cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alistair Phipps (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-3461) EndorsingSupportingTokens policy reports not satisfied when using TLS with signed timestamp
Date Tue, 19 Apr 2011 17:18:05 GMT
EndorsingSupportingTokens policy reports not satisfied when using TLS with signed timestamp
-------------------------------------------------------------------------------------------

                 Key: CXF-3461
                 URL: https://issues.apache.org/jira/browse/CXF-3461
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.4
            Reporter: Alistair Phipps


WS-SecurityPolicy 1.2 spec states: If transport security is used, the signature (Sig2) MUST
cover the message timestamp

However, when sending a request to a CXF service requiring EndorsingSupportingTokens with
a signed message timestamp, the EndorsingSupportingTokens policy is reported not satisfied.

It appears the PolicyBasedWSS4JInterceptor.doResults will only mark this satisfied if "hasEndorsement"
is set, which is in turn based on a signature on the entire message.  This is only true when
using MLS, not TLS.

Example policy fragment:

			<sp:EndorsingSupportingTokens>
				<wsp:Policy>
					<sp:X509Token
						sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
						<wsp:Policy>
							<sp:WssX509V3Token10 />
						</wsp:Policy>
					</sp:X509Token>
				</wsp:Policy>
			</sp:EndorsingSupportingTokens>

Example message portion:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soap:mustUnderstand="1">
      <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-xxx">xxx</wsse:BinarySecurityToken>
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-1">
        <wsu:Created>2011-04-19T15:46:35.705Z</wsu:Created>
        <wsu:Expires>2011-04-19T15:51:35.705Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#Timestamp-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>xxx</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>xxx</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-xxx">
          <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-xxx">
            <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
URI="#CertId-xxx" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
</soap:Envelope>


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message