From Kai Rommel <krommel2...@googlemail.com>
Subject Re: Issue because elements within signedParts list are not optional
Date Wed, 06 Nov 2013 15:13:13 GMT
Hi Colm,
thanks for the information. I used WS-SecurityPolicy and I do not get the
exception. I am wondering whether there will be a fix for WSS4J to align
the behaviour, or is it recommended not to use WSS4JOutInterceptor but to
use WS-SecurityPolicy in the future.
Thanks.
Best regards
Kai


2013/10/25 Colm O hEigeartaigh <coheigea@apache.org>

> Hi Kai,
>
> Rather than using CXF's WSS4JOutInterceptor, you need to use
> WS-SecurityPolicy instead. When WSS4J is configured in this way, any
> SignedParts Element will only be signed if they exist in the message.
>
> Colm.
>
>
> On Fri, Oct 25, 2013 at 1:35 PM, Kai Rommel <krommel2010@googlemail.com> wrote:
>
>> Hi,
>> I am trying to consume a WebService which requires WSRM and that the SOAP
>> headers are signed.
>>
>> So I listed in the configuration of the interceptor
>> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor of the cxf endpoint
>> the elements to sign:
>>   <entry key="signatureParts"
>>          value="{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}To;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}ReplyTo;
>> ....
>>
>> Doing so leads to a successful CreateSequence message sent to the
>> WS-Provider, which answers with a CreateSequenceResponse.
>> But now the cxf WS-Consumer endpoint tries to sign the One-Way message.
>> This message does not have the header "ReplyTo", and an exception is thrown
>> in the class org.apache.ws.security.message.WSSecSignatureBase
>>
>> It is in line 159, where the elementsToSign are checked.
>>
>> In the specification
>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826512
>> the following is stated: "Note that this assertion does not require that a given part
>> appear in a message, just that if such a part appears, it requires
>> integrity protection."
>>
>> Is there a possibility to change the wss4j implementation so that only
>> those elements of the SignedParts configuration are signed which are
>> available in the message (and not to throw an exception for the elements
>> which are not available)? Or am I wrong with my interpretation?
>> If there is another possibility to configure it, please let me know.
>>
>> Best regards
>>  Kai
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
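As an added example (not code from this thread, CXF or WSS4J), the two behaviours compared above are modelled in Python over a constructed one-way envelope: strict mode fails when a configured part is absent, as reported for the interceptor, while policy mode follows the quoted WS-SecurityPolicy text and signs only the parts that appear; the wsu:Id values and the receiver-side check are assumptions.

```python
# Added example, not from the CXF/WSS4J thread. Models the two SignedParts
# behaviours discussed above over a constructed CreateSequence/one-way envelope.
import xml.etree.ElementTree as ET

WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Same parts as the signatureParts entry in the thread: wsa:To and wsa:ReplyTo.
SIGNED_PARTS = [(WSA, "To"), (WSA, "ReplyTo")]

# Constructed one-way message: it carries wsa:To but no wsa:ReplyTo header.
# The wsu:Id values are assumptions, chosen only so parts can be referenced.
ONE_WAY_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsa="{WSA}" xmlns:wsu="{WSU}">
  <soap:Header>
    <wsa:To wsu:Id="id-to">http://provider.example/service</wsa:To>
    <wsa:Action wsu:Id="id-action">urn:example:oneway</wsa:Action>
  </soap:Header>
  <soap:Body wsu:Id="id-body"><Notify xmlns="urn:example"/></soap:Body>
</soap:Envelope>"""

def find_parts(envelope_xml, parts):
    """Return {(ns, local): wsu:Id or None} for each configured header part."""
    header = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Header")
    found = {}
    for ns, local in parts:
        el = header.find(f"{{{ns}}}{local}") if header is not None else None
        found[(ns, local)] = el.get(f"{{{WSU}}}Id") if el is not None else None
    return found

def parts_to_sign(envelope_xml, parts, strict):
    """strict=True: fail when a configured part is absent (the interceptor
    behaviour reported in the thread). strict=False: WS-SecurityPolicy
    semantics, sign only the parts that are present in the message."""
    found = find_parts(envelope_xml, parts)
    missing = [f"{{{ns}}}{local}" for (ns, local), id_ in found.items() if id_ is None]
    if strict and missing:
        raise ValueError(f"configured signature parts not present: {missing}")
    return [id_ for id_ in found.values() if id_ is not None]

def unsigned_present_parts(envelope_xml, parts, signed_ids):
    """Receiver-side check matching the spec text quoted in the thread: every
    configured part that does appear must be covered by the signature;
    absent parts are not an error. Returns the parts that violate this."""
    found = find_parts(envelope_xml, parts)
    return [f"{{{ns}}}{local}" for (ns, local), id_ in found.items()
            if id_ is not None and id_ not in set(signed_ids)]
```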
