You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Dennis Sosnoski (JIRA)" <ji...@apache.org> on 2010/10/06 11:37:33 UTC
[jira] Created: (CXF-3041) AsymmetricBinding used only for response
causes error
AsymmetricBinding used only for response causes error
-----------------------------------------------------
Key: CXF-3041
URL: https://issues.apache.org/jira/browse/CXF-3041
Project: CXF
Issue Type: Bug
Components: WS-* Components
Affects Versions: 2.2.10
Reporter: Dennis Sosnoski
When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
org.w3c.dom.DOMException: Cannot find Reference in Manifest
at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
<wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
xmlns:wns="http://ws.sosnoski.com/library/wsdl"
xmlns:tns="http://ws.sosnoski.com/library/types"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
<!-- Policy for asymmetric binding with the certificate included in the message from
client to server but only a thumbprint on messages from the server to the client. -->
<wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
</wsp:Policy>
<!-- Policy for signing the message body. -->
<wsp:Policy wsu:Id="SignBody" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SignedParts>
<sp:Body/>
</sp:SignedParts>
</wsp:Policy>
...
<wsdl:binding name="LibrarySoapBinding" type="wns:Library">
<wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name="getBook">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
<wsdlsoap:operation soapAction="urn:getBook"/>
<wsdl:input name="getBookRequest">
<wsdlsoap:body use="literal"/>
</wsdl:input>
<wsdl:output name="getBookResponse">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
<wsdlsoap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
...
</wsdl:binding>
...
</wsdl:definitions>
Here's the actual request message:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoDCCAgkCBEnhw2IwDQYJKoZIhvcNAQEFBQAwgZYxCzAJBgNVBAYTAk5aMRMwEQYDVQQIEwpXZWxsaW5ndG9uMRowGAYDVQQHExFQYXJhcGFyYXVtdSBCZWFjaDEqMCgGA1UEChMhU29zbm9za2kgU29mdHdhcmUgQXNzb2NpYXRlcyBMdGQuMRAwDgYDVQQLEwdVbmtub3duMRgwFgYDVQQDEw9EZW5uaXMgU29zbm9za2kwHhcNMDkwNDEyMTAzMzA2WhcNMzYwODI3MTAzMzA2WjCBljELMAkGA1UEBhMCTloxEzARBgNVBAgTCldlbGxpbmd0b24xGjAYBgNVBAcTEVBhcmFwYXJhdW11IEJlYWNoMSowKAYDVQQKEyFTb3Nub3NraSBTb2Z0d2FyZSBBc3NvY2lhdGVzIEx0ZC4xEDAOBgNVBAsTB1Vua25vd24xGDAWBgNVBAMTD0Rlbm5pcyBTb3Nub3NraTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAhOVyNK8xyxtb4DnKtU6mF9KoiFqCk7eKoLE26+9h410CtTkxzWAfgnR+8i+LPbdsPY+yXAo6NYpCCKolXfDLe+AG2GwnMZGrIl6+BLF3hqTmIXBFTLGUmC7A7uBTivaWgdH1w3hb33rASoVU67BVtQ3QQi99juZX4vU9o9pScocCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBMNPo1KAGbz8Jl6HGbtAcetieSJ3bEAXmv1tcjysBS67AXzdu1Ac+onHh2EpzBM7kuGbw+trU+AhulooPpewIQRApXP1F0KHRDcbqWjwvknS6HnomN9572giLGKn2601bHiRUj35hiA8aLmMUBppIRPFFAoQ0QUBCPx+m8/0n33w==</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</ds:SignedInfo>
<ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
<wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<soap:Body>
<getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
<isbn>0061020052</isbn>
</getBook>
</soap:Body></soap:Envelope>
To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (CXF-3041) AsymmetricBinding used only for
response causes error
Posted by "Dennis Sosnoski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918720#action_12918720 ]
Dennis Sosnoski commented on CXF-3041:
--------------------------------------
I think Thilina's blog is based on his understanding of this feature for the Rampart implementation, so I can't see it as a very definitive reference. As far as the standard goes, I don't see anything in the AsymmetricBinding description which defines it as a purely two-way street. What in particular are you looking at with this?
