Posted to issues@cxf.apache.org by "Srinivasa Kukatla (JIRA)" <ji...@apache.org> on 2011/07/01 23:55:28 UTC

[jira] [Created] (CXF-3630) WSS4JIn Interceptor Issue

WSS4JIn Interceptor Issue
-------------------------

                 Key: CXF-3630
                 URL: https://issues.apache.org/jira/browse/CXF-3630
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.4
            Reporter: Srinivasa Kukatla


WSS4JInInterceptor does not assert the policies. Hence I had to use the PolicyBasedWSS4JInInterceptor, but it does not have the constructor. Hence I had to add the constructor. Here is another problem:

I have the following requirement: the SAML Assertion needs to be signed, and the Timestamp needs to be signed.

But, on the wss4jOutInterceptor, if I say Timestamp, SAMLTokenSigned, and Signature, the actions are mismatching. Hence I had to use only the first two actions.


<constructor-arg>
    <map>
        <entry key="action" value="Timestamp SAMLTokenSigned"/>
        <entry key="timeToLive" value="${timestamp.expiration.property}"/>
        <entry key="user" value="${client.signature.username}"/>
        <entry>
            <key>
                <value>passwordCallbackRef</value>
            </key>
            <ref bean="passwordCallBackHandler"/>
        </entry>
        <entry key="passwordType" value="PasswordDigest"/>
        <entry key="samlPropFile" value="${client.saml.properties}"/>
        <entry key="signaturePropFile" value="${client.signature.properties}"/>
        <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <entry key="signatureDigestAlgorithm" value="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"/>
    </map>
</constructor-arg>

But, on the WSS4JInInterceptor, I needed to configure 3 actions as shown below:

<constructor-arg>
    <map>
        <entry key="action" value="Timestamp SAMLTokenSigned Signature"/>
        <entry key="timeToLive" value="${timestamp.expiration.property}"/>
        <entry key="passwordType" value="PasswordDigest"/>
        <entry key="signaturePropFile" value="${server.signature.properties}"/>
        <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <entry key="signatureDigestAlgorithm" value="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"/>
        <entry key="enableSignatureConfirmation" value="true"/>
    </map>
</constructor-arg>

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Commented] (CXF-3630) WSS4JIn Interceptor Issue

Posted by "Glen Mazza (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-3630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13059187#comment-13059187 ] 

Glen Mazza commented on CXF-3630:
---------------------------------

I'm confused -- you first mention that "WSS4JInInterceptor does not assert the policies" which is true, because there aren't supposed to be WS-SecurityPolicy statements if you're using WSS4JInInterceptor; this older object was created before CXF had support for reading (and basing security on) WS-SecPol statements--or if there are such statements, they're to be ignored as usage of WSS4JInInterceptor means you want manual configuration and don't care what the WS-SecPol statements, if any, say.

So you switched to the WS-Policy-reading object instead, which means security is to be defined by SecPol statements that are within the WSDL being read by the client and web service provider.  But then you write "I need the following requirement, Saml Assertion needs to be signed, Timestamp needs to be signed"--is this a manual requirement on your part, or a requirement already declared within SecPol statements in the WSDL?  AFAIK it's gonna have to be the latter with PolicyBasedWSS4JInInterceptor.  Your usage of an action element with PolicyBasedWSS4JInInterceptor seems strange--because the required actions should already be defined in the WSDL--I don't even see "action" as an option for SecPol: https://cwiki.apache.org/CXF20DOC/ws-securitypolicy.html

Finally: "Hence I had to use the PolicyBasedWSS4JInInterceptor, but it does not have the constructor. Hence I had to add the constructor." -- I think there's a reason for no constructor, again, it's supposed to be reading the WSDL and basing all security rules on SecPol statements within it, no?


[jira] [Commented] (CXF-3630) WSS4JIn Interceptor Issue

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-3630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13100246#comment-13100246 ] 

Colm O hEigeartaigh commented on CXF-3630:
------------------------------------------


Hi Srinivas,

Could you describe in more detail the scenario you want to recreate? Are you using the CallbackHandler approach to create a SAML Assertion? By specifying it as an EndorsingSupportingToken, do you expect the certificate of the Subject of the Assertion to endorse the signature?

Colm.


[jira] [Commented] (CXF-3630) WSS4JIn Interceptor Issue

Posted by "Srinivasa Kukatla (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-3630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13059879#comment-13059879 ] 

Srinivasa Kukatla commented on CXF-3630:
----------------------------------------

Here is my requirement. I want all messages leaving to have a signed SAML Token, as well as a signed Timestamp. None of the body elements needs to be signed. We also want the WSDL to enforce the security policies. Here are the security policies configured in the WSDL.

    <wsp:Policy wsu:Id="Security_Binding_Policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:TransportBinding>
                    <wsp:Policy>
                        <sp:TransportToken>
                            <wsp:Policy>
                                <sp:HttpsToken>
                                    <wsp:Policy>
                                        <sp:RequireClientCertificate />
                                    </wsp:Policy>
                                </sp:HttpsToken>
                            </wsp:Policy>
                        </sp:TransportToken>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict />
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp />
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:Basic128 />
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                    </wsp:Policy>
                </sp:TransportBinding>
                <sp:EndorsingSupportingTokens>
                    <wsp:Policy>
                        <sp:SamlToken
                            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                            <wsp:Policy>
                                <sp:WssSamlV20Token11 />
                            </wsp:Policy>
                        </sp:SamlToken>
                    </wsp:Policy>
                </sp:EndorsingSupportingTokens>

                <sp:Wss11>
                    <wsp:Policy>
                        <sp:MustSupportRefKeyIdentifier />
                        <sp:MustSupportRefIssuerSerial />
                        <sp:RequireSignatureConfirmation />
                    </wsp:Policy>
                </sp:Wss11>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

Please let me know how we achieve that.

We have used WSS4JOutInterceptor and WSS4JInInterceptor, and configured them as shown in the previous message.


[jira] [Commented] (CXF-3630) WSS4JIn Interceptor Issue

Posted by "Srinivasa Kukatla (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-3630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13098794#comment-13098794 ] 

Srinivasa Kukatla commented on CXF-3630:
----------------------------------------

Colm,

It has been a long time. I realized that the issue is that currently CXF does not have support for SamlToken as an EndorsingSupportingToken if I use the policy framework.

I am working on some project where I need that support, hence I would like to write / develop a patch for that. Could you please guide me on how / what I need to do to complete that?

Please shed some light on which classes and files I need to modify?

If you are busy, could you please hook me up with one of the developers?

Regards
Srinivas


[jira] [Resolved] (CXF-3630) WSS4JIn Interceptor Issue

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3630?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp resolved CXF-3630.
------------------------------

       Resolution: Invalid
    Fix Version/s: Invalid
         Assignee: Colm O hEigeartaigh


As Colm and Glen mentioned, if using WS-SecurityPolicy to define the security requirements, you need to allow the Policy runtime to add the interceptors and provide the correct configuration for the SecurityPolicy interceptors.


[jira] [Commented] (CXF-3630) WSS4JIn Interceptor Issue

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-3630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13060626#comment-13060626 ] 

Colm O hEigeartaigh commented on CXF-3630:
------------------------------------------

Hi Srinivasa,

CXF should be fully capable of parsing that security policy, and constructing the appropriate request. You shouldn't have to go near the interceptors, or specify any actions in order to send and process these kinds of requests. See the SamlTokenTest in the systests for an example:

http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?view=markup

This set of tests uses the following WSDL (with embedded security policies):

http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl?view=markup

Here is the spring configuration for the client:

http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml?view=markup

You may also be interested in a write-up I did on a SAML sample in Talend Service Factory (based on Apache CXF 2.4.x):

http://coheigea.blogspot.com/2011/06/ws-securitypolicysaml-sample-in-talend.html

Colm.
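The policy-driven client setup that Colm and Dan describe, written out as an added example (this is not the CXF systest client.xml and not code from this thread): the hand-built WSS4JOutInterceptor bean with its "action" list is dropped, the bus enables the WS-Policy engine so the runtime adds the policy-based interceptors from the WSDL itself, and the signing material and SAML CallbackHandler are passed as ws-security.* properties on the jaxws:client. The port QName, the com.example classes and the ${...} property names are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread: a client that relies on the WS-SecurityPolicy
     in the WSDL instead of manual WSS4J actions. Port QName, bean classes and
     property placeholders are assumptions and must be replaced. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:cxf="http://cxf.apache.org/core"
       xmlns:p="http://cxf.apache.org/policy"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
           http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
           http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd">

    <!-- Turn on the WS-Policy engine for the bus. The runtime then reads the wsp:Policy
         attached in the WSDL (TransportBinding, EndorsingSupportingTokens/SamlToken,
         Wss11/RequireSignatureConfirmation) and installs the policy-based WSS4J
         interceptors itself. No WSS4JOutInterceptor/WSS4JInInterceptor bean and no
         "action" string appear anywhere in this file. -->
    <cxf:bus>
        <cxf:features>
            <p:policies/>
        </cxf:features>
    </cxf:bus>

    <!-- CallbackHandler that builds the SAML assertion the SamlToken policy requires
         (placeholder class; it is what ws-security.saml-callback-handler points at). -->
    <bean id="samlCallbackHandler" class="com.example.security.SamlCallbackHandler"/>

    <!-- CallbackHandler that releases the private-key password for the signing key
         (placeholder class). -->
    <bean id="keystorePasswordCallback" class="com.example.security.KeystorePasswordCallback"/>

    <!-- createdFromAPI="true": the proxy is created in code (Service.getPort) on this bus,
         and this element only contributes properties. The name must be the QName of the
         wsdl:port the Security_Binding_Policy is attached to; this one is a placeholder. -->
    <jaxws:client name="{http://www.example.org/contract/Placeholder}PlaceholderPort"
                  createdFromAPI="true">
        <jaxws:properties>
            <!-- CXF SecurityConstants keys. The policy runtime passes these to the
                 PolicyBased interceptors, replacing the map entries (user,
                 passwordCallbackRef, signaturePropFile, samlPropFile) of the manual setup. -->
            <entry key="ws-security.saml-callback-handler" value-ref="samlCallbackHandler"/>
            <entry key="ws-security.callback-handler" value-ref="keystorePasswordCallback"/>
            <entry key="ws-security.signature.username" value="${client.signature.username}"/>
            <entry key="ws-security.signature.properties" value="${client.signature.properties}"/>
        </jaxws:properties>
    </jaxws:client>

    <!-- Not shown: the TransportBinding/HttpsToken with RequireClientCertificate in the
         policy above also needs an http-conf:conduit with TLS client parameters (client
         keystore and truststore); without it the transport-level requirement is not met. -->

</beans>
```

The signature parts, timestamp and signature-confirmation handling that the manual configuration spelled out as "signatureParts" and "enableSignatureConfirmation" are derived by the runtime from the IncludeTimestamp and RequireSignatureConfirmation assertions in the WSDL policy, so any mismatch between the out and in action lists disappears.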
