cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Kulp <dk...@apache.org>
Subject Re: Signing of WS-Addressing headers
Date Fri, 14 Feb 2014 00:39:14 GMT


I would say bug in Metro.

The very first example in the WS-SecurityPolicy spec:

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/errata01/os/ws-securitypolicy-1.3-errata01-os-complete.html#_Toc325573554

specifically shows that if you want the WS-A headers also signed, you should be:

 <sp:SignedParts>
     <sp:Body/>
     <sp:Header
       Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    />
 </sp:SignedParts>


If the sp:Body element wasn’t in there (so empty SignedParts  element) a case could likely
be made that the WS-Addressing headers should be signed as the spec says:

"If no child elements are specified, all message headers targeted at the UltimateReceiver
role [SOAP12] or actor [SOAP11] and the body of the message MUST be integrity protected."


Anyway, that’s my reading of it.


Dan



On Feb 13, 2014, at 6:43 PM, Dennis Sosnoski <dms@sosnoski.com> wrote:

> In testing Metro interop I noticed that if I only specified:
> 
>        <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>          <sp:Body/>
>        </sp:SignedParts>
> 
> CXF happily generated messages signing only the Body, but Metro apparently requires the
WS-A headers (at least MessageID) to be signed anyway:
> 
> Feb 13, 2014 3:51:55 PM com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl
resolveAndVerifyTargets
> SEVERE: WSS0206: Security in the incoming message does not conform to the SecurityPolicy
configured at the Recipient.
> Feb 13, 2014 3:51:55 PM com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl
resolveAndVerifyTargets
> SEVERE: WSS0814: policy verification error, missing target MessageID for Signature
> Feb 13, 2014 3:51:55 PM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
> SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
> com.sun.xml.wss.impl.PolicyViolationException: com.sun.xml.wss.XWSSecurityException:
Policy verification error:Missing target MessageID for Signature
>    at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:151)
>    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:1016)
>    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:252)
>    at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:455)
>    at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
> 
> It's certainly best practice to sign the WS-A headers, but AFAIK it isn't required. Is
this an error on Metro's part, or should we be requiring signing of the WS-A headers too?
> 
> Thanks,
> 
>  - Dennis
> 

-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com


Mime
View raw message