WSSP does say that AsymmetricBinding can be used at either the endpoint or the operation level, and that the actual SignedParts or EncryptedParts can be used at the message level, so this does give a way of creating policies that apply signing or encryption to only certain messages. This would be difficult to make work in the fully general case - for instance, if you only wanted to encrypt the response from the server using the client's certificate, without that certificate being used in the request - but this case only requires that each side have access to it's own private key and the certificate of the other side.
Unfortunately, WSSP defines a structure for expressing what you want done without ever saying exactly what is or is not supposed to work. Personally, I think any standard of this type should be required to provide a fairly comprehensive set of examples to help resolve just this type of issue. FWIW, Metro is able to handle this case.
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>
> <!-- Policy for asymmetric binding with the certificate included in the message from
> client to server but only a thumbprint on messages from the server to the client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoDCCAgkCBEnhw2IwDQYJKoZIhvcNAQEFBQAwgZYxCzAJBgNVBAYTAk5aMRMwEQYDVQQIEwpXZWxsaW5ndG9uMRowGAYDVQQHExFQYXJhcGFyYXVtdSBCZWFjaDEqMCgGA1UEChMhU29zbm9za2kgU29mdHdhcmUgQXNzb2NpYXRlcyBMdGQuMRAwDgYDVQQLEwdVbmtub3duMRgwFgYDVQQDEw9EZW5uaXMgU29zbm9za2kwHhcNMDkwNDEyMTAzMzA2WhcNMzYwODI3MTAzMzA2WjCBljELMAkGA1UEBhMCTloxEzARBgNVBAgTCldlbGxpbmd0b24xGjAYBgNVBAcTEVBhcmFwYXJhdW11IEJlYWNoMSowKAYDVQQKEyFTb3Nub3NraSBTb2Z0d2FyZSBBc3NvY2lhdGVzIEx0ZC4xEDAOBgNVBAsTB1Vua25vd24xGDAWBgNVBAMTD0Rlbm5pcyBTb3Nub3NraTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAhOVyNK8xyxtb4DnKtU6mF9KoiFqCk7eKoLE26+9h410CtTkxzWAfgnR+8i+LPbdsPY+yXAo6NYpCCKolXfDLe+AG2GwnMZGrIl6+BLF3hqTmIXBFTLGUmC7A7uBTivaWgdH1w3hb33rASoVU67BVtQ3QQi99juZX4vU9o9pScocCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBMNPo1KAGbz8Jl6HGbtAcetieSJ3bEAXmv1tcjysBS67AXzdu1Ac+onHh2EpzBM7kuGbw+trU+AhulooPpewIQRApXP1F0KHRDcbqWjwvknS6HnomN9572giLGKn2601bHiRUj35hiA8aLmMUBppIRPFFAoQ0QUBCPx+m8/0n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (CXF-3041) AsymmetricBinding used only for
response causes error
Posted by "Dennis Sosnoski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918782#action_12918782 ]
Dennis Sosnoski commented on CXF-3041:
--------------------------------------
Glen, I understand that you're assuming the default should be to sign and encrypt everything if AsymmetricBinding is defined. However, I can see nothing in the WS-SP standard that backs up this assumption. Just because asymmetric encryption can be used in both directions doesn't mean it should automatically be applied to everything.
WS-SP has specific assertions for specifying what message components are to be signed and/or encrypted, the SignedParts/SignedElements and EncryptedParts/EncryptedElements/ContentEncryptedElements assertions. If the intent of the WS-SP writers was to make these values default to "everything", I would have expected them to make some statement to that effect.
As for explicitly shutting off signing at the message level, AFAIK WS-SP does not provide any way of doing this.
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>
> <!-- Policy for asymmetric binding with the certificate included in the message from
> client to server but only a thumbprint on messages from the server to the client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (CXF-3041) AsymmetricBinding used only for
response causes error
Posted by "Dennis Sosnoski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12919071#action_12919071 ]
Dennis Sosnoski commented on CXF-3041:
--------------------------------------
Yes, *if* you include an empty sp:SignedParts assertion, *then* the body and certain headers must be signed. How do you use that to justify the assumption that if you *don't* include an sp:SignedParts assertion the same thing is supposed to occur? The writers of the standard specifically stated one case, don't you think they would have specifically stated the other case, too, if that's what they intended?
