Mailing-List: users@cxf.apache.org (contact users-help@cxf.apache.org; run by ezmlm)
Date: Tue, 13 Aug 2013 15:48:26 +0200
Subject: Re: CXF Security policy signature method
From: Ted Roeloffzen
To: users

Thank you for creating the JIRA.
In this case I'm screwed, I think. As far as I know, RSA-SHA256 is mandatory for this service to work.
Is there a way to work around it? Is there a class that I can inherit from to make it work?

Ted

2013/8/13 Colm O hEigeartaigh

> SHA-256 is only used for the digest algorithm for any of the standard
> WS-SecurityPolicy AlgorithmSuites. The Signature Algorithm is always
> RSA-SHA1 and cannot be configured. Ideally, we would have a new
> specification to cater for newer security algorithms, but this does not
> appear likely from my understanding.
>
> I've created a JIRA to find a way around this problem:
>
> https://issues.apache.org/jira/browse/CXF-5200
>
> I think I will add a configuration option to override the default RSA-SHA1
> signature algorithm.
>
> Colm.
>
>
> On Tue, Aug 13, 2013 at 2:19 PM, Ted Roeloffzen wrote:
>
> > I was afraid of that.
> >
> > The policy that is used is as follows:
> >
> >
> > When I look at this policy, I'd think that SHA256 would be used; I thought
> > RSA-SHA256 would be used as the signature algorithm, but when I look at the
> > XML that is output by CXF, RSA-SHA1 is used.
> >
> > Where am I going wrong?
> >
> > Ted
> >
> >
> > 2013/8/13 Colm O hEigeartaigh
> >
> > > You can't set the SignatureAlgorithm if you are using WS-SecurityPolicy,
> > > as it defaults to that of the spec. What requirements do you have? What
> > > signature algorithm do you want to use?
> > >
> > > Colm.
> > >
> > >
> > > On Tue, Aug 13, 2013 at 1:36 PM, Ted Roeloffzen <ted.roeloffzen@gmail.com> wrote:
> > >
> > >> Hi Colm,
> > >>
> > >> The WSS4JOutInterceptor is created and configured automatically by CXF,
> > >> right?
> > >> Can I somehow retrieve the WSS4JOutInterceptor during the process and set
> > >> the signatureAlgorithm tag, without having to configure the entire
> > >> interceptor?
> > >>
> > >> Ted
> > >>
> > >>
> > >> 2013/8/13 Colm O hEigeartaigh
> > >>
> > >>> If you are using WS-SecurityPolicy, then the spec defines the signature
> > >>> method as "RSA-SHA1" for Asymmetric Signature, and "HMAC-SHA1" for
> > >>> Symmetric Signature. Otherwise, you can set it via the
> > >>> "signatureAlgorithm" configuration tag on the WSS4JOutInterceptor.
> > >>>
> > >>> Colm.
> > >>>
> > >>>
> > >>> On Tue, Aug 13, 2013 at 8:08 AM, Ted Roeloffzen <ted.roeloffzen@gmail.com> wrote:
> > >>>
> > >>> > Hi All,
> > >>> >
> > >>> > How does CXF determine which signature method to use?
> > >>> > Does it retrieve it from the security-policy in the WSDL or do you have to
> > >>> > configure it?
> > >>> >
> > >>> > kind regards,
> > >>> >
> > >>> > Ted
> > >>>
> > >>> --
> > >>> Colm O hEigeartaigh
> > >>>
> > >>> Talend Community Coder
> > >>> http://coders.talend.com
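As an added example, not code from the thread, from CXF or from WSS4J: the point Colm makes above (a WS-SecurityPolicy AlgorithmSuite such as Basic256Sha256 changes only the digest algorithm, while the SignatureMethod stays RSA-SHA1) is something you can verify on the wire rather than from the policy. The check below reads the algorithm URIs out of a signed SOAP message the way Ted did when he looked at CXF's output. The SOAP envelope it runs on is constructed by hand for the example (it is not real CXF output) and only mirrors the combination the thread describes; the check reads declared URIs and does not verify the signature itself.

```python
"""Audit which algorithms a WS-Security signed SOAP message actually declares.

Added example (not CXF or WSS4J code). The envelope below is a constructed
sample, not real CXF output, shaped like what the thread describes: SHA-256
digests under an rsa-sha1 SignatureMethod.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Standard XML Signature algorithm identifiers.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample: Basic256Sha256-style digests, but the WS-SecurityPolicy
# default rsa-sha1 SignatureMethod. Digest/Signature values are placeholders.
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2013-08-13T13:48:26Z</wsu:Created>
      </wsu:Timestamp>
      <ds:Signature Id="SIG-1">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="{RSA_SHA1}"/>
          <ds:Reference URI="#id-1">
            <ds:DigestMethod Algorithm="{SHA256}"/>
            <ds:DigestValue>AAAA</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-1">
            <ds:DigestMethod Algorithm="{SHA256}"/>
            <ds:DigestValue>BBBB</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>CCCC</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="id-1"/>
</soap:Envelope>"""


def audit_signature(envelope_xml):
    """Report the SignatureMethod and per-Reference DigestMethod URIs of the
    ds:Signature in the wsse:Security header, plus whether the message is
    SHA-256 end to end (signature method *and* every digest)."""
    root = ET.fromstring(envelope_xml)
    sig = root.find(f".//{{{WSSE}}}Security/{{{DS}}}Signature")
    if sig is None:
        raise ValueError("no ds:Signature inside wsse:Security")

    sig_method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod").get("Algorithm")
    digest_methods = [
        ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")
        for ref in sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    ]

    issues = []
    if sig_method == RSA_SHA1:
        issues.append("SignatureMethod is rsa-sha1 (the WS-SecurityPolicy default); "
                      "the suite's SHA-256 applies to the digests only")
    elif sig_method != RSA_SHA256:
        issues.append(f"unexpected SignatureMethod {sig_method}")
    for uri, alg in zip((r.get("URI") for r in sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")),
                        digest_methods):
        if alg != SHA256:
            issues.append(f"Reference {uri} uses digest {alg}, not sha256")

    return {
        "signature_method": sig_method,
        "digest_methods": digest_methods,
        "sha256_end_to_end": sig_method == RSA_SHA256 and all(d == SHA256 for d in digest_methods),
        "issues": issues,
    }


if __name__ == "__main__":
    report = audit_signature(SAMPLE_ENVELOPE)
    print("SignatureMethod:", report["signature_method"])
    print("DigestMethods:  ", report["digest_methods"])
    for issue in report["issues"]:
        print("ISSUE:", issue)
```

Run against a captured response (or a CXF outbound message from the logging interceptor) this tells you in one line whether the RSA-SHA256 the peer insists on is actually present; on the constructed sample it reports SHA-256 digests but flags the rsa-sha1 SignatureMethod, which is exactly the mismatch Ted describes. If the server side is the one that must reject rsa-sha1, the same two URIs are what its inbound policy enforcement would need to check.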