ws-dev mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WSS-456) Not possible to support SymmetricBinding ProtectTokens policy
Date Fri, 31 Aug 2018 11:55:00 GMT

    [ https://issues.apache.org/jira/browse/WSS-456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16598640#comment-16598640 ]

Colm O hEigeartaigh commented on WSS-456:
-----------------------------------------

ProtectTokens + SymmetricBinding is actually supported for the DOM code, but not the StAX code.
Do you specifically need it for the StAX code?

You can reproduce the error by removing the if statement in this piece of test-code in CXF:

[https://github.com/apache/cxf/blob/ce2fcd19c63b7f666b778d482c5aa40e0e0c1828/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java#L962]

The error that results is "org.apache.xml.security.exceptions.XMLSecurityException: Part to
sign not found: {http://www.w3.org/2001/04/xmlenc#}EncryptedKey". The problem is that as
we have "sign before encrypting", the EncryptedKey is not yet available to the Signature when
we are trying to sign the EncryptedKey. It might be possible to get it working with some hacking,
but it would probably be quite tricky.

 

> Not possible to support SymmetricBinding ProtectTokens policy
> -------------------------------------------------------------
>
>                 Key: WSS-456
>                 URL: https://issues.apache.org/jira/browse/WSS-456
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Colm O hEigeartaigh
>            Assignee: Marc Giger
>            Priority: Major
>
> It is not possible currently to support the SymmetricBinding ProtectTokens policy. In
> this scenario, the Signature KeyInfo references an EncryptedKey Element, and also signs the
> EncryptedKey Element.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
