cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Glen Mazza (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CXF-3041) AsymmetricBinding used only for response causes error
Date Fri, 08 Oct 2010 07:56:31 GMT

    [ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12919192#action_12919192
] 

Glen Mazza commented on CXF-3041:
---------------------------------

Your first two questions I answered as well as I could in my immediately preceding response.
 I believe your next step is to go to the WS-SecPol WG and get clarification from them to
get more ammo before coming back here.

I'm not sure what your example is showing, it just overrides the defaults by -->explicitly<--
signing/encrypting one thing, the UsernameToken--nothing about what happens when you omit
the SignedParts/EncryptedParts tags entirely.  Also, nothing one way or the other is being
said about the response.  At any rate, when I had earlier showed the Axis2/Rampart example
*not* supporting what you had wanted you had dismissed individual implementations as not sufficiently
definitive enough on how things should be implemented.


> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
>                 Key: CXF-3041
>                 URL: https://issues.apache.org/jira/browse/CXF-3041
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>            Reporter: Dennis Sosnoski
>         Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response
message, the request message is sent with a signature and the server throws an exception (tested
with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> 	at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> 	at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> 	at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> 	at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> 	at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption
only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
>     xmlns:wns="http://ws.sosnoski.com/library/wsdl"
>     xmlns:tns="http://ws.sosnoski.com/library/types"
>     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>     xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>   
>   <!-- Policy for asymmetric binding with the certificate included in the message
from
>    client to server but only a thumbprint on messages from the server to the client.
-->
>   <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
>       "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>       xmlns:wsp="http://www.w3.org/ns/ws-policy"
>       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>     <sp:AsymmetricBinding>
>       <wsp:Policy>
>         <sp:InitiatorToken>
>           <wsp:Policy>
>             <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>               <wsp:Policy>
>                 <sp:RequireThumbprintReference/>
>               </wsp:Policy>
>             </sp:X509Token>
>           </wsp:Policy>
>         </sp:InitiatorToken>
>         <sp:RecipientToken>
>           <wsp:Policy>
>             <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>               <wsp:Policy>
>                 <sp:RequireThumbprintReference/>
>               </wsp:Policy>
>             </sp:X509Token>
>           </wsp:Policy>
>         </sp:RecipientToken>
>         <sp:AlgorithmSuite>
>           <wsp:Policy>
>             <sp:Basic128Rsa15/>
>           </wsp:Policy>
>         </sp:AlgorithmSuite>
>       </wsp:Policy>
>     </sp:AsymmetricBinding>
>   </wsp:Policy>
>   
>   <!-- Policy for signing the message body. -->
>   <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
>       "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>       xmlns:wsp="http://www.w3.org/ns/ws-policy"
>       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>     <sp:SignedParts>
>       <sp:Body/>
>     </sp:SignedParts>
>   </wsp:Policy>
>   
>   ...
>   <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
>     <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
>     <wsdl:operation name="getBook">
>   
>       <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>     
>       <wsdlsoap:operation soapAction="urn:getBook"/>
>       
>       <wsdl:input name="getBookRequest">
>         <wsdlsoap:body use="literal"/>
>       </wsdl:input>
>       
>       <wsdl:output name="getBookResponse">
>         <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
>         <wsdlsoap:body use="literal"/>
>       </wsdl:output>
>       
>     </wsdl:operation>
>     ...
>   </wsdl:binding>
>   ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>    <soap:Header>
>       <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soap:mustUnderstand="1">
>          <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
>          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
>             <ds:SignedInfo>
>                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>             </ds:SignedInfo>
>             <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
>             <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
>                <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
>                   <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>                </wsse:SecurityTokenReference>
>             </ds:KeyInfo>
>          </ds:Signature>
>       </wsse:Security>
>    </soap:Header>
>    <soap:Body>
>       <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
>          <isbn>0061020052</isbn>
>       </getBook>
>    </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home
directory for you CXF installation, and build with Ant (default target). This generates the
.war, and you can then run the client with the Ant target "run".

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message