From: sram
To: users@cxf.apache.org
Date: Sat, 11 Feb 2012 12:59:00 -0800 (PST)
Message-ID: <1328993940573-5475654.post@n5.nabble.com>
Subject: Signing Message parts

I'm testing out a use case combining DoubleIT_TransportEndorsingPolicy and #DoubleItBinding_DoubleIt_Input_Policy.

On the client I generate signatures using WSS4J:

    wss4jOut.setProperty(WSHandlerConstants.ACTION,
        WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.USERNAME_TOKEN + " " + WSHandlerConstants.SIGNATURE);
    wss4jOut.setProperty(WSHandlerConstants.SIGNATURE_PARTS,
        "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;");

All works fine, even if the client signs only the timestamp part and not any message body part.
Even though I add a DoubleItBinding_DoubleIt_Input_Policy reference to my SOAP message input part, I suspect the server is only checking for the timestamp.

>>>>>>> WSDL
...

I wanted the client to sign message parts which can be authenticated on the server side using the client's X.509 token, flowing in as part of the TLS binding as an endorsing supporting token.

>>>>>>>>> Logs
[2/11/12 15:44:04:747 EST] 0000004e SignatureProc 1 org.apache.ws.security.processor.SignatureProcessor handleToken Found signature element
[2/11/12 15:44:04:747 EST] 0000004e SignatureTrus 1 org.apache.ws.security.validate.SignatureTrustValidator verifyTrustInCert Transmitted certificate has subject CN=L151ATS033040.ams.mycomp.net,O=Harvard,C=US
[2/11/12 15:44:04:747 EST] 0000004e SignatureTrus 1 org.apache.ws.security.validate.SignatureTrustValidator verifyTrustInCert Transmitted certificate has issuer CN=L151ATS033040.ams.mycomp.net,O=Harvard,C=US (serial 1328709293)
[2/11/12 15:44:04:747 EST] 0000004e SignatureTrus 1 org.apache.ws.security.validate.SignatureTrustValidator isCertificateInKeyStore Direct trust for certificate with CN=L151ATS033040.ams.mycomp.net,O=Harvard,C=US
[2/11/12 15:44:04:747 EST] 0000004e SignatureProc 1 org.apache.ws.security.processor.SignatureProcessor verifyXMLSignature Verify XML Signature
[2/11/12 15:44:04:747 EST] 0000004e UsernameToken 1 org.apache.ws.security.processor.UsernameTokenProcessor handleToken Found UsernameToken list element
[2/11/12 15:44:04:747 EST] 0000004e UsernameToken 1 org.apache.ws.security.validate.UsernameTokenValidator validate UsernameToken user stanforduser
[2/11/12 15:44:04:747 EST] 0000004e UsernameToken 1 org.apache.ws.security.validate.UsernameTokenValidator validate UsernameToken password type http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText
[2/11/12 15:44:04:747 EST] 0000004e SystemOut O stanforduser : workbench
[2/11/12 15:44:04:747 EST] 0000004e TimestampProc 1 org.apache.ws.security.processor.TimestampProcessor handleToken Found Timestamp list element
[2/11/12 15:44:04:747 EST] 0000004e Timestamp 1 org.apache.ws.security.message.token.Timestamp Current time: 2012-02-11T20:44:04.747Z
[2/11/12 15:44:04:747 EST] 0000004e Timestamp 1 org.apache.ws.security.message.token.Timestamp Timestamp created: 2012-02-11T20:44:04.310Z
[2/11/12 15:44:04:747 EST] 0000004e Timestamp 1 org.apache.ws.security.message.token.Timestamp Timestamp expires: 2012-02-11T20:49:04.310Z
[2/11/12 15:44:04:747 EST] 0000004e Timestamp 1 org.apache.ws.security.message.token.Timestamp verifyCreated Validation of Timestamp: Everything is ok
[2/11/12 15:44:04:747 EST] 0000004e PingPortTypeI I Executing operation ping
[2/11/12 15:44:04:747 EST] 0000004e SystemOut O System.getProperty user.name

--
View this message in context: http://cxf.547215.n5.nabble.com/Signing-Message-parts-tp5475654p5475654.html
Sent from the cxf-user mailing list archive at Nabble.com.
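The server log in the post shows SignatureProcessor verifying a signature but says nothing about which parts that signature covers, and with SIGNATURE_PARTS listing only the Timestamp a valid signature proves no more than that. The following Python script is an added example, not code from the post, from CXF or from WSS4J: it performs the coverage check a receiver needs alongside signature verification by collecting the Reference URIs from ds:SignedInfo and reporting which required parts (Timestamp and Body, written in the same {Element}{namespace}localname notation as the post's SIGNATURE_PARTS) are not referenced. The namespace constants are the standard WS-Security and XML-DSig ones; the envelopes, wsu:Id values and digest strings are constructed placeholders, and the script does not check the signature cryptographically.

```python
"""Report which SOAP parts a WS-Security XML Signature actually references.

Added example; not code from the mailing-list post, CXF or WSS4J.
Verifying the signature (WSS4J's SignatureProcessor in the logs above)
answers "is this signature valid?". Whether it covers the Body is a
separate question: compare the Reference URIs inside ds:SignedInfo with
the wsu:Id of each element the receiver requires to be signed. The SOAP
envelopes built here are constructed samples with placeholder digest and
signature values; they are not cryptographically valid.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Parts the receiver requires, in the "{Element}{namespace}localname" notation
# the post uses for SIGNATURE_PARTS, with the SOAP Body added to the Timestamp.
REQUIRED_PARTS = [
    "{Element}{%s}Timestamp" % NS["wsu"],
    "{Element}{%s}Body" % NS["soap"],
]


def parse_part_spec(spec):
    """'{Element}{namespace}local' -> (namespace, local)."""
    _encoding, rest = spec.split("}", 1)   # drop the '{Element' / '{Content' prefix
    namespace, local = rest[1:].split("}", 1)
    return namespace, local


def signed_ids(envelope):
    """Return the set of fragment ids referenced from every ds:Signature.

    Only same-document '#id' URIs are handled; an empty URI (whole document)
    or an xpointer expression would need separate treatment.
    """
    root = ET.fromstring(envelope)
    ids = set()
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def signed_part_coverage(envelope, required=REQUIRED_PARTS):
    """Map each required part spec to True when an element of that name
    carries a wsu:Id that some Reference points at, else False (this also
    covers the case where the element is absent altogether)."""
    root = ET.fromstring(envelope)
    ids = signed_ids(envelope)
    coverage = {}
    for spec in required:
        namespace, local = parse_part_spec(spec)
        tag = "{%s}%s" % (namespace, local)
        coverage[spec] = any(el.get(WSU_ID) in ids for el in root.iter(tag))
    return coverage


def missing_signed_parts(envelope, required=REQUIRED_PARTS):
    """Required parts that no Reference covers; empty means all are covered."""
    return [spec for spec, ok in signed_part_coverage(envelope, required).items() if not ok]


def build_envelope(sign_body):
    """Constructed sample envelope: a Timestamp plus a Signature that references
    the Timestamp and, when sign_body is True, the Body as well."""
    refs = '<ds:Reference URI="#TS-1"><ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>'
    if sign_body:
        refs += '<ds:Reference URI="#Body-1"><ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>'
    return (
        '<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" '
        'xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">'
        '<soap:Header><wsse:Security>'
        '<wsu:Timestamp wsu:Id="TS-1">'
        '<wsu:Created>2012-02-11T20:44:04.310Z</wsu:Created>'
        '<wsu:Expires>2012-02-11T20:49:04.310Z</wsu:Expires>'
        '</wsu:Timestamp>'
        '<ds:Signature><ds:SignedInfo>%(refs)s</ds:SignedInfo>'
        '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>'
        '</wsse:Security></soap:Header>'
        '<soap:Body wsu:Id="Body-1"><ping/></soap:Body>'
        '</soap:Envelope>'
    ) % dict(NS, refs=refs)


if __name__ == "__main__":
    for sign_body in (False, True):
        env = build_envelope(sign_body)
        print("body signed=%s -> missing parts: %s" % (sign_body, missing_signed_parts(env)))
```

Run stand-alone, the script reports the Body as missing for the first envelope (a signature over the Timestamp alone, which is exactly what the post's SIGNATURE_PARTS setting produces) and nothing missing for the second. In CXF the policy-driven inbound path evaluates a SignedParts assertion to the same effect; when the receiver is a plain action-configured WSS4JInInterceptor, mirroring the client setup in the post, an equivalent check has to be made on the receiver side, otherwise a signature covering only the Timestamp passes verification and the Body is accepted unsigned.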