cxf-users mailing list archives

From sram <sra...@hotmail.com>
Subject Signing Message parts
Date Sat, 11 Feb 2012 20:59:00 GMT
I'm testing out a use case combining DoubleIT_TransportEndorsingPolicy and
#DoubleItBinding_DoubleIt_Input_Policy.

<sp:TransportBinding>
					<wsp:Policy>
						<sp:TransportToken>
							<wsp:Policy>
								<sp:HttpsToken RequireClientCertificate="false" />
							</wsp:Policy>
						</sp:TransportToken>
						<sp:Layout>
							<wsp:Policy>
								<sp:Lax />
							</wsp:Policy>
						</sp:Layout>
						*<sp:IncludeTimestamp />		
						<sp:OnlySignEntireHeadersAndBody /> 				 *
						<sp:AlgorithmSuite>
							<wsp:Policy>
								<sp:Basic128 />
							</wsp:Policy>
						</sp:AlgorithmSuite>
					</wsp:Policy>
				</sp:TransportBinding>



<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
		<wsp:ExactlyOne>
			<wsp:All>
				<sp:SignedParts>
					*<sp:Body />*
				</sp:SignedParts>
			</wsp:All>
		</wsp:ExactlyOne>
	</wsp:Policy>

On the client I generate signatures using WSS4j,

wss4jOut.setProperty(WSHandlerConstants.ACTION,
        WSHandlerConstants.TIMESTAMP + " "
        + WSHandlerConstants.USERNAME_TOKEN + " "
        + WSHandlerConstants.SIGNATURE);

wss4jOut.setProperty(WSHandlerConstants.SIGNATURE_PARTS,
        "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;");


All works fine, even if the client signs only the Timestamp and not any
message body part. Even though I add a DoubleItBinding_DoubleIt_Input_Policy
reference to my SOAP message's input part, I suspect the server is only
checking for the Timestamp.

>>>>>>> WSDL
<binding name="pingBinding" type="p0:pingPortType">
		<wsp:PolicyReference URI="#DoubleIT_TransportEndorsingPolicy" />
		<soap:binding transport="http://schemas.xmlsoap.org/soap/http"
			style="document" />
		<operation name="ping">
			<soap:operation soapAction="" />
			<input>
				<soap:body use="literal" />
				<wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy" />
			</input>
			<output>
				<soap:body use="literal" />
...	


I wanted the client to sign message parts which can be authenticated on the
server side using the client's X.509 token, flowing in as part of the TLS
binding as an endorsing supporting token.

>>>>>>>>> Logs
[2/11/12 15:44:04:747 EST] 0000004e SignatureProc 1
org.apache.ws.security.processor.SignatureProcessor handleToken Found
signature element
[2/11/12 15:44:04:747 EST] 0000004e SignatureTrus 1
org.apache.ws.security.validate.SignatureTrustValidator verifyTrustInCert
Transmitted certificate has subject
CN=L151ATS033040.ams.mycomp.net,O=Harvard,C=US
[2/11/12 15:44:04:747 EST] 0000004e SignatureTrus 1
org.apache.ws.security.validate.SignatureTrustValidator verifyTrustInCert
Transmitted certificate has issuer
CN=L151ATS033040.ams.mycomp.net,O=Harvard,C=US (serial 1328709293)
[2/11/12 15:44:04:747 EST] 0000004e SignatureTrus 1
org.apache.ws.security.validate.SignatureTrustValidator
isCertificateInKeyStore Direct trust for certificate with
CN=L151ATS033040.ams.mycomp.net,O=Harvard,C=US
[2/11/12 15:44:04:747 EST] 0000004e SignatureProc 1
org.apache.ws.security.processor.SignatureProcessor verifyXMLSignature
Verify XML Signature
[2/11/12 15:44:04:747 EST] 0000004e UsernameToken 1
org.apache.ws.security.processor.UsernameTokenProcessor handleToken Found
UsernameToken list element
[2/11/12 15:44:04:747 EST] 0000004e UsernameToken 1
org.apache.ws.security.validate.UsernameTokenValidator validate
UsernameToken user stanforduser
[2/11/12 15:44:04:747 EST] 0000004e UsernameToken 1
org.apache.ws.security.validate.UsernameTokenValidator validate
UsernameToken password type
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText
[2/11/12 15:44:04:747 EST] 0000004e SystemOut     O   stanforduser :
workbench
[2/11/12 15:44:04:747 EST] 0000004e TimestampProc 1
org.apache.ws.security.processor.TimestampProcessor handleToken Found
Timestamp list element
[2/11/12 15:44:04:747 EST] 0000004e Timestamp     1
org.apache.ws.security.message.token.Timestamp <init> Current time:
2012-02-11T20:44:04.747Z
[2/11/12 15:44:04:747 EST] 0000004e Timestamp     1
org.apache.ws.security.message.token.Timestamp <init> Timestamp created:
2012-02-11T20:44:04.310Z
[2/11/12 15:44:04:747 EST] 0000004e Timestamp     1
org.apache.ws.security.message.token.Timestamp <init> Timestamp expires:
2012-02-11T20:49:04.310Z
[2/11/12 15:44:04:747 EST] 0000004e Timestamp     1
org.apache.ws.security.message.token.Timestamp verifyCreated Validation of
Timestamp: Everything is ok
[2/11/12 15:44:04:747 EST] 0000004e PingPortTypeI I   Executing operation
ping
[2/11/12 15:44:04:747 EST] 0000004e SystemOut     O   System.getProperty
user.name



--
View this message in context: http://cxf.547215.n5.nabble.com/Signing-Message-parts-tp5475654p5475654.html
Sent from the cxf-user mailing list archive at Nabble.com.
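The question above comes down to a coverage check that is separate from cryptographic signature verification: after the ds:Signature validates (which is all the SignatureProcessor log lines show), does the set of ds:Reference URIs actually include the soap:Body that the SignedParts policy requires? The following is an added example, not code from the post, from CXF or from WSS4J, showing that check in Python over a constructed SOAP envelope. The wsu:Id values (TS-1, Body-1) and the envelope contents are assumptions for illustration; in real code the envelope would come off the wire after signature verification.

```python
"""Structural SignedParts coverage check for a WS-Security message.

Assumes the ds:Signature has already been cryptographically verified; this
only answers "which required parts does that signature cover?".  The SOAP
envelopes at the bottom are constructed sample input.
"""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU_ID = "{%s}Id" % WSU

# Where each policy part must sit in the envelope.  Resolving the part by its
# fixed location instead of a document-wide Id lookup means a signed copy of
# the Body parked somewhere else (XML signature wrapping) does not count.
PART_PATHS = {
    "Body": ["{%s}Body" % SOAP],
    "Timestamp": ["{%s}Header" % SOAP, "{%s}Security" % WSSE, "{%s}Timestamp" % WSU],
}


def _resolve(envelope, path):
    """Walk a child-tag path from the Envelope; None if missing or ambiguous."""
    node = envelope
    for tag in path:
        kids = [c for c in node if c.tag == tag]
        if len(kids) != 1:
            return None
        node = kids[0]
    return node


def referenced_ids(envelope):
    """Ids (URI fragment without '#') covered by any ds:Reference in the message."""
    ids = set()
    for sig in envelope.iter("{%s}Signature" % DS):
        for ref in sig.iter("{%s}Reference" % DS):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                ids.add(uri[1:])
    return ids


def missing_signed_parts(xml_text, required=("Body", "Timestamp")):
    """Names of required parts that the signature does not cover."""
    envelope = ET.fromstring(xml_text)
    covered = referenced_ids(envelope)
    # A wsu:Id that appears more than once is never treated as covered.
    id_counts = {}
    for el in envelope.iter():
        i = el.get(WSU_ID)
        if i is not None:
            id_counts[i] = id_counts.get(i, 0) + 1
    missing = []
    for part in required:
        el = _resolve(envelope, PART_PATHS[part])
        pid = el.get(WSU_ID) if el is not None else None
        if pid is None or pid not in covered or id_counts.get(pid) != 1:
            missing.append(part)
    return missing


# Constructed sample: the client's signature references only the Timestamp,
# matching the SIGNATURE_PARTS setting in the post.
TIMESTAMP_ONLY = """<soap:Envelope xmlns:soap="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2012-02-11T20:44:04.310Z</wsu:Created>
        <wsu:Expires>2012-02-11T20:49:04.310Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#TS-1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>BBBB</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body-1"><ping/></soap:Body>
</soap:Envelope>""" % (SOAP, WSSE, WSU, DS)

# Same message with the Body also referenced, as the SignedParts policy wants.
BODY_AND_TS = TIMESTAMP_ONLY.replace(
    "</ds:SignedInfo>",
    '<ds:Reference URI="#Body-1"><ds:DigestValue>CCCC</ds:DigestValue></ds:Reference></ds:SignedInfo>')

# Wrapping attempt: the signed Body is moved into the Header and an unsigned
# Body takes its place.  A global Id lookup would still find Body-1.
WRAPPED = BODY_AND_TS.replace(
    '<soap:Body wsu:Id="Body-1"><ping/></soap:Body>', "<soap:Body><evil/></soap:Body>"
).replace(
    "<soap:Header>",
    '<soap:Header><wsse:Wrapper><soap:Body wsu:Id="Body-1"><ping/></soap:Body></wsse:Wrapper>')

if __name__ == "__main__":
    for name, msg in (("timestamp only", TIMESTAMP_ONLY), ("body+ts", BODY_AND_TS), ("wrapped", WRAPPED)):
        print(name, "missing:", missing_signed_parts(msg))
```

Run stand-alone it reports `['Body']` for the Timestamp-only message, nothing for the fully signed one, and `['Body']` again for the wrapped message; a server that stops at "signature verified" would accept all three. Resolving parts by location and rejecting duplicate Ids are the two details that make the check hold up against signature wrapping rather than just against an honest client that forgot a part.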
