cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: WS Security via policies - Timestamp always signed
Date Sat, 23 Dec 2017 10:03:54 GMT
If you have a security binding with an "IncludeTimestamp" policy then the
spec says:

"This boolean property specifies whether a wsu:Timestamp element is present in the wsse:Security header. If the value is 'true', the timestamp element MUST be present and MUST be integrity protected either by transport or message level security. If the value is 'false', the timestamp element MUST NOT be present. The default value for this property is 'false'."

So the Timestamp must be signed if it is present in the request.

Colm.

On Fri, Dec 22, 2017 at 7:51 PM, Kai Rommel <krommel2010@googlemail.com>
wrote:

> Hi,
>
> I tested different policies and was wondering about the result.
>
> When I add
> <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>   <sp:Body />
> </sp:SignedParts>
> integrity protection information is added for the SOAP Header Timestamp and
> the SOAP Body.
>
> This looks good. According to the spec
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html
> the Timestamp is signed.
> "The SignedParts assertion is used to specify the parts of the message
> outside of security headers that require integrity protection."
>
> So my WS-Consumer expects the integrity protection information in the
> response message.
>
> The issue is that the WS-Provider accepts my request message, but creates
> a response where this information is missing. I am getting the following
> error:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements
>
> As security headers require integrity protection, the error is fine, as the
> response is not valid.
>
> So I checked the spec again and there is the possibility to use
> SignedElementsAssertion.
> "The SignedElements assertion is used to specify arbitrary elements in the
> message that require integrity protection. "
>
> I changed my policies to:
> <sp:SignedElements xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>   <sp:XPath>/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Body']</sp:XPath>
> </sp:SignedElements>
>
> And still the integrity protection is added for the timestamp. Have I
> overlooked something? I would like to accept a response message with a
> timestamp but without integrity protection information for the timestamp.
>
> I wish a Merry Christmas :)
>
> Kai
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
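As an added example, not code from this thread or from CXF itself: a small Python check that applies the IncludeTimestamp rule quoted in the reply to a received WS-Security message, reporting whether the wsu:Timestamp is absent, signed, or present but not integrity protected (the response Kai's consumer rejects). It assumes the standard SOAP 1.1, WSS 1.0 and XML Signature namespaces, uses constructed sample envelopes, and only inspects which elements the signature references; it does not validate the signature itself.

```python
import xml.etree.ElementTree as ET

# Standard namespaces for SOAP 1.1, WS-Security 1.0 and XML Signature.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"


def timestamp_integrity_status(envelope_xml: str) -> str:
    """Return 'absent', 'signed' or 'unsigned' for the wsu:Timestamp in the
    wsse:Security header. This is a structural coverage check only: it looks at
    which elements the ds:SignedInfo references, it does not verify digests or
    the signature value (leave that to the WS-Security stack, e.g. WSS4J)."""
    root = ET.fromstring(envelope_xml)
    ts = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSU}}}Timestamp")
    if ts is None:
        return "absent"
    ts_id = ts.get(f"{{{WSU}}}Id")
    referenced = {ref.get("URI") for ref in root.iter(f"{{{DS}}}Reference")}
    return "signed" if ts_id and f"#{ts_id}" in referenced else "unsigned"


def conforms(envelope_xml: str, include_timestamp: bool) -> bool:
    """Apply the IncludeTimestamp rule quoted in the reply: 'true' requires a
    timestamp that is integrity protected, 'false' forbids the timestamp."""
    status = timestamp_integrity_status(envelope_xml)
    return status == "signed" if include_timestamp else status == "absent"


def sample_response(timestamp_signed: bool) -> str:
    """Constructed minimal response (not a real CXF message). The Body is always
    referenced by the signature; the Timestamp only when requested, which
    reproduces the 'Received Timestamp does not match the requirements' case."""
    ts_ref = '<ds:Reference URI="#TS-1"/>' if timestamp_signed else ""
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}"
    xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <soap:Header><wsse:Security>
    <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2017-12-22T19:51:00Z</wsu:Created></wsu:Timestamp>
    <ds:Signature><ds:SignedInfo>{ts_ref}<ds:Reference URI="#Body-1"/></ds:SignedInfo>
    <ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="Body-1"><ok/></soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    for signed in (True, False):
        msg = sample_response(signed)
        print(timestamp_integrity_status(msg), conforms(msg, include_timestamp=True))
```

Run against a real response, the "unsigned" result is exactly the condition the AsymmetricBinding check in the thread reports, and no SignedParts or SignedElements change makes it acceptable while IncludeTimestamp is set.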
