Posted to users@cxf.apache.org by Claude Libois <cl...@gmail.com> on 2016/09/23 08:30:34 UTC

How to avoid default X509IssuerSerial as SecurityTokenReference with a Policy

Hello,
I would like to enforce my endpoint to return a reference to the embedded
binarySecurityToken instead of the serial+issuer name such as:
<wsse:SecurityTokenReference
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="STR-a65f2369-4c86-4e01-9663-0ec7b90b5ac9">
    <ds:X509Data>
        <ds:X509IssuerSerial>
            <ds:X509IssuerName>IssuerName</ds:X509IssuerName>
            <ds:X509SerialNumber>124284142324952637825</ds:X509SerialNumber>
        </ds:X509IssuerSerial>
    </ds:X509Data>
</wsse:SecurityTokenReference>
I was told by Colm O hEigeartaigh (thank you btw) that I could use the
signatureKeyIdentifier property with the "DirectReference" value. TBH as I'm on
a servicemix which uses cxf+wss4j, it's quite complicated to know where to set
this property value but that's not the point here. I'm using a policy to define
my ws-security and found it was possible to define something like
<sp:RequireEmbeddedTokenReference/> in the X509 tag. However, I'm still
receiving the X509IssuerSerial....
Does anybody know how to define this correctly in a policy? Here is my
policy, only applied on the server response:
<wsp:Policy wsu:Id="signAndTsPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding>
                <wsp:Policy>
                    <sp:IncludeTimestamp/>
                    <sp:InitiatorSignatureToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:WssX509PkiPathV1Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorSignatureToken>
                    <sp:RecipientSignatureToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <!-- Never? -->
                                <wsp:Policy>
                                    <sp:WssX509PkiPathV1Token10/>
                                    <sp:RequireEmbeddedTokenReference/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientSignatureToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256Sha256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:ProtectTokens/>
                    <sp:OnlySignEntireHeadersAndBody/>
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:SignedParts>
                <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Body/>
            </sp:SignedParts>
            <sp:Wss10>
                <sp:Policy>
                    <sp:MustSupportRefKeyIdentifier/>
                </sp:Policy>
            </sp:Wss10>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

To be honest, I'm rather new to ws-security with policy on cxf+wss4j.
I must say that it was quite complicated to find complete information to
achieve my goal.
That's why I'm asking for some help now.
Best Regards,
Claude

Re: How to avoid default X509IssuerSerial as SecurityTokenReference with a Policy

Posted by Claude Libois <cl...@gmail.com>.
Thank you for the answer. I found that replacing
<sp:RequireEmbeddedTokenReference/> by <sp:RequireKeyIdentifierReference/> did
the trick and now it works. I have read the specs but feel a bit short to
fully understand every parameter with only this document
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html.
Any pointer to something that could help me in my ws security learning path?

For your remark about the includeToken type, I'm not sure I have to set it to
Always as the certificate is correctly set in the binary token for both
recipient and initiator with my configuration. Maybe this is because I
have a RecipientSignatureToken and an InitiatorSignatureToken? Is it
possible that "Recipient" has 2 meanings depending on the SignatureToken
type, i.e. that for the first token Recipient means the client and the server
for the second token?
Hope this is clear enough though I'm not sure of this. :p
Best Regards,
Claude


2016-09-23 18:15 GMT+02:00 Colm O hEigeartaigh <co...@apache.org>:

> Hi Claude,
>
> The answer I gave on the WSS4J JIRA was when you are configuring security
> manually. When using WS-SecurityPolicy you don't need to do it. If you use
> the following policy for the RecipientSignatureToken it should work, I
> verified it with the CXF systests:
>
> <sp:RecipientSignatureToken>
>     <wsp:Policy>
>         <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>             <wsp:Policy>
>                 <sp:WssX509V3Token10/>
>             </wsp:Policy>
>         </sp:X509Token>
>     </wsp:Policy>
> </sp:RecipientSignatureToken>
>
> "AlwaysToRecipient" as per the policy you had above is not valid, as it
> would not then send the token to the initiator...
>
> Colm.
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

Re: How to avoid default X509IssuerSerial as SecurityTokenReference with a Policy

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Claude,

The answer I gave on the WSS4J JIRA was when you are configuring security
manually. When using WS-SecurityPolicy you don't need to do it. If you use
the following policy for the RecipientSignatureToken it should work, I
verified it with the CXF systests:

<sp:RecipientSignatureToken>
    <wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
            <wsp:Policy>
                <sp:WssX509V3Token10/>
            </wsp:Policy>
        </sp:X509Token>
    </wsp:Policy>
</sp:RecipientSignatureToken>

"AlwaysToRecipient" as per the policy you had above is not valid, as it
would not then send the token to the initiator...

Colm.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
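A check for the problem discussed in this thread, added here as an example (it is not code from the thread, CXF or WSS4J): it parses a wsse:Security header and reports which SecurityTokenReference form the signature's KeyInfo uses (the X509IssuerSerial default Claude saw, a direct wsse:Reference to an embedded BinarySecurityToken as Colm's IncludeToken=Always policy produces, or a KeyIdentifier as RequireKeyIdentifierReference asks for) and whether that matches the policy assertion. The sample headers, and the names classify_str and satisfies, are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
WSU_ID = "{%s}Id" % NS["wsu"]
# Which STR form each WS-SecurityPolicy Require* assertion asks for.
ASSERTION_TO_KIND = {"RequireIssuerSerialReference": "issuer-serial",
                     "RequireKeyIdentifierReference": "key-identifier"}

def classify_str(security_xml):
    """Classify the STR under ds:Signature/ds:KeyInfo: 'issuer-serial' (the default the
    thread wants to avoid), 'direct' (wsse:Reference to an embedded BinarySecurityToken),
    'key-identifier' (what RequireKeyIdentifierReference asks for) or 'unknown'."""
    root = ET.fromstring(security_xml)
    s = root.find(".//ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if s is None:
        return {"kind": "unknown", "detail": "no SecurityTokenReference in KeyInfo"}
    if s.find("ds:X509Data/ds:X509IssuerSerial", NS) is not None:
        serial = s.findtext("ds:X509Data/ds:X509IssuerSerial/ds:X509SerialNumber", "", NS)
        return {"kind": "issuer-serial", "detail": serial.strip()}
    ref = s.find("wsse:Reference", NS)
    if ref is not None:
        target = ref.get("URI", "").lstrip("#")
        # A direct reference only helps if the token it points at is really embedded.
        embedded = any(b.get(WSU_ID) == target
                       for b in root.iterfind(".//wsse:BinarySecurityToken", NS))
        return {"kind": "direct", "detail": target, "embedded": embedded}
    kid = s.find("wsse:KeyIdentifier", NS)
    if kid is not None:
        return {"kind": "key-identifier", "detail": kid.get("ValueType", "").rsplit("#", 1)[-1]}
    return {"kind": "unknown", "detail": "unrecognised STR form"}

def satisfies(result, assertion):
    """True if the observed STR matches the Require* assertion (None = plain direct reference)."""
    if assertion is None:  # no Require* assertion: expect a resolvable direct reference
        return result["kind"] == "direct" and result.get("embedded", False)
    return result["kind"] == ASSERTION_TO_KIND.get(assertion)

# Constructed sample headers (not real traffic); certificate/SKI bytes are placeholders.
_HDR = ('<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">%%s<ds:Signature>'
        '<ds:KeyInfo><wsse:SecurityTokenReference>%%s</wsse:SecurityTokenReference>'
        '</ds:KeyInfo></ds:Signature></wsse:Security>' % (NS["wsse"], NS["wsu"], NS["ds"]))
ISSUER_SERIAL = _HDR % ("", "<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Issuer"
                        "</ds:X509IssuerName><ds:X509SerialNumber>124284142324952637825"
                        "</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>")
BST = ('<wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="%s#X509v3">'
       'PLACEHOLDER-CERT-BASE64</wsse:BinarySecurityToken>' % X509_PROFILE)
DIRECT = _HDR % (BST, '<wsse:Reference URI="#X509-1" ValueType="%s#X509v3"/>' % X509_PROFILE)
DANGLING = _HDR % ("", '<wsse:Reference URI="#X509-1" ValueType="%s#X509v3"/>' % X509_PROFILE)
KEY_ID = _HDR % ("", '<wsse:KeyIdentifier ValueType="%s#X509SubjectKeyIdentifier">'
                 'PLACEHOLDER-SKI-BASE64</wsse:KeyIdentifier>' % X509_PROFILE)
```

Running classify_str over a captured response header before and after changing the X509Token assertions shows whether the STR form actually changed, which is quicker than reading the raw signature block by eye.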