ws-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Issue because elements within signedParts list are not optional
Date Wed, 06 Nov 2013 15:16:41 GMT
In WSS4J 2.0, there is/will be an "Optional" signatureParts configuration
that won't throw an exception if it doesn't encounter the Element to sign.

Colm.


On Wed, Nov 6, 2013 at 3:13 PM, Kai Rommel <krommel2010@googlemail.com> wrote:

> Hi Colm,
> thanks for the information. I used WS-SecurityPolicy and I do not get the
> exception. I am wondering whether there will be a fix for WSS4J to align
> the behaviour, or is it recommended not to use WSS4JOutInterceptor but to
> use WS-SecurityPolicy in the future.
> Thanks.
> Best regards
> Kai
>
>
> 2013/10/25 Colm O hEigeartaigh <coheigea@apache.org>
>
>> Hi Kai,
>>
>> Rather than using CXF's WSS4JOutInterceptor, you need to use
>> WS-SecurityPolicy instead. When WSS4J is configured in this way, any
>> SignedParts Element will only be signed if they exist in the message.
>>
>> Colm.
>>
>>
>> On Fri, Oct 25, 2013 at 1:35 PM, Kai Rommel <krommel2010@googlemail.com> wrote:
>>
>>> Hi,
>>> I am trying to consume a WebService which requires WSRM and that the
>>> SOAP headers are signed.
>>>
>>> So I listed in the configuration of the interceptor
>>> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor of the cxf endpoint
>>> the elements to sign:
>>>  <entry key="signatureParts"
>>>         value="{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}To;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}ReplyTo;
>>> ....
>>>
>>> Doing so leads to a successful CreateSequence message send to the
>>> WS-Provider, which answers with a CreateSequenceResponse.
>>> But now the cxf WS-Consumer endpoint tries to sign the One-Way message.
>>> This message does not have the header "ReplyTo", and an exception is thrown
>>> in the class org.apache.ws.security.message.WSSecSignatureBase
>>>
>>> It is at line 159, where the elementsToSign are checked.
>>>
>>> In the specification
>>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826512
>>> the following is stated: "Note that this assertion does not require that a given part
>>> appear in a message, just that if such a part appears, it requires
>>> integrity protection."
>>>
>>> Is there a possibility to change the wss4j implementation so that only
>>> these elements of the SignedParts configuration are signed, which are
>>> available in the message (and not to throw an exception for the elements,
>>> which are not available)? Or am I wrong with my interpretation?
>>> If there is another possibility to configure it, please let me know.
>>>
>>> Best regards
>>>  Kai
>>>
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
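To make the two behaviours discussed in this thread concrete, here is an added Python model (it is not WSS4J's or CXF's code) that parses the signatureParts syntax from Kai's configuration and selects the header elements to sign from a SOAP envelope. Strict mode treats a listed part that is missing from the message as an error, which is what Kai observed with WSS4JOutInterceptor; optional mode signs only the parts that are present, which is what the quoted WS-SecurityPolicy text and the "Optional" configuration in Colm's reply describe. The two envelopes (a CreateSequence request with both headers and a one-way message without ReplyTo) are constructed for the example; only the element selection is modelled, no XML Signature is produced.

```python
import xml.etree.ElementTree as ET

# Namespaces used in the thread's configuration and in the constructed envelopes.
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# The two signatureParts entries from Kai's interceptor configuration.
SIGNATURE_PARTS = f"{{Element}}{{{WSA}}}To;{{Element}}{{{WSA}}}ReplyTo;"

# Constructed sample messages (not captured traffic): the CreateSequence request
# carries both WS-Addressing headers, the later one-way message has no ReplyTo.
CREATE_SEQUENCE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsa="{WSA}">
  <soap:Header>
    <wsa:To>http://provider.example/service</wsa:To>
    <wsa:ReplyTo><wsa:Address>http://consumer.example/reply</wsa:Address></wsa:ReplyTo>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""

ONE_WAY = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsa="{WSA}">
  <soap:Header>
    <wsa:To>http://provider.example/service</wsa:To>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


class MissingPartError(Exception):
    """Raised in strict mode when a listed part is absent from the message."""


def parse_signature_parts(spec):
    """Split a WSS4J-style '{modifier}{namespace}LocalName;...' string into
    (modifier, namespace, local_name) tuples. The modifier may be empty ('{}');
    it is kept as written here, WSS4J applies its own default in that case."""
    parts = []
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        if not item.startswith("{") or item.count("{") < 2:
            raise ValueError(f"malformed signature part: {item!r}")
        mod_end = item.index("}")
        modifier = item[1:mod_end]
        rest = item[mod_end + 1:]
        if not rest.startswith("{"):
            raise ValueError(f"malformed signature part: {item!r}")
        ns_end = rest.index("}")
        namespace, local_name = rest[1:ns_end], rest[ns_end + 1:]
        if not local_name:
            raise ValueError(f"missing local name in part: {item!r}")
        parts.append((modifier, namespace, local_name))
    return parts


def select_parts(envelope_xml, parts, optional=False):
    """Return (elements_to_sign, skipped_qnames).
    optional=False reproduces the strict behaviour the thread describes for
    WSS4JOutInterceptor: a listed part missing from the message is an error.
    optional=True models the WS-SecurityPolicy SignedParts semantics quoted
    from the spec: a part is signed only if it appears in the message."""
    root = ET.fromstring(envelope_xml)
    to_sign, skipped = [], []
    for _modifier, namespace, local_name in parts:
        qname = f"{{{namespace}}}{local_name}" if namespace else local_name
        matches = list(root.iter(qname))
        if not matches:
            if not optional:
                raise MissingPartError(f"element to sign not found: {qname}")
            skipped.append(qname)
            continue
        to_sign.extend(matches)
    return to_sign, skipped


def outcome(envelope_xml, spec, optional=False):
    """Summarise what the sender would do with a message: either
    ('signed', [signed local names], [skipped local names]) or
    ('rejected', error message) when strict mode hits a missing part."""
    parts = parse_signature_parts(spec)
    try:
        to_sign, skipped = select_parts(envelope_xml, parts, optional)
    except MissingPartError as err:
        return ("rejected", str(err))

    def local(tag):
        return tag.rsplit("}", 1)[-1]

    return ("signed", [local(e.tag) for e in to_sign], [local(q) for q in skipped])


if __name__ == "__main__":
    for name, env in (("CreateSequence", CREATE_SEQUENCE), ("one-way", ONE_WAY)):
        for optional in (False, True):
            mode = "optional" if optional else "strict"
            print(f"{name:15s} {mode:8s} -> {outcome(env, SIGNATURE_PARTS, optional)}")
```

Running it shows the CreateSequence message signed in both modes, while the one-way message is rejected in strict mode and signed with only the To header in optional mode. Note that optional mode only changes what the sender does; whether the receiver accepts a message without a signed ReplyTo is still decided by the receiver's own policy.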