I did a quick search and found at least one documented example of AsymmetricBinding used only for encrypting one component of the message, only sent in one direction. In this case it's used for just encrypting a UsernameToken: http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/twbs_configmsglvlpolicyset.html For most people this example would be enough to show that your arguments are wrong, but I suspect you won't be convinced. :-)
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>
> <!-- Policy for asymmetric binding with the certificate included in the message from
> client to server but only a thumbprint on messages from the server to the client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (CXF-3041) AsymmetricBinding used only for
response causes error
Posted by "Glen Mazza (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918484#action_12918484 ]
Glen Mazza commented on CXF-3041:
---------------------------------
In the behavior of such "one way Asymmetric Binding" defined anywhere -- I'm not sure how this is supposed to work.
Main things I could find on the 'Net, a blog explanation[1] and the WS-SecPol 1.2 explanation[2], both appeared to define AsymmetricBinding as a purely two-way street.
[1] http://thilinamb.wordpress.com/2009/08/19/ws-security-policy-assymetric-binding-explained/
[2] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826560
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>
> <!-- Policy for asymmetric binding with the certificate included in the message from
> client to server but only a thumbprint on messages from the server to the client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoDCCAgkCBEnhw2IwDQYJKoZIhvcNAQEFBQAwgZYxCzAJBgNVBAYTAk5aMRMwEQYDVQQIEwpXZWxsaW5ndG9uMRowGAYDVQQHExFQYXJhcGFyYXVtdSBCZWFjaDEqMCgGA1UEChMhU29zbm9za2kgU29mdHdhcmUgQXNzb2NpYXRlcyBMdGQuMRAwDgYDVQQLEwdVbmtub3duMRgwFgYDVQQDEw9EZW5uaXMgU29zbm9za2kwHhcNMDkwNDEyMTAzMzA2WhcNMzYwODI3MTAzMzA2WjCBljELMAkGA1UEBhMCTloxEzARBgNVBAgTCldlbGxpbmd0b24xGjAYBgNVBAcTEVBhcmFwYXJhdW11IEJlYWNoMSowKAYDVQQKEyFTb3Nub3NraSBTb2Z0d2FyZSBBc3NvY2lhdGVzIEx0ZC4xEDAOBgNVBAsTB1Vua25vd24xGDAWBgNVBAMTD0Rlbm5pcyBTb3Nub3NraTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAhOVyNK8xyxtb4DnKtU6mF9KoiFqCk7eKoLE26+9h410CtTkxzWAfgnR+8i+LPbdsPY+yXAo6NYpCCKolXfDLe+AG2GwnMZGrIl6+BLF3hqTmIXBFTLGUmC7A7uBTivaWgdH1w3hb33rASoVU67BVtQ3QQi99juZX4vU9o9pScocCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBMNPo1KAGbz8Jl6HGbtAcetieSJ3bEAXmv1tcjysBS67AXzdu1Ac+onHh2EpzBM7kuGbw+trU+AhulooPpewIQRApXP1F0KHRDcbqWjwvknS6HnomN9572giLGKn2601bHiRUj35hiA8aLmMUBppIRPFFAoQ0QUBCPx+m8/0n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (CXF-3041) AsymmetricBinding used only for
response causes error
Posted by "Glen Mazza (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918778#action_12918778 ]
Glen Mazza commented on CXF-3041:
---------------------------------
quote: "Even though the AsymmetricBinding is set at the operation level, nothing is specified for signing or encrypting in the request message."
Oh, but by default then everything should be signed and encrypted in the request message. So long as AsymmetricBinding is defined at the operation level, it should not be necessary to define message-level encryption and signature policy reference rules in order to activate either--deactivate maybe, but not activate. I don't see why the default should be nothing.
To answer your earlier question: "As far as the standard goes, I don't see anything in the AsymmetricBinding description which defines it as a purely two-way street. What in particular are you looking at with this?"
In particular, the sentence: "The AsymmetricBinding assertion is used in scenarios in which message protection is provided by means defined in WSS: SOAP Message Security using asymmetric key (Public Key) technology."
