cxf-users mailing list archives

From Ted Roeloffzen <ted.roeloff...@gmail.com>
Subject Re: CXF Security policy signature method
Date Tue, 13 Aug 2013 13:48:26 GMT
Thank you for creating the JIRA.

In this case I'm screwed, I think.
As far as I know, RSA-SHA256 is mandatory for this service to work.
Is there a way to work around it?

Is there a class that I can inherit from to make it work?

Ted



2013/8/13 Colm O hEigeartaigh <coheigea@apache.org>

> SHA-256 is only used for the digest algorithm for any of the standard
> WS-SecurityPolicy AlgorithmSuites. The Signature Algorithm is always
> RSA-SHA1 and cannot be configured. Ideally, we would have a new
> specification to cater for newer security algorithms, but this does not
> appear likely from my understanding.
>
> I've created a JIRA to find a way around this problem:
>
> https://issues.apache.org/jira/browse/CXF-5200
>
> I think I will add a configuration option to override the default RSA-SHA1
> signature algorithm.
>
> Colm.
>
>
> On Tue, Aug 13, 2013 at 2:19 PM, Ted Roeloffzen <ted.roeloffzen@gmail.com
> >wrote:
>
> > I was afraid of that.
> >
> > The policy that is used is as follows:
> >
> > <wsp:Policy wsu:Id="...">
> >   <wsp:ExactlyOne>
> >    <wsp:All>
> >         <sp:AsymmetricBinding>
> >            <wsp:Policy>
> >                <sp:InitiatorToken>
> >                    <wsp:Policy>
> >                        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >                            <wsp:Policy>
> >                                <sp:RequireThumbprintReference/>
> >                                <sp:WssX509V3Token10/>
> >                            </wsp:Policy>
> >                        </sp:X509Token>
> >                    </wsp:Policy>
> >              </sp:InitiatorToken>
> >              <sp:RecipientToken>
> >                   <wsp:Policy>
> >                         <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
> >                              <wsp:Policy>
> >                                  <sp:RequireThumbprintReference/>
> >                                  <sp:WssX509V3Token10/>
> >                             </wsp:Policy>
> >                       </sp:X509Token>
> >                  </wsp:Policy>
> >               </sp:RecipientToken>
> >              <sp:AlgorithmSuite>
> >                      <wsp:Policy>
> >                          <sp:Basic256Sha256Rsa15/>
> >                      </wsp:Policy>
> >              </sp:AlgorithmSuite>
> >              <sp:Layout>
> >                   <wsp:Policy>
> >                         <sp:Lax/>
> >                   </wsp:Policy>
> >              </sp:Layout>
> >              <sp:IncludeTimestamp/>
> >              <sp:OnlySignEntireHeadersAndBody/>
> >        </wsp:Policy>
> >     </sp:AsymmetricBinding>
> >     </wsp:All>
> >    </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> >
> > When I look at this policy, I'd think that SHA256 would be used; I thought
> > RSA-SHA256 would be used as the signature algorithm, but when I look at the
> > XML that is output by CXF, RSA-SHA1 is used.
> >
> > Where am I going wrong?
> >
> > Ted
> >
> >
> >
> >
> > 2013/8/13 Colm O hEigeartaigh <coheigea@apache.org>
> >
> > > You can't set the SignatureAlgorithm if you are using WS-SecurityPolicy,
> > > as it defaults to that of the spec. What requirements do you have? What
> > > signature algorithm do you want to use?
> > >
> > > Colm.
> > >
> > >
> > > On Tue, Aug 13, 2013 at 1:36 PM, Ted Roeloffzen <
> > ted.roeloffzen@gmail.com>wrote:
> > >
> > >> Hi Colm,
> > >>
> > >> The WSS4JOutInterceptor is created and configured automatically by CXF,
> > >> right?
> > >> Can I somehow retrieve the WSS4JOutInterceptor during the process and set
> > >> the signatureAlgorithm tag, without having to configure the entire
> > >> interceptor?
> > >>
> > >> Ted
> > >>
> > >>
> > >>
> > >>
> > >> 2013/8/13 Colm O hEigeartaigh <coheigea@apache.org>
> > >>
> > >>> If you are using WS-SecurityPolicy, then the spec defines the signature
> > >>> method as "RSA-SHA1" for Asymmetric Signature, and "HMAC-SHA1" for
> > >>> Symmetric Signature. Otherwise, you can set it via the "signatureAlgorithm"
> > >>> configuration tag on the WSS4JOutInterceptor.
> > >>>
> > >>> Colm.
> > >>>
> > >>>
> > >>> On Tue, Aug 13, 2013 at 8:08 AM, Ted Roeloffzen <
> > >>> ted.roeloffzen@gmail.com>wrote:
> > >>>
> > >>> > Hi All,
> > >>> >
> > >>> > How does CXF determine which signature method to use?
> > >>> > Does it retrieve it from the security-policy in the WSDL or do you
> > >>> > have to configure it?
> > >>> >
> > >>> > kind regards,
> > >>> >
> > >>> > Ted
> > >>> >
> > >>>
> > >>>
> > >>>
> > >>> --
> > >>> Colm O hEigeartaigh
> > >>>
> > >>> Talend Community Coder
> > >>> http://coders.talend.com
> > >>>
> > >>
> > >>
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
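An added check (example code, written for this archive page, not from the thread or from CXF) that does what Ted describes doing by hand: it reads the AlgorithmSuite from the policy and the ds:SignedInfo from the SOAP message CXF emitted, confirms the digest matches the suite, and reports whether the signature algorithm is the spec's RSA-SHA1 default or the RSA-SHA256 the service requires. The policy and envelope below are constructed and trimmed; binding wsp to the WS-Policy 1.5 namespace is an assumption.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
RSA_SHA1 = DS + "rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
# WS-SecurityPolicy 1.2: the AlgorithmSuite name fixes the digest algorithm, while the
# asymmetric signature algorithm is RSA-SHA1 for every suite (the point made in the thread).
SUITE_DIGEST = {"Basic256": DS + "sha1", "Basic256Sha256": SHA256, "Basic256Sha256Rsa15": SHA256}

def suite_from_policy(policy_xml):
    # The suite is the single child element of sp:AlgorithmSuite/wsp:Policy.
    suite_el = ET.fromstring(policy_xml).find(f".//{{{SP}}}AlgorithmSuite")
    return suite_el.find("{*}Policy/*").tag.split("}")[1]

def signed_info_algorithms(soap_xml):
    # Read what was actually emitted: ds:SignatureMethod and each ds:Reference's digest.
    si = ET.fromstring(soap_xml).find(f".//{{{DS}}}SignedInfo")
    sig = si.find(f"{{{DS}}}SignatureMethod").get("Algorithm")
    digests = {r.find(f"{{{DS}}}DigestMethod").get("Algorithm")
               for r in si.findall(f"{{{DS}}}Reference")}
    return sig, digests

def check_message(policy_xml, soap_xml, required_signature=None):
    # Compare the emitted algorithms with the suite's spec defaults and, optionally,
    # with what the remote service insists on (in the thread: RSA-SHA256).
    suite = suite_from_policy(policy_xml)
    sig, digests = signed_info_algorithms(soap_xml)
    findings = []
    if digests != {SUITE_DIGEST[suite]}:
        findings.append(f"digest {sorted(digests)} does not match suite {suite}")
    if sig != RSA_SHA1:
        findings.append(f"signature {sig} deviates from the WS-SecurityPolicy default RSA-SHA1")
    if required_signature and sig != required_signature:
        findings.append(f"service requires {required_signature} but message uses {sig}")
    return suite, sig, findings

# Constructed inputs (not from the thread): the thread's AlgorithmSuite in a trimmed policy
# (wsp bound to the WS-Policy 1.5 namespace is an assumption) and a minimal SignedInfo.
POLICY = f"""<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="{SP}">
 <sp:AsymmetricBinding><wsp:Policy><sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256Rsa15/>
 </wsp:Policy></sp:AlgorithmSuite></wsp:Policy></sp:AsymmetricBinding></wsp:Policy>"""

def sample_message(signature_alg):
    # Shape of the header CXF/WSS4J emits; digest and signature values are placeholders.
    return f"""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header>
 <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="{signature_alg}"/>
  <ds:Reference URI="#body"><ds:DigestMethod Algorithm="{SHA256}"/><ds:DigestValue>c29tZQ==</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
</soap:Header><soap:Body/></soap:Envelope>"""
```

Running `check_message(POLICY, sample_message(RSA_SHA1), RSA_SHA256)` reproduces Ted's situation: the message is exactly what the suite prescribes, yet it fails the service's RSA-SHA256 requirement.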
