Posted to dev@cxf.apache.org by Dennis Sosnoski <dm...@sosnoski.com> on 2014/02/14 00:43:49 UTC
Signing of WS-Addressing headers
In testing Metro interop I noticed that if I only specified:

<sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:Body/>
</sp:SignedParts>

CXF happily generated messages signing only the Body, but Metro apparently requires the WS-A headers (at least MessageID) to be signed anyway:
Feb 13, 2014 3:51:55 PM com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl resolveAndVerifyTargets
SEVERE: WSS0206: Security in the incoming message does not conform to the SecurityPolicy configured at the Recipient.
Feb 13, 2014 3:51:55 PM com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl resolveAndVerifyTargets
SEVERE: WSS0814: policy verification error, missing target MessageID for Signature
Feb 13, 2014 3:51:55 PM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.impl.PolicyViolationException: com.sun.xml.wss.XWSSecurityException: Policy verification error:Missing target MessageID for Signature
at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:151)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:1016)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:252)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:455)
at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
It's certainly best practice to sign the WS-A headers, but AFAIK it isn't required. Is this an error on Metro's part, or should we be requiring signing of the WS-A headers too?
Thanks,
- Dennis
Re: Signing of WS-Addressing headers
Posted by Dennis Sosnoski <dm...@sosnoski.com>.
Yes, that certainly makes sense. I'll run some other tests to verify the Metro behavior, and see about entering a bug report.
- Dennis
On 02/14/2014 01:39 PM, Daniel Kulp wrote:
>
> I would say bug in Metro.
>
> The very first example in the WS-SecurityPolicy spec:
>
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/errata01/os/ws-securitypolicy-1.3-errata01-os-complete.html#_Toc325573554
>
> specifically shows that if you want the WS-A headers also signed, you should be:
>
> <sp:SignedParts>
> <sp:Body/>
> <sp:Header
> Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"
> />
> </sp:SignedParts>
>
>
> If the sp:Body element wasn’t in there (so empty SignedParts element) a case could likely be made that the WS-Addressing headers should be signed as the spec says:
>
> "If no child elements are specified, all message headers targeted at the UltimateReceiver role [SOAP12] or actor [SOAP11] and the body of the message MUST be integrity protected."
>
>
> Anyway, that’s my reading of it.
>
>
> Dan
>
>
>
> On Feb 13, 2014, at 6:43 PM, Dennis Sosnoski <dm...@sosnoski.com> wrote:
>
>> In testing Metro interop I noticed that if I only specified:
>>
>> <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>> <sp:Body/>
>> </sp:SignedParts>
>>
>> CXF happily generated messages signing only the Body, but Metro apparently requires the WS-A headers (at least MessageID) to be signed anyway:
>>
>> Feb 13, 2014 3:51:55 PM com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl resolveAndVerifyTargets
>> SEVERE: WSS0206: Security in the incoming message does not conform to the SecurityPolicy configured at the Recipient.
>> Feb 13, 2014 3:51:55 PM com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl resolveAndVerifyTargets
>> SEVERE: WSS0814: policy verification error, missing target MessageID for Signature
>> Feb 13, 2014 3:51:55 PM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
>> SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
>> com.sun.xml.wss.impl.PolicyViolationException: com.sun.xml.wss.XWSSecurityException: Policy verification error:Missing target MessageID for Signature
>> at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:151)
>> at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:1016)
>> at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:252)
>> at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:455)
>> at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
>>
>> It's certainly best practice to sign the WS-A headers, but AFAIK it isn't required. Is this an error on Metro's part, or should we be requiring signing of the WS-A headers too?
>>
>> Thanks,
>>
>> - Dennis
>>
Re: Signing of WS-Addressing headers
Posted by Daniel Kulp <dk...@apache.org>.
I would say bug in Metro.
The very first example in the WS-SecurityPolicy spec:
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/errata01/os/ws-securitypolicy-1.3-errata01-os-complete.html#_Toc325573554
specifically shows that if you want the WS-A headers also signed, you should be:
<sp:SignedParts>
  <sp:Body/>
  <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
</sp:SignedParts>
If the sp:Body element wasn’t in there (so empty SignedParts element) a case could likely be made that the WS-Addressing headers should be signed as the spec says:
"If no child elements are specified, all message headers targeted at the UltimateReceiver role [SOAP12] or actor [SOAP11] and the body of the message MUST be integrity protected."
Anyway, that’s my reading of it.
Dan
On Feb 13, 2014, at 6:43 PM, Dennis Sosnoski <dm...@sosnoski.com> wrote:
> In testing Metro interop I noticed that if I only specified:
>
> <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:Body/>
> </sp:SignedParts>
>
> CXF happily generated messages signing only the Body, but Metro apparently requires the WS-A headers (at least MessageID) to be signed anyway:
>
> Feb 13, 2014 3:51:55 PM com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl resolveAndVerifyTargets
> SEVERE: WSS0206: Security in the incoming message does not conform to the SecurityPolicy configured at the Recipient.
> Feb 13, 2014 3:51:55 PM com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl resolveAndVerifyTargets
> SEVERE: WSS0814: policy verification error, missing target MessageID for Signature
> Feb 13, 2014 3:51:55 PM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
> SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
> com.sun.xml.wss.impl.PolicyViolationException: com.sun.xml.wss.XWSSecurityException: Policy verification error:Missing target MessageID for Signature
> at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:151)
> at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:1016)
> at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:252)
> at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:455)
> at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
>
> It's certainly best practice to sign the WS-A headers, but AFAIK it isn't required. Is this an error on Metro's part, or should we be requiring signing of the WS-A headers too?
>
> Thanks,
>
> - Dennis
>
--
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
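The sp:SignedParts rules Dan quotes above are easy to get wrong on the verifier side, which is what the Metro trace in this thread shows. The following is an added example, not CXF or Metro code, that applies those rules to a concrete SOAP message: an empty sp:SignedParts requires the Body plus every header targeted at the ultimate receiver, while an explicit list requires the Body only if sp:Body is present and the headers matched by each sp:Header's Namespace (and optional Name). It then reports which required parts a message failed to sign, the same class of finding as Metro's "missing target MessageID for Signature". The sample envelope, the policy strings and the signed-parts list are constructed here; the caller supplies which parts were actually covered by the signature (resolving ds:Reference URIs against wsu:Id attributes is outside this example). It handles both SOAP 1.2 (env:role) and SOAP 1.1 (env:actor) targeting, going slightly beyond the thread, which only discusses the policy side.

```python
"""Apply WS-SecurityPolicy sp:SignedParts rules to a SOAP message.

Added example (not CXF's or Metro's code). A "part" is identified as a
(namespace, local-name) pair; the caller says which parts the signature
actually covered.
"""
import xml.etree.ElementTree as ET

SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"
SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_ULTIMATE = SOAP12_NS + "/role/ultimateReceiver"
WSA_NS = "http://schemas.xmlsoap.org/ws/2004/08/addressing"  # namespace from Dan's example


def _qname(tag):
    """Split an ElementTree tag "{ns}local" into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def ultimate_receiver_headers(envelope_xml):
    """Return (ns, local) for each header block addressed to the ultimate receiver.

    SOAP 1.2: no env:role, or role == .../role/ultimateReceiver.
    SOAP 1.1: no env:actor (an absent actor means the ultimate receiver)."""
    env = ET.fromstring(envelope_xml)
    env_ns, _ = _qname(env.tag)
    header = env.find("{%s}Header" % env_ns)
    result = []
    if header is None:
        return result
    for block in header:
        if env_ns == SOAP12_NS:
            role = block.get("{%s}role" % env_ns)
            targeted = role is None or role == SOAP12_ULTIMATE
        else:
            targeted = block.get("{%s}actor" % env_ns) is None
        if targeted:
            result.append(_qname(block.tag))
    return result


def required_targets(policy_xml, envelope_xml):
    """Parts that sp:SignedParts requires to be integrity protected for this message."""
    policy = ET.fromstring(policy_xml)
    env = ET.fromstring(envelope_xml)
    env_ns, _ = _qname(env.tag)
    body = (env_ns, "Body")
    headers = ultimate_receiver_headers(envelope_xml)
    children = list(policy)
    if not children:
        # Spec rule quoted in the thread: no children => body + all ultimate-receiver headers.
        return sorted([body] + headers)
    required = set()
    for child in children:
        ns, local = _qname(child.tag)
        if ns != SP_NS:
            continue  # ignore elements from other namespaces
        if local == "Body":
            required.add(body)
        elif local == "Header":
            want_ns = child.get("Namespace")
            want_name = child.get("Name")  # optional; absent means any header in that namespace
            for hns, hlocal in headers:
                if hns == want_ns and (want_name is None or hlocal == want_name):
                    required.add((hns, hlocal))
    return sorted(required)


def missing_signature_targets(policy_xml, envelope_xml, signed_parts):
    """Required parts not covered by the signature; non-empty means policy violation."""
    signed = set(signed_parts)
    return [t for t in required_targets(policy_xml, envelope_xml) if t not in signed]


# Constructed sample: SOAP 1.2 envelope with WS-A headers plus one header aimed
# at the "next" role, which is NOT an ultimate-receiver header.
SAMPLE_ENVELOPE = """<env:Envelope xmlns:env="%s" xmlns:wsa="%s">
  <env:Header>
    <wsa:MessageID>urn:uuid:constructed-example-1</wsa:MessageID>
    <wsa:To>http://example.invalid/service</wsa:To>
    <wsa:Action>urn:example:op</wsa:Action>
    <t:Trace xmlns:t="urn:example:trace" env:role="%s/role/next">hop-1</t:Trace>
  </env:Header>
  <env:Body><ns:Op xmlns:ns="urn:example"/></env:Body>
</env:Envelope>""" % (SOAP12_NS, WSA_NS, SOAP12_NS)

POLICY_BODY_ONLY = '<sp:SignedParts xmlns:sp="%s"><sp:Body/></sp:SignedParts>' % SP_NS
POLICY_BODY_AND_WSA = ('<sp:SignedParts xmlns:sp="%s"><sp:Body/>'
                       '<sp:Header Namespace="%s"/></sp:SignedParts>' % (SP_NS, WSA_NS))
POLICY_EMPTY = '<sp:SignedParts xmlns:sp="%s"/>' % SP_NS

if __name__ == "__main__":
    signed = [(SOAP12_NS, "Body")]  # what Dennis's CXF client actually signed
    for name, pol in [("Body only", POLICY_BODY_ONLY), ("Body + WSA", POLICY_BODY_AND_WSA),
                      ("empty", POLICY_EMPTY)]:
        print(name, "->", missing_signature_targets(pol, SAMPLE_ENVELOPE, signed))
```

With the Body-only policy and a message that signs only the Body, nothing is missing, which is Dennis's reading; the WS-A headers become required only once sp:Header Namespace=".../addressing" is added, or the SignedParts element is left empty.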