Here, we need a definition of what "asymmetric key technology" is. Thilna's non-normative definition from the blog entry is:
In asymmetric binding, message encryption and signing takes place using the Public Key Infrastructure(PKI), i.e. sender encrypts messages using the public key of the recipient and sign the messages using his private key. Then the recipient can decrypt the received messages using his private key and verify the signature of the message using the public key of the sender. This way, the confidentiality, integrity and the non-repudiation properties of the message exchanges can be assured.
The Wikipedia entry (http://en.wikipedia.org/wiki/Public-key_cryptography) says much the same. That should be the default (as it's the most idiot-proof setting)--sign and encrypt everything in both directions. As of this moment, I don't see the bug here.
quote: "The CXF client is generating a signature for the request message, which was not requested."
I'm not an expert at reading policy, but I would argue it *was* requested, because you did not explicitly shut it off at the message level, no?
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>
> <!-- Policy for asymmetric binding with the certificate included in the message from
> client to server but only a thumbprint on messages from the server to the client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (CXF-3041) AsymmetricBinding used only for
response causes error
Posted by "Glen Mazza (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918945#action_12918945 ]
Glen Mazza commented on CXF-3041:
---------------------------------
I think I can get a little bit more authoritative:
>From here: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826512
If you just specify /sp:SignedParts, with no child elements, body and certain headers *must* be signed. Quote: This assertion specifies the parts of the message that need integrity protection. If no child elements are specified, all message headers targeted at the UltimateReceiver role [SOAP12] or actor [SOAP11] and the body of the message MUST be integrity protected.
>From here: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826515
If you just specify /sp:EncryptedParts, body alone must be encrypted: This assertion specifies the parts of the message that need confidentiality protection. The single child element of this assertion specifies the set of message parts using an extensible dialect. If no child elements are specified, the body of the message MUST be confidentiality protected.
In other words, the spec folk have already defined the most idiot-proof defaults if you just use this:
<wsp:Policy>
<sp:SignedParts/>
<sp:EncryptedParts/>
</wsp:Policy>
I would submit that those should be the same defaults if you fail to attach a Policy at all to the message. However, I concede there's nothing in the spec to suggest that (or the contrary for that matter). As WS-SecPol 1.3 is still in development, perhaps you can make suggestions to them on providing an ability to clearly and unambiguously shutting off of encryption and/or signing from either the request or response. At the very least, to have them clearly specify what the default message level encryption/signature policy is if you don't attach a message policy reference to the message.
Your quote: For example, it makes sense to sign responses from a government server providing official information, so that the response can be saved and provided if proof of the response is needed later (the equivalent of a certified document).
Actually, that's not the point, I need to know why it is so important *not* to sign the request or encrypt in both directions, I understand you don't care about it being signed, but why MUST it not be signed? Performance is certainly an argument, but not enough in my view to trump idiot-proofing.
Incidentally, you can probably do what you want in CXF by *not* using Policy statements but just the traditional interceptors instead:
http://www.jroller.com/gmazza/entry/cxf_x509_profile
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>
> <!-- Policy for asymmetric binding with the certificate included in the message from
> client to server but only a thumbprint on messages from the server to the client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (CXF-3041) AsymmetricBinding used only for
response causes error
Posted by "Glen Mazza (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918748#action_12918748 ]
Glen Mazza commented on CXF-3041:
---------------------------------
I think we're talking two different things, with me misunderstanding you. If I understand you correctly now, you just want to encrypt the SOAP request but not sign it, and CXF is complaining about that, correct? As message-level encryption allows you to define what needs signing and what needs encrypting, it is probably indeed a CXF bug if it is requiring the SOAP request to be signed while the WS-SecPol statements are not requiring it.
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>
> <!-- Policy for asymmetric binding with the certificate included in the message from
> client to server but only a thumbprint on messages from the server to the client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (CXF-3041) AsymmetricBinding used only for
response causes error
Posted by "Glen Mazza (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12919192#action_12919192 ]
Glen Mazza commented on CXF-3041:
---------------------------------
Your first two questions I answered as well as I could in my immediately preceding response. I believe your next step is to go to the WS-SecPol WG and get clarification from them to get more ammo before coming back here.
