Posted to users@ws.apache.org by Kai Rommel <kr...@googlemail.com> on 2013/11/06 16:13:13 UTC

Re: Issue because elements within signedParts list are not optional

Hi Colm,
thanks for the information. I used WS-SecurityPolicy and I do not get the
exception. I am wondering whether there will be a fix for WSS4J to align
the behaviour, or is it recommended not to use WSS4JOutInterceptor but to
use WS-SecurityPolicy in the future.
Thanks.
Best regards
Kai


2013/10/25 Colm O hEigeartaigh <co...@apache.org>

> Hi Kai,
>
> Rather than using CXF's WSS4JOutInterceptor, you need to use
> WS-SecurityPolicy instead. When WSS4J is configured in this way, any
> SignedParts Element will only be signed if they exist in the message.
>
> Colm.
>
>
> On Fri, Oct 25, 2013 at 1:35 PM, Kai Rommel <kr...@googlemail.com> wrote:
>
>> Hi,
>> I am trying to consume a WebService which requires WSRM and that the SOAP
>> headers are signed.
>>
>> So I listed in the configuration of the interceptor
>> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor of the cxf endpoint
>> the elements to sign:
>>  <entry key="signatureParts"
>>         value="{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}To;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}ReplyTo;
>> ....
>>
>> Doing so leads to a successful CreateSequence message sent to the
>> WS-Provider, which answers with a CreateSequenceResponse.
>> But now the cxf WS-Consumer endpoint tries to sign the One-Way message.
>> This message does not have the header "ReplyTo", and an exception is thrown
>> in the class org.apache.ws.security.message.WSSecSignatureBase
>>
>> It is in line 159, where the elementsToSign are checked.
>>
>> In the specification
>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826512 following
>> is stated: "Note that this assertion does not require that a given part
>> appear in a message, just that if such a part appears, it requires
>> integrity protection."
>>
>> Is there a possibility to change the wss4j implementation so that only
>> these elements of the SignedParts configuration are signed, which are
>> available in the message (and not to throw an exception for the elements,
>> which are not available)? Or am I wrong with my interpretation?
>> If there is another possibility to configure it, please let me know.
>>
>> Best regards
>>  Kai
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

Re: Issue because elements within signedParts list are not optional

Posted by Colm O hEigeartaigh <co...@apache.org>.
In WSS4J 2.0, there is/will be an "Optional" signatureParts configuration
that won't throw an exception if it doesn't encounter the Element to sign.

Colm.




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
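The two behaviours the thread contrasts, as an added example that is not part of the original posts and not WSS4J or CXF code: a small Python model of signatureParts selection. It parses the "{mode}{namespace}localName;..." part syntax quoted in Kai's configuration, then applies it to two constructed envelopes, a CreateSequence that carries wsa:ReplyTo and a WS-RM one-way message that does not. With optional=False it reproduces the strict outcome Kai hit (a listed part that is absent aborts signing); with optional=True it applies the "if such a part appears, it requires integrity protection" reading of the SignedParts assertion and skips absent parts. The WS-RM namespace, endpoint URLs and wsa:Action values in the samples are assumptions made for the example.

```python
"""Model of signatureParts selection: which configured parts does a SOAP
message contain, and what happens when one is missing?

Added example, not WSS4J/CXF code.  Sample envelopes and their URLs are
constructed for this example; the part syntax follows the config quoted
in the thread.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSA_NS = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSRM_NS = "http://schemas.xmlsoap.org/ws/2005/02/rm"  # assumed for the samples


@dataclass(frozen=True)
class Part:
    mode: str        # "Element" (sign the element) or "Content" (its content)
    namespace: str
    local_name: str

    @property
    def qname(self) -> str:
        return "{%s}%s" % (self.namespace, self.local_name)


class MissingPartError(Exception):
    """A part the configuration lists is absent from the message."""


def parse_signature_parts(spec: str) -> list:
    """Parse '{Element}{ns}local;{}{ns}local;...'.  An empty mode '{}'
    defaults to Content here."""
    parts = []
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        if not item.startswith("{") or item.count("{") != 2 or item.count("}") != 2:
            raise ValueError("malformed signature part: %r" % item)
        mode, rest = item[1:].split("}", 1)
        namespace, local_name = rest[1:].split("}", 1)
        if not local_name:
            raise ValueError("signature part without a local name: %r" % item)
        parts.append(Part(mode or "Content", namespace, local_name))
    return parts


def select_parts(envelope_xml: str, parts, optional: bool) -> list:
    """Return the QNames of the configured parts present in the envelope.

    optional=False: strict; an absent part raises MissingPartError instead
    of producing a message signed over fewer parts than configured.
    optional=True: absent parts are skipped, present ones are selected.
    """
    root = ET.fromstring(envelope_xml)
    selected = []
    for part in parts:
        # Headers sit under soap:Header, Body directly under Envelope, so
        # search the whole tree.  ElementTree accepts '{ns}name' in paths.
        if root.findall(".//" + part.qname):
            selected.append(part.qname)
        elif not optional:
            raise MissingPartError("configured part %s is not in the message" % part.qname)
    return selected


def plan(envelope_xml: str, spec: str, optional: bool) -> str:
    """Human-readable outcome for one message under one configuration."""
    try:
        found = select_parts(envelope_xml, parse_signature_parts(spec), optional)
        return "sign " + ", ".join(found)
    except MissingPartError as exc:
        return "abort: %s" % exc


# Constructed sample messages (not captured from any real service).
CREATE_SEQUENCE = """<soap:Envelope xmlns:soap="%s" xmlns:wsa="%s" xmlns:wsrm="%s">
  <soap:Header>
    <wsa:To>http://provider.example/rm-service</wsa:To>
    <wsa:ReplyTo><wsa:Address>http://consumer.example/decoupled</wsa:Address></wsa:ReplyTo>
    <wsa:Action>%s/CreateSequence</wsa:Action>
  </soap:Header>
  <soap:Body><wsrm:CreateSequence/></soap:Body>
</soap:Envelope>""" % (SOAP_NS, WSA_NS, WSRM_NS, WSRM_NS)

ONE_WAY = """<soap:Envelope xmlns:soap="%s" xmlns:wsa="%s" xmlns:wsrm="%s">
  <soap:Header>
    <wsa:To>http://provider.example/rm-service</wsa:To>
    <wsa:Action>urn:example:submit</wsa:Action>
    <wsrm:Sequence><wsrm:Identifier>urn:uuid:example</wsrm:Identifier><wsrm:MessageNumber>1</wsrm:MessageNumber></wsrm:Sequence>
  </soap:Header>
  <soap:Body><submit xmlns="urn:example">payload</submit></soap:Body>
</soap:Envelope>""" % (SOAP_NS, WSA_NS, WSRM_NS)

# Same shape as the signatureParts value quoted in the thread.
SIGNATURE_PARTS = "{Element}{%s}To;{Element}{%s}ReplyTo;{}{%s}Body" % (WSA_NS, WSA_NS, SOAP_NS)

if __name__ == "__main__":
    for name, msg in (("CreateSequence", CREATE_SEQUENCE), ("one-way", ONE_WAY)):
        for optional in (False, True):
            print("%-14s optional=%-5s -> %s" % (name, optional, plan(msg, SIGNATURE_PARTS, optional)))
```

The one-way message is the interesting row: strict mode aborts on the missing wsa:ReplyTo, optional mode signs wsa:To and the Body and moves on. The caveat when choosing the lenient sender-side setting (WSS4J 2.0's optionalSignatureParts property, which I am assuming is the "Optional" configuration referred to above; check it against the WSS4J version in use) is that it only decides what the sender signs. Whether a header that is present must be covered by the signature is a receiving-side decision, which is exactly what the quoted SignedParts wording describes, so the service's inbound policy still has to reject a message whose present wsa:ReplyTo is unsigned.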