Posted to fx-dev@ws.apache.org by Denis Koelewijn <de...@gmail.com> on 2007/05/21 14:15:54 UTC

Does WSS4J verify that all required parts are signed?

Hi,

I've run into the problem that WSS4J doesn't seem to verify that all
required fields are signed. I wonder if I'm doing something wrong, or is
this the intended behaviour of WSS4J?

The webservice wsdd-file is configured with the following parameters:
<parameter name="action" value="Timestamp Signature"/>
<parameter name="signatureParts" value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body; {}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp" />

The webservice accepts messages from a client configured in either of the
following ways:
1) Sign both body and timestamp. This is what is expected to be correct.
<parameter name="action" value="Timestamp Signature"/>
<parameter name="signatureParts" value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body; {}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp" />

2) Sign only the body. I think this is wrong and the message should be
rejected.
<parameter name="action" value="Timestamp Signature"/>
<parameter name="signatureParts" value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" />

In the logfiles I can confirm that indeed the signed parts are verified
successfully, e.g.:
1) When both the body and timestamp are signed:
2007-05-21 13:44:03,443 [http-8080-Processor25] INFO org.apache.xml.security.signature.Reference  - Verification successful for URI "#id-8347989"
2007-05-21 13:44:03,443 [http-8080-Processor25] INFO org.apache.xml.security.signature.Reference  - Verification successful for URI "#id-27316497"

2) When only the body is signed:
2007-05-21 13:45:15,668 [http-8080-Processor24] INFO org.apache.xml.security.signature.Reference  - Verification successful for URI "#id-28218725"

Is this intentional, and am I to verify myself whether all required elements
are signed? Or is there some API call that allows me to have WSS4J check
this?

Regards, Denis

Re: Does WSS4J verify that all required parts are signed?

Posted by "Dittmann, Werner" <we...@nsn.com>.
I'll try to answer this:
signatureParts is usually used at the client only and defines which parts
of the message shall be signed. If nothing is specified, WSS4J signs the
Body only.

The server (the receiver) does not look at the signatureParts parameter
(effectively it ignores it) but scans the whole message and verifies every
signed part. To be true: this is the behaviour of the WSS4J Axis handler
that uses the WSS4J core classes.
 
Regards,
Werner
 


________________________________

	From: ext Denis Koelewijn [mailto:denis.koelewijn@gmail.com]
	Sent: Monday, 21 May 2007 14:16
	To: wss4j-dev@ws.apache.org
	Subject: Does WSS4J verify that all required parts are signed?

	Hi,

	I've run into the problem that WSS4J doesn't seem to verify that
	all required fields are signed. I wonder if I'm doing something wrong,
	or is this the intended behaviour of WSS4J?

	The webservice wsdd-file is configured with the following parameters:
	<parameter name="action" value="Timestamp Signature"/>
	<parameter name="signatureParts" value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body ; {}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp" />

	The webservice accepts messages from a client configured in
	either of the following ways:
	1) Sign both body and timestamp. This is what is expected to be correct.
	<parameter name="action" value="Timestamp Signature"/>
	<parameter name="signatureParts" value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body; {}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp" />

	2) Sign only the body. I think this is wrong and the message
	should be rejected.
	<parameter name="action" value="Timestamp Signature"/>
	<parameter name="signatureParts" value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" />

	In the logfiles I can confirm that indeed the signed parts are
	verified successfully, e.g.:
	1) When both the body and timestamp are signed:
	2007-05-21 13:44:03,443 [http-8080-Processor25] INFO org.apache.xml.security.signature.Reference  - Verification successful for URI "#id-8347989"
	2007-05-21 13:44:03,443 [http-8080-Processor25] INFO org.apache.xml.security.signature.Reference  - Verification successful for URI "#id-27316497"

	2) When only the body is signed:
	2007-05-21 13:45:15,668 [http-8080-Processor24] INFO org.apache.xml.security.signature.Reference  - Verification successful for URI "#id-28218725"

	Is this intentional, and am I to verify myself whether all
	required elements are signed? Or is there some API call that allows me
	to have WSS4J check this?
	
	Regards, Denis
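
The receiver-side check discussed in this thread, as an added example (not part of the original messages and not WSS4J code): it uses only JDK DOM APIs to confirm that the SOAP Body and the wsu:Timestamp are each covered by a ds:Reference. It assumes the signature itself has already been verified by WSS4J; the class name RequiredPartsCheck and the sample envelope are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class RequiredPartsCheck { // hypothetical class name
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-";
    static final String WSSE = OASIS + "secext-1.0.xsd", WSU = OASIS + "utility-1.0.xsd";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    // Direct-child lookup: a part must sit where the service reads it, not merely exist somewhere.
    static Element child(Element parent, String ns, String local) {
        for (Node n = parent == null ? null : parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName()))
                return (Element) n;
        return null;
    }

    // Names of required parts that no ds:Reference in SignedInfo covers.
    static List<String> unsignedParts(Document doc) {
        Element env = doc.getDocumentElement();
        Element sec = child(child(env, SOAP, "Header"), WSSE, "Security");
        Element signedInfo = child(child(sec, DS, "Signature"), DS, "SignedInfo");
        Set<String> signedIds = new HashSet<>();
        NodeList refs = signedInfo == null ? null : signedInfo.getElementsByTagNameNS(DS, "Reference");
        for (int i = 0; refs != null && i < refs.getLength(); i++) {
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            if (uri.startsWith("#")) signedIds.add(uri.substring(1)); // same-document reference
        }
        String[] names = {"Body", "Timestamp"};
        Element[] parts = {child(env, SOAP, "Body"), child(sec, WSU, "Timestamp")};
        List<String> missing = new ArrayList<>();
        for (int i = 0; i < parts.length; i++) {
            String id = parts[i] == null ? "" : parts[i].getAttributeNS(WSU, "Id");
            if (id.isEmpty() || !signedIds.contains(id)) missing.add(names[i]);
        }
        return missing;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: the Signature references only the Body (case 2 in the thread).
        String xml = "<s:Envelope xmlns:s='" + SOAP + "' xmlns:wsse='" + WSSE + "' xmlns:wsu='" + WSU
            + "' xmlns:ds='" + DS + "'><s:Header><wsse:Security><wsu:Timestamp wsu:Id='id-ts'/><ds:Signature>"
            + "<ds:SignedInfo><ds:Reference URI='#id-body'/></ds:SignedInfo></ds:Signature>"
            + "</wsse:Security></s:Header><s:Body wsu:Id='id-body'/></s:Envelope>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        System.out.println(unsignedParts(f.newDocumentBuilder().parse(new ByteArrayInputStream(bytes))));
    }
}
```

A non-empty result means the message should be rejected even though every reference that is present verified successfully.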