Posted to users@cxf.apache.org by Alx <ot...@gmail.com> on 2015/04/02 13:49:14 UTC

Signing of UsernameToken element with WS-SecurityPolicy and CXF

I have a requirement from my client for the signature to contain the
UsernameToken element. According to the rest of his requirements the
security policy I am using is the following:

<wsp:Policy wsu:Id="SecurityServiceSignThenEncryptPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
      <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
            <wsp:Policy>
              <sp:NoPassword />
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SupportingTokens>
      <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:NoPassword />
                </wsp:Policy>
              </sp:UsernameToken>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientSignatureToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientSignatureToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256Sha256 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:SignedParts>
        <sp:Body />
        <sp:Header Namespace="http://www.w3.org/2005/08/addressing" />
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>


The above works correctly for me. The only thing that I could not sign is
the UsernameToken. I tried using:

<sp:SignedElements>
  <sp:XPath xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">/soap:Envelope/soap:Header/wsse:Security/wsse:UsernameToken/wsse:Username</sp:XPath>
</sp:SignedElements>

which did not seem to work.

Trying to debug, I see that the SignedElementsBuilder class is accessed, but
I am not sure where to debug next, i.e. where the signing should occur.

Any help will be appreciated.

Alex

Re: Signing of UsernameToken element with WS-SecurityPolicy and CXF

Posted by Alx <ot...@gmail.com>.
OK, then this definitely did not work. I will try to get back to you on
Monday with a test case. Oh, and I'm using WildFly 8.0.2, which I believe
uses CXF version 2.7.13?

On Friday, April 3, 2015, Colm O hEigeartaigh <co...@apache.org> wrote:

> > Unfortunatelly i m out of the office at the moment so I cannot provide a
> > test case. Do you mean I still need the SignedElements part?
> >
>
>
> No. Change "SupportingTokens" to "SignedSupportingTokens" in your original
> policy, no SignedElements is required here.
>
> Colm.

Re: Signing of UsernameToken element with WS-SecurityPolicy and CXF

Posted by Colm O hEigeartaigh <co...@apache.org>.
> Unfortunatelly i m out of the office at the moment so I cannot provide a
> test case. Do you mean I still need the SignedElements part?
>


No. Change "SupportingTokens" to "SignedSupportingTokens" in your original
policy, no SignedElements is required here.

Colm.





-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
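The change Colm describes, shown side by side as an added example (editor's illustration, not a fragment posted in the thread): the original SupportingTokens assertion and its SignedSupportingTokens form. The body of the assertion is identical; only the wrapper changes. With plain SupportingTokens the UsernameToken is merely attached to the message and nothing in the ds:Signature covers it, so its content can be altered in transit without invalidating the signature. With SignedSupportingTokens the sender must add a ds:Reference to the token's wsu:Id in the signature produced by the AsymmetricBinding, and the receiver's policy validation fails if that reference is absent; with NoPassword, that binding to the signing key is the only thing that authenticates the username claim at all. The thread's policy sets sp:IncludeToken to Never on this token; the example uses AlwaysToRecipient, the usual value for a client-supplied UsernameToken, because a token the recipient must find a signature reference for has to be present in the message. Treat that value as the editor's choice, not something the thread settled.

```xml
<!-- Before: token present, but not bound to the message signature. -->
<sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:NoPassword />
      </wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy>
</sp:SupportingTokens>

<!-- After: the whole wsse:UsernameToken element must be referenced by the
     ds:Signature that the AsymmetricBinding produces. No SignedElements
     assertion is needed, and no XPath to wsse:Username. -->
<sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:NoPassword />
      </wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy>
</sp:SignedSupportingTokens>
```

Drop this in place of the SupportingTokens block inside the wsp:All of the original policy; the AsymmetricBinding and SignedParts sections stay as they are.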

Re: Signing of UsernameToken element with WS-SecurityPolicy and CXF

Posted by Alx <ot...@gmail.com>.
Unfortunately I'm out of the office at the moment, so I cannot provide a
test case. Do you mean I still need the SignedElements part? Because I have
removed it, and the token is signed when using what I mentioned. Either
way, I believe I have tried both Username and UsernameToken in the
SignedElements part without success. But I would have to check again when I
am back at the office on Monday.

On Friday, April 3, 2015, Colm O hEigeartaigh <co...@apache.org> wrote:

>
> I tried this before and the Username was still not signed. Only when I
>> used SignedEncryptedSupportingTokens the username is getting signed (and
>> not encrypted by the way, which is what I want at the moment). Probably I
>> am doing something wrong but this works for me now.
>>
>
> Any chance of a test-case? Both scenarios should work fine. By the way,
> the UsernameToken should be signed/encrypted, not just the "Username" part
> of it. What version of CXF are you using?
>
> Colm.
>

Re: Signing of UsernameToken element with WS-SecurityPolicy and CXF

Posted by Colm O hEigeartaigh <co...@apache.org>.
> I tried this before and the Username was still not signed. Only when I
> used SignedEncryptedSupportingTokens the username is getting signed (and
> not encrypted by the way, which is what I want at the moment). Probably I
> am doing something wrong but this works for me now.
>

Any chance of a test-case? Both scenarios should work fine. By the way, the
UsernameToken should be signed/encrypted, not just the "Username" part of
it. What version of CXF are you using?

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
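Colm's caveat above is the one a reviewer has to check on the wire: the signature must reference the whole wsse:UsernameToken element, not just its wsse:Username child. The following script is an added example (the editor's, not code from the thread, CXF or WSS4J) that answers that question for a captured message: it resolves every ds:Reference in the Security header's signature to the element carrying that wsu:Id and reports which of the elements the thread's policy requires signed (Body, Timestamp, every WS-Addressing header, the UsernameToken) are not covered. It checks coverage only; digest and signature verification is WSS4J's job inside CXF and the values in the sample are placeholders. The SOAP envelopes, the wsu:Id values (Body-1, TS-1, UT-1, UN-1 and so on), the service URL and the username are constructed for the example; a real wsse:Username would not normally carry a wsu:Id, it is given one here only so the "Username only" mistake can be demonstrated.

```python
"""Coverage check: which policy-required elements does the WS-Security signature reference?

Added example; not code from the thread or from CXF/WSS4J. Sample messages are
constructed inline and the DigestValue/SignatureValue contents are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def signed_elements(root):
    """Return the set of elements that the ds:Signature in wsse:Security references by wsu:Id."""
    by_id = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID) is not None}
    covered = set()
    path = "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"
    for ref in root.findall(path, NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("only same-document #id references are handled: %r" % uri)
        target = by_id.get(uri[1:])
        if target is None:
            # A reference to an Id that does not exist: the message is malformed, refuse it.
            raise ValueError("ds:Reference %r points at no wsu:Id in the message" % uri)
        covered.add(target)
    return covered


def uncovered(envelope_xml):
    """Names (prefix:local) of required elements that no ds:Reference covers, sorted.

    The required set mirrors the thread's policy: SignedParts (Body plus every
    WS-Addressing header present), IncludeTimestamp, and the UsernameToken of
    SignedSupportingTokens. A required element that is missing altogether is
    reported as uncovered as well.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    covered = signed_elements(root)
    wanted = {
        "soap:Body": root.find("soap:Body", NS),
        "wsu:Timestamp": header.find("wsse:Security/wsu:Timestamp", NS),
        "wsse:UsernameToken": header.find("wsse:Security/wsse:UsernameToken", NS),
    }
    wsa_prefix = "{%s}" % NS["wsa"]
    for child in header:
        if child.tag.startswith(wsa_prefix):
            wanted["wsa:" + child.tag[len(wsa_prefix):]] = child
    return sorted(name for name, el in wanted.items() if el is None or el not in covered)


def sample_envelope(signed_ids):
    """Constructed SOAP 1.1 request in the shape the thread's policy produces.

    signed_ids lists the wsu:Id values the ds:Signature references. The wsse:Username
    child carries a wsu:Id (UN-1) only so a signature over the child alone can be shown.
    """
    references = "".join(
        '<ds:Reference URI="#%s">'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        '<ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>' % i
        for i in signed_ids)
    return (
        '<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsa="%(wsa)s" xmlns:wsse="%(wsse)s" '
        'xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">'
        '<soap:Header>'
        '<wsa:Action wsu:Id="Action-1">urn:example:ping</wsa:Action>'
        '<wsa:To wsu:Id="To-1">http://service.example/ping</wsa:To>'
        '<wsse:Security soap:mustUnderstand="1">'
        '<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2015-04-03T12:00:00Z</wsu:Created>'
        '<wsu:Expires>2015-04-03T12:05:00Z</wsu:Expires></wsu:Timestamp>'
        '<wsse:UsernameToken wsu:Id="UT-1"><wsse:Username wsu:Id="UN-1">alice</wsse:Username>'
        '</wsse:UsernameToken>'
        '<ds:Signature><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        '%(refs)s</ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>'
        '</ds:Signature></wsse:Security></soap:Header>'
        '<soap:Body wsu:Id="Body-1"><ping/></soap:Body></soap:Envelope>'
    ) % dict(NS, refs=references)


if __name__ == "__main__":
    cases = [
        ("SignedSupportingTokens", ["Body-1", "TS-1", "Action-1", "To-1", "UT-1"]),
        ("plain SupportingTokens", ["Body-1", "TS-1", "Action-1", "To-1"]),
        ("Username child only", ["Body-1", "TS-1", "Action-1", "To-1", "UN-1"]),
    ]
    for label, ids in cases:
        print("%-24s uncovered: %s" % (label, uncovered(sample_envelope(ids)) or "none"))
```

To run it against a real message rather than the constructed ones, capture the outbound request (CXF's LoggingOutInterceptor prints it) and pass the envelope text to uncovered(). The third case is the failure mode Colm points out: a reference to UN-1 alone leaves wsse:UsernameToken itself uncovered, so the check still reports it.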

Re: Signing of UsernameToken element with WS-SecurityPolicy and CXF

Posted by Alx <ot...@gmail.com>.
Hi Colm,

I tried this before and the Username was still not signed. Only when I used
SignedEncryptedSupportingTokens did the Username get signed (and not
encrypted, by the way, which is what I want at the moment). Probably I am
doing something wrong, but this works for me now.

Thanks for the feedback!

Alex

On Fri, Apr 3, 2015 at 4:33 PM, Colm O hEigeartaigh <co...@apache.org>
wrote:

> Simply change "SupportingTokens" to "SignedSupportingTokens".
>
> Colm.

Re: Signing of UsernameToken element with WS-SecurityPolicy and CXF

Posted by Colm O hEigeartaigh <co...@apache.org>.
Simply change "SupportingTokens" to "SignedSupportingTokens".

Colm.




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com