cxf-issues mailing list archives

From "David Valeri (JIRA)" <>
Subject [jira] Resolved: (CXF-2656) WS-SP signed elements assertion cannot be applied to portions of the signature in outbound processing
Date Wed, 16 Mar 2011 03:00:29 GMT


David Valeri resolved CXF-2656.

    Resolution: Not A Problem
      Assignee: David Valeri

Before creating a test case, I reviewed the WS-Security 1.1 X509 token profile to determine
the applicability of this issue to a specification compliant implementation.  The original
driver behind this issue was the need to include X509 tokens in the message signature.  Since
the X509 token profile requires that a wsse:SecurityTokenReference is used in ds:KeyInfo and
also specifies a limited number of mechanisms by which the wsse:SecurityTokenReference may
reference/include an X509 token, the situation where an embedded X509 certificate is present
as a descendant of ds:KeyInfo cannot arise.  Since the available reference mechanisms in the
specification all rely on a token that is not embedded as part of the actual XML digital signature,
the token can always be protected using the STR Dereference Transform or directly referenced
from a ds:Reference when a wsse:BinarySecurityToken is embedded in the WS-Security header
of the message.

As such, the original use case for this issue is handled by existing capabilities now that
CXF-2655 is resolved.

I'm resolving the issue as "Not A Problem".

> WS-SP signed elements assertion cannot be applied to portions of the signature in outbound
> -----------------------------------------------------------------------------------------------------
>                 Key: CXF-2656
>                 URL:
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.3.0
>            Reporter: David Valeri
>            Assignee: David Valeri
>             Fix For: NeedMoreInfo
> AsymetricBinding can't sign parts created by the WSS4J signature processing code.  Because
> AsymetricBinding calculates signature covered parts before creating/embedding the constructs
> of the WS-S signature into the SAAJ DOM, it cannot find things like the ws:KeyInfo to sign.
> Changing the order of operations is necessary to resolve this issue.  It would appear
> that WSS4J supports this capability any time after prepare has been called as it can accomplish
> this feat when using the build convenience method.
> Test case is pending.

This message is automatically generated by JIRA.
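The two protection mechanisms named in the resolution above (a direct ds:Reference to the wsse:BinarySecurityToken, or a ds:Reference to the wsse:SecurityTokenReference carrying the STR Dereference Transform) can be checked structurally on a received header. This is an added example, not CXF or WSS4J code and not part of the original message; the function name, the `sample` helper and the constructed header with its `X509-1`, `STR-1` and `Body-1` ids are assumptions, and it checks signature coverage only, not digests or the signature value.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
NS = {"ds": DS, "wsse": WSSE}
WSU_ID = "{%s}Id" % WSU

def token_protection(security_xml):
    """Return 'direct', 'str-transform' or None for the token named by ds:KeyInfo."""
    sec = ET.fromstring(security_xml)
    key_ref = sec.find(
        "ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    token_uri = key_ref.get("URI", "") if key_ref is not None else ""
    # The token must be a BinarySecurityToken embedded in the security header.
    embedded = {"#" + b.get(WSU_ID, "") for b in sec.findall("wsse:BinarySecurityToken", NS)}
    if not token_uri or token_uri not in embedded:
        return None
    # Ids of every STR that points at the same token through wsse:Reference.
    strs = {"#" + s.get(WSU_ID) for s in sec.iter("{%s}SecurityTokenReference" % WSSE)
            if s.get(WSU_ID) and s.find("wsse:Reference[@URI='%s']" % token_uri, NS) is not None}
    for ref in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        algs = {t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)}
        if ref.get("URI") == token_uri:
            return "direct"            # token element itself is digested
        if ref.get("URI") in strs and STR_TRANSFORM in algs:
            return "str-transform"     # STR is dereferenced to the token before digesting
    return None

def sample(signed_info_refs):
    """Constructed header; digest and signature values are omitted."""
    return f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <wsse:BinarySecurityToken wsu:Id="X509-1">constructed</wsse:BinarySecurityToken>
  <ds:Signature>
    <ds:SignedInfo>{signed_info_refs}</ds:SignedInfo>
    <ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="STR-1">
      <wsse:Reference URI="#X509-1"/>
    </wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
</wsse:Security>"""

DIRECT = sample('<ds:Reference URI="#X509-1"/>')
VIA_STR = sample('<ds:Reference URI="#STR-1"><ds:Transforms>'
                 f'<ds:Transform Algorithm="{STR_TRANSFORM}"/></ds:Transforms></ds:Reference>')
STR_NO_TRANSFORM = sample('<ds:Reference URI="#STR-1"/>')
BODY_ONLY = sample('<ds:Reference URI="#Body-1"/>')
```

A reference to the STR without the transform returns None because it digests only the reference element, not the certificate it points to.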