Posted to users@cxf.apache.org by "rn@dev" <ra...@gmail.com> on 2014/03/01 17:22:37 UTC
UserName Token , Signature and Timestamp profile
I am trying to have usernametoken, signature and timestamp in the security
header using ws-policy. Everything except UsernameToken is getting populated
in the security header. Below is my policy:
<wsp:Policy
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:wsaw="http://www.w3.org/2005/08/addressing">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
          <sp:OnlySignEntireHeadersAndBody />
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:NoPassword/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
I am not sure what I'm missing here... much appreciate any help.
Thank you.
--
View this message in context: http://cxf.547215.n5.nabble.com/UserName-Token-Signature-and-Timestamp-profile-tp5740670.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: UserName Token , Signature and Timestamp profile
Posted by Colm O hEigeartaigh <co...@apache.org>.
Just leave out all SignedParts + SignedElements policies. The Timestamp
will be signed by default by the AsymmetricBinding.
Colm.
On Mon, Mar 3, 2014 at 2:37 PM, rn@dev <ra...@gmail.com> wrote:
> I need to sign only Timestamp, how can I do this with same policy?
>
> I am trying with
> <wsp:Policy>
>   <sp:SignedElements>
>     <sp:XPath>/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']
>       /*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']
>       /*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']
>       /*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']
>     </sp:XPath>
>     <sp:XPath>/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']
>       /*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']
>       /*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']
>       /*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']
>     </sp:XPath>
>   </sp:SignedElements>
>   <sp:EncryptedParts>
>     <sp:Body />
>   </sp:EncryptedParts>
> </wsp:Policy>
>
> but looks like something I'm missing here?
>
> Thanks.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: UserName Token , Signature and Timestamp profile
Posted by "rn@dev" <ra...@gmail.com>.
I need to sign only Timestamp, how can I do this with same policy?
I am trying with
<wsp:Policy>
  <sp:SignedElements>
    <sp:XPath>/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']
      /*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']
      /*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']
      /*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']
    </sp:XPath>
    <sp:XPath>/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']
      /*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']
      /*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']
      /*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']
    </sp:XPath>
  </sp:SignedElements>
  <sp:EncryptedParts>
    <sp:Body />
  </sp:EncryptedParts>
</wsp:Policy>
but looks like something I'm missing here?
Thanks.
Re: UserName Token , Signature and Timestamp profile
Posted by "rn@dev" <ra...@gmail.com>.
Yes, I have an Encrypted block in the request; setting
"ws-security.username-token.always.encrypted" to "false" on the client
resolved my issue.
Thanks for looking into this, appreciate it.
Re: UserName Token , Signature and Timestamp profile
Posted by Colm O hEigeartaigh <co...@apache.org>.
What does the request look like? By default, CXF encrypts UsernameTokens
and so you should see an "EncryptedData" block in the security header. You
can turn this behaviour off by setting the property
"ws-security.username-token.always.encrypted" to "false" on the client.
Colm.
On Sat, Mar 1, 2014 at 4:22 PM, rn@dev <ra...@gmail.com> wrote:
> I am trying to have usernametoken, signature and timestamp in the security
> header using ws-policy. Everything except UsernameToken is getting populated
> in the security header. Below is my policy:
>
> <wsp:Policy
>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>     xmlns:wsp="http://www.w3.org/ns/ws-policy"
>     xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>     xmlns:wsaw="http://www.w3.org/2005/08/addressing">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding>
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token
>                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token
>                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp />
>           <sp:OnlySignEntireHeadersAndBody />
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <sp:SupportingTokens>
>         <wsp:Policy>
>           <sp:UsernameToken
>               sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:NoPassword/>
>             </wsp:Policy>
>           </sp:UsernameToken>
>         </wsp:Policy>
>       </sp:SupportingTokens>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> I am not sure what I'm missing here... much appreciate any help.
>
> Thank you.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
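
One way to answer "what does the request look like?" for a logged outbound message, as an added example that is not part of the thread or of CXF: it lists the direct children of the wsse:Security header, reports whether a UsernameToken is visible in clear or an EncryptedData block is present instead, and shows which children the signature references (the Timestamp point from the follow-up reply). The sample message, its Id values and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample request (not captured from CXF); crypto values are elided.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"
    xmlns:ds="{DS}" xmlns:xenc="{XENC}">
  <soap:Header><wsse:Security>
    <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2014-03-01T16:22:37Z</wsu:Created></wsu:Timestamp>
    <wsse:BinarySecurityToken wsu:Id="X509-1"/>
    <xenc:EncryptedData Id="ED-1" Type="{XENC}Element"/>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#TS-1"/>
    </ds:SignedInfo></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="Body-1"/>
</soap:Envelope>"""

def inspect_security_header(xml_text):
    """Summarise the wsse:Security header: direct children, whether a
    UsernameToken is visible in clear, and which children are signed."""
    root = ET.fromstring(xml_text)
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is None:
        raise ValueError("no wsse:Security header in message")
    # Fragment identifiers the signature covers, e.g. "#TS-1" -> "TS-1".
    signed_ids = {ref.get("URI", "")[1:]
                  for ref in security.iter(f"{{{DS}}}Reference")
                  if ref.get("URI", "").startswith("#")}
    children, signed = [], []
    for child in security:
        name = child.tag.split("}")[-1]
        children.append(name)
        # wsu:Id is used on WS-Security elements, plain Id on xenc/ds ones.
        elem_id = child.get(f"{{{WSU}}}Id") or child.get("Id")
        if elem_id in signed_ids:
            signed.append(name)
    return {
        "children": children,
        "username_token_in_clear": "UsernameToken" in children,
        "encrypted_data_present": "EncryptedData" in children,
        "signed": signed,
    }

if __name__ == "__main__":
    print(inspect_security_header(SAMPLE))
```

A header with no clear-text UsernameToken but with an EncryptedData child matches the default behaviour described in the reply above; the script cannot confirm what the EncryptedData block contains without the recipient's key.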