Posted to dev@ws.apache.org by Nicolas B <ni...@gmail.com> on 2011/07/22 23:25:08 UTC

WSSConfig processors

Dear all,

I'm trying to understand the default processor map initialized in the
WSSConfig class of wss4j.

As explained in this ticket
http://forum.springsource.org/showthread.php?112450-WSSecurityException-while-validating-WS-Security-headers
I'm trying to validate my incoming SOAP messages based on the UsernameToken.

So I want to only take care of this header element ;) When one of my clients
attacks my web service, he is sending the right UsernameToken but also other
elements, and the WSSecurityEngine is trying to validate ALL the elements.

How can I configure wss4j to only validate my UsernameToken and ignore the
others? Is this the right way? Is it up to my client to respect what the
server is expecting?

Thanks a lot in advance, and thanks for wss4j ;)

Best Regards,
-- 
View this message in context: http://old.nabble.com/WSSConfig-processors-tp32118532p32118532.html
Sent from the WSS4J mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Re: WSSConfig processors

Posted by Nicolas Buisson <ni...@gmail.com>.
Damn, thanks!!!


Colm O hEigeartaigh-2 wrote:
> 
> There is a method in WSSConfig:
> 
> public String setProcessor(QName el, Processor processor)
> 
> You can call this specifying the QNames of the elements you want to
> avoid processing, and passing in null as the processor.
> 
> Colm.
> 
> On Mon, Jul 25, 2011 at 4:49 PM, Nicolas Buisson <ni...@gmail.com>
> wrote:
>>
>>> In this case you could disable the Timestamp and Signature Processors
>>> using WSSConfig.
>>
>> That is what I'm looking for! And I didn't find how to do it.
>>
>> In WSSConfig there is a default processor map and there is no way
>> to change this map. Am I missing something?
>>
>>
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> http://coheigea.blogspot.com/
> Talend - http://www.talend.com
> 





Re: WSSConfig processors

Posted by Colm O hEigeartaigh <co...@apache.org>.
There is a method in WSSConfig:

public String setProcessor(QName el, Processor processor)

You can call this specifying the QNames of the elements you want to
avoid processing, and passing in null as the processor.

Colm.

On Mon, Jul 25, 2011 at 4:49 PM, Nicolas Buisson <ni...@gmail.com> wrote:
>
>> In this case you could disable the Timestamp and Signature Processors
>> using WSSConfig.
>
> That is what I'm looking for! And I didn't find how to do it.
>
> In WSSConfig there is a default processor map and there is no way
> to change this map. Am I missing something?
>
>



-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com



Re: WSSConfig processors

Posted by Nicolas Buisson <ni...@gmail.com>.
> In this case you could disable the Timestamp and Signature Processors
> using WSSConfig.

That is what I'm looking for! And I didn't find how to do it.

In WSSConfig there is a default processor map and there is no way
to change this map. Am I missing something?




Re: WSSConfig processors

Posted by Colm O hEigeartaigh <co...@apache.org>.
> But I would like to only take care of the UsernameToken element and skip the
> Timestamp and Signature elements.

In this case you could disable the Timestamp and Signature Processors
using WSSConfig.

> What I also don't understand is why wss4j takes care of the Signature element
> which is not in the wsse:Security element.

The signature element *is* in the wsse:Security element.

> Should the actor attribute be added by the client? What is the goal of this
> attribute?

You can specify multiple security headers targeted at different recipients.

Colm.

On Mon, Jul 25, 2011 at 4:34 PM, Nicolas Buisson <ni...@gmail.com> wrote:
>
> Hi Colm,
>
> Thanks a lot for your answer:
>
> Here is the header I received :
>
> <soap:Header>
> <wsse:Security soap:mustUnderstand="1">
> <wsu:Timestamp wsu:Id="Timestamp-f390d953-b8c6-4163-b5b4-a98e30aab56c">
> <wsu:Created>2011-07-22T14:26:05Z</wsu:Created>
> <wsu:Expires>2011-07-22T14:31:05Z</wsu:Expires>
> </wsu:Timestamp>
> <wsse:UsernameToken
> wsu:Id="SecurityToken-9d28ee61-d01c-48c7-8e6e-8cd42bc8376e">
> <wsse:Username>xxx</wsse:Username>
> <wsse:Password
> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxx</wsse:Password>
> <wsse:Nonce>8PfBYBg1vo84GAlUVshpSA==</wsse:Nonce>
> <wsu:Created>2011-07-22T14:26:05Z</wsu:Created>
> </wsse:UsernameToken>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <ds:CanonicalizationMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
> <Reference URI="#Id-68a23867-f268-4e07-8df5-e5de2511ab11">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>8ldWcRrq+AinkfWayJEieHUTZ7E=</DigestValue>
> </Reference>
> <Reference URI="#Id-5b7ed34a-b987-4984-a231-82c19ce1f132">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>BPUCRJEi6qoe/3lS0qTG81VsYFc=</DigestValue>
> </Reference>
> <Reference URI="#Id-4e37fd76-bd14-4035-acdb-e38b98630761">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>RNJRrCK+5ewoyAN5onKm05siJ9o=</DigestValue>
> </Reference>
> <Reference URI="#Id-c248e36a-4e62-4ec2-971a-069b5eeb26a8">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>FMUsGZGuIKQDpi+WTngvhQml4qI=</DigestValue>
> </Reference>
> <Reference URI="#Timestamp-f390d953-b8c6-4163-b5b4-a98e30aab56c">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>PstX8mJwKMKhjyNojsHghW3myk4=</DigestValue>
> </Reference>
> <Reference URI="#Id-ebb3ef9a-9057-4ad8-b7ac-f790d2587b56">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>1ySbGzd5DD8gu340swQji66xGuc=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>PuY5HJCIC8ZoX+KtnJwqXdJIFMA=</SignatureValue>
> <KeyInfo>
> <wsse:SecurityTokenReference>
> <wsse:Reference URI="#SecurityToken-9d28ee61-d01c-48c7-8e6e-8cd42bc8376e"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"/>
> </wsse:SecurityTokenReference>
> </KeyInfo>
> </Signature>
> </wsse:Security>
> </soap:Header>
>
> And wss4j is trying to validate the Signature element.
>
> But I would like to only take care of the UsernameToken element and skip the
> Timestamp and Signature elements.
>
> What I also don't understand is why wss4j takes care of the Signature element
> which is not in the wsse:Security element.
>
> Should the actor attribute be added by the client? What is the goal of this
> attribute?
>
> Again, thanks a lot for your answer :)
>
>
> Colm O hEigeartaigh-2 wrote:
>>
>> Hi Nicolas,
>>
>> What are the invalid security header elements that you want to avoid
>> processing? If the service only cares about the UsernameToken, the
>> correct thing to do is to add an "actor" attribute to a security
>> header that is only meant to be processed by the service provider, and
>> only put the UsernameToken in this security header.
>>
>> You can disable processors by the QName of the element they are meant
>> to process via WSSConfig:
>>
>> https://svn.apache.org/repos/asf/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/WSSConfig.java
>>
>> Colm.
>>
>> On Fri, Jul 22, 2011 at 10:25 PM, Nicolas B <ni...@gmail.com> wrote:
>>>
>>> Dear all,
>>>
>>> I'm trying to understand the default processor map initialized in the
>>> WSSConfig class of wss4j.
>>>
>>> As explained in this ticket
>>> http://forum.springsource.org/showthread.php?112450-WSSecurityException-while-validating-WS-Security-headers
>>> I'm trying to validate my incoming SOAP messages based on the
>>> UsernameToken.
>>>
>>> So I want to only take care of this header element ;) When one of my
>>> clients attacks my web service, he is sending the right UsernameToken but
>>> also other elements, and the WSSecurityEngine is trying to validate ALL the
>>> elements.
>>>
>>> How can I configure wss4j to only validate my UsernameToken and ignore the
>>> others? Is this the right way? Is it up to my client to respect what the
>>> server is expecting?
>>>
>>> Thanks a lot in advance, and thanks for wss4j ;)
>>>
>>> Best Regards,
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> http://coheigea.blogspot.com/
>> Talend - http://www.talend.com
>>
>



-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com



Re: WSSConfig processors

Posted by Nicolas Buisson <ni...@gmail.com>.
Hi Colm,

Thanks a lot for your answer:

Here is the header I received:

<soap:Header> 
<wsse:Security soap:mustUnderstand="1"> 
<wsu:Timestamp wsu:Id="Timestamp-f390d953-b8c6-4163-b5b4-a98e30aab56c"> 
<wsu:Created>2011-07-22T14:26:05Z</wsu:Created> 
<wsu:Expires>2011-07-22T14:31:05Z</wsu:Expires> 
</wsu:Timestamp> 
<wsse:UsernameToken
wsu:Id="SecurityToken-9d28ee61-d01c-48c7-8e6e-8cd42bc8376e"> 
<wsse:Username>xxx</wsse:Username> 
<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxx</wsse:Password> 
<wsse:Nonce>8PfBYBg1vo84GAlUVshpSA==</wsse:Nonce> 
<wsu:Created>2011-07-22T14:26:05Z</wsu:Created> 
</wsse:UsernameToken> 
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> 
<SignedInfo> 
<ds:CanonicalizationMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> 
<Reference URI="#Id-68a23867-f268-4e07-8df5-e5de2511ab11"> 
<Transforms> 
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
</Transforms> 
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
<DigestValue>8ldWcRrq+AinkfWayJEieHUTZ7E=</DigestValue> 
</Reference> 
<Reference URI="#Id-5b7ed34a-b987-4984-a231-82c19ce1f132"> 
<Transforms> 
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
</Transforms> 
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
<DigestValue>BPUCRJEi6qoe/3lS0qTG81VsYFc=</DigestValue> 
</Reference> 
<Reference URI="#Id-4e37fd76-bd14-4035-acdb-e38b98630761"> 
<Transforms> 
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
</Transforms> 
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
<DigestValue>RNJRrCK+5ewoyAN5onKm05siJ9o=</DigestValue> 
</Reference> 
<Reference URI="#Id-c248e36a-4e62-4ec2-971a-069b5eeb26a8"> 
<Transforms> 
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
</Transforms> 
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
<DigestValue>FMUsGZGuIKQDpi+WTngvhQml4qI=</DigestValue> 
</Reference> 
<Reference URI="#Timestamp-f390d953-b8c6-4163-b5b4-a98e30aab56c"> 
<Transforms> 
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
</Transforms> 
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
<DigestValue>PstX8mJwKMKhjyNojsHghW3myk4=</DigestValue> 
</Reference> 
<Reference URI="#Id-ebb3ef9a-9057-4ad8-b7ac-f790d2587b56"> 
<Transforms> 
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
</Transforms> 
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
<DigestValue>1ySbGzd5DD8gu340swQji66xGuc=</DigestValue> 
</Reference> 
</SignedInfo> 
<SignatureValue>PuY5HJCIC8ZoX+KtnJwqXdJIFMA=</SignatureValue> 
<KeyInfo> 
<wsse:SecurityTokenReference> 
<wsse:Reference URI="#SecurityToken-9d28ee61-d01c-48c7-8e6e-8cd42bc8376e"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"/> 
</wsse:SecurityTokenReference> 
</KeyInfo> 
</Signature> 
</wsse:Security> 
</soap:Header> 

And wss4j is trying to validate the Signature element.

But I would like to only take care of the UsernameToken element and skip the
Timestamp and Signature elements.

What I also don't understand is why wss4j takes care of the Signature element
which is not in the wsse:Security element.

Should the actor attribute be added by the client? What is the goal of this
attribute?

Again, thanks a lot for your answer :)


Colm O hEigeartaigh-2 wrote:
> 
> Hi Nicolas,
> 
> What are the invalid security header elements that you want to avoid
> processing? If the service only cares about the UsernameToken, the
> correct thing to do is to add an "actor" attribute to a security
> header that is only meant to be processed by the service provider, and
> only put the UsernameToken in this security header.
> 
> You can disable processors by the QName of the element they are meant
> to process via WSSConfig:
> 
> https://svn.apache.org/repos/asf/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/WSSConfig.java
> 
> Colm.
> 
> On Fri, Jul 22, 2011 at 10:25 PM, Nicolas B <ni...@gmail.com> wrote:
>>
>> Dear all,
>>
>> I'm trying to understand the default processor map initialized in the
>> WSSConfig class of wss4j.
>>
>> As explained in this ticket
>> http://forum.springsource.org/showthread.php?112450-WSSecurityException-while-validating-WS-Security-headers
>> I'm trying to validate my incoming SOAP messages based on the
>> UsernameToken.
>>
>> So I want to only take care of this header element ;) When one of my
>> clients attacks my web service, he is sending the right UsernameToken but
>> also other elements, and the WSSecurityEngine is trying to validate ALL the
>> elements.
>>
>> How can I configure wss4j to only validate my UsernameToken and ignore the
>> others? Is this the right way? Is it up to my client to respect what the
>> server is expecting?
>>
>> Thanks a lot in advance, and thanks for wss4j ;)
>>
>> Best Regards,
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> http://coheigea.blogspot.com/
> Talend - http://www.talend.com
> 



Re: WSSConfig processors

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Nicolas,

What are the invalid security header elements that you want to avoid
processing? If the service only cares about the UsernameToken, the
correct thing to do is to add an "actor" attribute to a security
header that is only meant to be processed by the service provider, and
only put the UsernameToken in this security header.

You can disable processors by the QName of the element they are meant
to process via WSSConfig:

https://svn.apache.org/repos/asf/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/WSSConfig.java

Colm.

On Fri, Jul 22, 2011 at 10:25 PM, Nicolas B <ni...@gmail.com> wrote:
>
> Dear all,
>
> I'm trying to understand the default processor map initialized in the
> WSSConfig class of wss4j.
>
> As explained in this ticket
> http://forum.springsource.org/showthread.php?112450-WSSecurityException-while-validating-WS-Security-headers
> I'm trying to validate my incoming SOAP messages based on the UsernameToken.
>
> So I want to only take care of this header element ;) When one of my clients
> attacks my web service, he is sending the right UsernameToken but also other
> elements, and the WSSecurityEngine is trying to validate ALL the elements.
>
> How can I configure wss4j to only validate my UsernameToken and ignore the
> others? Is this the right way? Is it up to my client to respect what the
> server is expecting?
>
> Thanks a lot in advance, and thanks for wss4j ;)
>
> Best Regards,



-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com

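An added example, not code from this thread or from wss4j itself, that puts Colm's two suggestions together: disable the Timestamp and Signature processors through WSSConfig.setProcessor(QName, Processor) with a null processor (his later reply), and select the wsse:Security header by actor so the service only looks at the header addressed to it (his first reply). It assumes the wss4j 1.5.x-fixes API linked in the thread: WSSConfig.getNewInstance(), the QName constants WSSecurityEngine.TIMESTAMP and WSSecurityEngine.SIGNATURE, and processSecurityHeader returning a list of WSSecurityEngineResult entries keyed by TAG_ACTION. Other wss4j versions expose setProcessor with different parameter types, so the cast below is there only to pick the overload Colm quotes. The class name UsernameTokenOnlyEngine and the callback parameter are made up for the example.

```java
import java.util.List;

import javax.security.auth.callback.CallbackHandler;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.processor.Processor;
import org.w3c.dom.Document;

/**
 * Example (not wss4j's own code): a WSSecurityEngine that validates only the
 * UsernameToken and walks past Timestamp and Signature, then checks that a
 * UsernameToken was really present in the selected security header.
 * Assumes the wss4j 1.5.x-fixes API referenced in the thread.
 */
public class UsernameTokenOnlyEngine {

    /** Build an engine whose WSSConfig has no processor for Timestamp or Signature. */
    public static WSSecurityEngine build() {
        WSSConfig config = WSSConfig.getNewInstance();
        // setProcessor(QName, Processor) with a null processor, as described in
        // the thread: the engine skips the element instead of validating it.
        // The cast selects the Processor overload on versions that also take a
        // class name String.
        config.setProcessor(WSSecurityEngine.TIMESTAMP, (Processor) null);
        config.setProcessor(WSSecurityEngine.SIGNATURE, (Processor) null);

        WSSecurityEngine engine = new WSSecurityEngine();
        engine.setWssConfig(config);
        return engine;
    }

    /**
     * Process the wsse:Security header addressed to the given actor and return
     * the UsernameToken result, or throw if that header or the token is missing.
     * A null actor selects the header that carries no actor attribute.
     */
    public static WSSecurityEngineResult validateUsernameToken(
            WSSecurityEngine engine, Document soapEnvelope, String actor,
            CallbackHandler passwordCallback) throws WSSecurityException {

        // No Crypto is passed: nothing in this configuration verifies signatures.
        List results = engine.processSecurityHeader(soapEnvelope, actor, passwordCallback, null);
        if (results == null) {
            throw new WSSecurityException("no wsse:Security header for actor " + actor);
        }

        // Removing processors does not make the engine require a UsernameToken;
        // a header holding only a Timestamp would come back with no error. The
        // service therefore has to confirm for itself that a UT result exists.
        for (Object o : results) {
            WSSecurityEngineResult r = (WSSecurityEngineResult) o;
            Integer action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
            if (action != null && action.intValue() == WSConstants.UT) {
                return r;
            }
        }
        throw new WSSecurityException("security header did not contain a UsernameToken");
    }
}
```

With the Signature processor removed, the HMAC signature in the header Nicolas posted is neither verified nor rejected, so the body's integrity is no longer checked by wss4j and authentication rests on the UsernameToken password alone; since that header carries the password as PasswordText, the transport has to provide the confidentiality. The password check itself happens in the CallbackHandler that wss4j invokes for the UsernameToken, which is why it is passed in rather than written here.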