Posted to users@cxf.apache.org by "Penmatsa, Vinay" <vi...@sap.com> on 2011/09/28 01:03:42 UTC
Signature only in policy for Username Token
Hi,
With the following policy definition, the header is sent encrypted. How can I get the client to only sign and not encrypt?
------
<wsp:Policy wsu:Id="UsernameToken"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128/>
              <!-- This policy originally specified Basic256, which needs the
                   unlimited-strength JCE policy files; Basic128 is active here
                   so that the export-grade encryption bundled in the JDK suffices. -->
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <!-- Note: sp:Wss10 is declared in the WS-SecurityPolicy 1.1 (2005/07)
           namespace while the rest of the policy uses 1.2 (200702). CXF accepts
           both, but using one namespace throughout avoids confusion. -->
      <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
        </wsp:Policy>
      </sp:Wss10>
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken10/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
---
Regards,
Vinay
Re: Signature only in policy for Username Token
Posted by Glen Mazza <gm...@talend.com>.
Actually, sounds like a good safety mechanism. I'm not sure if CXF
should allow itself to be configured in a way that you can send out
unencrypted username tokens.
Glen
On 09/28/2011 10:45 AM, Daniel Kulp wrote:
> On Wednesday, September 28, 2011 10:41:10 AM Penmatsa, Vinay wrote:
>> Hi Colm,
>> Thanks for the info. Yes, it wouldn't make sense to send it unencrypted, but
>> I was wondering why when I use "SignedSupportingTokens", the message is
>> automatically encrypted too instead of only signed.
> Compatibility with MS and Weblogic and a few others. Despite it being only
> "SignedSupportingTokens", they will refuse to accept Username tokens if the
> data is not encrypted. It can either be via encrypting the element or by
> using some sort of secure transport (like HTTPs).
>
> Dan
>> Regards,
>> Vinay
>>
>>
>> -----Original Message-----
>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>> Sent: Wednesday, September 28, 2011 4:24 AM
>> To: users@cxf.apache.org
>> Subject: Re: Signature only in policy for Username Token
>>
>> You can set the following jax-ws property
>> "ws-security.username-token.always.encrypted" to "false". See the
>> "ALWAYS_ENCRYPT_UT" variable here:
>>
>> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apac
>> he/cxf/ws/security/SecurityConstants.java?view=markup
>>
>> Why would you want to send an unencrypted UsernameToken across the
>> wire? An eavesdropper could just harvest the username/password.
>>
>> Colm.
>>
>> On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay
>>
>> <vi...@sap.com> wrote:
>>> Hi,
>>> With the following policy definition, the header is sent encrypted. How
>>> can I get the client to only sign and not encrypt?
>>> Regards,
>>> Vinay
--
Glen Mazza
Talend - http://www.talend.com/products/tsf
Blog - http://www.jroller.com/gmazza
Twitter - glenmazza
Re: Signature only in policy for Username Token
Posted by Daniel Kulp <dk...@apache.org>.
On Wednesday, September 28, 2011 10:41:10 AM Penmatsa, Vinay wrote:
> Hi Colm,
> Thanks for the info. Yes, it wouldn't make sense to send it unencrypted, but
> I was wondering why when I use "SignedSupportingTokens", the message is
> automatically encrypted too instead of only signed.
Compatibility with MS and Weblogic and a few others. Despite it being only
"SignedSupportingTokens", they will refuse to accept Username tokens if the
data is not encrypted. It can either be via encrypting the element or by
using some sort of secure transport (like HTTPs).
Dan
>
> Regards,
> Vinay
>
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Wednesday, September 28, 2011 4:24 AM
> To: users@cxf.apache.org
> Subject: Re: Signature only in policy for Username Token
>
> You can set the following jax-ws property
> "ws-security.username-token.always.encrypted" to "false". See the
> "ALWAYS_ENCRYPT_UT" variable here:
>
> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apac
> he/cxf/ws/security/SecurityConstants.java?view=markup
>
> Why would you want to send an unencrypted UsernameToken across the
> wire? An eavesdropper could just harvest the username/password.
>
> Colm.
>
> On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay
>
> <vi...@sap.com> wrote:
> > Hi,
> > With the following policy definition, the header is sent encrypted. How
> > can I get the client to only sign and not encrypt?
> > Regards,
> > Vinay
--
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com
RE: Signature only in policy for Username Token
Posted by "Penmatsa, Vinay" <vi...@sap.com>.
Hi Colm,
Thanks for the info. Yes, it wouldn't make sense to send it unencrypted, but I was wondering why when I use "SignedSupportingTokens", the message is automatically encrypted too instead of only signed.
Regards,
Vinay
-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Wednesday, September 28, 2011 4:24 AM
To: users@cxf.apache.org
Subject: Re: Signature only in policy for Username Token
You can set the following jax-ws property
"ws-security.username-token.always.encrypted" to "false". See the
"ALWAYS_ENCRYPT_UT" variable here:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup
Why would you want to send an unencrypted UsernameToken across the
wire? An eavesdropper could just harvest the username/password.
Colm.
On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay
<vi...@sap.com> wrote:
>
> Hi,
> With the following policy definition, the header is sent encrypted. How can I get the client to only sign and not encrypt?
> Regards,
> Vinay
--
Colm O hEigeartaigh
http://coheigea.blogspot.com/
Talend - http://www.talend.com
Re: Signature only in policy for Username Token
Posted by Colm O hEigeartaigh <co...@apache.org>.
You can set the following jax-ws property
"ws-security.username-token.always.encrypted" to "false". See the
"ALWAYS_ENCRYPT_UT" variable here:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup
Why would you want to send an unencrypted UsernameToken across the
wire? An eavesdropper could just harvest the username/password.
Colm.
On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay
<vi...@sap.com> wrote:
>
> Hi,
> With the following policy definition, the header is sent encrypted. How can I get the client to only sign and not encrypt?
> Regards,
> Vinay
--
Colm O hEigeartaigh
http://coheigea.blogspot.com/
Talend - http://www.talend.com
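Putting Colm's property and Dan's transport point together, as an added example that is not code from this thread or from CXF itself: a client-side helper that disables CXF's default UsernameToken encryption only when the proxy's endpoint address is HTTPS. The class and method names are hypothetical; `port` is assumed to be a JAX-WS proxy created by CXF, and `SecurityConstants.ALWAYS_ENCRYPT_UT` is the constant Colm links to.

```java
import java.util.Locale;
import java.util.Map;

import javax.xml.ws.BindingProvider;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.SecurityConstants;

/** Hypothetical helper; not part of CXF or of the thread above. */
public final class SignedOnlyUsernameToken {

    private SignedOnlyUsernameToken() {
    }

    /** True only for an HTTPS endpoint address, the one transport this helper accepts. */
    static boolean transportIsProtected(String address) {
        return address != null && address.toLowerCase(Locale.ROOT).startsWith("https://");
    }

    /**
     * Configures a CXF JAX-WS proxy so that the UsernameToken required by
     * SignedSupportingTokens is signed but not encrypted at the message level.
     * The property that turns off CXF's default encryption is only set when
     * the endpoint address is HTTPS, so the credentials never go out in the clear.
     */
    public static void configure(Object port, String username, String password) {
        Client client = ClientProxy.getClient(port);
        String address = client.getEndpoint().getEndpointInfo().getAddress();
        if (!transportIsProtected(address)) {
            throw new IllegalStateException(
                "Refusing to disable UsernameToken encryption for non-TLS endpoint " + address);
        }
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(SecurityConstants.USERNAME, username);
        ctx.put(SecurityConstants.PASSWORD, password);
        // Same key as "ws-security.username-token.always.encrypted" in Colm's reply.
        ctx.put(SecurityConstants.ALWAYS_ENCRYPT_UT, "false");
    }
}
```

The signature keystore properties the AsymmetricBinding needs are configured separately and are omitted here.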