From: "Chance BJ (JIRA)"
To: issues@cxf.apache.org
Date: Wed, 5 Jun 2013 16:02:20 +0000 (UTC)
Subject: [jira] [Created] (CXF-5056) EndorsingSupportingTokens with both transport security and message layer security applied

Chance BJ created CXF-5056:
------------------------------

             Summary: EndorsingSupportingTokens with both transport security and message layer security applied
                 Key: CXF-5056
                 URL: https://issues.apache.org/jira/browse/CXF-5056
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.6.2
            Reporter: Chance BJ

According to WS-SecurityPolicy, EndorsingSupportingTokens signs the Timestamp if using transport security, and signs the main message signature if using message layer security.
In CXF WS-Security, if TLS is used (regardless of whether a Transport policy is applied or not), it always requires that the Timestamp be signed, without checking whether message layer security is configured and the main message signature is endorsed.

AbstractSupportingTokenPolicyValidator.java

    /**
     * Check the endorsing supporting token policy. If we're using the Transport Binding then
     * check that the Timestamp is signed. Otherwise, check that the signature is signed.
     *
     * @return true if the endorsed supporting token policy is correct
     */
    private boolean checkEndorsed(List tokenResults) {
        if (isTLSInUse()) {
            return checkTimestampIsSigned(tokenResults);
        }
        return checkSignatureIsSigned(tokenResults);
    }

Say we have a WS-Security policy which requires that the main message signature be endorsed, the Timestamp itself is not signed by the endorsing token, and a Transport policy is not applied/attached. If we run the test case over plain HTTP, the test case passes. If we run the test case over HTTPS, the test case fails.

This raises the following questions:

1. If you have both transport security and message layer security, which one do we check? Or which one first? Or both?
2. When enforcing EndorsingSupportingToken, does "Transport security" in EndorsingSupportingToken mean "Transport policy applied" or "SSL applied regardless of whether a Transport policy is applied"?

I just want to bring this up for discussion first. If we have a conclusion on how it should work, I will submit a patch.

Thanks
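The following is an added, self-contained illustration (not CXF code and not the reporter's patch) of the decision the report is asking about. It models the branching of the quoted checkEndorsed() on a constructed Context record and places two hypothetical alternative readings beside it: one that keys the decision on whether a Transport binding is attached to the policy (question 2), and one that accepts either an endorsed Timestamp over TLS or an endorsed message signature (question 1, "both"). The enum, the Context class and the method names are assumptions made for this example; only the first method reproduces the logic quoted above.

```java
import java.util.EnumSet;
import java.util.Set;

/**
 * Added illustration (not CXF code): models three readings of "endorsing" from the
 * report so each can be run against the reporter's HTTP-vs-HTTPS scenario.
 */
public class EndorsingCheckExample {

    /** What the endorsing supporting token signed in a given message (constructed model). */
    enum Endorsed { TIMESTAMP, MESSAGE_SIGNATURE }

    /** Constructed stand-in for the runtime facts the validator can see (hypothetical). */
    static final class Context {
        final boolean tlsInUse;                 // request arrived over HTTPS
        final boolean transportBindingApplied;  // a Transport binding is attached to the policy
        final Set<Endorsed> endorsed;           // what the endorsing token actually signed

        Context(boolean tlsInUse, boolean transportBindingApplied, Set<Endorsed> endorsed) {
            this.tlsInUse = tlsInUse;
            this.transportBindingApplied = transportBindingApplied;
            this.endorsed = endorsed;
        }
    }

    /** Same branching as the checkEndorsed() quoted in the report: TLS present => Timestamp must be signed. */
    static boolean checkEndorsedCurrent(Context ctx) {
        if (ctx.tlsInUse) {
            return ctx.endorsed.contains(Endorsed.TIMESTAMP);
        }
        return ctx.endorsed.contains(Endorsed.MESSAGE_SIGNATURE);
    }

    /**
     * Hypothetical reading of question 2: decide by whether the policy attaches a Transport
     * binding, not by whether the wire happened to be HTTPS.
     */
    static boolean checkEndorsedByBinding(Context ctx) {
        if (ctx.transportBindingApplied) {
            return ctx.endorsed.contains(Endorsed.TIMESTAMP);
        }
        return ctx.endorsed.contains(Endorsed.MESSAGE_SIGNATURE);
    }

    /**
     * Hypothetical reading of question 1 ("or both?"): over TLS accept an endorsed Timestamp,
     * but still accept an endorsed message signature so a message-layer policy also works over HTTPS.
     */
    static boolean checkEndorsedEither(Context ctx) {
        if (ctx.tlsInUse && ctx.endorsed.contains(Endorsed.TIMESTAMP)) {
            return true;
        }
        return ctx.endorsed.contains(Endorsed.MESSAGE_SIGNATURE);
    }

    public static void main(String[] args) {
        // Reporter's scenario: the policy endorses the main signature only, the Timestamp is not
        // endorsed, and no Transport binding is attached. Only the transport differs between runs.
        Set<Endorsed> signatureOnly = EnumSet.of(Endorsed.MESSAGE_SIGNATURE);
        Context overHttp  = new Context(false, false, signatureOnly);
        Context overHttps = new Context(true,  false, signatureOnly);

        report("plain HTTP", overHttp);
        report("HTTPS     ", overHttps);
    }

    static void report(String label, Context ctx) {
        System.out.println(label
            + " current=" + checkEndorsedCurrent(ctx)
            + " byBinding=" + checkEndorsedByBinding(ctx)
            + " either=" + checkEndorsedEither(ctx));
    }
}
```

Run it with `java EndorsingCheckExample.java` (Java 11 or later single-file launch). The first column reproduces the behaviour the report describes: the message-layer policy passes over plain HTTP and fails over HTTPS purely because TLS is in use, while the two alternative readings make the result depend on the policy rather than on the transport.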