ws-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Xml-Signature wrapping
Date Tue, 19 Jun 2012 11:34:38 GMT
> Thanks for your answer! :) That's the case of the soap body, what about
> another element
> in the soap tree?

It works with any element in the SOAP Envelope. Basically, WSS4J validates
the signature and each of the references, by searching for the reference
element in the SOAP Envelope corresponding to the Id of the Reference. It
then stores the Reference Element, as well as an XPath corresponding to the
location of the Element in the SOAP Envelope. Downstream code can then
extract the list of signed elements and compare the location to the
location that was "expected".

Colm.



On Tue, Jun 19, 2012 at 12:21 PM, massimiliano.masi@gmail.com <
massimiliano.masi@gmail.com> wrote:

> Hi,
>
> Thanks for your answer! :) That's the case of the soap body, what about
> another element
> in the soap tree?
>
> The idea to have xpath references in the ds:Transform keeps the semantic
> of the signature tied to the structure of the xml document. Do you know if
> there is a way to
> add such xpath property to the ds:Transform, without creating a custom
> signature
> processor?
>
> Ciao,
>
>     Massi
>
> On Tue, Jun 19, 2012 at 12:53 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>
>> Hi Massimiliano,
>>
>> WSS4J does not enforce that certain elements in a request must be signed
>> or encrypted, that's the job of the calling code. So for example, if a CXF
>> endpoint has a WS-SecurityPolicy requirement that the SOAP Body must be
>> signed, then your sample altered request will fail at that stage.
>>
>> Colm.
>>
>>
>> On Tue, Jun 19, 2012 at 11:28 AM, massimiliano.masi@gmail.com <
>> massimiliano.masi@gmail.com> wrote:
>>
>>> Hello All,
>>>
>>> I am trying to write code against XML-Signature wrapping.
>>>
>>> The attached XML is validating, but it shouldn't (the signature was made
>>> on the correct XML, where I switched the body) :-)
>>>
>>> I was trying to use the w3c's best practice #14, which is described in
>>>
>>> http://domino.research.ibm.com/library/cyberdig.nsf/papers/73053F26BFE5D1D385257067004CFD80/$File/rc23691.pdf
>>>
>>> How can I do that easily with wss4j?
>>>
>>> Thanks a lot!
>>>
>>> <?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
>>> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
>>>   <s:Header>
>>>     <wsse:Security s:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>>       <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-5ED3F58FF83785A1E613401010446741">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</wsse:BinarySecurityToken>
>>>       <ds:Signature Id="SIG-2" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>         <ds:SignedInfo>
>>>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>>             <ec:InclusiveNamespaces PrefixList="s" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>           </ds:CanonicalizationMethod>
>>>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>           <ds:Reference URI="#id-1">
>>>             <ds:Transforms>
>>>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>>                 <ec:InclusiveNamespaces PrefixList="" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>               </ds:Transform>
>>>             </ds:Transforms>
>>>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>             <ds:DigestValue>mjUU4XkDWH4O/mdFHz65/e5C6hw=</ds:DigestValue>
>>>           </ds:Reference>
>>>         </ds:SignedInfo>
>>>         <ds:SignatureValue>OZBdrJ4ucWbfdTJIFd6thEtyaBH3OshqVHEmPDlaaoqFXqD4dHJCUWR9KMjcJ1gozFEe1aVM4Ju7
>>> w2jJdSa4CKLgX2xf5dIdUkoH1+ck68hYBT7zfYj3sivctxRwLh2PwuI8qTrUB2ya1vw5X9vsPp2z
>>> f0nfnO3NoOHScDa1ZcI=</ds:SignatureValue>
>>>         <ds:KeyInfo Id="KI-5ED3F58FF83785A1E613401010446952">
>>>           <wsse:SecurityTokenReference wsu:Id="STR-5ED3F58FF83785A1E613401010446963">
>>>             <wsse:Reference URI="#X509-5ED3F58FF83785A1E613401010446741" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>>>           </wsse:SecurityTokenReference>
>>>         </ds:KeyInfo>
>>>       </ds:Signature>
>>>     </wsse:Security>
>>>     <fooHeader>
>>>       <s:Body wsu:Id="id-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>>         <ns1:sampleValue xmlns:ns1="urn:tiani-spirit:test">
>>> this is a value
>>> </ns1:sampleValue>
>>>       </s:Body>
>>>     </fooHeader>
>>>   </s:Header>
>>>   <Body xmlns="http://www.w3.org/2003/05/soap-envelope">
>>>     <sampleValue xmlns="urn:tiani-spirit:test">This is another one,
>>> FAKED</sampleValue>
>>>   </Body>
>>> </s:Envelope>
>>>
>>>
>>>
>>>
>>> --
>>> Massimiliano Masi
>>>
>>> http://www.mascanc.net/~max
>>>
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>>
>
>
> --
> Massimiliano Masi
>
> http://www.mascanc.net/~max
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
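The check Colm describes above (resolve each ds:Reference to its element, record where that element actually sits, then have the calling code compare that location with the one it expects) is shown here as an added, stand-alone example; it is not WSS4J's code nor code from either poster. It uses only the Python standard library and two constructed messages modelled on the one in the thread, reduced to the parts the location check needs (no real signature or digest is verified). The expected path, the wsu:Id "id-1" and the urn:example:test payload are assumptions made for the example. In WSS4J itself the same location information is what the stored XPath on each signed-reference result carries, and the comparison below is the piece the endpoint code has to supply.

```python
"""Location check for signed SOAP elements.

A bare wsu:Id lookup resolves "#id-1" to the signed Body even after it has
been moved into a wrapper inside the Header, so signature verification still
succeeds.  Comparing the resolved element's absolute path against the path
the endpoint requires is what tells the two messages apart.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def clark(ns, local):
    """Clark notation {ns}local, the form ElementTree uses for tags/attributes."""
    return "{%s}%s" % (ns, local)


# Constructed message, modelled on the wrapped one posted in the thread: the
# element carrying wsu:Id="id-1" sits under <fooHeader> inside the Header,
# while an unsigned Body takes its place.  The Signature is reduced to the
# ds:Reference, which is all this check reads.
WRAPPED = """<s:Envelope xmlns:s="%(s)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
  <s:Header>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#id-1"/>
    </ds:SignedInfo></ds:Signature>
    <fooHeader>
      <s:Body wsu:Id="id-1"><v xmlns="urn:example:test">this is a value</v></s:Body>
    </fooHeader>
  </s:Header>
  <s:Body><v xmlns="urn:example:test">This is another one, FAKED</v></s:Body>
</s:Envelope>""" % {"s": SOAP_NS, "wsu": WSU_NS, "ds": DS_NS}

# Constructed: the same message with the signed Body where it belongs.
HONEST = """<s:Envelope xmlns:s="%(s)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
  <s:Header>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#id-1"/>
    </ds:SignedInfo></ds:Signature>
  </s:Header>
  <s:Body wsu:Id="id-1"><v xmlns="urn:example:test">this is a value</v></s:Body>
</s:Envelope>""" % {"s": SOAP_NS, "wsu": WSU_NS, "ds": DS_NS}


def signed_reference_ids(root):
    """Ids named by each ds:Reference with a same-document URI ("#id")."""
    ids = []
    for ref in root.iter(clark(DS_NS, "Reference")):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.append(uri[1:])
    return ids


def find_by_wsu_id(root, wsu_id):
    """Resolve a wsu:Id by value alone, as a reference resolver does.
    The lookup says nothing about where in the document the element lives."""
    matches = [e for e in root.iter() if e.get(clark(WSU_NS, "Id")) == wsu_id]
    if len(matches) != 1:
        raise ValueError("expected exactly one element with wsu:Id=%r, found %d"
                         % (wsu_id, len(matches)))
    return matches[0]


def resolved_tag(xml_text, wsu_id):
    """Tag of the element a bare id lookup returns for this message."""
    return find_by_wsu_id(ET.fromstring(xml_text), wsu_id).tag


def element_path(root, elem):
    """Absolute path of elem, root to leaf, with a positional index among
    same-named siblings so that two elements never share a path."""
    parents = {child: parent for parent in root.iter() for child in parent}
    parts = []
    node = elem
    while node is not root:
        parent = parents[node]
        same = [c for c in parent if c.tag == node.tag]
        parts.append("%s[%d]" % (node.tag, same.index(node) + 1))
        node = parent
    parts.append(root.tag)
    return "/" + "/".join(reversed(parts))


def signed_element_locations(xml_text):
    """Map each signed id to the path of the element it resolves to."""
    root = ET.fromstring(xml_text)
    return {i: element_path(root, find_by_wsu_id(root, i))
            for i in signed_reference_ids(root)}


def check_signed_locations(xml_text, expected):
    """Compare where each signed element is against where the endpoint
    requires it (expected maps wsu:Id -> path).  Returns a list of
    problems; an empty list means every expectation was met."""
    actual = signed_element_locations(xml_text)
    problems = []
    for wsu_id, want in expected.items():
        got = actual.get(wsu_id)
        if got is None:
            problems.append("%s: not covered by any ds:Reference" % wsu_id)
        elif got != want:
            problems.append("%s: signed element at %s, expected %s"
                            % (wsu_id, got, want))
    return problems


# Assumed policy for the example: the element signed as "id-1" must be the
# Body sitting directly under the Envelope.
EXPECTED = {"id-1": "/%s/%s[1]" % (clark(SOAP_NS, "Envelope"),
                                   clark(SOAP_NS, "Body"))}

if __name__ == "__main__":
    for name, msg in (("honest", HONEST), ("wrapped", WRAPPED)):
        print(name, check_signed_locations(msg, EXPECTED) or "ok")
```

Both messages resolve "#id-1" to an s:Body element, which is why a check that stops at "the referenced element verified" accepts the wrapped one; only the path comparison reports that the signed Body is under Header/fooHeader rather than directly under the Envelope. A positional index is kept in the path so that a second element with the same name cannot be slipped in beside the expected one.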
