cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-5056) EndorsingSupportingTokens with both transport security and message layer security applied
Date Thu, 06 Jun 2013 14:07:21 GMT

    [ https://issues.apache.org/jira/browse/CXF-5056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13677040#comment-13677040
] 

Colm O hEigeartaigh commented on CXF-5056:
------------------------------------------

Hi,

What is the use-case of a non-TransportBinding with TLS? If you are using TLS then why not
just use a TransportBinding policy?

Colm.
                
> EndorsingSupportingTokens with both transport security and message layer security applied
> -----------------------------------------------------------------------------------------
>
>                 Key: CXF-5056
>                 URL: https://issues.apache.org/jira/browse/CXF-5056
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.6.2
>            Reporter: Chance BJ
>              Labels: newbie
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> According to WS-SecurityPolicy, EndorsingSupportingTokens signs timestamp if using transport
security, and sign main message signature if using message layer security. 
> In CXF WS-Security,   if TLS is used (regardless of Transport policy applied or not),
it always requires timestamp be signed, without checking if message layer security is configured
and main message signature is endorsed.
> AbstractSupportingTokenPolicyValidator.java
>     /**
>      * Check the endorsing supporting token policy. If we're using the Transport Binding
then
>      * check that the Timestamp is signed. Otherwise, check that the signature is signed.
>      * 
>      * @return true if the endorsed supporting token policy is correct
>      */
>     private boolean checkEndorsed(List<WSSecurityEngineResult> tokenResults) {
>         if (isTLSInUse()) {
>             return checkTimestampIsSigned(tokenResults);
>         }
>         return checkSignatureIsSigned(tokenResults);
>     }
> Say  we have a ws-security policy which requires main message signature be endorsed,
timestamp itself is not signed by endorsing token, and transport policy is not applied/attached.
> If we run the test case over plain HTTP, the test case passes.
> If we run the test case over HTTPS, the test case fails.
> This raises following questions:
> 1. If you have both transport security and message layer security, which one to check?
or which one first? or both?
> 2. When enforcing EndorsingSupportingToken, does "Transport security" in EndorsingSupportingToken
means "Transport Policy Applied" or  "SSL applied regardless of  Transport policy applied".
> I just want to bring this up for discussion first. If we have a conclusion on how it
should work, I will submit a patch.
> Thanks

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message