cxf-issues mailing list archives

From "Srinivasa Kukatla (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-3630) WSS4JIn Interceptor Issue
Date Tue, 05 Jul 2011 12:58:16 GMT

    [ https://issues.apache.org/jira/browse/CXF-3630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13059879#comment-13059879 ]

Srinivasa Kukatla commented on CXF-3630:
----------------------------------------

Here is my requirement. I want all outgoing messages to carry a signed SAML token as well as
a signed Timestamp. None of the body elements needs to be signed. We also want the WSDL to
enforce the security policies. Here are the security policies configured in the WSDL.

<wsp:Policy wsu:Id="Security_Binding_Policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:TransportBinding>
                    <wsp:Policy>
                        <sp:TransportToken>
                            <wsp:Policy>
                                <sp:HttpsToken>
                                    <wsp:Policy>
                                        <sp:RequireClientCertificate />
                                    </wsp:Policy>
                                </sp:HttpsToken>
                            </wsp:Policy>
                        </sp:TransportToken>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict />
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp />
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:Basic128 />
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                    </wsp:Policy>
                </sp:TransportBinding>
                <sp:EndorsingSupportingTokens>
                    <wsp:Policy>
                        <sp:SamlToken
                            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                            <wsp:Policy>
                                <sp:WssSamlV20Token11 />
                            </wsp:Policy>
                        </sp:SamlToken>
                    </wsp:Policy>
                </sp:EndorsingSupportingTokens>

                <sp:Wss11>
                    <wsp:Policy>
                        <sp:MustSupportRefKeyIdentifier />
                        <sp:MustSupportRefIssuerSerial />
                        <sp:RequireSignatureConfirmation />
                    </wsp:Policy>
                </sp:Wss11>
            </wsp:All>
        </wsp:ExactlyOne>
</wsp:Policy>

Please let me know how we can achieve that.

We have used WSS4JOutInterceptor and WSS4JInInterceptor, configured as shown in the previous
message.



> WSS4JIn Interceptor Issue
> -------------------------
>
>                 Key: CXF-3630
>                 URL: https://issues.apache.org/jira/browse/CXF-3630
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.4
>            Reporter: Srinivasa Kukatla
>
> WSS4JInInterceptor does not assert the policies. Hence I had to use the PolicyBasedWSS4JInInterceptor,
> but it does not have the constructor. Hence I had to add the constructor. Here is another
> problem:
> I have the following requirement: the SAML assertion needs to be signed, and the Timestamp needs
> to be signed.
> But on the WSS4JOutInterceptor, if I say Timestamp, SAMLTokenSigned, and Signature,
> the actions are mismatching. Hence I had to use only the first two actions.
> <constructor-arg>
>     <map>
>         <entry key="action" value="Timestamp SAMLTokenSigned"/>
>         <entry key="timeToLive" value="${timestamp.expiration.property}"/>
>         <entry key="user" value="${client.signature.username}"/>
>         <entry>
>             <key>
>                 <value>passwordCallbackRef</value>
>             </key>
>             <ref bean="passwordCallBackHandler"/>
>         </entry>
>         <entry key="passwordType" value="PasswordDigest"/>
>         <entry key="samlPropFile" value="${client.saml.properties}"/>
>         <entry key="signaturePropFile" value="${client.signature.properties}"/>
>         <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>         <entry key="signatureDigestAlgorithm" value="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"/>
>     </map>
> </constructor-arg>
> But, on the WSS4JInInterceptor, I needed to configure 3 actions as shown below:
> <constructor-arg>
>     <map>
>         <entry key="action" value="Timestamp SAMLTokenSigned Signature"/>
>         <entry key="timeToLive" value="${timestamp.expiration.property}"/>
>         <entry key="passwordType" value="PasswordDigest"/>
>         <entry key="signaturePropFile" value="${server.signature.properties}"/>
>         <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>         <entry key="signatureDigestAlgorithm" value="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"/>
>         <entry key="enableSignatureConfirmation" value="true"/>
>     </map>
> </constructor-arg>

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
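As an added example that is not part of this thread and not CXF or WSS4J code: a receiver-side check of what the policy and interceptor settings above actually demand of an inbound Security header. It verifies that a wsu:Timestamp is present and fresh (the window the "timeToLive" property configures), that a SAML assertion is present, and that a ds:Signature covers the Timestamp and is keyed by that assertion, which is what makes the SAML token an endorsing supporting token rather than a bystander. The header, its ids and its times are constructed; the check is structural only and does not verify the XML signature cryptographically, which WSS4J does for you.

```python
"""Added example (not CXF/WSS4J code): structural policy check of a WS-Security
header.  Timestamp freshness, SAML assertion presence, and an endorsing
signature over the Timestamp.  All ids, times and the header are constructed;
no cryptographic signature verification is done here."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
WSU_ID = "{%s}Id" % NS["wsu"]
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
SAMPLE_NOW = datetime(2011, 7, 5, 12, 58, 16, tzinfo=timezone.utc)  # constructed clock


def build_sample_header(created, expires, signed_id="TS-1"):
    """Constructed header in the shape 'Timestamp SAMLTokenSigned' with
    signatureParts=Timestamp yields: Timestamp, SAML assertion, and a Signature
    keyed by the assertion.  signed_id is what the ds:Reference points at."""
    return f"""<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
    xmlns:ds="{NS['ds']}" xmlns:saml2="{NS['saml2']}">
  <wsu:Timestamp wsu:Id="TS-1">
    <wsu:Created>{created.strftime(TIME_FMT)}</wsu:Created>
    <wsu:Expires>{expires.strftime(TIME_FMT)}</wsu:Expires>
  </wsu:Timestamp>
  <saml2:Assertion ID="_assertion-1" Version="2.0"/>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#{signed_id}"><ds:DigestValue>ZGlnZXN0</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:KeyIdentifier>_assertion-1</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>"""


def _parse_utc(text):
    return datetime.strptime(text.strip(), TIME_FMT).replace(tzinfo=timezone.utc)


def check_security_header(xml_text, now, ttl_seconds=300, skew_seconds=60):
    """Return the list of policy findings; an empty list means the header passes."""
    findings = []
    sec = ET.fromstring(xml_text)

    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        return ["no wsu:Timestamp (policy: IncludeTimestamp)"]
    created_text = ts.findtext("wsu:Created", namespaces=NS)
    if created_text is None:
        return ["Timestamp has no Created element"]
    created = _parse_utc(created_text)
    if created > now + timedelta(seconds=skew_seconds):
        findings.append("Timestamp Created is in the future")
    if now - created > timedelta(seconds=ttl_seconds):
        findings.append("Timestamp older than timeToLive")
    expires_text = ts.findtext("wsu:Expires", namespaces=NS)
    if expires_text is not None and _parse_utc(expires_text) <= now:
        findings.append("Timestamp Expires has passed")

    assertion = sec.find("saml2:Assertion", NS)
    if assertion is None:
        findings.append("no SAML assertion (policy: EndorsingSupportingTokens)")

    sig = sec.find("ds:Signature", NS)
    if sig is None:
        return findings + ["no ds:Signature: Timestamp is unsigned"]
    # The endorsing signature must cover the Timestamp ...
    referenced = {r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    if "#" + (ts.get(WSU_ID) or "") not in referenced:
        findings.append("signature does not reference the Timestamp")
    # ... and be keyed by the SAML assertion, not by some unrelated key.
    key_ids = {k.text for k in sig.findall(
        "ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)}
    if assertion is not None and assertion.get("ID") not in key_ids:
        findings.append("signature is not keyed by the SAML assertion")
    return findings


def demo():
    """Fresh signed header, a stale one, and one whose signature skips the Timestamp."""
    now = SAMPLE_NOW
    fresh = build_sample_header(now - timedelta(seconds=30), now + timedelta(seconds=270))
    stale = build_sample_header(now - timedelta(seconds=600), now - timedelta(seconds=300))
    unsigned_ts = build_sample_header(now - timedelta(seconds=30),
                                      now + timedelta(seconds=270), signed_id="Body-1")
    return (check_security_header(fresh, now),
            check_security_header(stale, now),
            check_security_header(unsigned_ts, now))


if __name__ == "__main__":
    for label, result in zip(("fresh", "stale", "unsigned timestamp"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The third case is the one the thread's signatureParts setting guards against: a signature that exists but does not cover the Timestamp gives an attacker-controlled freshness window even though "a signature is present". A real receiver runs this kind of structural check after, not instead of, verifying the signature value and the holder-of-key binding of the assertion.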

        

Mime
View raw message