ws-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Issue because elements within signedParts list are not optional
Date Fri, 25 Oct 2013 12:55:47 GMT
Hi Kai,

Rather than using CXF's WSS4JOutInterceptor, you need to use
WS-SecurityPolicy instead. When WSS4J is configured in this way, any
SignedParts element will only be signed if it exists in the message.

Colm.


On Fri, Oct 25, 2013 at 1:35 PM, Kai Rommel <krommel2010@googlemail.com> wrote:

> Hi,
> I am trying to consume a WebService which requires WSRM and that the SOAP
> headers are signed.
>
> So I listed in the configuration of the interceptor
> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor of the cxf endpoint
> the elements to sign:
> <entry key="signatureParts"
>        value="{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}To;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}ReplyTo;
> ....
>
> Doing so leads to a successful CreateSequence message sent to the
> WS-Provider, which answers with a CreateSequenceResponse.
> But now the cxf WS-Consumer endpoint tries to sign the One-Way message.
> This message does not have the header "ReplyTo", and an exception is thrown
> in the class org.apache.ws.security.message.WSSecSignatureBase
>
> It is in line 159, where the elementsToSign are checked.
>
> In the specification
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826512
> the following is stated: "Note that this assertion does not require that a given part
> appear in a message, just that if such a part appears, it requires
> integrity protection."
>
> Is there a possibility to change the wss4j implementation so that only
> those elements of the SignedParts configuration are signed which are
> available in the message (and not to throw an exception for the elements
> which are not available)? Or am I wrong with my interpretation?
> If there is another possibility to configure it, please let me know.
>
> Best regards
> Kai
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
