Posted to users@cxf.apache.org by jsmith828 <je...@putnam.com> on 2015/08/13 01:58:25 UTC

Re: CXF Security policy signature method

I actually have the same issue in that my sec engineering department will not
allow any SHA-1 algorithms of any kind and require a minimum of SHA-256 for
the digest algorithm.  I am using CXF-3.1.0 and I was hoping the ability to
override SHA-1 was now available and, if so, how can I do it?

Thanks!
-Jeff



--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-Security-policy-signature-method-tp5732250p5760020.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: CXF Security policy signature method

Posted by Colm O hEigeartaigh <co...@apache.org>.
Yes the fix will also be available in the 3.1.3 release. I'm not sure when
that release will be as we have only released 3.1.2 a few weeks back - we
normally release every 2 months or so.

Colm.

On Tue, Aug 18, 2015 at 6:05 PM, jsmith828 <je...@putnam.com> wrote:

> Thanks Colm.  Looks like the change was to SAMLUtils and
> SamlCallbackHandler.
> I'll clone the cxf-3.0.x-fixes branch and give that a shot.  Will this be
> available in the 3.1.3 release of CXF and if so can you let me know around
> when that might be available?  Cheers!
>
>
>
> -----
> -Jeff
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-Security-policy-signature-method-tp5732250p5760265.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: CXF Security policy signature method

Posted by jsmith828 <je...@putnam.com>.
Thanks Colm.  Looks like the change was to SAMLUtils and SamlCallbackHandler.
I'll clone the cxf-3.0.x-fixes branch and give that a shot.  Will this be
available in the 3.1.3 release of CXF and if so can you let me know around
when that might be available?  Cheers!



-----
-Jeff
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-Security-policy-signature-method-tp5732250p5760265.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: CXF Security policy signature method

Posted by Colm O hEigeartaigh <co...@apache.org>.
It's a bug, now fixed:

https://issues.apache.org/jira/browse/CXF-6543

Colm.

On Thu, Aug 13, 2015 at 3:10 PM, jsmith828 <je...@putnam.com> wrote:

> It's the "action" approach.  I've written a custom CallbackHandler to
> create
> my SAML assertion and defined it in my security.saml-callback-handler
> property of my JAXRSClientFactoryBean.  I've tried setting the following in
> my CallbackHandler but it still doesn't work.
>
>
> callback.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
>
> callback.setSignatureDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA256);
>
> The SignatureMethod alg is still "rsa-sha1" and the DigestMethod alg is
> "sha1".  No errors reported; it's just not using the set algorithm.
> Unrestricted policies in place.  Not sure what I am still missing -Jeff
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-Security-policy-signature-method-tp5732250p5760065.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: CXF Security policy signature method

Posted by jsmith828 <je...@putnam.com>.
It's the "action" approach.  I've written a custom CallbackHandler to create
my SAML assertion and defined it in my security.saml-callback-handler
property of my JAXRSClientFactoryBean.  I've tried setting the following in
my CallbackHandler but it still doesn't work.

callback.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
callback.setSignatureDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA256);

The SignatureMethod alg is still "rsa-sha1" and the DigestMethod alg is
"sha1".  No errors reported; it's just not using the set algorithm.
Unrestricted policies in place.  Not sure what I am still missing -Jeff



--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-Security-policy-signature-method-tp5732250p5760065.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: CXF Security policy signature method

Posted by Colm O hEigeartaigh <co...@apache.org>.
Are you using WS-Security via the "action" approach or via
WS-SecurityPolicy?

a) Action approach. Simply specify the following algorithms in the
WSS4JOutInterceptor configuration:

signatureDigestAlgorithm - http://www.w3.org/2001/04/xmlenc#sha256
signatureAlgorithm - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

b) WS-SecurityPolicy approach.

Digest: Use one of the AlgorithmSuites that ends in "Sha256", e.g.
"sp:Basic256Sha256".
Signature: Set the JAX-WS property
"ws-security.asymmetric.signature.algorithm" to
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

Colm.


On Thu, Aug 13, 2015 at 12:58 AM, jsmith828 <je...@putnam.com>
wrote:

> I actually have the same issue in that my sec engineering department will
> not
> allow any SHA-1 algorithms of any kind and require a minimum of SHA-256 for
> the digest algorithm.  I am using CXF-3.1.0 and I was hoping the ability to
> override SHA-1 was now available and, if so, how can I do it?
>
> Thanks!
> -Jeff
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-Security-policy-signature-method-tp5732250p5760020.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
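The two configurations Colm describes above, together with a SAML callback handler of the kind Jeff posted earlier in the thread, written out as one added example. This is not code from the thread or from the CXF project: the keystore alias, key password, crypto properties file, issuer URL, subject name and all class names are assumed values. The property keys and algorithm URIs are the ones quoted in the thread; the `WSHandlerConstants` names are the WSS4J constants for the `signatureDigestAlgorithm` and `signatureAlgorithm` keys. The last two methods are the check a reviewer would want regardless of which approach is used: feed them a logged outgoing message (CXF's `LoggingOutInterceptor` output, for instance) and a `false` from `freeOfSha1` is exactly the symptom Jeff reported, an algorithm setting that was accepted but not applied.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.bean.Version;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example (not from the thread): SHA-256 signing settings for CXF/WSS4J, plus a check on the output. */
public final class Sha256SigningExample {
    // Algorithm URIs as quoted in the thread; the three values after them are assumed deployment values.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final String DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256";
    static final String SIGNING_ALIAS = "clientkey";
    static final String SIGNING_PASSWORD = "changeit";
    static final String CRYPTO_PROPS = "client-crypto.properties";

    /** (a) "action" approach: properties for new WSS4JOutInterceptor(props), with the two keys Colm names. */
    static Map<String, Object> actionApproachProperties() {
        Map<String, Object> props = new HashMap<>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        props.put(WSHandlerConstants.USER, SIGNING_ALIAS);
        props.put(WSHandlerConstants.SIG_PROP_FILE, CRYPTO_PROPS);
        props.put(WSHandlerConstants.PW_CALLBACK_REF, (CallbackHandler) cbs -> { // private-key password
            for (Callback cb : cbs) {
                ((WSPasswordCallback) cb).setPassword(SIGNING_PASSWORD); // WSS4J passes only WSPasswordCallback here
            }
        });
        props.put(WSHandlerConstants.SIG_DIGEST_ALGO, DIGEST_SHA256); // key "signatureDigestAlgorithm"
        props.put(WSHandlerConstants.SIG_ALGO, RSA_SHA256);           // key "signatureAlgorithm"
        return props;
    }

    /** (b) WS-SecurityPolicy approach (sp:Basic256Sha256 in the policy covers the digest) and Jeff's SAML callback. */
    static Map<String, Object> clientProperties() {
        Map<String, Object> props = new HashMap<>();
        props.put("ws-security.asymmetric.signature.algorithm", RSA_SHA256);
        props.put("security.saml-callback-handler", new Sha256SamlCallbackHandler());
        return props;
    }

    /** SAML callback handler in the style of Jeff's post; the algorithm setters take effect once CXF-6543 is applied. */
    static final class Sha256SamlCallbackHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof SAMLCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                SAMLCallback saml = (SAMLCallback) cb;
                saml.setSamlVersion(Version.SAML_20);
                saml.setIssuer("https://idp.example.test"); // assumed issuer
                saml.setSubject(new SubjectBean("jeff", null, "urn:oasis:names:tc:SAML:2.0:cm:bearer"));
                saml.setSignAssertion(true);
                try {
                    saml.setIssuerCrypto(CryptoFactory.getInstance(CRYPTO_PROPS));
                } catch (WSSecurityException e) {
                    throw new IOException("cannot load signing crypto", e);
                }
                saml.setIssuerKeyName(SIGNING_ALIAS);
                saml.setIssuerKeyPassword(SIGNING_PASSWORD);
                saml.setSignatureAlgorithm(RSA_SHA256);
                saml.setSignatureDigestAlgorithm(DIGEST_SHA256);
            }
        }
    }

    /** Check on the wire: collect every ds:SignatureMethod / ds:DigestMethod Algorithm from a logged message. */
    static Set<String> signatureAlgorithmsIn(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD processing
        org.w3c.dom.Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Set<String> algs = new HashSet<>();
        for (String local : new String[] {"SignatureMethod", "DigestMethod"}) {
            NodeList nodes = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", local);
            for (int i = 0; i < nodes.getLength(); i++) {
                algs.add(((Element) nodes.item(i)).getAttribute("Algorithm"));
            }
        }
        return algs;
    }

    /** True when no SHA-1 URI (ending in #sha1 or -sha1) is present, the condition Jeff's team requires. */
    static boolean freeOfSha1(String xml) throws Exception {
        return signatureAlgorithmsIn(xml).stream().noneMatch(a -> a.endsWith("#sha1") || a.endsWith("-sha1"));
    }
}
```

For the action approach the map goes into `new WSS4JOutInterceptor(actionApproachProperties())` on the client's out-interceptor chain; for the policy approach and the SAML handler, `clientProperties()` goes into the JAX-WS request context or, in Jeff's JAX-RS setup, the factory bean's properties. The check deliberately inspects the serialized message rather than the configuration, since the thread shows the two can disagree.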