ws-users mailing list archives

From "massimiliano.masi@gmail.com" <massimiliano.m...@gmail.com>
Subject Re: Xml-Signature wrapping
Date Tue, 19 Jun 2012 11:21:59 GMT
Hi,

Thanks for your answer! :) That covers the case of the SOAP Body; what about
another element in the SOAP tree?

The idea of having XPath references in the ds:Transform keeps the semantics of
the signature tied to the structure of the XML document. Do you know if there
is a way to add such an XPath property to the ds:Transform without creating a
custom signature processor?

Ciao,

    Massi

On Tue, Jun 19, 2012 at 12:53 PM, Colm O hEigeartaigh
<coheigea@apache.org> wrote:

> Hi Massimiliano,
>
> WSS4J does not enforce that certain elements in a request must be signed
> or encrypted, that's the job of the calling code. So for example, if a CXF
> endpoint has a WS-SecurityPolicy requirement that the SOAP Body must be
> signed, then your sample altered request will fail at that stage.
>
> Colm.
>
>
> On Tue, Jun 19, 2012 at 11:28 AM, massimiliano.masi@gmail.com <
> massimiliano.masi@gmail.com> wrote:
>
>> Hello All,
>>
>> I am trying to write code against XML-Signature wrapping.
>>
>> The attached XML validates, but it shouldn't (the signature was made
>> on the correct XML, where I switched the body) :-)
>>
>> I was trying to use the W3C's best practice #14, which is described in
>>
>> http://domino.research.ibm.com/library/cyberdig.nsf/papers/73053F26BFE5D1D385257067004CFD80/$File/rc23691.pdf
>>
>> How can I do that easily with WSS4J?
>>
>> Thanks a lot!
>>
>> <?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
>> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
>>   <s:Header>
>>     <wsse:Security s:mustUnderstand="true"
>>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>       <wsse:BinarySecurityToken
>>           EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>>           ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>>           wsu:Id="X509-5ED3F58FF83785A1E613401010446741">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</wsse:BinarySecurityToken>
>>       <ds:Signature Id="SIG-2" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>         <ds:SignedInfo>
>>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>             <ec:InclusiveNamespaces PrefixList="s" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>           </ds:CanonicalizationMethod>
>>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>           <ds:Reference URI="#id-1">
>>             <ds:Transforms>
>>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>                 <ec:InclusiveNamespaces PrefixList="" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>               </ds:Transform>
>>             </ds:Transforms>
>>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>             <ds:DigestValue>mjUU4XkDWH4O/mdFHz65/e5C6hw=</ds:DigestValue>
>>           </ds:Reference>
>>         </ds:SignedInfo>
>>         <ds:SignatureValue>OZBdrJ4ucWbfdTJIFd6thEtyaBH3OshqVHEmPDlaaoqFXqD4dHJCUWR9KMjcJ1gozFEe1aVM4Ju7
>> w2jJdSa4CKLgX2xf5dIdUkoH1+ck68hYBT7zfYj3sivctxRwLh2PwuI8qTrUB2ya1vw5X9vsPp2z
>> f0nfnO3NoOHScDa1ZcI=</ds:SignatureValue>
>>         <ds:KeyInfo Id="KI-5ED3F58FF83785A1E613401010446952">
>>           <wsse:SecurityTokenReference wsu:Id="STR-5ED3F58FF83785A1E613401010446963">
>>             <wsse:Reference URI="#X509-5ED3F58FF83785A1E613401010446741"
>>                 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>>           </wsse:SecurityTokenReference>
>>         </ds:KeyInfo>
>>       </ds:Signature>
>>     </wsse:Security>
>>     <fooHeader>
>>       <s:Body wsu:Id="id-1"
>>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>         <ns1:sampleValue xmlns:ns1="urn:tiani-spirit:test">
>> this is a value
>> </ns1:sampleValue>
>>       </s:Body>
>>     </fooHeader>
>>   </s:Header>
>>   <Body xmlns="http://www.w3.org/2003/05/soap-envelope">
>>     <sampleValue xmlns="urn:tiani-spirit:test">This is another one, FAKED</sampleValue>
>>   </Body>
>> </s:Envelope>
>>
>>
>>
>>
>> --
>> Massimiliano Masi
>>
>> http://www.mascanc.net/~max
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>


-- 
Massimiliano Masi

http://www.mascanc.net/~max
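The structural check this thread is circling ("see what is signed": after the cryptographic verification has passed, make sure the element each ds:Reference resolves to is the element the application will actually process, not merely something carrying the right wsu:Id) as an added example. It is not part of the original thread and not WSS4J or CXF code; it is written with the Python standard library rather than Java so it can be run anywhere, and it assumes the signature value and digests have already been verified by whatever stack is in use. The two envelopes are constructed to mirror the posted message, with the certificate, digest and signature values left out since they play no part in the structural check.

```python
"""Structural "see what is signed" check against XML Signature wrapping.

Added example, not WSS4J code. Runs after the ds:Signature has been
cryptographically verified: resolves every ds:Reference by Id, rejects
duplicate Ids, and accepts only if the real SOAP Body (the direct child of
Envelope) is itself among the signed elements.
"""
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed sample mirroring the thread's message: the signed Body was moved
# under a bogus <fooHeader> and an unsigned Body put in its place.
WRAPPED = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}"
  xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <s:Header>
    <wsse:Security s:mustUnderstand="true">
      <ds:Signature Id="SIG-2">
        <ds:SignedInfo><ds:Reference URI="#id-1"/></ds:SignedInfo>
      </ds:Signature>
    </wsse:Security>
    <fooHeader>
      <s:Body wsu:Id="id-1"><v xmlns="urn:tiani-spirit:test">this is a value</v></s:Body>
    </fooHeader>
  </s:Header>
  <s:Body><v xmlns="urn:tiani-spirit:test">This is another one, FAKED</v></s:Body>
</s:Envelope>"""

# Constructed sample: the honest message the signature was computed over.
HONEST = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}"
  xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <s:Header>
    <wsse:Security s:mustUnderstand="true">
      <ds:Signature Id="SIG-2">
        <ds:SignedInfo><ds:Reference URI="#id-1"/></ds:SignedInfo>
      </ds:Signature>
    </wsse:Security>
  </s:Header>
  <s:Body wsu:Id="id-1"><v xmlns="urn:tiani-spirit:test">this is a value</v></s:Body>
</s:Envelope>"""

# Constructed variant: a second element reuses the referenced Id, so the
# reference is ambiguous and must be rejected rather than "first match wins".
DUPLICATE_ID = HONEST.replace("<s:Header>", '<s:Header><x wsu:Id="id-1"/>')


def signed_body_is_real_body(envelope_xml):
    """Return (ok, reason). ok is True only when every ds:Reference resolves
    to exactly one element and the Envelope/Body element is one of them."""
    root = ET.fromstring(envelope_xml)
    # The element the application will process: Body directly under Envelope.
    real_body = root.find(f"{{{SOAP}}}Body")
    if real_body is None:
        return False, "no Envelope/Body"
    # Index every wsu:Id and plain Id; a duplicate is itself a wrapping sign.
    by_id = {}
    for el in root.iter():
        for attr in (f"{{{WSU}}}Id", "Id"):
            if attr in el.attrib:
                by_id.setdefault(el.attrib[attr], []).append(el)
    refs = root.findall(f".//{{{DS}}}Reference")
    if not refs:
        return False, "no ds:Reference"
    signed = []
    for ref in refs:
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return False, f"unsupported reference {uri!r}"
        targets = by_id.get(uri[1:], [])
        if len(targets) != 1:
            return False, f"{len(targets)} elements carry Id {uri[1:]!r}"
        signed.append(targets[0])
    # Identity, not Id: the signed element must be the very Body we process.
    if not any(el is real_body for el in signed):
        return False, "Envelope/Body is not among the signed elements (wrapping)"
    return True, "Envelope/Body is signed in place"


if __name__ == "__main__":
    for name, doc in (("wrapped", WRAPPED), ("honest", HONEST),
                      ("duplicate-id", DUPLICATE_ID)):
        print(name, signed_body_is_real_body(doc))
```

The check is deliberately independent of the Transforms in the reference: whatever the canonicalisation, the question it answers is whether the Id resolved to the position the application reads. A WS-SecurityPolicy "Body must be signed" assertion, as Colm mentions, covers the same ground for the Body; the identity comparison is what generalises it to any other element you pick out of the tree by position.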
