cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis Sosnoski (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CXF-3041) AsymmetricBinding used only for response causes error
Date Tue, 02 Nov 2010 06:50:25 GMT

    [ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12927320#action_12927320
] 

Dennis Sosnoski commented on CXF-3041:
--------------------------------------

The WS-SecPolicy WG does not respond to questions about usage, as far as I've ever seen, so
I think your suggestion is not intended to be helpful.

If you're correct that everything should be signed and encrypted by default, and that the
standard somehow forgot to mention this seemingly crucial point, then both CXF and all the
other stacks I'm aware are broken because they don't do this. If I'm correct that only those
components specified by the policy should be signed or encrypted, then the issue is somewhat
simpler in that CXF just needs to stop generating a signature block if no components are being
signed. Either way, the current behavior is wrong.

> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
>                 Key: CXF-3041
>                 URL: https://issues.apache.org/jira/browse/CXF-3041
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>            Reporter: Dennis Sosnoski
>         Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response
message, the request message is sent with a signature and the server throws an exception (tested
with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> 	at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> 	at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> 	at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> 	at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> 	at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption
only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
>     xmlns:wns="http://ws.sosnoski.com/library/wsdl"
>     xmlns:tns="http://ws.sosnoski.com/library/types"
>     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>     xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>   
>   <!-- Policy for asymmetric binding with the certificate included in the message
from
>    client to server but only a thumbprint on messages from the server to the client.
-->
>   <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
>       "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>       xmlns:wsp="http://www.w3.org/ns/ws-policy"
>       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>     <sp:AsymmetricBinding>
>       <wsp:Policy>
>         <sp:InitiatorToken>
>           <wsp:Policy>
>             <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>               <wsp:Policy>
>                 <sp:RequireThumbprintReference/>
>               </wsp:Policy>
>             </sp:X509Token>
>           </wsp:Policy>
>         </sp:InitiatorToken>
>         <sp:RecipientToken>
>           <wsp:Policy>
>             <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>               <wsp:Policy>
>                 <sp:RequireThumbprintReference/>
>               </wsp:Policy>
>             </sp:X509Token>
>           </wsp:Policy>
>         </sp:RecipientToken>
>         <sp:AlgorithmSuite>
>           <wsp:Policy>
>             <sp:Basic128Rsa15/>
>           </wsp:Policy>
>         </sp:AlgorithmSuite>
>       </wsp:Policy>
>     </sp:AsymmetricBinding>
>   </wsp:Policy>
>   
>   <!-- Policy for signing the message body. -->
>   <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
>       "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>       xmlns:wsp="http://www.w3.org/ns/ws-policy"
>       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>     <sp:SignedParts>
>       <sp:Body/>
>     </sp:SignedParts>
>   </wsp:Policy>
>   
>   ...
>   <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
>     <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
>     <wsdl:operation name="getBook">
>   
>       <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>     
>       <wsdlsoap:operation soapAction="urn:getBook"/>
>       
>       <wsdl:input name="getBookRequest">
>         <wsdlsoap:body use="literal"/>
>       </wsdl:input>
>       
>       <wsdl:output name="getBookResponse">
>         <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
>         <wsdlsoap:body use="literal"/>
>       </wsdl:output>
>       
>     </wsdl:operation>
>     ...
>   </wsdl:binding>
>   ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>    <soap:Header>
>       <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soap:mustUnderstand="1">
>          <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
>          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
>             <ds:SignedInfo>
>                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>             </ds:SignedInfo>
>             <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
>             <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
>                <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
>                   <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>                </wsse:SecurityTokenReference>
>             </ds:KeyInfo>
>          </ds:Signature>
>       </wsse:Security>
>    </soap:Header>
>    <soap:Body>
>       <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
>          <isbn>0061020052</isbn>
>       </getBook>
>    </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home
directory for you CXF installation, and build with Ant (default target). This generates the
.war, and you can then run the client with the Ant target "run".

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message