Posted to users@cxf.apache.org by Sam <j2...@gmail.com> on 2013/08/19 14:54:32 UTC
UsernameToken authentication with X509Token symmetric binding question
Hi all,
I have run the sample code for the tutorial from
http://www.jroller.com/gmazza/entry/usernametoken_messagelayer_encryption successfully
(i.e. the server response returned OK).
To be exact, it's the UsernameToken authentication with X509Token
symmetric binding for message protection, like the one from the IBM doc
http://pic.dhe.ibm.com/infocenter/radhelp/v9/index.jsp?topic=%2Fcom.ibm.websphere.wlp.nd.multiplatform.doc%2Fae%2Fcwlp_wssec_templates_scenario6.html
The WS-Policy in the WSDL is:
<wsp:Policy wsu:Id="DoubleItUTSymmetricX509Policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <wsam:Addressing wsp:Optional="false" />
      <sp:SymmetricBinding>
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:X509Token
                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                  <sp:RequireIssuerSerialReference />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
          <sp:OnlySignEntireHeadersAndBody />
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefIssuerSerial />
          <sp:MustSupportRefThumbprint />
          <sp:MustSupportRefEncryptedKey />
        </wsp:Policy>
      </sp:Wss11>
      <sp:SignedEncryptedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken
            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken10 />
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedEncryptedSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:EncryptedParts>
        <sp:Body />
      </sp:EncryptedParts>
      <sp:SignedParts>
        <sp:Body />
        <sp:Header Name="To"
          Namespace="http://www.w3.org/2005/08/addressing" />
        ...
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:EncryptedParts>
        <sp:Body />
      </sp:EncryptedParts>
      <sp:SignedParts>
        <sp:Body />
        <sp:Header Name="To"
          Namespace="http://www.w3.org/2005/08/addressing" />
        ...
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
After examining the generated SOAP request from the client code, to my
surprise, there is no <wsse:UsernameToken> at all even though the policy
above clearly states the use of UsernameToken.
* So my question is, is this the expected behaviour for UsernameToken
authentication with X509Token symmetric binding or am I missing something?
* Am I right to assume that for UsernameToken authentication with
X509Token asymmetric binding, I should expect to see
<wsse:UsernameToken> in soap request?
Thanks in advance,
Sam
Re: UsernameToken authentication with X509Token symmetric binding question
Posted by Colm O hEigeartaigh <co...@apache.org>.
You're not seeing the UsernameToken as it's encrypted. You should see a
"wsse:EncryptedData" structure in the security header of the request
instead.
Colm.
On Mon, Aug 19, 2013 at 1:54 PM, Sam <j2...@gmail.com> wrote:
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
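As an added example, not code from this thread or from CXF, the following Python reads which supporting-token assertion a policy places the UsernameToken under and then reports whether a captured request's wsse:Security header carries the token in clear, as an xenc:EncryptedData replacement (the case Colm describes), or not at all. The policy fragment and SOAP envelope are constructed samples, and the CipherValue is a placeholder.

```python
import xml.etree.ElementTree as ET

# Namespaces of the WS-SecurityPolicy assertions and of the WS-Security header.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"}
# Supporting-token assertion -> how a UsernameToken placed under it must appear on the wire.
SUPPORTING = {"SignedEncryptedSupportingTokens": "encrypted", "EncryptedSupportingTokens": "encrypted",
              "SignedSupportingTokens": "plaintext", "SupportingTokens": "plaintext"}

def expected_from_policy(policy_xml):
    """What the policy requires for the UsernameToken: 'encrypted', 'plaintext' or 'absent'."""
    root = ET.fromstring(policy_xml)
    for name, form in SUPPORTING.items():
        for assertion in root.iter("{%s}%s" % (NS["sp"], name)):
            if assertion.find(".//sp:UsernameToken", NS) is not None:
                return form
    return "absent"

def observed_in_request(envelope_xml):
    """How the UsernameToken actually appears in the request's wsse:Security header."""
    sec = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)
    if sec is None:
        return "absent"
    if sec.find("wsse:UsernameToken", NS) is not None:
        return "plaintext"  # credentials readable; confidentiality then rests on TLS alone
    # WSS 1.1 replaces an encrypted security-header element in place by xenc:EncryptedData (Type ...#Element).
    if any(e.get("Type", "").endswith("#Element") for e in sec.findall("xenc:EncryptedData", NS)):
        return "encrypted"
    return "absent"

def check(policy_xml, envelope_xml):
    """Compare the policy's expectation with the observed header: (expected, observed, ok)."""
    exp, obs = expected_from_policy(policy_xml), observed_in_request(envelope_xml)
    return exp, obs, exp == obs

# Constructed samples: the thread's supporting-token assertion and the shape of security
# header the symmetric binding emits (the CipherValue is a placeholder, not real ciphertext).
POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
 <sp:SignedEncryptedSupportingTokens><wsp:Policy><sp:UsernameToken><wsp:Policy>
 <sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken></wsp:Policy>
 </sp:SignedEncryptedSupportingTokens></wsp:Policy>"""
REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header>
 <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:CipherData>
  <xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
 </wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""
```

Running `check(POLICY, REQUEST)` returns `('encrypted', 'encrypted', True)`; a request whose header still shows a readable wsse:UsernameToken under this policy would return `('encrypted', 'plaintext', False)`, which is the mismatch worth alerting on.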