I'm not sure what your example is showing, it just overrides the defaults by -->explicitly<-- signing/encrypting one thing, the UsernameToken--nothing about what happens when you omit the SignedParts/EncryptedParts tags entirely. Also, nothing one way or the other is being said about the response. At any rate, when I had earlier showed the Axis2/Rampart example *not* supporting what you had wanted you had dismissed individual implementations as not sufficiently definitive enough on how things should be implemented.
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>
> <!-- Policy for asymmetric binding with the certificate included in the message from
> client to server but only a thumbprint on messages from the server to the client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (CXF-3041) AsymmetricBinding used only for response
causes error
Posted by "Dennis Sosnoski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dennis Sosnoski updated CXF-3041:
---------------------------------
Description:
When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
org.w3c.dom.DOMException: Cannot find Reference in Manifest
at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
<wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
xmlns:wns="http://ws.sosnoski.com/library/wsdl"
xmlns:tns="http://ws.sosnoski.com/library/types"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
<!-- Policy for asymmetric binding with the certificate included in the message from
client to server but only a thumbprint on messages from the server to the client. -->
<wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
</wsp:Policy>
<!-- Policy for signing the message body. -->
<wsp:Policy wsu:Id="SignBody" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SignedParts>
<sp:Body/>
</sp:SignedParts>
</wsp:Policy>
...
<wsdl:binding name="LibrarySoapBinding" type="wns:Library">
<wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name="getBook">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
<wsdlsoap:operation soapAction="urn:getBook"/>
<wsdl:input name="getBookRequest">
<wsdlsoap:body use="literal"/>
</wsdl:input>
<wsdl:output name="getBookResponse">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
<wsdlsoap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
...
</wsdl:binding>
...
</wsdl:definitions>
Here's the actual request message:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</ds:SignedInfo>
<ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
<wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<soap:Body>
<getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
<isbn>0061020052</isbn>
</getBook>
</soap:Body></soap:Envelope>
To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
was:
When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
org.w3c.dom.DOMException: Cannot find Reference in Manifest
at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
<wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
xmlns:wns="http://ws.sosnoski.com/library/wsdl"
xmlns:tns="http://ws.sosnoski.com/library/types"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
<!-- Policy for asymmetric binding with the certificate included in the message from
client to server but only a thumbprint on messages from the server to the client. -->
<wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
</wsp:Policy>
<!-- Policy for signing the message body. -->
<wsp:Policy wsu:Id="SignBody" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SignedParts>
<sp:Body/>
</sp:SignedParts>
</wsp:Policy>
...
<wsdl:binding name="LibrarySoapBinding" type="wns:Library">
<wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name="getBook">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
<wsdlsoap:operation soapAction="urn:getBook"/>
<wsdl:input name="getBookRequest">
<wsdlsoap:body use="literal"/>
</wsdl:input>
<wsdl:output name="getBookResponse">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
<wsdlsoap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
...
</wsdl:binding>
...
</wsdl:definitions>
Here's the actual request message:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoDCCAgkCBEnhw2IwDQYJKoZIhvcNAQEFBQAwgZYxCzAJBgNVBAYTAk5aMRMwEQYDVQQIEwpXZWxsaW5ndG9uMRowGAYDVQQHExFQYXJhcGFyYXVtdSBCZWFjaDEqMCgGA1UEChMhU29zbm9za2kgU29mdHdhcmUgQXNzb2NpYXRlcyBMdGQuMRAwDgYDVQQLEwdVbmtub3duMRgwFgYDVQQDEw9EZW5uaXMgU29zbm9za2kwHhcNMDkwNDEyMTAzMzA2WhcNMzYwODI3MTAzMzA2WjCBljELMAkGA1UEBhMCTloxEzARBgNVBAgTCldlbGxpbmd0b24xGjAYBgNVBAcTEVBhcmFwYXJhdW11IEJlYWNoMSowKAYDVQQKEyFTb3Nub3NraSBTb2Z0d2FyZSBBc3NvY2lhdGVzIEx0ZC4xEDAOBgNVBAsTB1Vua25vd24xGDAWBgNVBAMTD0Rlbm5pcyBTb3Nub3NraTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAhOVyNK8xyxtb4DnKtU6mF9KoiFqCk7eKoLE26+9h410CtTkxzWAfgnR+8i+LPbdsPY+yXAo6NYpCCKolXfDLe+AG2GwnMZGrIl6+BLF3hqTmIXBFTLGUmC7A7uBTivaWgdH1w3hb33rASoVU67BVtQ3QQi99juZX4vU9o9pScocCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBMNPo1KAGbz8Jl6HGbtAcetieSJ3bEAXmv1tcjysBS67AXzdu1Ac+onHh2EpzBM7kuGbw+trU+AhulooPpewIQRApXP1F0KHRDcbqWjwvknS6HnomN9572giLGKn2601bHiRUj35hiA8aLmMUBppIRPFFAoQ0QUBCPx+m8/0n33w==</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</ds:SignedInfo>
<ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
<wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<soap:Body>
<getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
<isbn>0061020052</isbn>
</getBook>
</soap:Body></soap:Envelope>
To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
Cut out most of the certificate data so this will fit in a more-reasonable width.
