From: COURTAULT Francois
To: "coheigea@apache.org"
CC: "users@cxf.apache.org"
Delivered-To: mailing list users@cxf.apache.org
Date: Fri, 13 Apr 2012 10:37:14 +0200
Subject: RE: Aware of compatibility issue between CXF and Metro/Weblogic ?

Any feedback ?

Best Regards.

-----Original Message-----
From: COURTAULT Francois
Sent: Thursday 12 April 2012 12:32
To: coheigea@apache.org
Cc: users@cxf.apache.org
Subject: RE: Aware of compatibility issue between CXF and Metro/Weblogic ?

Hello,

I have looked at the security policy spec (1.3) and it seems that SignedParts is OPTIONAL: right ?
However this spec is not clear at all regarding the relationship between the directive and the directive :-(
Does the presence of the directive require the directive ?
Any spec or document which can provide more clear explanation about the relationship between these 2 above directives ?

So let's suppose that the could be used alone, in such case does it mean that all the security headers and the body have to be signed ?

Best Regards.

-----Original Message-----
From: COURTAULT Francois [mailto:Francois.COURTAULT@gemalto.com]
Sent: Wednesday 11 April 2012 17:59
To: coheigea@apache.org
Cc: users@cxf.apache.org
Subject: RE: Aware of compatibility issue between CXF and Metro/Weblogic ?
Importance: High

Hello,

Regarding your last question: Is there such a policy in your WSDL?
I have looked at the policy used (attached) and I only see with no SignedParts.
So my question is: with the policy used (attached), is it required or not to sign the body ?
A corollary question is, with only the directive in the policy, the webservice endpoint has to accept only SOAP request with at least a body signature ?

Best Regards.

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Wednesday 11 April 2012 17:21
To: COURTAULT Francois
Subject: Re: Aware of compatibility issue between CXF and Metro/Weblogic ?

Hi Francois,

> - first, for them, in the section, they refer
> the wsse11 namespace which is used in
> wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3". Is this TokenType mandatory ?

Not according to my reading of the Basic Security Profile 1.1:

http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html#x509tokentypes

They give the example:

CORRECT:

MIGfMa0GCSq

> - second, in the section, the body signature seems missing in the CXF SOAP request. Is it normal ?

CXF will only sign the SOAP Body if there is a SignedParts policy that specifies the SOAP Body. Is there such a policy in your WSDL?

Colm.

On Wed, Apr 11, 2012 at 3:56 PM, COURTAULT Francois wrote:
> Hello again,
>
> I have forwarded your answer to the Oracle support. They replied with 2 things:
> - first, for them, in the section, they refer the wsse11 namespace which is used in wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3". Is this TokenType mandatory ?
>
> - second, in the section, the body signature seems missing in the CXF SOAP request. Is it normal ?
> * In Weblogic request:
>
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> URI="#Timestamp_WF911A291H4C9EVH">
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> FQdxW5uhQYvIlEjZ5eF6FwD0WWM=
> URI="#Body_6e1VPrhuvqnQBAe6">
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> hqQ8dypeB6mi9otTZftZ9wdaIpQ=
> URI="#bst_156mJ1UUoTA9ZP7b">
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> dmD/DqmQIf+LrHjcOgxLKhpCvZE=
>
> * In CXF request:
>
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> PrefixList="soap">
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap">
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
> qqnMVp6ogLp4FbJuMaenBdYlm3E=
> URI="#X509-A8BAAB773C57F7C94113313097001254">
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap">
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
> YZ0E9NbYropID0uM5ZQInOgSmYA=
>
> Best Regards.
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Tuesday 10 April 2012 17:18
> To: COURTAULT Francois
> Cc: users@cxf.apache.org
> Subject: Re: Aware of compatibility issue between CXF and Metro/Weblogic ?
>
>> So according to them, the following namespaces are missing in the CXF request:
>> - wsu
>> - wsse
>
> This is incorrect as both of these namespaces are defined in the security header element.
>
> Colm.
>
> On Tue, Apr 10, 2012 at 3:38 PM, COURTAULT Francois wrote:
>> Hello,
>>
>> Just to inform you I have also entered an issue in MOS (My Oracle Support).
>>
>> The answer they gave me was that,
>> In the Weblogic client request I had:
>>
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>> wsu:Id="str_4RaFdeoK8oynP98t">
>> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>> ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">tDqtOB05FR2Q/BUdXx1X8rzDXMg=
>>
>> Whereas, in the CXF client (CXF 2.5.3 SNAPSHOT), I had:
>>
>> Id="KI-A8BAAB773C57F7C94113313097001252">
>> wsu:Id="STR-A8BAAB773C57F7C94113313097001253">
>> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>> ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">tDqtOB05FR2Q/BUdXx1X8rzDXMg=
>>
>> So according to them, the following namespaces are missing in the CXF request:
>> - wsu
>> - wsse
>>
>> Do you agree ? If yes can we have a fix for that please ?
>>
>> Best Regards.
>>
>> -----Original Message-----
>> From: COURTAULT Francois
>> Sent: Friday 9 March 2012 17:36
>> To: 'coheigea@apache.org'
>> Cc: users@cxf.apache.org
>> Subject: RE: Aware of compatibility issue between CXF and Metro/Weblogic ?
>>
>> Hello,
>>
>> I have picked up the 2.5.3-20120309.061736-28 snapshot.
>> In the SOAP request I saw now, in the SOAP request, the section in the section :-) (thanks for this fix) but I still have a SOAP fault in the response coming from Weblogic :-(.
>>
>> Do you have an idea as I haven't so much information (log) on the Weblogic side ?
>>
>> Best Regards.
>>
>> -----Original Message-----
>> From: Daniel Kulp [mailto:dkulp@apache.org]
>> Sent: Wednesday 7 March 2012 19:38
>> To: users@cxf.apache.org
>> Subject: Re: Aware of compatibility issue between CXF and Metro/Weblogic ?
>>
>> On Tuesday, March 06, 2012 06:52:41 PM COURTAULT Francois wrote:
>>> Hello,
>>>
>>> Thanks for the feedback :-)
>>> According to the issue, it should be fixed in the 2.5.3 release: right ?
>>> When will this version be released ?
>>
>> Likely in a couple weeks. We did a release on Jan 25th and we
>> normally shoot for about every 8 weeks or so.
>>
>> Dan
>>
>>>
>>> Best Regards.
>>>
>>> -----Original Message-----
>>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>>> Sent: Tuesday 6 March 2012 18:36
>>> To: users@cxf.apache.org
>>> Subject: Re: Aware of compatibility issue between CXF and Metro/Weblogic ?
>>>
>>> It's an issue in CXF:
>>>
>>> https://issues.apache.org/jira/browse/CXF-4166
>>>
>>> I'll merge a fix shortly.
>>>
>>> Colm.
>>>
>>> On Tue, Mar 6, 2012 at 3:13 PM, COURTAULT Francois wrote:
>>> > Hello Glen,
>>> >
>>> > The two issues (WSIT-1490 and WSIT-1590) you mention seem not related to the issue I have got :-( I am not using STS (WS-Trust) at all:
>>> > - WSIT-1490: no SAML used in the KeyIdentifier with a #uuid in the SOAP request.
>>> > - WSIT-1590: no encoded email in the SOAP request.
>>> >
>>> > Best Regards.
>>> >
>>> > -----Original Message-----
>>> > From: Glen Mazza [mailto:gmazza@talend.com]
>>> > Sent: Tuesday 6 March 2012 15:20
>>> > To: users@cxf.apache.org
>>> > Subject: Re: Aware of compatibility issue between CXF and Metro/Weblogic ?
>>> >
>>> > There's a couple of problems that seem to be on Metro's side
>>> > (http://java.net/jira/browse/WSIT-1490,
>>> > http://java.net/jira/browse/WSIT-1590) affecting interoperability
>>> > between the two stacks. It would be great if these were fixed, as
>>> > both Metro and CXF are better off the more interoperable they are
>>> > with each other. Feel free to vote for these two issues. :)
>>> >
>>> > Glen
>>> >
>>> > On 03/06/2012 07:03 AM, COURTAULT Francois wrote:
>>> >> Hello,
>>> >>
>>> >> I have tried to write a CXF client which talks to a WSS protected
>>> >> (X509Token) webservice hosted in Weblogic (Metro based) but
>>> >> unfortunately I got a Soap fault error.
>>> >>
>>> >> If I compare a soap request which works and the one generated by
>>> >> CXF, the only difference I have seen is that in the
>>> >> section, I have
>>> >> a section in the one which succeeded whereas
>>> >> I haven't this section in the CXF one.
>>> >>
>>> >> Any advice ? Any idea ?
>>> >>
>>> >> Best Regards.
>>> >
>>> > --
>>> > Glen Mazza
>>> > Talend Community Coders - coders.talend.com
>>> > blog: www.jroller.com/gmazza
>>>
>>> --
>>> Colm O hEigeartaigh
>>>
>>> Talend Community Coder
>>> http://coders.talend.com
>> --
>> Daniel Kulp
>> dkulp@apache.org - http://dankulp.com/blog
>> Talend Community Coder - http://coders.talend.com
>>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
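
Added example, not part of the original thread and not CXF or WebLogic code: a Python check that reports which elements of a WS-Security message are actually pointed at by ds:Reference URIs, which is the difference between the two requests compared in the thread (one references the Body, the other does not). The function names, the envelopes and their Ids (TS-1, BST-1, Body-1) are constructed for illustration; the check looks at reference coverage only and does not verify digests or the signature value.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSU, WSSE = OASIS + "utility-1.0.xsd", OASIS + "secext-1.0.xsd"
SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")    # SOAP 1.2
WSU_ID = f"{{{WSU}}}Id"

def signature_coverage(envelope_xml):
    """Map each same-document ds:Reference URI to the local name of its
    target element, or None if that wsu:Id is missing or not unique."""
    root = ET.fromstring(envelope_xml)
    by_id = {}
    for el in root.iter():
        if el.get(WSU_ID) is not None:
            by_id.setdefault(el.get(WSU_ID), []).append(el)
    coverage = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            hits = by_id.get(uri[1:], [])
            # A duplicated Id is ambiguous, so it does not count as covered.
            coverage[uri] = hits[0].tag.split("}")[-1] if len(hits) == 1 else None
    return coverage

def body_is_referenced(envelope_xml):
    """True only if the Body directly under the Envelope is the unique
    target of a ds:Reference."""
    root = ET.fromstring(envelope_xml)
    for ns in SOAP_NS:
        body = root.find(f"{{{ns}}}Body")
        if body is not None:
            uri = "#" + (body.get(WSU_ID) or "")
            return signature_coverage(envelope_xml).get(uri) == "Body"
    return False

def sample(ref_ids):
    """Constructed envelope (not from the thread) referencing the given Ids."""
    refs = "".join(f'<ds:Reference URI="#{i}"/>' for i in ref_ids)
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS[0]}" xmlns:ds="{DS}" '
            f'xmlns:wsu="{WSU}" xmlns:wsse="{WSSE}"><soap:Header><wsse:Security>'
            '<wsse:BinarySecurityToken wsu:Id="BST-1"/><wsu:Timestamp wsu:Id="TS-1"/>'
            f'<ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo></ds:Signature>'
            '</wsse:Security></soap:Header>'
            '<soap:Body wsu:Id="Body-1"><op/></soap:Body></soap:Envelope>')

WITH_BODY = sample(["TS-1", "Body-1", "BST-1"])  # Timestamp, Body and token referenced
WITHOUT_BODY = sample(["TS-1", "BST-1"])         # no Reference to the Body
```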