ws-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: WS Security with attachment encryption
Date Tue, 28 Jun 2016 08:50:57 GMT
"Element" refers to the entire Element, whereas "Content" refers to the
content of the Element. So obviously, if you are encrypting the SOAP Body,
you only want to encrypt the "Content" and not the "Element", as otherwise
the "soap:Body" part gets encrypted and the result is not a valid SOAP
message. With Signature, you might as well sign the entire Element, as the
result is still a valid SOAP message.

Colm.

On Mon, Jun 27, 2016 at 11:32 AM, Kai Rommel <krommel2010@googlemail.com>
wrote:

> Hello Colm,
>
> thanks. My configuration was wrong. I configured:
>
> <entry key="encryptionParts" value="{Element}{
> http://schemas.xmlsoap.org/soap/envelope/}Body; {}cid:Attachments" />
> I oriented myself on https://ws.apache.org/wss4j/attachments.html
>
> Now I am using (like in your test):
>
>  <entry key="encryptionParts" value="{}{
> http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}cid:Attachments;">
>
> and it works fine.
>
> The documentation states {}cid:Attachments. Maybe it can be updated to
> {Element}cid:Attachments.
>
>
> Is there an special reason, why I have to use in signatureParts {Element}{
> http://schemas.xmlsoap.org/soap/envelope/}Body and in encryptionParts {}{
> http://schemas.xmlsoap.org/soap/envelope/}Body?
>
> Thanks.
>
> Best regards
>
> Kai
>
>
>
>
>
>
>
> 2016-06-27 12:10 GMT+02:00 Colm O hEigeartaigh <coheigea@apache.org>:
>
>> I can't reproduce...I added a similar test to CXF and it works fine:
>>
>> https://git1-us-west.apache.org/repos/asf?p=cxf.git;a=commit;h=0eafb7f8
>>
>> Colm.
>>
>> On Mon, Jun 27, 2016 at 10:02 AM, Kai Rommel <krommel2010@googlemail.com>
>> wrote:
>>
>>> Hello Colm,
>>>
>>> I configured a WS-Consumer with WS-Security.
>>> Works fine for body encryption, when message is send to WS-Provider. The
>>> soap envelope contains beside soap header also soap body:
>>>
>>> ...</wsse:Security></soap:Header><soap:Body xmlns:wsu="
>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>> wsu:Id="id-f2366587-d90a-44c5-9b03-22dccc6a177d"><xenc:EncryptedData .....
>>>
>>>
>>> Now I enhanced my scenario by encrypting attachments, too.
>>> My WSS4J Interceptor looks like this:
>>> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
>>>  id="Sign_Request">
>>>  <constructor-arg>
>>>      <map>
>>>          <entry key="action" value="Timestamp Signature Encrypt" />
>>>          <entry key="user" value="wss" />
>>>          <entry key="signatureUser" value="wss" />
>>>          <entry key="signaturePropFile" value="jks/client.properties" />
>>>          <entry key="signatureKeyIdentifier" value="DirectReference" />
>>>          <entry key="passwordCallbackClass"
>>> value="demo.ws_rm.client.CallBack" />
>>>          <!-- with attachments -->
>>>          <entry key="signatureParts"
>>>              value="{}cid:Attachments;
>>>              {Element}{
>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp
>>> ;
>>>              {Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>>>          <entry key="encryptionUser" value="wss" />
>>>          <entry key="encryptionPropFile" value="jks/client.properties" />
>>>          <entry key="encryptionParts"
>>>           value="{Element}{
>>> http://schemas.xmlsoap.org/soap/envelope/}Body; {}cid:Attachments" />
>>>      </map>
>>>  </constructor-arg>
>>> </bean>
>>>
>>> Now the soap:body is missing in the soap:envelope. Header element is
>>> closed, but body not opened
>>> ...</wsse:Security></soap:Header><xenc:EncryptedData xmlns:....
>>>
>>> Attachments are encrypted fine. But message can not be decrypted on
>>> WS-Provider side, because of missing body element.
>>>
>>> I am using cxf 3.2.0-SNAPSHOT and wss4j 2.2.0-SNAPSHOT.
>>>
>>> Are you able to reproduce the error, or is my WSS4J interceptor
>>> configuration wrong?
>>>
>>> Thanks for your help.
>>>
>>> Best regards
>>> Kai
>>>
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Mime
View raw message