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>
> <!-- Policy for asymmetric binding with the certificate included in the message from
> client to server but only a thumbprint on messages from the server to the client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (CXF-3041) AsymmetricBinding used only for
response causes error
Posted by "Dennis Sosnoski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918881#action_12918881 ]
Dennis Sosnoski commented on CXF-3041:
--------------------------------------
Glen, you're the one who's making all kind of bold statements about how this all works, without any justification in the standard (instead drawing on blogs, Wikipedia general articles on encryption, and... hotel room door analogies?). If one-way encryption or signing is *not* intended to be supported by the standard, why does the standard not make signing or encrypting the default (which it does not, no matter how much you think it *should* do so)? And why does the standard explicitly allow the SignedParts/EncryptedParts assertions to be attached at the message level? This would make no sense if the intent was to always apply signing and encryption in both directions.
As to the use case, there are many situations where only one direction of information flow needs to be signed. For example, it makes sense to sign responses from a government server providing official information, so that the response can be saved and provided if proof of the response is needed later (the equivalent of a certified document). It's a little more difficult to come up with examples where encryption is only needed in one direction, but I'm sure there are real situations of that type, too.
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>
> <!-- Policy for asymmetric binding with the certificate included in the message from
> client to server but only a thumbprint on messages from the server to the client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (CXF-3041) AsymmetricBinding used only for
response causes error
Posted by "Dennis Sosnoski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918772#action_12918772 ]
Dennis Sosnoski commented on CXF-3041:
--------------------------------------
Actually I want to only sign the response message, as specified by the policy. Even though the AsymmetricBinding is set at the operation level, nothing is specified for signing or encrypting in the request message.
The CXF client is generating a signature for the request message, which was not requested. The CXF server complains about this, which is probably correct.
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>
> <!-- Policy for asymmetric binding with the certificate included in the message from
> client to server but only a thumbprint on messages from the server to the client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (CXF-3041) AsymmetricBinding used only for response
causes error
Posted by "Dennis Sosnoski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dennis Sosnoski updated CXF-3041:
---------------------------------
Attachment: effective3.tgz
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>
> <!-- Policy for asymmetric binding with the certificate included in the message from
> client to server but only a thumbprint on messages from the server to the client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoDCCAgkCBEnhw2IwDQYJKoZIhvcNAQEFBQAwgZYxCzAJBgNVBAYTAk5aMRMwEQYDVQQIEwpXZWxsaW5ndG9uMRowGAYDVQQHExFQYXJhcGFyYXVtdSBCZWFjaDEqMCgGA1UEChMhU29zbm9za2kgU29mdHdhcmUgQXNzb2NpYXRlcyBMdGQuMRAwDgYDVQQLEwdVbmtub3duMRgwFgYDVQQDEw9EZW5uaXMgU29zbm9za2kwHhcNMDkwNDEyMTAzMzA2WhcNMzYwODI3MTAzMzA2WjCBljELMAkGA1UEBhMCTloxEzARBgNVBAgTCldlbGxpbmd0b24xGjAYBgNVBAcTEVBhcmFwYXJhdW11IEJlYWNoMSowKAYDVQQKEyFTb3Nub3NraSBTb2Z0d2FyZSBBc3NvY2lhdGVzIEx0ZC4xEDAOBgNVBAsTB1Vua25vd24xGDAWBgNVBAMTD0Rlbm5pcyBTb3Nub3NraTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAhOVyNK8xyxtb4DnKtU6mF9KoiFqCk7eKoLE26+9h410CtTkxzWAfgnR+8i+LPbdsPY+yXAo6NYpCCKolXfDLe+AG2GwnMZGrIl6+BLF3hqTmIXBFTLGUmC7A7uBTivaWgdH1w3hb33rASoVU67BVtQ3QQi99juZX4vU9o9pScocCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBMNPo1KAGbz8Jl6HGbtAcetieSJ3bEAXmv1tcjysBS67AXzdu1Ac+onHh2EpzBM7kuGbw+trU+AhulooPpewIQRApXP1F0KHRDcbqWjwvknS6HnomN9572giLGKn2601bHiRUj35hiA8aLmMUBppIRPFFAoQ0QUBCPx+m8/0n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (CXF-3041) AsymmetricBinding used only for
