ws-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Xml-Signature wrapping
Date Tue, 19 Jun 2012 10:53:51 GMT
Hi Massimiliano,

WSS4J does not enforce that certain elements in a request must be signed or
encrypted; that's the job of the calling code. So for example, if a CXF
endpoint has a WS-SecurityPolicy requirement that the SOAP Body must be
signed, then your sample altered request will fail at that stage.

Colm.

On Tue, Jun 19, 2012 at 11:28 AM, massimiliano.masi@gmail.com <massimiliano.masi@gmail.com> wrote:

> Hello All,
>
> I am trying to write a code against XML-Signature wrapping.
>
> The attached XML is validating, but it shouldn't (the signature was made
> on the correct XML, where I switched the body) :-)
>
> I was trying to use the w3c's best practice #14, which is described in
>
> http://domino.research.ibm.com/library/cyberdig.nsf/papers/73053F26BFE5D1D385257067004CFD80/$File/rc23691.pdf
>
> How can I do that easily with wss4j?
>
> Thanks a lot!
>
> <?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
>   <s:Header>
>     <wsse:Security s:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>       <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-5ED3F58FF83785A1E613401010446741">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</wsse:BinarySecurityToken>
>       <ds:Signature Id="SIG-2" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces PrefixList="s" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#id-1">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces PrefixList="" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>mjUU4XkDWH4O/mdFHz65/e5C6hw=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>OZBdrJ4ucWbfdTJIFd6thEtyaBH3OshqVHEmPDlaaoqFXqD4dHJCUWR9KMjcJ1gozFEe1aVM4Ju7
> w2jJdSa4CKLgX2xf5dIdUkoH1+ck68hYBT7zfYj3sivctxRwLh2PwuI8qTrUB2ya1vw5X9vsPp2z
> f0nfnO3NoOHScDa1ZcI=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-5ED3F58FF83785A1E613401010446952">
>           <wsse:SecurityTokenReference wsu:Id="STR-5ED3F58FF83785A1E613401010446963">
>             <wsse:Reference URI="#X509-5ED3F58FF83785A1E613401010446741" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>     <fooHeader>
>       <s:Body wsu:Id="id-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>         <ns1:sampleValue xmlns:ns1="urn:tiani-spirit:test">
> this is a value
> </ns1:sampleValue>
>       </s:Body>
>     </fooHeader>
>   </s:Header>
>   <Body xmlns="http://www.w3.org/2003/05/soap-envelope">
>     <sampleValue xmlns="urn:tiani-spirit:test">This is another one, FAKED</sampleValue>
>   </Body>
> </s:Envelope>
>
> --
> Massimiliano Masi
>
> http://www.mascanc.net/~max
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
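Colm's point is that signature verification alone says nothing about *where* the signed element sits. The following Python is an added illustration of the structural check the calling code has to do, not WSS4J's or CXF's own code: once the signature over `#id-1` has verified, it resolves the `wsu:Id` itself and accepts the message only if the referenced element is the Body directly under the Envelope. It assumes the signature was already checked and uses a constructed, shortened copy of the envelope quoted above (the `<v>` payload element and the helper names are placeholders).

```python
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

def body_reference_is_genuine(envelope_xml: str) -> bool:
    """True only if a ds:Reference resolves to the Body that sits directly
    under the Envelope, i.e. the one the service will dispatch on. Run this
    after the signature itself has verified; it does no cryptography."""
    root = ET.fromstring(envelope_xml)
    if root.tag != f"{{{SOAP}}}Envelope":
        return False
    real_body = root.find(f"{{{SOAP}}}Body")  # direct child only, by design
    if real_body is None:
        return False
    body_covered = False
    for ref in root.iterfind(f".//{{{DS}}}SignedInfo/{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return False  # only same-document Id references are accepted
        # Resolve wsu:Id by hand: a wrapped copy keeps the signed Id, so a
        # plain Id lookup would happily hand back the relocated element.
        targets = [e for e in root.iter() if e.get(f"{{{WSU}}}Id") == uri[1:]]
        if len(targets) != 1:
            return False  # a missing or duplicated Id is itself a red flag
        target = targets[0]
        if target is real_body:
            body_covered = True
        elif target.tag == f"{{{SOAP}}}Body":
            return False  # a Body was signed, but not the one under Envelope
    return body_covered

def make_envelope(header_extra: str, body: str) -> str:
    """Constructed, shortened version of the envelope quoted in the thread."""
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:ds="{DS}" xmlns:wsu="{WSU}">'
            f'<s:Header><wsse:Security xmlns:wsse="{WSSE}">'
            '<ds:Signature><ds:SignedInfo><ds:Reference URI="#id-1"/>'
            '</ds:SignedInfo></ds:Signature></wsse:Security>'
            f'{header_extra}</s:Header>{body}</s:Envelope>')

SIGNED_BODY = '<s:Body wsu:Id="id-1"><v>this is a value</v></s:Body>'
GENUINE = make_envelope("", SIGNED_BODY)
# Signed Body moved under a bogus header; an unsigned Body takes its place.
WRAPPED = make_envelope(f"<fooHeader>{SIGNED_BODY}</fooHeader>",
                        "<s:Body><v>This is another one, FAKED</v></s:Body>")
```

In a CXF deployment the same requirement is expressed declaratively through WS-SecurityPolicy, as Colm suggests; the function above is the equivalent check for code that calls WSS4J directly.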
