Posted to users@cxf.apache.org by COURTAULT Francois <Fr...@gemalto.com> on 2013/12/19 18:36:00 UTC

Need your help again ;-)

Hello everyone,

We are using only an AsymmetricBinding assertion to a recipient with:

* InitiatorSignatureToken (IncludeToken/AlwaysToRecipient)
* RecipientEncryptionToken (IncludeToken/Never)
* IncludeTimestamp
* ProtectTokens
* OnlySignEntireHeadersAndBody
* Wss11
  o sp:MustSupportRefKeyIdentifier
  o sp:MustSupportRefIssuerSerial
  o sp:MustSupportRefThumbprint
  o sp:MustSupportRefEncryptedKey
  o sp:RequireSignatureConfirmation

Could we attach this AsymmetricBinding assertion to a WS endpoint as it is, meaning without providing any details regarding what we want to sign and encrypt?

In the spec (http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826608) it is stated that:

- "The specified token populates the [Initiator Signature Token] property and is used for the message signature from initiator to recipient." So it means that a SOAP client has to provide a message signature in the SOAP request sent to the recipient: right?

- "The specified token populates the [Recipient Encryption Token] property and is used for the message encryption from recipient to Recipient.": is there a typo here? From recipient to Recipient? If this is not a typo, what does it mean? Because otherwise I will interpret it as initiator to Recipient: right? In such a case, the SOAP request sent to the recipient should contain some encryption: right?


Best Regards.

________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus

RE: Need your help again ;-)

Posted by COURTAULT Francois <Fr...@gemalto.com>.
Hello,

Thanks a lot for the pointer :-)

Best Regards.

-----Original Message-----
From: Dennis Sosnoski [mailto:dms@sosnoski.com]
Sent: Saturday 21 December 2013 03:37
To: users@cxf.apache.org
Subject: Re: Need your help again ;-)



Re: Need your help again ;-)

Posted by Dennis Sosnoski <dm...@sosnoski.com>.
Hi Francois,

You're going to have some things signed even without <SignedParts>, in particular the Timestamp and tokens (the latter because you're using ProtectTokens). See
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/errata01/os/ws-securitypolicy-1.3-errata01-os-complete.html#_Toc325573671

Regards,

   - Dennis

Dennis M. Sosnoski
Java Web Services Consulting <http://www.sosnoski.com/consult.html>
CXF and Web Services Security Training 
<http://www.sosnoski.com/training.html>
Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>

On 12/21/2013 12:03 AM, COURTAULT Francois wrote:

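As an added example (not from this thread, CXF or WebLogic), here is a WSDL fragment showing how the listed assertions and the proposed SignedParts/EncryptedParts fit together for "sign the request, encrypt the response": the binding assertions go in an endpoint-level policy, SignedParts is attached to wsdl:input and EncryptedParts to wsdl:output, so each applies to one direction only. It also adds what the listed assertions leave out: an AlgorithmSuite (the AsymmetricBinding requires one) and an InitiatorEncryptionToken, because in WS-SecurityPolicy 1.2 the [Recipient Encryption Token] is the recipient's key used for initiator-to-recipient encryption (the "recipient to Recipient" wording is the spec typo), so encrypting the response needs the initiator's encryption token. The X.509 token type, Basic256, the tns namespace and the binding, port type and operation names are assumptions.

```xml
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://example.com/assumed"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <!-- (1) Endpoint-level policy: the assertions from the question, plus AlgorithmSuite and InitiatorEncryptionToken. -->
  <wsp:Policy wsu:Id="AsymBinding">
    <wsp:ExactlyOne><wsp:All>
      <sp:AsymmetricBinding><wsp:Policy>
        <!-- Client key that signs the request; its certificate travels in the request (AlwaysToRecipient). -->
        <sp:InitiatorSignatureToken><wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy><sp:WssX509V3Token11/></wsp:Policy>
          </sp:X509Token>
        </wsp:Policy></sp:InitiatorSignatureToken>
        <!-- Client certificate the server encrypts the RESPONSE to (recipient -> initiator); Never = server keystore lookup. -->
        <sp:InitiatorEncryptionToken><wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
            <wsp:Policy><sp:WssX509V3Token11/></wsp:Policy>
          </sp:X509Token>
        </wsp:Policy></sp:InitiatorEncryptionToken>
        <!-- Server certificate the client would encrypt the REQUEST to (initiator -> recipient); unused unless an input-side EncryptedParts exists. -->
        <sp:RecipientEncryptionToken><wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
            <wsp:Policy><sp:WssX509V3Token11/></wsp:Policy>
          </sp:X509Token>
        </wsp:Policy></sp:RecipientEncryptionToken>
        <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite> <!-- required; suite assumed -->
        <sp:IncludeTimestamp/>             <!-- Timestamp is added and covered by the request signature -->
        <sp:ProtectTokens/>                <!-- the included X.509 token is signed as well -->
        <sp:OnlySignEntireHeadersAndBody/>
      </wsp:Policy></sp:AsymmetricBinding>
      <!-- Wss11 is a sibling of the binding assertion, not a child of it. -->
      <sp:Wss11><wsp:Policy>
        <sp:MustSupportRefKeyIdentifier/>
        <sp:MustSupportRefIssuerSerial/>
        <sp:MustSupportRefThumbprint/>
        <sp:MustSupportRefEncryptedKey/>
        <sp:RequireSignatureConfirmation/> <!-- response echoes each request signature in wsse11:SignatureConfirmation -->
      </wsp:Policy></sp:Wss11>
    </wsp:All></wsp:ExactlyOne>
  </wsp:Policy>
  <!-- (2) Message-level policy for wsdl:input: the client signs the Body. -->
  <wsp:Policy wsu:Id="SignRequest">
    <sp:SignedParts><sp:Body/></sp:SignedParts>
  </wsp:Policy>
  <!-- (3) Message-level policy for wsdl:output: the server encrypts the Body. -->
  <wsp:Policy wsu:Id="EncryptResponse">
    <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  </wsp:Policy>
  <!-- Attachment points (binding, port type and operation names assumed). -->
  <wsdl:binding name="ExampleBinding" type="tns:ExamplePortType">
    <wsp:PolicyReference URI="#AsymBinding"/>
    <wsdl:operation name="exampleOp">
      <wsdl:input><wsp:PolicyReference URI="#SignRequest"/></wsdl:input>
      <wsdl:output><wsp:PolicyReference URI="#EncryptResponse"/></wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>
```

If the server has no keystore copy of the client certificate, declaring a single sp:InitiatorToken (which populates both the [Initiator Signature Token] and [Initiator Encryption Token] properties) in place of the two separate initiator tokens lets the server reuse the certificate carried in the signed request.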

RE: Need your help again ;-)

Posted by COURTAULT Francois <Fr...@gemalto.com>.
Hello Colm,

First, thanks for answering.
In fact we are using a Weblogic predefined policy, and the one we want to use contains only the policy assertions I have listed. So what will be the behavior with such a policy?

So if I read between the lines of your answer, if we have only this assertion list, nothing should be done in terms of encryption and signature: right?
What about my spec questions: could you reply please?

Regarding what we want to do, initially we want to sign the request and encrypt the response: what should we add?

Probably:
<sp:EncryptedParts>
    <sp:Body/>
</sp:EncryptedParts>
And
<sp:SignedParts>
    <sp:Body/>
</sp:SignedParts>
Right?

Best Regards.

From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Friday 20 December 2013 11:36
To: COURTAULT Francois
Cc: users@cxf.apache.org
Subject: Re: Need your help again ;-)


What do you actually want to sign/encrypt? Why not start from there + then figure out an appropriate policy? Typically you will add in SignedParts or EncryptedParts policies to cover what you want signed/encrypted.

Colm.

On Thu, Dec 19, 2013 at 5:36 PM, COURTAULT Francois <Fr...@gemalto.com> wrote:

Re: Need your help again ;-)

Posted by Colm O hEigeartaigh <co...@apache.org>.
What do you actually want to sign/encrypt? Why not start from there + then
figure out an appropriate policy? Typically you will add in SignedParts or
EncryptedParts policies to cover what you want signed/encrypted.

Colm.


On Thu, Dec 19, 2013 at 5:36 PM, COURTAULT Francois <Francois.COURTAULT@gemalto.com> wrote:




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com