Posted to dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2018/08/31 11:55:00 UTC

[jira] [Commented] (WSS-456) Not possible to support SymmetricBinding ProtectTokens policy

    [ https://issues.apache.org/jira/browse/WSS-456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16598640#comment-16598640 ] 

Colm O hEigeartaigh commented on WSS-456:
-----------------------------------------

ProtectTokens + SymmetricBinding is actually supported for the DOM code, but not the StAX code. Do you specifically need it for the StAX code?

You can reproduce the error by removing the if statement in this piece of test-code in CXF:

[https://github.com/apache/cxf/blob/ce2fcd19c63b7f666b778d482c5aa40e0e0c1828/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java#L962]

The error that results is "org.apache.xml.security.exceptions.XMLSecurityException: Part to sign not found: {http://www.w3.org/2001/04/xmlenc#}EncryptedKey". The problem is that as we have "sign before encrypting", the EncryptedKey is not yet available to the Signature when we are trying to sign the EncryptedKey. It might be possible to get it working with some hacking, but it would probably be quite tricky.

 

> Not possible to support SymmetricBinding ProtectTokens policy
> -------------------------------------------------------------
>
>                 Key: WSS-456
>                 URL: https://issues.apache.org/jira/browse/WSS-456
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Colm O hEigeartaigh
>            Assignee: Marc Giger
>            Priority: Major
>
> It is not possible currently to support the SymmetricBinding ProtectTokens policy. In this scenario, the Signature KeyInfo references an EncryptedKey Element, and also signs the EncryptedKey Element.


