You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@cxf.apache.org by "Morris Jr, David P" <da...@lmco.com> on 2011/03/03 18:52:50 UTC

RE: EXTERNAL: Re: Wsse digital signature - how to sign the ds:timestamp and not the soap body

Yes that worked. Thanks for the quick response!

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Thursday, March 03, 2011 12:02 PM
To: users@cxf.apache.org
Subject: EXTERNAL: Re: Wsse digital signature - how to sign the ds:timestamp and not the soap body

The best way to configure WS-Security in CXF is via WS-SecurityPolicy.
However, you can sign the timestamp instead using spring by adding a
property like this:

<property name="signatureParts"
value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp"/>

Colm.


On Thu, Mar 3, 2011 at 4:51 PM, Morris Jr, David P
<da...@lmco.com> wrote:
> I noticed that the digital signature signs the soap body by default. Using SOAPUI and changing the request message in the soap body.
>
> Question: How do I specify in CXF to sign the digital timestamp instead? This is to prevent replay attacks. I assume there is a property setting in CXF+Spring that I need to set.
>
> I'm still researching...
>
> Thanks!
>
> Dave
>