Posted to users@cxf.apache.org by Ted Roeloffzen <te...@gmail.com> on 2013/08/13 09:08:33 UTC
CXF Security policy signature method
Hi All,
How does CXF determine which signature method to use?
Does it retrieve it from the security-policy in the WSDL or do you have to
configure it?
kind regards,
Ted
Re: Using WS-Policy to specify order of signing and encryption
Posted by Sam <j2...@gmail.com>.
Cool. Thanks Colm.
Sam
On 16/08/2013 8:39 p.m., Colm O hEigeartaigh wrote:
> Hi Sam,
>
>> If not specified, the default order is to sign and encrypt.
>> And I rarely see any use of this tag so I assume the default order is
> always right?
>
> If "sp:EncryptBeforeSigning" is not specified, then the default is always
> to sign before encrypting.
>
>> Am I right to say the order of <sp:EncryptedParts> and <sp:SignedParts>
> elements do not specify the order of encryption and signing in
>> both request and response?
> Correct.
>
> Colm.
>
>
>
> On Fri, Aug 16, 2013 at 9:18 AM, Sam <j2...@gmail.com> wrote:
>
>> Hi all,
>>
>> Could someone confirm my understanding for the order of encryption &
>> signing using WS-SecurityPolicy in WSDL?
>>
>> I saw in
>> http://fusesource.com/docs/esb/4.4/cxf_security/MsgProtect-SOAP-SymmetricPolicy.html
>> that says the order is specified
>> in sp:EncryptBeforeSigning. If not specified, the default order is to sign
>> and encrypt.
>>
>> And I rarely see any use of this tag so I assume the default order is
>> always right?
>>
>> What I do see in almost all WS-Policy file that comes with WSDL is
>> something like
>>
>> ...
>> <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
>> <wsp:ExactlyOne>
>> <wsp:All>
>> *<sp:EncryptedParts>*
>> <sp:Body />
>> </sp:EncryptedParts>
>> *<sp:SignedParts>*
>> <sp:Body />
>> <sp:Header Namespace="..." />
>> </sp:SignedParts>
>> </wsp:All>
>> </wsp:ExactlyOne>
>> </wsp:Policy>
>> <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
>> <wsp:ExactlyOne>
>> <wsp:All>
>> *<sp:EncryptedParts>*
>> <sp:Body />
>> </sp:EncryptedParts>
>> *<sp:SignedParts>*
>> <sp:Body />
>> <sp:Header Namespace="..." />
>> </sp:SignedParts>
>> </wsp:All>
>> </wsp:ExactlyOne>
>> </wsp:Policy>
>> </wsdl:definitions>
>>
>>
>> Am I right to say the order of <sp:EncryptedParts> and <sp:SignedParts>
>> elements do not specify the order of encryption and signing in both request
>> and response?
>>
>> Thanks in advance,
>> Sam
>>
>
>
Re: Using WS-Policy to specify order of signing and encryption
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Sam,
> If not specified, the default order is to sign and encrypt.
> And I rarely see any use of this tag so I assume the default order is
always right?
If "sp:EncryptBeforeSigning" is not specified, then the default is always
to sign before encrypting.
> Am I right to say the order of <sp:EncryptedParts> and <sp:SignedParts>
elements do not specify the order of encryption and signing in
> both request and response?
Correct.
Colm.
On Fri, Aug 16, 2013 at 9:18 AM, Sam <j2...@gmail.com> wrote:
> Hi all,
>
> Could someone confirm my understanding for the order of encryption &
> signing using WS-SecurityPolicy in WSDL?
>
> I saw in
> http://fusesource.com/docs/esb/4.4/cxf_security/MsgProtect-SOAP-SymmetricPolicy.html
> that says the order is specified
> in sp:EncryptBeforeSigning. If not specified, the default order is to sign
> and encrypt.
>
> And I rarely see any use of this tag so I assume the default order is
> always right?
>
> What I do see in almost all WS-Policy file that comes with WSDL is
> something like
>
> ...
> <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
> <wsp:ExactlyOne>
> <wsp:All>
> *<sp:EncryptedParts>*
> <sp:Body />
> </sp:EncryptedParts>
> *<sp:SignedParts>*
> <sp:Body />
> <sp:Header Namespace="..." />
> </sp:SignedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
> <wsp:ExactlyOne>
> <wsp:All>
> *<sp:EncryptedParts>*
> <sp:Body />
> </sp:EncryptedParts>
> *<sp:SignedParts>*
> <sp:Body />
> <sp:Header Namespace="..." />
> </sp:SignedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> </wsdl:definitions>
>
>
> Am I right to say the order of <sp:EncryptedParts> and <sp:SignedParts>
> elements do not specify the order of encryption and signing in both request
> and response?
>
> Thanks in advance,
> Sam
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
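The ordering question above, checked on the wire rather than in the policy. This is an added example and not code from the thread, CXF or WSS4J. It reads a SOAP message, lists the signature, digest, key-transport and data-encryption algorithm URIs the wsse:Security header carries, flags SHA-1 and RSA-1.5, and infers whether the sender signed before encrypting or encrypted before signing from header layout. The layout rule is an assumption about WS-Security stacks that prepend each operation's elements to the header (so the element that comes first was applied last); the envelope builder is a constructed sample with placeholder base64 values.

```python
"""Report what a WS-Security header actually carries.

Added example (not CXF or WSS4J code). Lists algorithm URIs, flags SHA-1 and
RSA-1.5, and infers protection order from header layout: WS-Security stacks
prepend each step's elements to wsse:Security, so whichever of ds:Signature /
xenc:EncryptedKey comes first was applied last (assumption, see lead-in).
"""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"

RSA_SHA1, SHA1 = DS + "rsa-sha1", DS + "sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256, RSA15, RSA_OAEP = XENC + "sha256", XENC + "rsa-1_5", XENC + "rsa-oaep-mgf1p"
DENY = {RSA_SHA1, SHA1, DS + "hmac-sha1", RSA15}  # what a SHA-1 ban should reject


def inspect_security_header(envelope_xml):
    root = ET.fromstring(envelope_xml)
    sec = root.find(f".//{{{WSSE}}}Security")
    if sec is None:
        raise ValueError("no wsse:Security header")

    def algs(scope, ns, name):
        return [m.get("Algorithm") for m in scope.iter(f"{{{ns}}}{name}")]

    algorithms = {
        "signature": algs(sec, DS, "SignatureMethod"),
        "digest": algs(sec, DS, "DigestMethod"),
        "key_transport": [m.get("Algorithm") for ek in sec.iter(f"{{{XENC}}}EncryptedKey")
                          for m in ek.findall(f"{{{XENC}}}EncryptionMethod")],
        "data_encryption": [m.get("Algorithm") for ed in root.iter(f"{{{XENC}}}EncryptedData")
                            for m in ed.findall(f"{{{XENC}}}EncryptionMethod")],
    }

    # Header layout -> order. Steps prepend, so document order is the reverse of
    # application order: Signature first means it was computed over ciphertext.
    tags = [child.tag for child in sec]

    def first(*names):
        return next((i for i, t in enumerate(tags) if t in names), None)

    sig = first(f"{{{DS}}}Signature")
    enc = first(f"{{{XENC}}}EncryptedKey", f"{{{XENC}}}ReferenceList")
    if sig is None and enc is not None and first(f"{{{XENC}}}EncryptedData") is not None:
        order = "sign-before-encrypt (signature itself encrypted)"
    elif sig is None or enc is None:
        order = "single operation"
    elif sig < enc:
        order = "encrypt-before-sign"
    else:
        order = "sign-before-encrypt"

    weak = sorted({a for uris in algorithms.values() for a in uris if a in DENY})
    return {"algorithms": algorithms, "order": order, "weak": weak}


def sample_envelope(sig_alg, digest_alg, key_transport, sign_first):
    """Constructed envelope with placeholder base64 values. sign_first=True lays
    the header out as a prepending stack does for sign-then-encrypt of the Body."""
    signature = f"""<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="{sig_alg}"/>
  <ds:Reference URI="#Body"><ds:DigestMethod Algorithm="{digest_alg}"/>
    <ds:DigestValue>Y29uc3RydWN0ZWQ=</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue></ds:Signature>"""
    encrypted_key = f"""<xenc:EncryptedKey xmlns:xenc="{XENC}" Id="EK-1">
  <xenc:EncryptionMethod Algorithm="{key_transport}"/>
  <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
  <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
</xenc:EncryptedKey>"""
    header = (encrypted_key + signature) if sign_first else (signature + encrypted_key)
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">
<soap:Header><wsse:Security xmlns:wsse="{WSSE}">{header}
  <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2013-08-13T09:08:33Z</wsu:Created></wsu:Timestamp>
</wsse:Security></soap:Header>
<soap:Body wsu:Id="Body"><xenc:EncryptedData xmlns:xenc="{XENC}" Id="ED-1" Type="{XENC}Content">
  <xenc:EncryptionMethod Algorithm="{XENC}aes256-cbc"/>
  <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData></soap:Body></soap:Envelope>"""


if __name__ == "__main__":
    seen = inspect_security_header(sample_envelope(RSA_SHA1, SHA1, RSA15, sign_first=True))
    fixed = inspect_security_header(sample_envelope(RSA_SHA256, SHA256, RSA_OAEP, sign_first=False))
    for label, r in (("default suite, sign then encrypt", seen), ("SHA-256, encrypt then sign", fixed)):
        print(label, "->", r["order"], "weak:", r["weak"])
```

The layout inference is a hint, not proof: sp:Lax lets a sender order the header differently, and the only conclusive test is whether the signature verifies before decryption (encrypt-before-sign) or only after it (sign-before-encrypt). The algorithm listing, on the other hand, is exactly the check to run on captured traffic when a policy change is supposed to have removed SHA-1.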
Using WS-Policy to specify order of signing and encryption
Posted by Sam <j2...@gmail.com>.
Hi all,
Could someone confirm my understanding for the order of encryption &
signing using WS-SecurityPolicy in WSDL?
I saw in
http://fusesource.com/docs/esb/4.4/cxf_security/MsgProtect-SOAP-SymmetricPolicy.html
that says the order is specified
in sp:EncryptBeforeSigning. If not specified, the default order is to
sign and encrypt.
And I rarely see any use of this tag so I assume the default order is
always right?
What I do see in almost all WS-Policy file that comes with WSDL is
something like
...
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
<wsp:ExactlyOne>
<wsp:All>
*<sp:EncryptedParts>*
<sp:Body />
</sp:EncryptedParts>
*<sp:SignedParts>*
<sp:Body />
<sp:Header Namespace="..." />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
<wsp:ExactlyOne>
<wsp:All>
*<sp:EncryptedParts>*
<sp:Body />
</sp:EncryptedParts>
*<sp:SignedParts>*
<sp:Body />
<sp:Header Namespace="..." />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</wsdl:definitions>
Am I right to say the order of <sp:EncryptedParts> and <sp:SignedParts>
elements do not specify the order of encryption and signing in both
request and response?
Thanks in advance,
Sam
Re: CXF Security policy signature method
Posted by Colm O hEigeartaigh <co...@apache.org>.
Yes, you could try overriding the default AlgorithmSuite. See this blog
post for more information:
http://coheigea.blogspot.ie/2011/09/specifying-custom-algorithmsuite.html
Colm.
On Tue, Aug 13, 2013 at 2:48 PM, Ted Roeloffzen <te...@gmail.com> wrote:
> Thank you for creating the JIRA.
>
> In this case I'm screwed, I think.
> As far as I know, RSA-SHA256 is mandatory for this service to work.
> Is there a way to work around it?
>
> Is there a class that I can inherit from to make it work?
>
> Ted
>
>
>
> 2013/8/13 Colm O hEigeartaigh <co...@apache.org>
>
> > SHA-256 is only used for the digest algorithm for any of the standard
> > WS-SecurityPolicy AlgorithmSuites. The Signature Algorithm is always
> > RSA-SHA1 and cannot be configured. Ideally, we would have a new
> > specification to cater for newer security algorithms, but this does not
> > appear likely from my understanding.
> >
> > I've created a JIRA to find a way around this problem:
> >
> > https://issues.apache.org/jira/browse/CXF-5200
> >
> > I think I will add a configuration option to override the default
> RSA-SHA1
> > signature algorithm.
> >
> > Colm.
> >
> >
> > On Tue, Aug 13, 2013 at 2:19 PM, Ted Roeloffzen <ted.roeloffzen@gmail.com> wrote:
> >
> > > I was afraid of that.
> > >
> > > The policy that is used is as follows:
> > >
> > > <wsp:Policy wsu:Id="...">
> > > <wsp:ExactlyOne>
> > > <wsp:All>
> > > <sp:AsymmetricBinding>
> > > <wsp:Policy>
> > > <sp:InitiatorToken>
> > > <wsp:Policy>
> > > <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > > <wsp:Policy>
> > > <sp:RequireThumbprintReference/>
> > > <sp:WssX509V3Token10/>
> > > </wsp:Policy>
> > > </sp:X509Token>
> > > </wsp:Policy>
> > > </sp:InitiatorToken>
> > > <sp:RecipientToken>
> > > <wsp:Policy>
> > > <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
> > > <wsp:Policy>
> > > <sp:RequireThumbprintReference/>
> > > <sp:WssX509V3Token10/>
> > > </wsp:Policy>
> > > </sp:X509Token>
> > > </wsp:Policy>
> > > </sp:RecipientToken>
> > > <sp:AlgorithmSuite>
> > > <wsp:Policy>
> > > <sp:Basic256Sha256Rsa15/>
> > > </wsp:Policy>
> > > </sp:AlgorithmSuite>
> > > <sp:Layout>
> > > <wsp:Policy>
> > > <sp:Lax/>
> > > </wsp:Policy>
> > > </sp:Layout>
> > > <sp:IncludeTimestamp/>
> > > <sp:OnlySignEntireHeadersAndBody/>
> > > </wsp:Policy>
> > > </sp:AsymmetricBinding>
> > > </wsp:All>
> > > </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > >
> > > When I look at this policy, I'd think that RSA-SHA256 would be used as the
> > > signature algorithm, but when I look at the XML that is output by CXF,
> > > RSA-SHA1 is used.
> > >
> > > Where am I going wrong?
> > >
> > > Ted
> > >
> > >
> > >
> > >
> > > 2013/8/13 Colm O hEigeartaigh <co...@apache.org>
> > >
> > > > You can't set the SignatureAlgorithm if you are using WS-SecurityPolicy,
> > > > as it defaults to that of the spec. What requirements do you have? What
> > > > signature algorithm do you want to use?
> > > >
> > > > Colm.
> > > >
> > > >
> > > > On Tue, Aug 13, 2013 at 1:36 PM, Ted Roeloffzen <ted.roeloffzen@gmail.com> wrote:
> > > >
> > > >> Hi Colm,
> > > >>
> > > >> The WSS4JOutInterceptor is created and configured automatically by CXF,
> > > >> right?
> > > >> Can I somehow retrieve the WSS4JOutInterceptor during the process and set
> > > >> the signatureAlgorithm tag, without having to configure the entire
> > > >> interceptor?
> > > >>
> > > >> Ted
> > > >>
> > > >>
> > > >>
> > > >>
> > > >> 2013/8/13 Colm O hEigeartaigh <co...@apache.org>
> > > >>
> > > >>> If you are using WS-SecurityPolicy, then the spec defines the signature
> > > >>> method as "RSA-SHA1" for Asymmetric Signature, and "HMAC-SHA1" for
> > > >>> Symmetric Signature. Otherwise, you can set it via the "signatureAlgorithm"
> > > >>> configuration tag on the WSS4JOutInterceptor.
> > > >>>
> > > >>> Colm.
> > > >>>
> > > >>>
> > > >>> On Tue, Aug 13, 2013 at 8:08 AM, Ted Roeloffzen <ted.roeloffzen@gmail.com> wrote:
> > > >>>
> > > >>> > Hi All,
> > > >>> >
> > > >>> > How does CXF determine which signature method to use?
> > > >>> > Does it retrieve it from the security-policy in the WSDL or do you have to
> > > >>> > configure it?
> > > >>> >
> > > >>> > kind regards,
> > > >>> >
> > > >>> > Ted
> > > >>> >
> > > >>>
> > > >>>
> > > >>>
> > > >>> --
> > > >>> Colm O hEigeartaigh
> > > >>>
> > > >>> Talend Community Coder
> > > >>> http://coders.talend.com
> > > >>>
> > > >>
> > > >>
> > > >
> > > >
> > > > --
> > > > Colm O hEigeartaigh
> > > >
> > > > Talend Community Coder
> > > > http://coders.talend.com
> > > >
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: CXF Security policy signature method
Posted by Ted Roeloffzen <te...@gmail.com>.
Thank you for creating the JIRA.
In this case I'm screwed, I think.
As far as I know, RSA-SHA256 is mandatory for this service to work.
Is there a way to work around it?
Is there a class that I can inherit from to make it work?
Ted
2013/8/13 Colm O hEigeartaigh <co...@apache.org>
> SHA-256 is only used for the digest algorithm for any of the standard
> WS-SecurityPolicy AlgorithmSuites. The Signature Algorithm is always
> RSA-SHA1 and cannot be configured. Ideally, we would have a new
> specification to cater for newer security algorithms, but this does not
> appear likely from my understanding.
>
> I've created a JIRA to find a way around this problem:
>
> https://issues.apache.org/jira/browse/CXF-5200
>
> I think I will add a configuration option to override the default RSA-SHA1
> signature algorithm.
>
> Colm.
>
>
> On Tue, Aug 13, 2013 at 2:19 PM, Ted Roeloffzen <ted.roeloffzen@gmail.com> wrote:
>
> > I was afraid of that.
> >
> > The policy that is used is as follows:
> >
> > <wsp:Policy wsu:Id="...">
> > <wsp:ExactlyOne>
> > <wsp:All>
> > <sp:AsymmetricBinding>
> > <wsp:Policy>
> > <sp:InitiatorToken>
> > <wsp:Policy>
> > <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > <wsp:Policy>
> > <sp:RequireThumbprintReference/>
> > <sp:WssX509V3Token10/>
> > </wsp:Policy>
> > </sp:X509Token>
> > </wsp:Policy>
> > </sp:InitiatorToken>
> > <sp:RecipientToken>
> > <wsp:Policy>
> > <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
> > <wsp:Policy>
> > <sp:RequireThumbprintReference/>
> > <sp:WssX509V3Token10/>
> > </wsp:Policy>
> > </sp:X509Token>
> > </wsp:Policy>
> > </sp:RecipientToken>
> > <sp:AlgorithmSuite>
> > <wsp:Policy>
> > <sp:Basic256Sha256Rsa15/>
> > </wsp:Policy>
> > </sp:AlgorithmSuite>
> > <sp:Layout>
> > <wsp:Policy>
> > <sp:Lax/>
> > </wsp:Policy>
> > </sp:Layout>
> > <sp:IncludeTimestamp/>
> > <sp:OnlySignEntireHeadersAndBody/>
> > </wsp:Policy>
> > </sp:AsymmetricBinding>
> > </wsp:All>
> > </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> >
> > When I look at this policy, I'd think that RSA-SHA256 would be used as the
> > signature algorithm, but when I look at the XML that is output by CXF,
> > RSA-SHA1 is used.
> >
> > Where am I going wrong?
> >
> > Ted
> >
> >
> >
> >
> > 2013/8/13 Colm O hEigeartaigh <co...@apache.org>
> >
> > > You can't set the SignatureAlgorithm if you are using WS-SecurityPolicy,
> > > as it defaults to that of the spec. What requirements do you have? What
> > > signature algorithm do you want to use?
> > >
> > > Colm.
> > >
> > >
> > > On Tue, Aug 13, 2013 at 1:36 PM, Ted Roeloffzen <ted.roeloffzen@gmail.com> wrote:
> > >
> > >> Hi Colm,
> > >>
> > >> The WSS4JOutInterceptor is created and configured automatically by CXF,
> > >> right?
> > >> Can I somehow retrieve the WSS4JOutInterceptor during the process and set
> > >> the signatureAlgorithm tag, without having to configure the entire
> > >> interceptor?
> > >>
> > >> Ted
> > >>
> > >>
> > >>
> > >>
> > >> 2013/8/13 Colm O hEigeartaigh <co...@apache.org>
> > >>
> > >>> If you are using WS-SecurityPolicy, then the spec defines the signature
> > >>> method as "RSA-SHA1" for Asymmetric Signature, and "HMAC-SHA1" for
> > >>> Symmetric Signature. Otherwise, you can set it via the "signatureAlgorithm"
> > >>> configuration tag on the WSS4JOutInterceptor.
> > >>>
> > >>> Colm.
> > >>>
> > >>>
> > >>> On Tue, Aug 13, 2013 at 8:08 AM, Ted Roeloffzen <ted.roeloffzen@gmail.com> wrote:
> > >>>
> > >>> > Hi All,
> > >>> >
> > >>> > How does CXF determine which signature method to use?
> > >>> > Does it retrieve it from the security-policy in the WSDL or do you have to
> > >>> > configure it?
> > >>> >
> > >>> > kind regards,
> > >>> >
> > >>> > Ted
> > >>> >
> > >>>
> > >>>
> > >>>
> > >>> --
> > >>> Colm O hEigeartaigh
> > >>>
> > >>> Talend Community Coder
> > >>> http://coders.talend.com
> > >>>
> > >>
> > >>
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
Re: CXF Security policy signature method
Posted by Colm O hEigeartaigh <co...@apache.org>.
Yes the fix will also be available in the 3.1.3 release. I'm not sure when
that release will be as we have only released 3.1.2 a few weeks back - we
normally release every 2 months or so.
Colm.
On Tue, Aug 18, 2015 at 6:05 PM, jsmith828 <je...@putnam.com> wrote:
> Thanks Colm. Looks like the change was to SAMLUtils and
> SamlCallbackHandler.
> I'll clone the cxf-3.0.x-fixes branch and give that a shot. Will this be
> available in the 3.1.3 release of CXF and if so can you let me know around
> when that might be available? Cheers!
>
>
>
> -----
> -Jeff
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-Security-policy-signature-method-tp5732250p5760265.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: CXF Security policy signature method
Posted by jsmith828 <je...@putnam.com>.
Thanks Colm. Looks like the change was to SAMLUtils and SamlCallbackHandler.
I'll clone the cxf-3.0.x-fixes branch and give that a shot. Will this be
available in the 3.1.3 release of CXF and if so can you let me know around
when that might be available? Cheers!
-----
-Jeff
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-Security-policy-signature-method-tp5732250p5760265.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: CXF Security policy signature method
Posted by Colm O hEigeartaigh <co...@apache.org>.
It's a bug, now fixed:
https://issues.apache.org/jira/browse/CXF-6543
Colm.
On Thu, Aug 13, 2015 at 3:10 PM, jsmith828 <je...@putnam.com> wrote:
> It's the "action" approach. I've written a custom CallbackHandler to
> create
> my SAML assertion and defined it in my security.saml-callback-handler
> property of my JAXRSClientFactoryBean. I've tried setting the following in
> my CallbackHandler but it still doesn't work.
>
>
> callback.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
>
> callback.setSignatureDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA256);
>
> The SignatureMethod alg is still "rsa-sha1" and the DigestMethod alg is
> "sha1". No errors reported; it's just not using the set algorithm.
> Unrestricted policies in place. Not sure what I am still missing. -Jeff
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-Security-policy-signature-method-tp5732250p5760065.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: CXF Security policy signature method
Posted by jsmith828 <je...@putnam.com>.
It's the "action" approach. I've written a custom CallbackHandler to create
my SAML assertion and defined it in my security.saml-callback-handler
property of my JAXRSClientFactoryBean. I've tried setting the following in
my CallbackHandler but it still doesn't work.
callback.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
callback.setSignatureDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA256);
The SignatureMethod alg is still "rsa-sha1" and the DigestMethod alg is
"sha1". No errors reported; it's just not using the set algorithm.
Unrestricted policies in place. Not sure what I am still missing. -Jeff
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-Security-policy-signature-method-tp5732250p5760065.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: CXF Security policy signature method
Posted by Colm O hEigeartaigh <co...@apache.org>.
Are you using WS-Security via the "action" approach or via
WS-SecurityPolicy?
a) Action approach. Simply specify the following algorithms in the
WSS4JOutInterceptor configuration:
signatureDigestAlgorithm - http://www.w3.org/2001/04/xmlenc#sha256
signatureAlgorithm - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
b) WS-SecurityPolicy approach.
Digest: Use one of the AlgorithmSuites that ends in "Sha256", e.g.
"sp:Basic256Sha256".
Signature: Set the JAX-WS property
"ws-security.asymmetric.signature.algorithm" to
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
Colm.
On Thu, Aug 13, 2015 at 12:58 AM, jsmith828 <je...@putnam.com>
wrote:
> I actually have the same issue in that my sec engineering department will
> not
> allow any SHA-1 algorithms of any kind and require a minimum of SHA-256 for
> the digest algorithm. I am using CXF-3.1.0 and I was hoping the ability to
> override SHA-1 was now available and if so how can I do it.
>
> Thanks!
> -Jeff
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-Security-policy-signature-method-tp5732250p5760020.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
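The two rules that run through this thread (the AlgorithmSuite name only moves the digest, the signature algorithm stays at the spec's RSA-SHA1/HMAC-SHA1 unless CXF's "ws-security.asymmetric.signature.algorithm" property overrides it, and sign-before-encrypt is the default unless sp:EncryptBeforeSigning is asserted) are easy to get wrong by reading a WSDL by eye, as the Basic256Sha256Rsa15 policy posted above shows. The following is an added example, not CXF or WSS4J code: a small auditor that parses a WS-SecurityPolicy binding and reports what it commits you to, flagging SHA-1, RSA-1.5 key transport and 3DES. The asymmetric_signature_override parameter is a hypothetical stand-in for the CXF property, and sample_policy() is a constructed policy in the shape of the one posted, with the token assertions shortened.

```python
"""Audit what a WS-SecurityPolicy 1.2 binding actually commits you to.

Added example (not CXF or WSS4J code). Encodes the rules stated in the thread:
the AlgorithmSuite name fixes digest, cipher and key transport; the signature
algorithm is pinned by the spec to RSA-SHA1 (AsymmetricBinding) or HMAC-SHA1
(SymmetricBinding); only CXF's "ws-security.asymmetric.signature.algorithm"
property changes it; and the order is sign-before-encrypt unless
sp:EncryptBeforeSigning is asserted.
"""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

# Standard XML Signature / XML Encryption algorithm identifiers.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
CIPHERS = {  # suite-name prefix -> data encryption algorithm
    "Basic256": "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "Basic192": "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
    "Basic128": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "TripleDes": "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
}
# SHA-1 signatures/digests, PKCS#1 v1.5 key transport and 3DES get flagged.
WEAK = {RSA_SHA1, HMAC_SHA1, SHA1, RSA15, CIPHERS["TripleDes"]}


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _short(uri):
    return uri.rsplit("#", 1)[-1]


def audit_policy(policy_xml, asymmetric_signature_override=None):
    """Return the algorithms and protection order implied by the policy.

    asymmetric_signature_override is a hypothetical parameter standing in for
    the CXF JAX-WS property "ws-security.asymmetric.signature.algorithm",
    which is set on the client/endpoint, not in the policy itself.
    """
    root = ET.fromstring(policy_xml)
    for kind in ("AsymmetricBinding", "SymmetricBinding"):
        binding = root.find(f".//{{{SP}}}{kind}")
        if binding is not None:
            break
    else:
        raise ValueError("policy has no Asymmetric/SymmetricBinding assertion")

    suite_assertion = binding.find(f".//{{{SP}}}AlgorithmSuite")
    if suite_assertion is None:
        raise ValueError(f"{kind} has no AlgorithmSuite")
    # AlgorithmSuite > wsp:Policy > sp:<SuiteName/>. The wsp namespace differs
    # between WS-Policy 1.2 and 1.5, so walk the children instead of naming it.
    suite = next(_local(el.tag) for policy in suite_assertion for el in policy)
    cipher = next((uri for prefix, uri in CIPHERS.items() if suite.startswith(prefix)),
                  "unknown")

    result = {
        "binding": kind,
        "suite": suite,
        "digest": SHA256 if "Sha256" in suite else SHA1,
        "encryption": cipher,
        "key_transport": RSA15 if suite.endswith("Rsa15") else RSA_OAEP,
        # Fixed by the spec: no suite name changes the signature algorithm.
        "signature": RSA_SHA1 if kind == "AsymmetricBinding" else HMAC_SHA1,
        "order": ("encrypt-before-sign"
                  if binding.find(f".//{{{SP}}}EncryptBeforeSigning") is not None
                  else "sign-before-encrypt"),
    }
    if kind == "AsymmetricBinding" and asymmetric_signature_override:
        result["signature"] = asymmetric_signature_override
    result["weak"] = sorted(k for k in ("digest", "encryption", "key_transport", "signature")
                            if result[k] in WEAK)
    return result


def sample_policy(suite, encrypt_before_signing=False):
    """Constructed policy in the shape posted in the thread (token assertions
    shortened); not the policy of any real service."""
    order = "<sp:EncryptBeforeSigning/>" if encrypt_before_signing else ""
    return f"""<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="{SP}"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="SamplePolicy">
  <wsp:ExactlyOne><wsp:All><sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken><wsp:Policy>
      <sp:X509Token sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient">
        <wsp:Policy><sp:RequireThumbprintReference/><sp:WssX509V3Token10/></wsp:Policy>
      </sp:X509Token></wsp:Policy></sp:InitiatorToken>
    <sp:AlgorithmSuite><wsp:Policy><sp:{suite}/></wsp:Policy></sp:AlgorithmSuite>
    <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
    <sp:IncludeTimestamp/><sp:OnlySignEntireHeadersAndBody/>{order}
  </wsp:Policy></sp:AsymmetricBinding></wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""


if __name__ == "__main__":
    cases = [
        ("as posted", audit_policy(sample_policy("Basic256Sha256Rsa15"))),
        ("plus CXF property", audit_policy(sample_policy("Basic256Sha256Rsa15"), RSA_SHA256)),
        ("Basic256Sha256 + EncryptBeforeSigning + property",
         audit_policy(sample_policy("Basic256Sha256", True), RSA_SHA256)),
    ]
    for label, r in cases:
        print(f"{label}: sig={_short(r['signature'])} digest={_short(r['digest'])} "
              f"keywrap={_short(r['key_transport'])} order={r['order']} weak={r['weak']}")
```

Two things the output makes visible that the policy text does not: the Rsa15 suffix on the posted suite selects PKCS#1 v1.5 key transport, which the SHA-256 override does nothing about, so a "no SHA-1" requirement is only half of the clean-up; and the default protection order leaves the signature under the encryption, which is the standard WS-SecurityPolicy behaviour rather than anything the EncryptedParts/SignedParts ordering in the WSDL controls.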
Re: CXF Security policy signature method
Posted by jsmith828 <je...@putnam.com>.
I actually have the same issue in that my sec engineering department will not
allow any SHA-1 algorithms of any kind and require a minimum of SHA-256 for
the digest algorithm. I am using CXF-3.1.0 and I was hoping the ability to
override SHA-1 was now available and if so how can I do it.
Thanks!
-Jeff
--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-Security-policy-signature-method-tp5732250p5760020.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: CXF Security policy signature method
Posted by Colm O hEigeartaigh <co...@apache.org>.
SHA-256 is only used for the digest algorithm for any of the standard
WS-SecurityPolicy AlgorithmSuites. The Signature Algorithm is always
RSA-SHA1 and cannot be configured. Ideally, we would have a new
specification to cater for newer security algorithms, but this does not
appear likely from my understanding.
I've created a JIRA to find a way around this problem:
https://issues.apache.org/jira/browse/CXF-5200
I think I will add a configuration option to override the default RSA-SHA1
signature algorithm.
Colm.
On Tue, Aug 13, 2013 at 2:19 PM, Ted Roeloffzen <te...@gmail.com> wrote:
> I was afraid of that.
>
> The policy that is used is as follows:
>
> <wsp:Policy wsu:Id="...">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256Sha256Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Lax/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> When I look at this policy, I'd think that RSA-SHA256 would be used as the
> signature algorithm, but when I look at the XML that is output by CXF,
> RSA-SHA1 is used.
>
> Where am I going wrong?
>
> Ted
>
>
>
>
> 2013/8/13 Colm O hEigeartaigh <co...@apache.org>
>
> > You can't set the SignatureAlgorithm if you are using WS-SecurityPolicy,
> > as it defaults to that of the spec. What requirements do you have? What
> > signature algorithm do you want to use?
> >
> > Colm.
> >
> >
> > On Tue, Aug 13, 2013 at 1:36 PM, Ted Roeloffzen <ted.roeloffzen@gmail.com> wrote:
> >
> >> Hi Colm,
> >>
> >> The WSS4JOutInterceptor is created and configured automatically by CXF,
> >> right?
> >> Can I somehow retrieve the WSS4JOutInterceptor during the process and set
> >> the signatureAlgorithm tag, without having to configure the entire
> >> interceptor?
> >>
> >> Ted
> >>
> >>
> >>
> >>
> >> 2013/8/13 Colm O hEigeartaigh <co...@apache.org>
> >>
> >>> If you are using WS-SecurityPolicy, then the spec defines the signature
> >>> method as "RSA-SHA1" for Asymmetric Signature, and "HMAC-SHA1" for
> >>> Symmetric Signature. Otherwise, you can set it via the "signatureAlgorithm"
> >>> configuration tag on the WSS4JOutInterceptor.
> >>>
> >>> Colm.
> >>>
> >>>
> >>> On Tue, Aug 13, 2013 at 8:08 AM, Ted Roeloffzen <ted.roeloffzen@gmail.com> wrote:
> >>>
> >>> > Hi All,
> >>> >
> >>> > How does CXF determine which signature method to use?
> >>> > Does it retrieve it from the security-policy in the WSDL or do you have to
> >>> > configure it?
> >>> >
> >>> > kind regards,
> >>> >
> >>> > Ted
> >>> >
> >>>
> >>>
> >>>
> >>> --
> >>> Colm O hEigeartaigh
> >>>
> >>> Talend Community Coder
> >>> http://coders.talend.com
> >>>
> >>
> >>
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Fwd: CXF Security policy signature method
Posted by Ted Roeloffzen <te...@gmail.com>.
I was afraid of that.
The policy that is used is as follows:
<wsp:Policy wsu:Id="...">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256Sha256Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
When I look at this policy, I'd think that RSA-SHA256 would be used as the
signature algorithm, but when I look at the XML that is output by CXF,
RSA-SHA1 is used.
Where am I going wrong?
Ted
2013/8/13 Colm O hEigeartaigh <co...@apache.org>
> You can't set the SignatureAlgorithm if you are using WS-SecurityPolicy,
> as it defaults to that of the spec. What requirements do you have? What
> signature algorithm do you want to use?
>
> Colm.
>
>
> On Tue, Aug 13, 2013 at 1:36 PM, Ted Roeloffzen <te...@gmail.com> wrote:
>
>> Hi Colm,
>>
>> The WSS4JOutInterceptor is created and configured automatically by CXF,
>> right?
>> Can I somehow retrieve the WSS4JOutInterceptor during the process and set
>> the signatureAlgorithm tag, without having to configure the entire
>> interceptor?
>>
>> Ted
>>
>>
>>
>>
>> 2013/8/13 Colm O hEigeartaigh <co...@apache.org>
>>
>>> If you are using WS-SecurityPolicy, then the spec defines the signature
>>> method as "RSA-SHA1" for Asymmetric Signature, and "HMAC-SHA1" for
>>> Symmetric Signature. Otherwise, you can set it via the "signatureAlgorithm"
>>> configuration tag on the WSS4JOutInterceptor.
>>>
>>> Colm.
>>>
>>>
>>> On Tue, Aug 13, 2013 at 8:08 AM, Ted Roeloffzen <ted.roeloffzen@gmail.com> wrote:
>>>
>>> > Hi All,
>>> >
>>> > How does CXF determine which signature method to use?
>>> > Does it retrieve it from the security-policy in the WSDL or do you have to
>>> > configure it?
>>> >
>>> > kind regards,
>>> >
>>> > Ted
>>> >
>>>
>>>
>>>
>>> --
>>> Colm O hEigeartaigh
>>>
>>> Talend Community Coder
>>> http://coders.talend.com
>>>
>>
>>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
Re: CXF Security policy signature method
Posted by Colm O hEigeartaigh <co...@apache.org>.
You can't set the SignatureAlgorithm if you are using WS-SecurityPolicy, as
it defaults to that of the spec. What requirements do you have? What
signature algorithm do you want to use?
Colm.
On Tue, Aug 13, 2013 at 1:36 PM, Ted Roeloffzen <te...@gmail.com> wrote:
> Hi Colm,
>
> The WSS4JOutInterceptor is created and configured automatically by CXF,
> right?
> Can I somehow retrieve the WSS4JOutInterceptor during the process and set
> the signatureAlgorithm tag, without having to configure the entire
> interceptor?
>
> Ted
>
>
>
>
> 2013/8/13 Colm O hEigeartaigh <co...@apache.org>
>
>> If you are using WS-SecurityPolicy, then the spec defines the signature
>> method as "RSA-SHA1" for Asymmetric Signature, and "HMAC-SHA1" for
>> Symmetric Signature. Otherwise, you can set it via the "signatureAlgorithm"
>> configuration tag on the WSS4JOutInterceptor.
>>
>> Colm.
>>
>>
>> On Tue, Aug 13, 2013 at 8:08 AM, Ted Roeloffzen <ted.roeloffzen@gmail.com> wrote:
>>
>> > Hi All,
>> >
>> > How does CXF determine which signature method to use?
>> > Does it retrieve it from the security-policy in the WSDL or do you have to
>> > configure it?
>> >
>> > kind regards,
>> >
>> > Ted
>> >
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: CXF Security policy signature method
Posted by Ted Roeloffzen <te...@gmail.com>.
Hi Colm,
The WSS4JOutInterceptor is created and configured automatically by CXF,
right?
Can I somehow retrieve the WSS4JOutInterceptor during the process and set
the signatureAlgorithm tag, without having to configure the entire
interceptor?
Ted
2013/8/13 Colm O hEigeartaigh <co...@apache.org>
> If you are using WS-SecurityPolicy, then the spec defines the signature
> method as "RSA-SHA1" for Asymmetric Signature, and "HMAC-SHA1" for
> Symmetric Signature. Otherwise, you can set it via the "signatureAlgorithm"
> configuration tag on the WSS4JOutInterceptor.
>
> Colm.
>
>
> On Tue, Aug 13, 2013 at 8:08 AM, Ted Roeloffzen <ted.roeloffzen@gmail.com> wrote:
>
> > Hi All,
> >
> > How does CXF determine which signature method to use?
> > Does it retrieve it from the security-policy in the WSDL or do you have to
> > configure it?
> >
> > kind regards,
> >
> > Ted
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
Re: CXF Security policy signature method
Posted by Colm O hEigeartaigh <co...@apache.org>.
If you are using WS-SecurityPolicy, then the spec defines the signature
method as "RSA-SHA1" for Asymmetric Signature, and "HMAC-SHA1" for
Symmetric Signature. Otherwise, you can set it via the "signatureAlgorithm"
configuration tag on the WSS4JOutInterceptor.
Colm.
On Tue, Aug 13, 2013 at 8:08 AM, Ted Roeloffzen <te...@gmail.com> wrote:
> Hi All,
>
> How does CXF determine which signature method to use?
> Does it retrieve it from the security-policy in the WSDL or do you have to
> configure it?
>
> kind regards,
>
> Ted
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com