cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Signing of UsernameToken element with WS-SecurityPolicy and CXF
Date Fri, 03 Apr 2015 13:58:21 GMT
> I tried this before and the Username was still not signed. Only when I
> used SignedEncryptedSupportingTokens the username is getting signed (and
> not encrypted by the way, which is what I want at the moment). Probably I
> am doing something wrong but this works for me now.
>

Any chance of a test-case? Both scenarios should work fine. By the way, the
UsernameToken should be signed/encrypted, not just the "Username" part of
it. What version of CXF are you using?

Colm.


> Thanks for the feedback!
>
> Alex
>
> On Fri, Apr 3, 2015 at 4:33 PM, Colm O hEigeartaigh <coheigea@apache.org>
> wrote:
>
>> Simply change "SupportingTokens" to "SignedSupportingTokens".
>>
>> Colm.
>>
>> On Thu, Apr 2, 2015 at 12:49 PM, Alx <otinanism@gmail.com> wrote:
>>
>> > I have a requirement from my client for the signature to contain the
>> > UsernameToken element. According to the rest of his requirements the
>> > security policy I am using is the following:
>> >
>> > <wsp:Policy wsu:Id="SecurityServiceSignThenEncryptPolicy">
>> >   <wsp:ExactlyOne>
>> >     <wsp:All>
>> >       <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
>> >       <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>> >         <wsp:Policy>
>> >           <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>> >             <wsp:Policy>
>> >               <sp:NoPassword />
>> >             </wsp:Policy>
>> >           </sp:UsernameToken>
>> >         </wsp:Policy>
>> >       </sp:SupportingTokens>
>> >       <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>> >         <wsp:Policy>
>> >           <sp:InitiatorToken>
>> >             <wsp:Policy>
>> >               <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>> >                 <wsp:Policy>
>> >                   <sp:NoPassword />
>> >                 </wsp:Policy>
>> >               </sp:UsernameToken>
>> >             </wsp:Policy>
>> >           </sp:InitiatorToken>
>> >           <sp:RecipientSignatureToken>
>> >             <wsp:Policy>
>> >               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>> >                 <wsp:Policy>
>> >                   <sp:WssX509V3Token10 />
>> >                 </wsp:Policy>
>> >               </sp:X509Token>
>> >             </wsp:Policy>
>> >           </sp:RecipientSignatureToken>
>> >           <sp:AlgorithmSuite>
>> >             <wsp:Policy>
>> >               <sp:Basic256Sha256 />
>> >             </wsp:Policy>
>> >           </sp:AlgorithmSuite>
>> >           <sp:Layout>
>> >             <wsp:Policy>
>> >               <sp:Lax />
>> >             </wsp:Policy>
>> >           </sp:Layout>
>> >           <sp:IncludeTimestamp />
>> >         </wsp:Policy>
>> >       </sp:AsymmetricBinding>
>> >       <sp:SignedParts>
>> >         <sp:Body />
>> >         <sp:Header Namespace="http://www.w3.org/2005/08/addressing" />
>> >       </sp:SignedParts>
>> >     </wsp:All>
>> >   </wsp:ExactlyOne>
>> > </wsp:Policy>
>> >
>> >
>> > The above works correctly for me. The only thing that I could not sign
>> > is the UsernameToken. I tried using:
>> >
>> > <sp:SignedElements>
>> >   <sp:XPath xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
>> >             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> >             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>> >     /soap:Envelope/soap:Header/wsse:Security/wsse:UsernameToken/wsse:Username
>> >   </sp:XPath>
>> > </sp:SignedElements>
>> >
>> > which did not seem to work.
>> >
>> > Trying to debug I see that the SignedElementsBuilder class is accessed
>> > but I am not sure where to debug next, where the signing should occur.
>> >
>> > Any help will be appreciated.
>> >
>> > Alex
>> >
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
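Colm's point is that the whole wsse:UsernameToken element, not just its wsse:Username child, should end up under the signature. The script below is an added example, not part of this thread and not CXF or WSS4J code: it lists which wsu:Id-bearing elements the ds:Reference URIs of a message actually cover, so a captured request can be checked for that. The envelopes are constructed samples with dummy digest and signature values, and the check inspects references only; it does not validate the signature itself.

```python
import xml.etree.ElementTree as ET

# Namespaces used by a WS-Security secured SOAP 1.1 message.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_coverage(envelope_xml):
    """Return the set of element tags ('{ns}local') whose wsu:Id is the target of a
    ds:Reference inside a ds:Signature, i.e. what the signature claims to cover.
    Only the reference list is inspected; digests and the signature value are not verified."""
    root = ET.fromstring(envelope_xml)
    id_attr = "{%s}Id" % NS["wsu"]
    by_id = {el.get(id_attr): el.tag for el in root.iter() if el.get(id_attr)}
    covered = set()
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#") and uri[1:] in by_id:
            covered.add(by_id[uri[1:]])
    return covered


def username_token_signed(envelope_xml):
    """True when the whole wsse:UsernameToken element (not merely wsse:Username) is referenced."""
    return "{%s}UsernameToken" % NS["wsse"] in signature_coverage(envelope_xml)


def build_envelope(referenced_ids):
    """Constructed sample: a minimal secured envelope whose SignedInfo references the given
    wsu:Ids. DigestValue and SignatureValue are dummies, so this is not a real signature."""
    refs = "".join('<ds:Reference URI="#%s"><ds:DigestValue>AAA=</ds:DigestValue></ds:Reference>' % i
                   for i in referenced_ids)
    tmpl = (
        '<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">'
        '<soap:Header><wsse:Security><wsu:Timestamp wsu:Id="TS-1"/>'
        '<wsse:UsernameToken wsu:Id="UT-1"><wsse:Username>alice</wsse:Username></wsse:UsernameToken>'
        '<ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo>'
        '<ds:SignatureValue>AAA=</ds:SignatureValue></ds:Signature></wsse:Security></soap:Header>'
        '<soap:Body wsu:Id="Body-1"><ping/></soap:Body></soap:Envelope>'
    )
    return tmpl.format(refs=refs, **NS)


# What a SignedSupportingTokens policy should yield, versus a token that is merely present.
SIGNED_TOKEN_ENVELOPE = build_envelope(["TS-1", "Body-1", "UT-1"])
UNSIGNED_TOKEN_ENVELOPE = build_envelope(["TS-1", "Body-1"])

if __name__ == "__main__":
    print("UsernameToken covered (signed supporting token):", username_token_signed(SIGNED_TOKEN_ENVELOPE))
    print("UsernameToken covered (plain supporting token):", username_token_signed(UNSIGNED_TOKEN_ENVELOPE))
```

On a real capture, feed the raw request body to signature_coverage and look for the wsse:UsernameToken tag; a reference to only the Username child would show up as a different tag and is a sign the XPath approach from the question was used rather than SignedSupportingTokens.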
