Posted to users@cxf.apache.org by COURTAULT Francois <Fr...@gemalto.com> on 2013/11/05 10:32:24 UTC

Question about OnlySignEntireHeadersAndBody policy assertion

Hello everyone,

What is the meaning of the OnlySignEntireHeadersAndBody policy assertion?

I looked at http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html.
As we are using asymmetric binding, the only description I got in this spec is:
"/sp:AsymmetricBinding/wsp:Policy/sp:OnlySignEntireHeadersAndBody

This optional element is a policy assertion that indicates that the [Entire Header And Body Signatures] property is set to 'true'."

My interpretation of the sentence above is that, if this assertion is used for a web service endpoint, it means that the client has to generate a signature for all SOAP headers and the body of the SOAP request he has to send: am I right or wrong?
Best Regards.

________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus

RE: Question about OnlySignEntireHeadersAndBody policy assertion

Posted by COURTAULT Francois <Fr...@gemalto.com>.
Hello Colm,

Thank you so much for clarifying this for me :-)

Best Regards.

Re: Question about OnlySignEntireHeadersAndBody policy assertion

Posted by Colm O hEigeartaigh <co...@apache.org>.
Yes, that is correct.

Colm.


On Wed, Nov 6, 2013 at 1:26 PM, COURTAULT Francois <
Francois.COURTAULT@gemalto.com> wrote:

>  Hello,
>
>
>
> Thanks for your reply.
>
> So, I have understood you well, this policy assertion doesn’t state if we
> have or haven’t to include headers or body in the signature. It just
> describes the way to proceed if we want to include a header or a body in
> the signature: am I right ?
>
>
>
> Best Regards.
>
>
>
> *From:* Colm O hEigeartaigh [mailto:coheigea@apache.org]
> *Sent:* mardi 5 novembre 2013 11:32
> *To:* COURTAULT Francois
> *Cc:* users@cxf.apache.org
> *Subject:* Re: Question about OnlySignEntireHeadersAndBody policy
> assertion
>
>
>
> It's explained in section 6.6 - "[Entire Header and Body Signatures]
> Property".
>
> Your interpretation is not correct. Essentially what it means is that only
> the SOAP Body, a SOAP Header, and/or a direct child of the security header
> can be signed, nothing else. It doesn't actually require that any of them
> actually be signed though.
>
> Colm.
>
>
>
> On Tue, Nov 5, 2013 at 9:32 AM, COURTAULT Francois <
> Francois.COURTAULT@gemalto.com> wrote:
>
> Hello everyone,
>
>
>
> What is the meaning of OnlySignEntireHeadersAndBody policy assertion ?
>
>
>
> I looked at
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html
> .
>
> As we are using asymmetric binding, the only description I got in this
> spec is :
>
> “/sp:AsymmetricBinding/wsp:Policy/sp:OnlySignEntireHeadersAndBody
>
>
>
> This optional element is a policy assertion that indicates that the
> [Entire Header And Body Signatures] property is set to 'true'.”
>
>
>
> My interpretation of the sentence above is that, if this assertion is used
> for a web service endpoint it means that the client has to generate a
> signature for all SOAP headers and the body of the SOAP request he has to
> send: am I right or wrong ?
>
> Best Regards.
>
>
>  ------------------------------
>
> This message and any attachments are intended solely for the addressees
> and may contain confidential information. Any unauthorized use or
> disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for
> the message if altered, changed or falsified. If you are not the intended
> recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission
> free from viruses, the sender will not be liable for damages caused by a
> transmitted virus
>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
> ------------------------------
> This message and any attachments are intended solely for the addressees
> and may contain confidential information. Any unauthorized use or
> disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for
> the message if altered, changed or falsified. If you are not the intended
> recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission
> free from viruses, the sender will not be liable for damages caused by a
> transmitted virus
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: Question about OnlySignEntireHeadersAndBody policy assertion

Posted by COURTAULT Francois <Fr...@gemalto.com>.
Hello,

Thanks for your reply.
So, if I have understood you well, this policy assertion doesn't state whether we have to include headers or body in the signature or not. It just describes the way to proceed if we want to include a header or a body in the signature: am I right?

Best Regards.


Re: Question about OnlySignEntireHeadersAndBody policy assertion

Posted by Colm O hEigeartaigh <co...@apache.org>.
It's explained in section 6.6 - "[Entire Header and Body Signatures]
Property".

Your interpretation is not correct. Essentially what it means is that only
the SOAP Body, a SOAP Header, and/or a direct child of the security header
can be signed, nothing else. It doesn't actually require that any of them
actually be signed though.

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
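The rule Colm describes (section 6.6 of WS-SecurityPolicy 1.2: with the property set, a signature may only cover the SOAP Body, a SOAP header block, or a direct child of the wsse:Security header, and nothing has to be signed at all) turned into a stand-alone check, as an added example that is not code from this thread, from CXF or from WSS4J. It assumes a SOAP 1.1 envelope, ds:Reference URIs of the form "#id" that resolve to wsu:Id attributes, and placeholder digest and signature values: only the reference targets are examined, not the cryptographic validity of the signature. The sample envelope, the wsa:To header and the nested ns:msg element are constructed for the example.

```python
"""Check a WS-Security signature's References against the
[Entire Header and Body Signatures] property (WS-SecurityPolicy 1.2, 6.6).

Added example; not code from CXF, WSS4J or the mailing-list thread.
Assumptions: SOAP 1.1 envelope, References that point at wsu:Id
attributes via "#id" fragment URIs, and placeholder digest/signature
values, since only the reference targets are examined here, never
the cryptographic validity of the signature.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
SOAP_BODY = "{%s}Body" % NS["soap"]


def check_references(envelope_xml):
    """Return (ok, violations).

    With sp:OnlySignEntireHeadersAndBody in the binding, every
    ds:Reference must resolve to the soap:Body, a header block (direct
    child of soap:Header) or a direct child of wsse:Security. Anything
    else, e.g. an element nested inside the Body, is a violation. An
    empty reference list passes: the property restricts what MAY be
    signed and does not require that anything be signed.
    """
    root = ET.fromstring(envelope_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    by_id = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}
    header = root.find("soap:Header", NS)
    security = header.find("wsse:Security", NS) if header is not None else None

    violations = []
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is None:              # unresolved id or non-fragment URI
            violations.append(uri)
            continue
        parent = parent_of.get(target)
        allowed = (
            (target.tag == SOAP_BODY and parent is root)
            or (header is not None and parent is header)
            or (security is not None and parent is security)
        )
        if not allowed:
            violations.append(uri)
    return (not violations, violations)


# Constructed sample envelope (not a captured message). wsa:To, the
# Timestamp and the Body carry wsu:Ids, and so does a nested ns:msg
# element, which a compliant signature must not reference directly.
ENVELOPE_TEMPLATE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Header>
    <wsa:To wsu:Id="id-to">http://example.invalid/service</wsa:To>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="ts-1"><wsu:Created>2013-11-05T09:32:24Z</wsu:Created></wsu:Timestamp>
      <ds:Signature>
        <ds:SignedInfo>%s</ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="id-body">
    <ns:echo xmlns:ns="urn:example"><ns:msg wsu:Id="id-msg">hello</ns:msg></ns:echo>
  </soap:Body>
</soap:Envelope>"""


def envelope(reference_uris):
    """Build the sample envelope with one ds:Reference per URI."""
    refs = "".join('<ds:Reference URI="%s"/>' % u for u in reference_uris)
    return ENVELOPE_TEMPLATE % refs


if __name__ == "__main__":
    print(check_references(envelope(["#id-body", "#id-to", "#ts-1"])))  # (True, [])
    print(check_references(envelope(["#id-body", "#id-msg"])))          # (False, ['#id-msg'])
    print(check_references(envelope([])))                               # (True, [])
```

The check answers only the question the thread settles: whether each signed element is one the property permits. Which parts must be signed is the job of the binding's sp:SignedParts / sp:SignedElements assertions, and the digests and signature value still have to be verified separately; in a real stack this structural check runs alongside those, not instead of them.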