Posted to issues@cxf.apache.org by "Glen Mazza (JIRA)" <ji...@apache.org> on 2011/07/03 14:04:22 UTC

[jira] [Commented] (CXF-3630) WSS4JIn Interceptor Issue

    [ https://issues.apache.org/jira/browse/CXF-3630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13059187#comment-13059187 ] 

Glen Mazza commented on CXF-3630:
---------------------------------

I'm confused -- you first mention that "WSS4JInInterceptor does not assert the policies" which is true, because there aren't supposed to be WS-SecurityPolicy statements if you're using WSS4JInInterceptor; this older object was created before CXF had support for reading (and basing security on) WS-SecPol statements--or if there are such statements, they're to be ignored as usage of WSS4JInInterceptor means you want manual configuration and don't care what the WS-SecPol statements, if any, say.

So you switched to the WS-Policy-reading object instead, which means security is to be defined by SecPol statements that are within the WSDL being read by the client and web service provider.  But then you write "I need the following requirement, Saml Assertion needs to be signed, Timestamp needs to be signed"--is this a manual requirement on your part, or a requirement already declared within SecPol statements in the WSDL?  AFAIK it's gonna have to be the latter with PolicyBasedWSS4JInInterceptor.  Your usage of an action element with PolicyBasedWSS4JInInterceptor seems strange--because the required actions should already be defined in the WSDL--I don't even see "action" as an option for SecPol: https://cwiki.apache.org/CXF20DOC/ws-securitypolicy.html

Finally: "Hence I had to use the PolicyBasedWSS4JInInterceptor, but it does not have the constructor. Hence I had to add the constructor." -- I think there's a reason for no constructor, again, it's supposed to be reading the WSDL and basing all security rules on SecPol statements within it, no?
> WSS4JIn     Interceptor   Issue
> -------------------------------
>
>                 Key: CXF-3630
>                 URL: https://issues.apache.org/jira/browse/CXF-3630
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.4
>            Reporter: Srinivasa Kukatla
>
> WSS4JInInterceptor does not assert the policies. Hence I had to use the PolicyBasedWSS4JInInterceptor, but it does not have the constructor. Hence I had to add the constructor. Here is another problem:
> I need the following requirement, Saml Assertion needs to be signed, Timestamp needs to be signed:
> But, on the wss4jOutInterceptor, if I say Timestamp, SAMLTokenSigned, and Signature, the actions are mismatching. Hence I had to use only the first two actions.
> <constructor-arg>
>     <map>
>         <entry key="action" value="Timestamp SAMLTokenSigned"/>
>         <entry key="timeToLive" value="${timestamp.expiration.property}"/>
>         <entry key="user" value="${client.signature.username}"/>
>         <entry>
>             <key>
>                 <value>passwordCallbackRef</value>
>             </key>
>             <ref bean="passwordCallBackHandler"/>
>         </entry>
>         <entry key="passwordType" value="PasswordDigest"/>
>         <entry key="samlPropFile" value="${client.saml.properties}"/>
>         <entry key="signaturePropFile" value="${client.signature.properties}"/>
>         <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>         <entry key="signatureDigestAlgorithm" value="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"/>
>     </map>
> </constructor-arg>
> But, on the WSS4JInInterceptor, I needed to configure 3 actions as shown below:
> <constructor-arg>
>     <map>
>         <entry key="action" value="Timestamp SAMLTokenSigned Signature "/>
>         <entry key="timeToLive" value="${timestamp.expiration.property}"/>
>         <entry key="passwordType" value="PasswordDigest"/>
>         <entry key="signaturePropFile" value="${server.signature.properties}"/>
>         <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>         <entry key="signatureDigestAlgorithm" value="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"/>
>         <entry key="enableSignatureConfirmation" value="true"/>
>     </map>
> </constructor-arg>
