Posted to users@cxf.apache.org by Giriraj Bhojak <gi...@gmail.com> on 2016/03/22 04:17:12 UTC

Encrypting timestamp or other security headers using WS-SecurityPolicy

Hello,


I need to sign and encrypt the timestamp WS-Security header.

My policy file has the following assertions:

    <sp:SignedParts>
        <sp:Body />
        <sp:Header Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
    </sp:SignedParts>
    <sp:EncryptedParts>
        <sp:Body />
        <sp:Header Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
    </sp:EncryptedParts>

The above namespace belongs to the wsu element.

I can still see the following entry in the wsse:Security element:

    <wsu:Timestamp wsu:Id="TS-A91AE37C42BC91148914586148175181">
        <wsu:Created>2016-03-22T02:46:57.516Z</wsu:Created>
        <wsu:Expires>2016-03-22T02:51:57.516Z</wsu:Expires>
    </wsu:Timestamp>



If I try to add the namespace of wsse into the signed and encrypted parts
above in order to encrypt and sign the entire header, as follows:

    <sp:SignedParts>
        <sp:Body />
        <sp:Header Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
    </sp:SignedParts>
    <sp:EncryptedParts>
        <sp:Body />
        <sp:Header Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
    </sp:EncryptedParts>



Then on the CXF server I get:

org.apache.cxf.interceptor.Fault- Exception Message: Found element {http://www.w3.org/2001/04/xmlenc#}EncryptionMethod but could not find matching RPC/Literal part

I am using CXF v2.7.11.

Am I doing something wrong?

Thanks,
Giriraj

Re: Encrypting timestamp or other security headers using WS-SecurityPolicy

Posted by Giriraj Bhojak <gi...@gmail.com>.
Thank you Colm, that policy did help out.

Thanks,
Giriraj
On Mar 23, 2016 1:57 PM, "Colm O hEigeartaigh" <co...@apache.org> wrote:


Re: Encrypting timestamp or other security headers using WS-SecurityPolicy

Posted by Colm O hEigeartaigh <co...@apache.org>.
See here:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl;h=dcf01b23c124795a04be170f5d8079102a516b35;hb=HEAD

On Wed, Mar 23, 2016 at 5:50 PM, Giriraj Bhojak <gi...@gmail.com> wrote:

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Encrypting timestamp or other security headers using WS-SecurityPolicy

Posted by Giriraj Bhojak <gi...@gmail.com>.
Thank you Colm.
Would you have a policy example of using EncryptedElements instead of
using EncryptedParts?
I tried a few combinations, but they didn't work out.

Thanks,
Giriraj
On Mar 23, 2016 12:58 PM, "Colm O hEigeartaigh" <co...@apache.org> wrote:


Re: Encrypting timestamp or other security headers using WS-SecurityPolicy

Posted by Colm O hEigeartaigh <co...@apache.org>.
Answers inline.

On Wed, Mar 23, 2016 at 4:49 PM, Giriraj Bhojak <gi...@gmail.com> wrote:

> Do you mean to say the timestamp is not just signed but encrypted as well
> if it is part of the AsymmetricBinding?
>
No, just signed.

> In my policy I have also added username token as a supporting token,
> outside of AsymmetricBinding. Would this token be signed and encrypted too?
>

No. However it would be if you specified a "SignedEncryptedSupportingToken"
policy instead of "SupportingToken".

Colm.


> I have written a Java client that is able to successfully send and receive
> a response using the policy. I have a requirement to test the endpoint
> using the SoapUI tool as well, and that's where I am facing issues, since I
> couldn't just import the policy into SoapUI.
>
> Thanks,
> Giriraj


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Encrypting timestamp or other security headers using WS-SecurityPolicy

Posted by Giriraj Bhojak <gi...@gmail.com>.
Thanks Colm.

Do you mean to say the timestamp is not just signed but encrypted as well
if it is part of the AsymmetricBinding?

In my policy I have also added username token as a supporting token,
outside of AsymmetricBinding. Would this token be signed and encrypted too?

I have written a Java client that is able to successfully send and receive
a response using the policy. I have a requirement to test the endpoint
using the SoapUI tool as well, and that's where I am facing issues, since I
couldn't just import the policy into SoapUI.

Thanks,
Giriraj
On Mar 23, 2016 7:04 AM, "Colm O hEigeartaigh" <co...@apache.org> wrote:


Re: Encrypting timestamp or other security headers using WS-SecurityPolicy

Posted by Colm O hEigeartaigh <co...@apache.org>.
If you are using the SymmetricBinding or AsymmetricBinding policies, the
Timestamp is automatically signed if the "IncludeTimestamp" policy is in
the Binding policy.

The "sp:Header" policy in SignedParts/EncryptedParts is designed to be used
for SOAP headers, not for internal headers in the security header (such as
Timestamp). Instead, use an "EncryptedElements" policy, with an XPath
expression pointing to the Timestamp.

Colm.

On Tue, Mar 22, 2016 at 3:17 AM, Giriraj Bhojak <gi...@gmail.com> wrote:


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com