cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Signing of UsernameToken element with WS-SecurityPolicy and CXF
Date Fri, 03 Apr 2015 14:21:06 GMT
> Unfortunately I'm out of the office at the moment so I cannot provide a
> test case. Do you mean I still need the SignedElements part?
>


No. Change "SupportingTokens" to "SignedSupportingTokens" in your original
policy; no SignedElements is required here.

Colm.


>
> On Friday, April 3, 2015, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>
> >
> >> I tried this before and the Username was still not signed. Only when I
> >> used SignedEncryptedSupportingTokens did the username get signed (and
> >> not encrypted, by the way, which is what I want at the moment). Probably I
> >> am doing something wrong, but this works for me now.
> >>
> >
> > Any chance of a test-case? Both scenarios should work fine. By the way,
> > the UsernameToken should be signed/encrypted, not just the "Username" part
> > of it. What version of CXF are you using?
> >
> > Colm.
> >
> >
> >> Thanks for the feedback!
> >>
> >> Alex
> >>
> >> On Fri, Apr 3, 2015 at 4:33 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
> >>
> >>> Simply change "SupportingTokens" to "SignedSupportingTokens".
> >>>
> >>> Colm.
> >>>
> >>> On Thu, Apr 2, 2015 at 12:49 PM, Alx <otinanism@gmail.com> wrote:
> >>>
> >>> > I have a requirement from my client for the signature to contain the
> >>> > UsernameToken element. According to the rest of his requirements the
> >>> > security policy I am using is the following:
> >>> >
> >>> > <wsp:Policy wsu:Id="SecurityServiceSignThenEncryptPolicy">
> >>> >   <wsp:ExactlyOne>
> >>> >     <wsp:All>
> >>> >       <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
> >>> >       <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >>> >         <wsp:Policy>
> >>> >           <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> >>> >             <wsp:Policy>
> >>> >               <sp:NoPassword />
> >>> >             </wsp:Policy>
> >>> >           </sp:UsernameToken>
> >>> >         </wsp:Policy>
> >>> >       </sp:SupportingTokens>
> >>> >       <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >>> >         <wsp:Policy>
> >>> >           <sp:InitiatorToken>
> >>> >             <wsp:Policy>
> >>> >               <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> >>> >                 <wsp:Policy>
> >>> >                   <sp:NoPassword />
> >>> >                 </wsp:Policy>
> >>> >               </sp:UsernameToken>
> >>> >             </wsp:Policy>
> >>> >           </sp:InitiatorToken>
> >>> >           <sp:RecipientSignatureToken>
> >>> >             <wsp:Policy>
> >>> >               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> >>> >                 <wsp:Policy>
> >>> >                   <sp:WssX509V3Token10 />
> >>> >                 </wsp:Policy>
> >>> >               </sp:X509Token>
> >>> >             </wsp:Policy>
> >>> >           </sp:RecipientSignatureToken>
> >>> >           <sp:AlgorithmSuite>
> >>> >             <wsp:Policy>
> >>> >               <sp:Basic256Sha256 />
> >>> >             </wsp:Policy>
> >>> >           </sp:AlgorithmSuite>
> >>> >           <sp:Layout>
> >>> >             <wsp:Policy>
> >>> >               <sp:Lax />
> >>> >             </wsp:Policy>
> >>> >           </sp:Layout>
> >>> >           <sp:IncludeTimestamp />
> >>> >         </wsp:Policy>
> >>> >       </sp:AsymmetricBinding>
> >>> >       <sp:SignedParts>
> >>> >         <sp:Body />
> >>> >         <sp:Header Namespace="http://www.w3.org/2005/08/addressing" />
> >>> >       </sp:SignedParts>
> >>> >     </wsp:All>
> >>> >   </wsp:ExactlyOne>
> >>> > </wsp:Policy>
> >>> >
> >>> >
> >>> > The above works correctly for me. The only thing that I could not sign is
> >>> > the UsernameToken. I tried using:
> >>> >
> >>> > <sp:SignedElements>
> >>> >   <sp:XPath xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
> >>> >             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >>> >             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >>> >     /soap:Envelope/soap:Header/wsse:Security/wsse:UsernameToken/wsse:Username
> >>> >   </sp:XPath>
> >>> > </sp:SignedElements>
> >>> >
> >>> > which did not seem to work.
> >>> >
> >>> > Trying to debug, I see that the SignedElementsBuilder class is accessed, but
> >>> > I am not sure where to debug next, or where the signing should occur.
> >>> >
> >>> > Any help will be appreciated.
> >>> >
> >>> > Alex
> >>> >
> >>>
> >>>
> >>>
> >>> --
> >>> Colm O hEigeartaigh
> >>>
> >>> Talend Community Coder
> >>> http://coders.talend.com
> >>>
> >>
> >>
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
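As an added check that is not code from the thread or from CXF: the script below inspects which elements of a WS-Security message are actually covered by the ds:Signature, which is what the thread is about. Per the thread, plain SupportingTokens leaves the UsernameToken unreferenced while SignedSupportingTokens signs it, and it is the whole wsse:UsernameToken element, not just wsse:Username, that should show up among the references. The two envelopes, the wsu:Id values (TS-1, UT-1, Body-1) and the username are constructed and simplified (no digests, transforms or SignatureValue).

```python
"""Check which elements of a WS-Security message are covered by the
ds:Signature, and in particular whether the UsernameToken is among them.
Added example, not CXF or thread code; the envelopes are constructed and
simplified (no digests, transforms or SignatureValue)."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def signed_elements(envelope_xml):
    """Return the {ns}local tags of elements whose wsu:Id is the target of a
    ds:Reference inside ds:SignedInfo. Unresolvable URIs are skipped."""
    root = ET.fromstring(envelope_xml)
    by_id = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}
    signed = []
    for ref in root.iterfind(".//ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#") and uri[1:] in by_id:
            signed.append(by_id[uri[1:]].tag)
    return signed

def username_token_signed(envelope_xml):
    """True only if the whole wsse:UsernameToken element is referenced,
    which is what SignedSupportingTokens should produce."""
    return "{%s}UsernameToken" % NS["wsse"] in signed_elements(envelope_xml)

def sample_envelope(sign_username_token):
    """Constructed envelope: Body and Timestamp are always referenced; the
    UsernameToken (wsu:Id UT-1) only when sign_username_token is True."""
    ut_ref = '<ds:Reference URI="#UT-1"/>' if sign_username_token else ""
    return ("<soap:Envelope xmlns:soap='%(soap)s' xmlns:wsse='%(wsse)s' "
            "xmlns:wsu='%(wsu)s' xmlns:ds='%(ds)s'>" % NS) + """
<soap:Header><wsse:Security>
 <wsu:Timestamp wsu:Id="TS-1"/>
 <wsse:UsernameToken wsu:Id="UT-1"><wsse:Username>alex</wsse:Username></wsse:UsernameToken>
 <ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#TS-1"/><ds:Reference URI="#Body-1"/>""" + ut_ref + """
 </ds:SignedInfo></ds:Signature>
</wsse:Security></soap:Header>
<soap:Body wsu:Id="Body-1"/></soap:Envelope>"""

if __name__ == "__main__":
    for flag in (False, True):
        print("UsernameToken referenced:", flag, "->", username_token_signed(sample_envelope(flag)))
```

Running the same function over a real outbound message (for example one captured with CXF's logging interceptors) tells you directly whether the policy change took effect, instead of inferring it from the server's fault.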
