Date: Wed, 16 Mar 2011 03:00:29 +0000 (UTC)
From: "David Valeri (JIRA)"
To: issues@cxf.apache.org
Reply-To: dev@cxf.apache.org
Message-ID: <1726120361.5824.1300244429997.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] Resolved: (CXF-2656) WS-SP signed elements assertion cannot be applied to portions of the signature in outbound processing

     [ https://issues.apache.org/jira/browse/CXF-2656?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Valeri resolved CXF-2656.
-------------------------------

    Resolution: Not A Problem
      Assignee: David Valeri

Before creating a test case, I reviewed the WS-Security 1.1 X509 token profile to determine the applicability of this issue to a specification compliant implementation. The original driver behind this issue was the need to include X509 tokens in the message signature. Since the X509 token profile requires that a wsse:SecurityTokenReference is used in ds:KeyInfo and also specifies a limited number of mechanisms by which the wsse:SecurityTokenReference may reference/include an X509 token, the situation where an embedded X509 certificate is present as a descendant of ds:KeyInfo cannot arise.

Since the available reference mechanisms in the specification all rely on a token that is not embedded as part of the actual XML digital signature, the token can always be protected using the STR Dereference Transform or directly referenced from a ds:Reference when a wsse:BinarySecurityToken is embedded in the WS-Security header of the message.

As such, the original use case for this issue is handled by existing capabilities now that CXF-2655 is resolved. I'm resolving the issues as "Not A Problem".

> WS-SP signed elements assertion cannot be applied to portions of the signature in outbound processing
> -----------------------------------------------------------------------------------------------------
>
>                 Key: CXF-2656
>                 URL: https://issues.apache.org/jira/browse/CXF-2656
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.3.0
>            Reporter: David Valeri
>            Assignee: David Valeri
>             Fix For: NeedMoreInfo
>
>
> AsymetricBinding can't sign parts created by the WSS4J signature processing code. Because AsymetricBinding calculates signature covered parts before creating/embedding the constructs of the WS-S signature into the SAAJ DOM, it cannot find things like the ws:KeyInfo to sign.
> Changing the order of operations is necessary to resolve this issue. It would appear that WSS4J supports this capability any time after prepare has been called as it can accomplish this feat when using the build convenience method.
> Test case is pending.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira