cxf-users mailing list archives

From Kai Rommel <krommel2...@googlemail.com>
Subject Re: InitiatorToken is included in response message when AlwaysToRecipient is set
Date Mon, 20 Jan 2014 13:56:37 GMT
Hi Colm, this is the complete policy

<wsp:Policy wsu:Id="Asymmetric"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://www.w3.org/ns/ws-policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy/>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
          <sp:OnlySignEntireHeadersAndBody />
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <sp:Body />
        <sp:Header Name="To" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Name="From" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Name="FaultTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Name="ReplyTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Name="MessageID" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Name="RelatesTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Name="Action" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Name="Timestamp" Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
      </sp:SignedParts>
      <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
          xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
          xmlns:wsa="http://www.w3.org/2005/08/addressing"
          xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
          xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
          xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
        <sp:Body />
      </sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>


2014/1/20 Colm O hEigeartaigh <coheigea@apache.org>

> It sounds like a bug. What does your complete security policy look like?
>
> Colm.
>
>
> On Mon, Jan 20, 2014 at 1:42 PM, Kai Rommel <krommel2010@googlemail.com> wrote:
>
> > Hi,
> >
> > I set up a request/response scenario with wss. The policy for the
> > initiator token is set to /AlwaysToRecipient and for the recipient token
> > to /Never. Signature and encryption are configured.
> >
> > The message exchange works fine and the request message looks like
> > expected. But the response message also contains a BinarySecurityToken
> > element (the initiator token) in the soap header.
> >
> > This causes an issue when my WS Consumer is not a cxf endpoint and
> > validates the response message against the following rule
> >
> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826602
> >
> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
> >
> > The token MUST be included in all messages sent from initiator to the
> > recipient. The token MUST NOT be included in messages sent from the
> > recipient to the initiator.
> >
> > Is this a bug?
> >
> > Thanks.
> >
> > Best regards
> >
> > Kai
> >
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
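The IncludeToken rule quoted in the thread (AlwaysToRecipient forbids the initiator token in recipient-to-initiator messages, Never forbids the recipient token everywhere) is exactly what a non-CXF consumer would verify on the response. The following is an added example, not code from the thread or from CXF: it reads the two token assertions from a trimmed, constructed copy of the posted policy and flags BinarySecurityToken elements that appear in a message direction neither assertion permits; the response envelope and the token content are constructed placeholders.

```python
import xml.etree.ElementTree as ET
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed, trimmed copy of the thread's AsymmetricBinding token assertions.
POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
 <sp:AsymmetricBinding><wsp:Policy>
  <sp:InitiatorToken><wsp:Policy>
   <sp:X509Token sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient"/>
  </wsp:Policy></sp:InitiatorToken>
  <sp:RecipientToken><wsp:Policy>
   <sp:X509Token sp:IncludeToken="{SP}/IncludeToken/Never"/>
  </wsp:Policy></sp:RecipientToken>
 </wsp:Policy></sp:AsymmetricBinding></wsp:Policy>"""

# Constructed response like the one described in the thread: a BinarySecurityToken
# (placeholder content) sits in the recipient's Security header.
RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>
 <wsse:Security xmlns:wsse="{WSSE}">
  <wsse:BinarySecurityToken>MIIB...placeholder...</wsse:BinarySecurityToken>
 </wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""

# IncludeToken mode -> message directions that may carry the token
# ('Once' = first message only, i.e. the request in a request/response exchange).
ALLOWED = {"Never": set(), "Once": {"request"}, "AlwaysToRecipient": {"request"},
           "AlwaysToInitiator": {"response"}, "Always": {"request", "response"}}

def include_token_modes(policy_xml):
    """Map InitiatorToken/RecipientToken to the IncludeToken mode in the binding."""
    root = ET.fromstring(policy_xml)
    modes = {}
    for role in ("InitiatorToken", "RecipientToken"):
        tok = root.find(f".//{{{SP}}}{role}//{{{SP}}}X509Token")
        # WS-SecurityPolicy's default when the attribute is absent is Always.
        uri = tok.get(f"{{{SP}}}IncludeToken", f"{SP}/IncludeToken/Always")
        modes[role] = uri.rsplit("/", 1)[-1]
    return modes

def check_message(policy_xml, message_xml, direction):
    """Violations: BinarySecurityTokens in a 'request'/'response' that no assertion allows."""
    modes = include_token_modes(policy_xml)
    env = ET.fromstring(message_xml)
    bsts = env.findall(f".//{{{WSSE}}}Security/{{{WSSE}}}BinarySecurityToken")
    if bsts and not any(direction in ALLOWED[m] for m in modes.values()):
        return [f"{len(bsts)} BinarySecurityToken in {direction}; InitiatorToken="
                f"{modes['InitiatorToken']}, RecipientToken={modes['RecipientToken']}"]
    return []
```

Run against the constructed response, the check reports one violation for the response direction and none for the request direction, which is the behaviour Kai's non-CXF consumer is enforcing.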
