cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-3461) EndorsingSupportingTokens policy reports not satisfied when using TLS with signed timestamp
Date Wed, 04 May 2011 12:23:03 GMT

     [ https://issues.apache.org/jira/browse/CXF-3461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Colm O hEigeartaigh updated CXF-3461:
-------------------------------------

    Fix Version/s: 2.4.1

> EndorsingSupportingTokens policy reports not satisfied when using TLS with signed timestamp
> -------------------------------------------------------------------------------------------
>
>                 Key: CXF-3461
>                 URL: https://issues.apache.org/jira/browse/CXF-3461
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.4
>            Reporter: Alistair Phipps
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.4.1
>
>
> WS-SecurityPolicy 1.2 spec states: If transport security is used, the signature (Sig2)
MUST cover the message timestamp
> However, when sending a request to a CXF service requiring EndorsingSupportingTokens
with a signed message timestamp, the EndorsingSupportingTokens policy is reported not satisfied.
> It appears the PolicyBasedWSS4JInterceptor.doResults will only mark this satisfied if
"hasEndorsement" is set, which is in turn based on a signature on the entire message.  This
is only true when using MLS, not TLS.
> Example policy fragment:
> 			<sp:EndorsingSupportingTokens>
> 				<wsp:Policy>
> 					<sp:X509Token
> 						sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> 						<wsp:Policy>
> 							<sp:WssX509V3Token10 />
> 						</wsp:Policy>
> 					</sp:X509Token>
> 				</wsp:Policy>
> 			</sp:EndorsingSupportingTokens>
> Example message portion:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soap:mustUnderstand="1">
>       <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-xxx">xxx</wsse:BinarySecurityToken>
>       <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-1">
>         <wsu:Created>2011-04-19T15:46:35.705Z</wsu:Created>
>         <wsu:Expires>2011-04-19T15:51:35.705Z</wsu:Expires>
>       </wsu:Timestamp>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#Timestamp-1">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>xxx</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>xxx</ds:SignatureValue>
>         <ds:KeyInfo Id="KeyId-xxx">
>           <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-xxx">
>             <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
URI="#CertId-xxx" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>   </soap:Header>
> </soap:Envelope>

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message