cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chance BJ (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-5056) EndorsingSupportingTokens with both transport security and message layer security applied
Date Thu, 13 Jun 2013 14:58:20 GMT

    [ https://issues.apache.org/jira/browse/CXF-5056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13682313#comment-13682313
] 

Chance BJ commented on CXF-5056:
--------------------------------

Hi Colm,

Thanks for reply. I hit this problem by accident. When tested endorsing token with message
level security/symmetric binding, and it works. Because the web container has TLS support,
we just change endpoint to SSL without modifying policy, and test fails due to endorsing checking.


If we always expect TransportBinding for TLS, should we emit a warning if TransportBinding
is not configured?

Thanks

Chance
                
> EndorsingSupportingTokens with both transport security and message layer security applied
> -----------------------------------------------------------------------------------------
>
>                 Key: CXF-5056
>                 URL: https://issues.apache.org/jira/browse/CXF-5056
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.6.2
>            Reporter: Chance BJ
>              Labels: newbie
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> According to WS-SecurityPolicy, EndorsingSupportingTokens signs timestamp if using transport
security, and sign main message signature if using message layer security. 
> In CXF WS-Security,   if TLS is used (regardless of Transport policy applied or not),
it always requires timestamp be signed, without checking if message layer security is configured
and main message signature is endorsed.
> AbstractSupportingTokenPolicyValidator.java
>     /**
>      * Check the endorsing supporting token policy. If we're using the Transport Binding
then
>      * check that the Timestamp is signed. Otherwise, check that the signature is signed.
>      * 
>      * @return true if the endorsed supporting token policy is correct
>      */
>     private boolean checkEndorsed(List<WSSecurityEngineResult> tokenResults) {
>         if (isTLSInUse()) {
>             return checkTimestampIsSigned(tokenResults);
>         }
>         return checkSignatureIsSigned(tokenResults);
>     }
> Say  we have a ws-security policy which requires main message signature be endorsed,
timestamp itself is not signed by endorsing token, and transport policy is not applied/attached.
> If we run the test case over plain HTTP, the test case passes.
> If we run the test case over HTTPS, the test case fails.
> This raises following questions:
> 1. If you have both transport security and message layer security, which one to check?
or which one first? or both?
> 2. When enforcing EndorsingSupportingToken, does "Transport security" in EndorsingSupportingToken
means "Transport Policy Applied" or  "SSL applied regardless of  Transport policy applied".
> I just want to bring this up for discussion first. If we have a conclusion on how it
should work, I will submit a patch.
> Thanks

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message