MessageID) to be signed anyway:
>>
>> Feb 13, 2014 3:51:55 PM com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl
resolveAndVerifyTargets
>> SEVERE: WSS0206: Security in the incoming message does not conform to the SecurityPolicy
configured at the Recipient.
>> Feb 13, 2014 3:51:55 PM com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl
resolveAndVerifyTargets
>> SEVERE: WSS0814: policy verification error, missing target MessageID for Signature
>> Feb 13, 2014 3:51:55 PM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
>> SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
>> com.sun.xml.wss.impl.PolicyViolationException: com.sun.xml.wss.XWSSecurityException:
Policy verification error:Missing target MessageID for Signature
>>     at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:151)
>>     at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:1016)
>>     at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:252)
>>     at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:455)
>>     at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
>>
>> It's certainly best practice to sign the WS-A headers, but AFAIK it isn't required.
Is this an error on Metro's part, or should we be requiring signing of the WS-A headers too?
>>
>> Thanks,
>>
>>   - Dennis
>>


Mime
View raw message