cxf-users mailing list archives

From Claude Libois <clibois.w...@gmail.com>
Subject How to avoid default X509IssuerSerial as SecurityTokenReference with a Policy
Date Fri, 23 Sep 2016 08:30:34 GMT
Hello,
I would like to enforce my endpoint to return a reference to the embedded
binarySecurityToken instead of the serial+issuer name such as:
<wsse:SecurityTokenReference
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="STR-a65f2369-4c86-4e01-9663-0ec7b90b5ac9">
    <ds:X509Data>
        <ds:X509IssuerSerial>
            <ds:X509IssuerName>IssuerName</ds:X509IssuerName>
            <ds:X509SerialNumber>124284142324952637825</ds:X509SerialNumber>
        </ds:X509IssuerSerial>
    </ds:X509Data>
</wsse:SecurityTokenReference>
I was told by Colm O hEigeartaigh (thank you btw) that I could use the
signatureKeyIdentifier property with the "DirectReference" value. TBH, as I'm on a
servicemix which uses cxf+wss4J, it's quite complicated to know where to set this
property value, but that's not the point here. I'm using a policy to define my
ws-security and found it was possible to define something like
<sp:RequireEmbeddedTokenReference/> in the X509 tag. However, I'm still receiving
the X509IssuerSerial...
Does anybody know how to define this correctly in a policy? Here is my policy,
only applied on the server response:
<wsp:Policy wsu:Id="signAndTsPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding>
                <wsp:Policy>
                    <sp:IncludeTimestamp/>
                    <sp:InitiatorSignatureToken>
                        <wsp:Policy>
                            <sp:X509Token
                                sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:WssX509PkiPathV1Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorSignatureToken>
                    <sp:RecipientSignatureToken>
                        <wsp:Policy>
                            <sp:X509Token
                                sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <!-- Never? -->
                                <wsp:Policy>
                                    <sp:WssX509PkiPathV1Token10/>
                                    <sp:RequireEmbeddedTokenReference/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientSignatureToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256Sha256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:ProtectTokens/>
                    <sp:OnlySignEntireHeadersAndBody/>
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:SignedParts>
                <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Body/>
            </sp:SignedParts>
            <sp:Wss10>
                <wsp:Policy>
                    <sp:MustSupportRefKeyIdentifier/>
                </wsp:Policy>
            </sp:Wss10>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

To be honest, I'm rather new to ws-security with policy on cxf+wss4j.
I must say that it was quite complicated to find complete information to
achieve my goal.
That's why I'm asking for some help now.
Best Regards,
Claude
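As an added check (example code, not from this thread, CXF or WSS4J), a small Python classifier that reports which SecurityTokenReference form each signature in a wsse:Security header uses, so a captured response can be compared against what the policy is meant to produce; the sample headers inside it are constructed, and the token content is a placeholder.

```python
# Added example (not from the thread): classify the SecurityTokenReference form
# each signature in a wsse:Security header uses, so a captured response can be
# checked against what the policy intends (direct reference to the embedded
# BinarySecurityToken vs. X509IssuerSerial). Sample headers are constructed.
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

def q(ns, local):
    """Clark-notation tag name ({namespace}local) for ElementTree lookups."""
    return "{%s}%s" % (ns, local)

def classify_str(security_header_xml):
    """Return one label per ds:Signature found in the given wsse:Security header."""
    root = ET.fromstring(security_header_xml)
    # wsu:Id of every BinarySecurityToken embedded in the header
    bst_ids = {b.get(q(WSU, "Id")) for b in root.iter(q(WSSE, "BinarySecurityToken"))}
    labels = []
    for sig in root.iter(q(DS, "Signature")):
        str_el = sig.find(q(DS, "KeyInfo") + "/" + q(WSSE, "SecurityTokenReference"))
        if str_el is None:
            labels.append("no-str")
            continue
        ref = str_el.find(q(WSSE, "Reference"))
        if ref is not None:
            # Direct reference: URI="#id" must resolve to a token embedded in the header
            target = ref.get("URI", "").lstrip("#")
            labels.append("direct" if target in bst_ids else "direct-unresolved")
        elif str_el.find(q(DS, "X509Data") + "/" + q(DS, "X509IssuerSerial")) is not None:
            labels.append("issuer-serial")
        elif str_el.find(q(WSSE, "KeyIdentifier")) is not None:
            labels.append("key-identifier")
        else:
            labels.append("unknown")
    return labels

_HDR = '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">' % (WSSE, WSU, DS)
# Constructed header shaped like the IssuerSerial response quoted in the question.
SAMPLE_ISSUER_SERIAL = _HDR + """<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=IssuerName</ds:X509IssuerName>
<ds:X509SerialNumber>1</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>
</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>"""
# Constructed header with the wanted form: the STR points at the embedded BST.
SAMPLE_DIRECT = _HDR + """<wsse:BinarySecurityToken wsu:Id="X509-1">BASE64-CERT-PLACEHOLDER</wsse:BinarySecurityToken>
<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509-1"/>
</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>"""
```

Feed it the wsse:Security element captured from a real response to see which variant the endpoint actually emits; a "direct-unresolved" result means the STR uses a direct reference but the token it points at is not in the header.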
