cxf-dev mailing list archives

From Daniel Kulp <>
Subject Re: Signing of WS-Addressing headers
Date Fri, 14 Feb 2014 00:39:14 GMT

I would say bug in Metro.

The very first example in the WS-SecurityPolicy spec:

specifically shows that if you want the WS-A headers also signed, you should be:


If the sp:Body element wasn’t in there (so empty SignedParts element) a case could likely
be made that the WS-Addressing headers should be signed as the spec says:

"If no child elements are specified, all message headers targeted at the UltimateReceiver
role [SOAP12] or actor [SOAP11] and the body of the message MUST be integrity protected."

Anyway, that’s my reading of it.


On Feb 13, 2014, at 6:43 PM, Dennis Sosnoski <> wrote:

> In testing Metro interop I noticed that if I only specified:
>        <sp:SignedParts xmlns:sp="">
>          <sp:Body/>
>        </sp:SignedParts>
> CXF happily generated messages signing only the Body, but Metro apparently requires the WS-A headers (at least MessageID) to be signed anyway:
> Feb 13, 2014 3:51:55 PM
> SEVERE: WSS0206: Security in the incoming message does not conform to the SecurityPolicy configured at the Recipient.
> Feb 13, 2014 3:51:55 PM
> SEVERE: WSS0814: policy verification error, missing target MessageID for Signature
> Feb 13, 2014 3:51:55 PM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
> SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
> com.sun.xml.wss.impl.PolicyViolationException: com.sun.xml.wss.XWSSecurityException: Policy verification error:Missing target MessageID for Signature
>    at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(
>    at
>    at
>    at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(
>    at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(
> It's certainly best practice to sign the WS-A headers, but AFAIK it isn't required. Is this an error on Metro's part, or should we be requiring signing of the WS-A headers too?
> Thanks,
>  - Dennis

Daniel Kulp -
Talend Community Coder -
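
The SignedParts rules discussed in this thread, worked through in Python as an added example; it is not part of the original messages and is not CXF or Metro code. The namespace URIs (WS-SecurityPolicy 1.2, WS-Addressing 1.0, SOAP 1.1 and 1.2) and the sample envelope are assumptions constructed for illustration, and the function lists which parts each form of the assertion requires to be signed.

```python
import xml.etree.ElementTree as ET
# Namespace URIs are assumptions of this example; the archived message does not show them.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSA = "http://www.w3.org/2005/08/addressing"
S11 = "http://schemas.xmlsoap.org/soap/envelope/"
S12 = "http://www.w3.org/2003/05/soap-envelope"
# Constructed sample message: two WS-A headers plus one header addressed to "next".
ENVELOPE = f"""<s:Envelope xmlns:s="{S11}" xmlns:wsa="{WSA}" xmlns:x="urn:example:ext">
  <s:Header>
    <wsa:MessageID>urn:uuid:constructed-1</wsa:MessageID>
    <wsa:To>http://localhost/service</wsa:To>
    <x:Trace s:actor="http://schemas.xmlsoap.org/soap/actor/next">t1</x:Trace>
  </s:Header>
  <s:Body><x:Ping/></s:Body>
</s:Envelope>"""
BODY_ONLY = f'<sp:SignedParts xmlns:sp="{SP}"><sp:Body/></sp:SignedParts>'
BODY_AND_WSA = (f'<sp:SignedParts xmlns:sp="{SP}"><sp:Body/>'
                f'<sp:Header Namespace="{WSA}"/></sp:SignedParts>')
EMPTY = f'<sp:SignedParts xmlns:sp="{SP}"/>'

def for_ultimate_receiver(header, soap_ns):
    """True when the header has no actor/role or names the SOAP 1.2 ultimateReceiver role."""
    attr = "actor" if soap_ns == S11 else "role"
    return header.get(f"{{{soap_ns}}}{attr}", "") in ("", S12 + "/role/ultimateReceiver")

def required_signed_parts(signed_parts_xml, envelope_xml):
    """Sorted list of 'Body' and '{ns}local' header names the assertion requires signed."""
    policy, env = ET.fromstring(signed_parts_xml), ET.fromstring(envelope_xml)
    soap_ns = env.tag[1:].split("}", 1)[0]
    header_el = env.find(f"{{{soap_ns}}}Header")
    headers = list(header_el) if header_el is not None else []
    if len(policy) == 0:
        # No child elements: all headers for the ultimate receiver, and the body.
        return sorted({h.tag for h in headers if for_ultimate_receiver(h, soap_ns)} | {"Body"})
    required = set()
    for child in policy:
        if child.tag == f"{{{SP}}}Body":
            required.add("Body")
        elif child.tag == f"{{{SP}}}Header":
            ns, name = child.get("Namespace"), child.get("Name")
            for h in headers:
                h_ns, h_name = h.tag[1:].split("}", 1)
                if h_ns == ns and name in (None, h_name):
                    required.add(h.tag)
    return sorted(required)

if __name__ == "__main__":
    for label, policy in (("Body only", BODY_ONLY), ("Body + WS-A", BODY_AND_WSA), ("empty", EMPTY)):
        print(label, "->", required_signed_parts(policy, ENVELOPE))
```

With the Body-only assertion the result is just the body, which matches the reading in this message that MessageID is not a required signature target under that policy.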
