cxf-issues mailing list archives

From "Lukas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-7605) RequireDerivedKeys policy is not respected
Date Mon, 08 Jan 2018 12:33:00 GMT

     [ https://issues.apache.org/jira/browse/CXF-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukas updated CXF-7605:
-----------------------
    Description: 
CXF 3.2.2-SNAPSHOT, as well as 3.1.15-SNAPSHOT, do not derive keys for the HMAC signature, while
the WS-Policy states that derived keys are required ({{<ws:RequireDerivedKeys/>}} in {{effective Policy}}).

The Policy is embedded in the wsdl that is passed to the {{wsdl2java}} gradle task.

Inspecting the SoapMessage passed to the {{WSStaxOutInterceptor}}, the contents of {{org.apache.cxf.ws.policy.EffectivePolicy}}.{{choosenAlternative[1]}}
(SupportEndorsingTokens) contain a nested Policy setting {{RequireDerivedKeys}}.

This reflects the structure and contents of the attached policy (see policy_fragment.xml).

CXF correctly embeds a SAML Token as requested by the policy and signs using a symmetric key
(obtained via WS-SecureConversation / WS-Trust previously) - both steps are defined in the attached
policy.

CXF should, however, sign with a key *derived* from said symmetric key, as specified by {{<wsp:RequireDerivedKeys/>}};
this step is ignored, thus resulting in a request that does not adhere to the policy.

The {{PolicyVerificationOutInterceptor}} also receives a SoapMessage object with the RequireDerivedKeys
assertion set to asserted=true.

{{WSS4JStaxOutInterceptor, line 159}} 
{{OutboundWSSec outboundWSSec = WSSec.getOutboundWSSec(secProps);}}
 
{{outboundWSSec.securityProperties.isUseDerivedKeyForMAC()}} produces {{true}} (which is the default)

{{outboundWSSec.securityProperties.getSignatureAlgorithm()}} produces {{http://www.w3.org/2000/09/xmldsig#hmac-sha1}}

All other properties related to derived keys are null / 0 / their defaults.


Code and WSDL worked with CXF 3.1.12.


Attached are:

* full_wsdl.wsdl - the WSDL parsed by CXF's "wsdl2java" gradle task (stripped of irrelevant
endpoints and domain names)
* code.java - code snippet demonstrating the use case
* policy_fragment.xml - the policy, to save looking for it in the WSDL


> RequireDerivedKeys policy is not respected
> ------------------------------------------
>
>                 Key: CXF-7605
>                 URL: https://issues.apache.org/jira/browse/CXF-7605
>             Project: CXF
>          Issue Type: Bug
>          Components: Soap Binding, WS-* Components
>    Affects Versions: 3.1.15, 3.2.2
>         Environment: * cxf-rt-frontend-jaxws
> * cxf-rt-frontend-jaxrs
> * cxf-rt-transports-http
> * cxf-rt-rs-client
> * cxf-rt-rs-service-description
> * cxf-rt-ws-security
> * cxf-tools-common
> * cxf-rt-ws-policy
>            Reporter: Lukas
>         Attachments: code.java, full_wsdl.wsdl, policy_fragment.xml
>


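A compliance check for the behaviour this ticket describes, added here as an illustration and not part of the report or of CXF: given a policy fragment and a captured outgoing message, it verifies that an HMAC-SHA1 signature is keyed from a wsc:DerivedKeyToken whenever the policy carries a RequireDerivedKeys assertion. The policy fragment and the two envelopes are constructed samples (the namespaces are the WS-SecurityPolicy 1.2 / WS-SecureConversation 1.3 / WSS 1.0 ones); the function names are this example's own.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSC = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"

def policy_requires_derived_keys(policy_xml: str) -> bool:
    """True if a RequireDerivedKeys assertion appears anywhere in the policy (prefix-agnostic)."""
    return any(el.tag.endswith("}RequireDerivedKeys") for el in ET.fromstring(policy_xml).iter())

def signature_uses_derived_key(envelope_xml: str) -> bool:
    """True if the HMAC signature's key reference resolves to a wsc:DerivedKeyToken."""
    sec = ET.fromstring(envelope_xml).find(f".//{{{WSSE}}}Security")
    sig = sec.find(f"{{{DS}}}Signature") if sec is not None else None
    if sig is None:
        return False  # nothing signed at all
    if sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod").get("Algorithm") != HMAC_SHA1:
        return False  # not the symmetric HMAC case this check covers
    ref = sig.find(f"{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")
    target_id = ref.get("URI", "").lstrip("#")
    # Resolve the reference inside the Security header and require a derived-key token.
    target = next((el for el in sec.iter() if el.get(f"{{{WSU}}}Id") == target_id), None)
    return target is not None and target.tag == f"{{{WSC}}}DerivedKeyToken"

def check_compliance(policy_xml: str, envelope_xml: str) -> str:
    if not policy_requires_derived_keys(policy_xml):
        return "n/a"
    return "ok" if signature_uses_derived_key(envelope_xml) else "VIOLATION"

# Constructed policy fragment (not the ticket's policy_fragment.xml), assertion nested in the token.
POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
 <sp:EndorsingSupportingTokens><wsp:Policy><sp:SamlToken><wsp:Policy>
  <sp:RequireDerivedKeys/></wsp:Policy></sp:SamlToken></wsp:Policy></sp:EndorsingSupportingTokens>
</wsp:Policy>"""

def sample_envelope(derived: bool) -> str:
    """Constructed minimal message (not CXF output): signature keyed from the DerivedKeyToken or the base token."""
    uri = "#dk-1" if derived else "#sct-1"
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="{DS}"
 xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:wsc="{WSC}"><s:Header><wsse:Security>
 <wsc:SecurityContextToken wsu:Id="sct-1"><wsc:Identifier>urn:uuid:x</wsc:Identifier></wsc:SecurityContextToken>
 <wsc:DerivedKeyToken wsu:Id="dk-1"><wsc:Nonce>QUJD</wsc:Nonce></wsc:DerivedKeyToken>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{HMAC_SHA1}"/></ds:SignedInfo>
 <ds:SignatureValue>QUJD</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference>
 <wsse:Reference URI="{uri}"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
 </wsse:Security></s:Header><s:Body/></s:Envelope>"""
```

Run against a real capture, the second envelope shape (signature reference pointing straight at the base token) is what the report describes as a policy violation.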

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