response causes error
Posted by "Glen Mazza (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918837#action_12918837 ]
Glen Mazza commented on CXF-3041:
---------------------------------
Dennis, you keep using phrases like "I can see nothing .... that suggests that...." to imply that there is something that states the opposite, i.e., what you want. Look at your statements:
However, I can see nothing in the WS-SP standard that backs up this assumption [that AB is a two-way street].
==> But there is equally nothing in the WS-SP standard that suggests it can be a one-way street.
If the intent of the WS-SP writers was to make these values default to "everything", I would have expected them to make some statement to that effect.
==> The statement above is just as valid with the word "nothing", i.e., what you want. I.e., the above sentence is meaningless if you are trying to make an argument in favor of what you want.
Even though the AsymmetricBinding is set at the operation level, nothing is specified for signing or encrypting in the request message.
==> Nothing is specified for *not* signing or encrypting the request message either.
These are for web services that can hold people's sensitive data, such as credit card information, so it would appear to me that the most secure option (sign & encrypt everything if nothing specified) should be the default to make things idiot-proof, i.e., for newbie or novice or lazy developers just setting up security without much attention to detail, everything will be handled perfectly securely. Those like you who know what they are doing can go in and reduce the amount of security, but it's dangerous to rely on newbies to properly *add* in security.
When hotel room doors shut, they lock by default. They don't stay unlocked and require the person staying there or leaving the room to manually lock the door. It's the same principle.
"As for explicitly shutting off signing at the message level, AFAIK WS-SP does not provide any way of doing this."
Maybe there's a reason for that--namely, that Assymmetric Binding is meant to provide both encryption and integrity/non-repudiation, and signatures are a vital part of the latter. Maybe the WS-SP writers wanted to make things idiot-proof by disallowing it. I don't know. Maybe if I could get a fuller use case of what you're trying to do I could understand the need for this better.
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>
> <!-- Policy for asymmetric binding with the certificate included in the message from
> client to server but only a thumbprint on messages from the server to the client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (CXF-3041) AsymmetricBinding used only for
response causes error
Posted by "Dennis Sosnoski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12927320#action_12927320 ]
Dennis Sosnoski commented on CXF-3041:
--------------------------------------
The WS-SecPolicy WG does not respond to questions about usage, as far as I've ever seen, so I think your suggestion is not intended to be helpful.
If you're correct that everything should be signed and encrypted by default, and that the standard somehow forgot to mention this seemingly crucial point, then both CXF and all the other stacks I'm aware are broken because they don't do this. If I'm correct that only those components specified by the policy should be signed or encrypted, then the issue is somewhat simpler in that CXF just needs to stop generating a signature block if no components are being signed. Either way, the current behavior is wrong.
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it for the response message, the request message is sent with a signature and the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>
> <!-- Policy for asymmetric binding with the certificate included in the message from
> client to server but only a thumbprint on messages from the server to the client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-797FFC48A8BEF2669712863570548321" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set the home directory for you CXF installation, and build with Ant (default target). This generates the .war, and you can then run the client with the Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.