Posted to users@cxf.apache.org by Chris <cz...@ybs.co.uk> on 2014/10/14 15:12:26 UTC

Current situation: CXF client send nonce and timestamp

I have not yet been able to build a simple test case, but it seems clear that
the <sp13:Created /> and 
<sp13:Nonce /> elements are ignored in the client code. As I mentioned in a 
previous message
<http://cxf.547215.n5.nabble.com/CXF-client-send-nonce-and-timestamp-tp5749743p5749800.html>  
these are being read correctly by the 

 AssertionInfoMap aim = message.get(AssertionInfoMap.class); 

at the beginning of
  protected UsernameToken assertTokens(SoapMessage message, String
localname, boolean signed) 

in org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor

but not being returned in the token produced by that method.

Meanwhile I came up with a "fix" by modifying the UsernameTokenInterceptor:

    protected void addToken(SoapMessage message) {
        UsernameToken tok = assertTokens(message);

        Header h = findSecurityHeader(message, true);
        WSSecUsernameToken utBuilder = 
            addUsernameToken(message, tok);
        if (utBuilder == null) {
            AssertionInfoMap aim = message.get(AssertionInfoMap.class);
            Collection<AssertionInfo> ais = 
                getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
            for (AssertionInfo ai : ais) {
                if (ai.isAsserted()) {
                    ai.setAsserted(false);
                }
            }
            return;
        }

        //***************************
        // Beginning of Modification
        //***************************
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        boolean haveNonce = false;
        boolean haveCreated = false;

        Collection<AssertionInfo> nonces = aim.getAssertionInfo(SP13Constants.NONCE);
        for (AssertionInfo nonce : nonces) {
            if (nonce.isAsserted()) {
                haveNonce = true;
            }
        }

        Collection<AssertionInfo> createds = aim.getAssertionInfo(SP13Constants.CREATED);
        for (AssertionInfo created : createds) {
            if (created.isAsserted()) {
                haveCreated = true;
            }
        }

        if (haveCreated) {
            utBuilder.addCreated();
        }

        if (haveNonce) {
            utBuilder.addNonce();
        }

        //***************************
        // End of modification
        //***************************

        Element el = (Element)h.getObject();
        utBuilder.prepare(el.getOwnerDocument());
        el.appendChild(utBuilder.getUsernameTokenElement());
    }


So I thought "all well and good" and then tried the username token with
message protection only to find that it uses a totally different class to
generate the embedded username token, and the changed code is not called! As
soon as I set the server to "created time and nonce required" it fails! This
also appears to be much more complex processing so finding where to fix the
code is a little difficult.

BTW I know that my "fix" is probably not the right way to do it; fixing the
underlying code to produce the correct values in the token, then passing
that through to the builder, looked like much too much work within our
timescales.






--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-client-send-nonce-and-timestamp-tp5749743p5749873.html
Sent from the cxf-user mailing list archive at Nabble.com.
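
Chris's message above turns on what happens once the server is set to "created time and nonce required": a client that omits either element is rejected. The following is an added illustration, not code from this thread or from CXF/WSS4J, of both sides of that exchange: the client-side Nonce and Created children that WSS4J's `addNonce()`/`addCreated()` would emit, and the checks a recipient requiring them performs (presence, freshness of Created, and a nonce cache to refuse replays). Assumed for the example: WS-Security 1.0 wsse/wsu namespaces, a 5-minute freshness window, 60 seconds of tolerated clock skew, an in-memory nonce cache, and the constructed token XML and timestamps; nothing is sent over the wire.

```python
"""Added illustration (not CXF or WSS4J code): a UsernameToken carrying
Nonce + Created, and what a recipient configured as "created time and nonce
required" checks on it.

Assumed here: WS-Security 1.0 wsse/wsu namespaces, a freshness window of 5
minutes, 60 seconds of tolerated clock skew, and an in-memory nonce cache.
All token XML and timestamps are constructed for the example.
"""
import base64
import datetime
import os
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTC = datetime.timezone.utc
FRESHNESS = datetime.timedelta(minutes=5)   # assumed: how old a Created may be
SKEW = datetime.timedelta(seconds=60)       # assumed: tolerated clock skew into the future
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def build_username_token(username, with_nonce=True, with_created=True, now=None):
    """Client side: the Nonce/Created children that WSS4J's addNonce() and
    addCreated() add. The flags model a client that leaves them out."""
    now = now or datetime.datetime.now(UTC)
    parts = ['<wsse:UsernameToken xmlns:wsse="%s" xmlns:wsu="%s">' % (WSSE, WSU),
             "<wsse:Username>%s</wsse:Username>" % username]
    if with_nonce:
        # 16 random bytes, Base64-encoded: unique per message
        parts.append("<wsse:Nonce>%s</wsse:Nonce>" % base64.b64encode(os.urandom(16)).decode())
    if with_created:
        parts.append("<wsu:Created>%s</wsu:Created>" % now.strftime(TS_FORMAT))
    parts.append("</wsse:UsernameToken>")
    return "".join(parts)


class UsernameTokenVerifier:
    """Recipient side: rejects tokens missing a required element, tokens whose
    Created lies outside the freshness window, and replayed nonces."""

    def __init__(self, require_nonce=True, require_created=True):
        self.require_nonce = require_nonce
        self.require_created = require_created
        self._seen = {}  # nonce -> time first seen; pruned once it can no longer be fresh

    def verify(self, token_xml, now=None):
        """Return (accepted, reason)."""
        now = now or datetime.datetime.now(UTC)
        token = ET.fromstring(token_xml)
        nonce = token.findtext("{%s}Nonce" % WSSE)
        created_text = token.findtext("{%s}Created" % WSU)

        if self.require_created and created_text is None:
            return False, "Created required but absent"
        if self.require_nonce and nonce is None:
            return False, "Nonce required but absent"

        if created_text is not None:
            created = datetime.datetime.strptime(created_text, TS_FORMAT).replace(tzinfo=UTC)
            if created > now + SKEW:
                return False, "Created is in the future"
            if now - created > FRESHNESS:
                return False, "Created is older than the freshness window"

        if nonce is not None:
            # Keep a nonce for as long as a token carrying it could still pass the
            # Created check; after that a replay is rejected as stale anyway.
            self._seen = {n: t for n, t in self._seen.items() if now - t <= FRESHNESS + SKEW}
            if nonce in self._seen:
                return False, "Nonce already seen (replay)"
            self._seen[nonce] = now

        return True, "accepted"


def demo(base=None):
    """Walk the cases the thread is about: a token with both elements, a replay
    of it, a client omitting Nonce, one omitting Created, and a stale token.
    Returns the (accepted, reason) results in that order."""
    base = base or datetime.datetime(2014, 10, 14, 15, 12, 26, tzinfo=UTC)  # constructed
    verifier = UsernameTokenVerifier()
    good = build_username_token("alice", now=base)
    return [
        verifier.verify(good, now=base),
        verifier.verify(good, now=base + datetime.timedelta(seconds=30)),
        verifier.verify(build_username_token("alice", with_nonce=False, now=base), now=base),
        verifier.verify(build_username_token("alice", with_created=False, now=base), now=base),
        verifier.verify(build_username_token("alice", now=base),
                        now=base + datetime.timedelta(minutes=10)),
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```

The nonce cache is what makes Created useful: Created alone bounds how long a captured token stays valid, and the nonce makes a second delivery inside that window detectable, which is why a recipient that requires one usually requires both.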

Re: I have a working fix in the signed/encrypted version now (and thanks Colm)

Posted by Chris <cz...@ybs.co.uk>.
Thanks,
That's unfortunate because Oracle's
*oracle/wss11_username_token_with_message_protection_service_policy* and
*oracle/wss11_message_protection_service_policy* don't behave themselves and
come up with an error:
BSP:R5215: Any SECURITY_TOKEN_REFERENCE to a PKIPATH_TOKEN MUST contain a
wsse11:TokenType attribute with a value of
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"

(the response contains
<wsse:SecurityTokenReference
TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
)



--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-client-send-nonce-and-timestamp-tp5749743p5749957.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: I have a working fix in the signed/encrypted version now (and thanks Colm)

Posted by Colm O hEigeartaigh <co...@apache.org>.
Ok you are using a WS-SecurityPolicy 1.1 policy. sp13:Created + sp13:Nonce
do not apply for this version of the specification, and so that is why they
are not in the message.

Colm.

On Wed, Oct 15, 2014 at 12:13 PM, Chris <cz...@ybs.co.uk> wrote:

> Here is the policy from the WSDL:
>
> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
>                 wsu:Id="Service6Soap1p2Soap12HttpPort_Fault_Policy">
>                 <sp:SignedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
>                 <sp:SignedElements
>                         xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
>                 <sp:EncryptedParts
>                         xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
>                 <sp:EncryptedElements
>                         xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
>         </wsp:Policy>
>         <wsp:Policy xmlns:wsp="
> http://schemas.xmlsoap.org/ws/2004/09/policy"
>
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
>                 wsu:Id="Service6Soap1p2Soap12HttpPort_Input_Policy">
>                 <sp:SignedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                         <sp:Body />
>                         <sp:Header Name="fmw-context"
> Namespace="http://xmlns.oracle.com/fmw/context/1.0" />
>                         <sp:Header Name="" Namespace="
> http://www.w3.org/2005/08/addressing" />
>                         <sp:Header Name=""
>                                 Namespace="
> http://schemas.xmlsoap.org/ws/2004/08/addressing" />
>                 </sp:SignedParts>
>                 <sp:SignedElements
>                         xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
>                 <sp:EncryptedParts
>                         xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                         <sp:Body />
>                         <sp:Header Name="fmw-context"
> Namespace="http://xmlns.oracle.com/fmw/context/1.0" />
>                 </sp:EncryptedParts>
>                 <sp:EncryptedElements
>                         xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
>         </wsp:Policy>
>         <wsp:Policy xmlns:wsp="
> http://schemas.xmlsoap.org/ws/2004/09/policy"
>
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
>                 wsu:Id="Service6Soap1p2Soap12HttpPort_Output_Policy">
>                 <sp:SignedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                         <sp:Body />
>                 </sp:SignedParts>
>                 <sp:SignedElements
>                         xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
>                 <sp:EncryptedParts
>                         xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                         <sp:Body />
>                 </sp:EncryptedParts>
>                 <sp:EncryptedElements
>                         xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
>         </wsp:Policy>
>         <wsp:Policy xmlns:wsp="
> http://schemas.xmlsoap.org/ws/2004/09/policy"
>
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
>
>
> wsu:Id="wss10_username_token_with_message_protection_service_policy_timestamp_nonce">
>                 <sp:AsymmetricBinding
>                         xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                         <wsp:Policy>
>                                 <sp:InitiatorToken>
>                                         <wsp:Policy>
>                                                 <sp:X509Token
>
> sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>                                                         <wsp:Policy>
>
> <sp:WssX509V3Token10 />
>                                                         </wsp:Policy>
>                                                 </sp:X509Token>
>                                         </wsp:Policy>
>                                 </sp:InitiatorToken>
>                                 <sp:RecipientToken>
>                                         <wsp:Policy>
>                                                 <sp:X509Token
>
> sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>                                                         <wsp:Policy>
>
> <sp:WssX509V3Token10 />
>                                                         </wsp:Policy>
>                                                 </sp:X509Token>
>                                         </wsp:Policy>
>                                 </sp:RecipientToken>
>                                 <sp:AlgorithmSuite>
>                                         <wsp:Policy>
>                                                 <sp:Basic128 />
>                                         </wsp:Policy>
>                                 </sp:AlgorithmSuite>
>                                 <sp:Layout>
>                                         <wsp:Policy>
>                                                 <sp:Lax />
>                                         </wsp:Policy>
>                                 </sp:Layout>
>                                 <sp:IncludeTimestamp />
>                                 <sp:OnlySignEntireHeadersAndBody />
>                         </wsp:Policy>
>                 </sp:AsymmetricBinding>
>                 <sp:Wss10 xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                         <wsp:Policy />
>                 </sp:Wss10>
>                 <sp:SignedSupportingTokens
>                         xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                         <wsp:Policy>
>                                 <sp:UsernameToken
>
> sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> ">
>                                         <wsp:Policy
>
> xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802">
>                                                 <sp:WssUsernameToken10 />
>                                                 <sp13:Created />
>                                                 <sp13:Nonce />
>                                         </wsp:Policy>
>                                 </sp:UsernameToken>
>                         </wsp:Policy>
>                 </sp:SignedSupportingTokens>
>         </wsp:Policy>
>
> The following is the username token part as produced by Oracle; I added the
> Created and Nonce myself. Oracle does not request them even if you set
> "required" on the server:
>
> <sp:SignedSupportingTokens
>         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>                 <sp:UsernameToken
>
> sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> ">
>                         <wsp:Policy>
>                                 <sp:WssUsernameToken10 />
>                         </wsp:Policy>
>                 </sp:UsernameToken>
>         </wsp:Policy>
> </sp:SignedSupportingTokens>
> </wsp:Policy>
>
>
>
>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-client-send-nonce-and-timestamp-tp5749743p5749913.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
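
Colm's point above is that the sp13:Created and sp13:Nonce assertions belong to the WS-SecurityPolicy 1.3 additions namespace (.../ws-securitypolicy/200802) and apply to WS-SecurityPolicy 1.2 assertions (.../ws-securitypolicy/200702), so a UsernameToken declared in the 1.1 namespace (schemas.xmlsoap.org/ws/2005/07/securitypolicy) never picks them up. The following is an added example, not part of this thread and not CXF/WSS4J code: a small policy linter that finds each sp:UsernameToken, records which namespace it is in and which sp13 children it has, and reports whether those children are effective or silently ignored. The two sample policies are constructed, trimmed from the SignedSupportingTokens block in the thread's WSDL; the 1.2 variant is the same policy with the namespace swapped.

```python
"""Added illustration (not CXF or WSS4J code): a WS-SecurityPolicy linter that
reports whether sp13:Created / sp13:Nonce on a UsernameToken will take effect.

sp13 (the WS-SecurityPolicy 1.3 additions, namespace .../200802) is layered on
WS-SecurityPolicy 1.2 (namespace .../200702); a UsernameToken declared in the
1.1 namespace (schemas.xmlsoap.org/ws/2005/07/securitypolicy) does not get
them. The sample policies below are constructed from the thread's WSDL.
"""
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP11 = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
SP12 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
SP13 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"

# Constructed sample: the SignedSupportingTokens from the thread's policy, in
# the SP 1.1 namespace, with the sp13 assertions added by hand.
SP11_POLICY = """<wsp:Policy xmlns:wsp="%(wsp)s">
  <sp:SignedSupportingTokens xmlns:sp="%(sp)s">
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="%(sp)s/IncludeToken/AlwaysToRecipient">
        <wsp:Policy xmlns:sp13="%(sp13)s">
          <sp:WssUsernameToken10 />
          <sp13:Created />
          <sp13:Nonce />
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SignedSupportingTokens>
</wsp:Policy>""" % {"wsp": WSP, "sp": SP11, "sp13": SP13}

# The same policy moved to the SP 1.2 namespace, where sp13 assertions apply.
SP12_POLICY = SP11_POLICY.replace(SP11, SP12)


def username_token_findings(policy_xml):
    """One dict per sp:UsernameToken: its SP version, which sp13 assertions are
    nested under it, and whether they are effective or silently ignored."""
    root = ET.fromstring(policy_xml)
    findings = []
    for version, ns in (("1.1", SP11), ("1.2", SP12)):
        for ut in root.iter("{%s}UsernameToken" % ns):
            nested = ut.find("{%s}Policy" % WSP)
            tags = {child.tag for child in nested} if nested is not None else set()
            created = "{%s}Created" % SP13 in tags
            nonce = "{%s}Nonce" % SP13 in tags
            requested = created or nonce
            findings.append({
                "sp_version": version,
                "created": created,
                "nonce": nonce,
                # sp13 assertions only take effect under an SP 1.2 UsernameToken
                "sp13_effective": requested and version == "1.2",
                "sp13_ignored": requested and version == "1.1",
            })
    return findings


def lint(policy_xml):
    """Human-readable verdict per UsernameToken."""
    verdicts = []
    for f in username_token_findings(policy_xml):
        wanted = [name for name, on in (("Created", f["created"]), ("Nonce", f["nonce"])) if on]
        label = "UsernameToken (WS-SecurityPolicy %s)" % f["sp_version"]
        if not wanted:
            verdicts.append("%s: no sp13 Created/Nonce requested" % label)
        elif f["sp13_ignored"]:
            verdicts.append("%s: sp13 %s will be ignored; these assertions need an SP 1.2 policy"
                            % (label, "+".join(wanted)))
        else:
            verdicts.append("%s: sp13 %s will be applied" % (label, "+".join(wanted)))
    return verdicts


if __name__ == "__main__":
    for name, policy in (("SP 1.1 policy", SP11_POLICY), ("SP 1.2 policy", SP12_POLICY)):
        print(name)
        for verdict in lint(policy):
            print("  " + verdict)
```

Run against a WSDL's embedded policies before patching client code: the mismatch this reports is a policy-authoring problem, and a client that quietly drops the assertions is behaving as the specification version tells it to.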

Re: I have a working fix in the signed/encrypted version now (and thanks Colm)

Posted by Chris <cz...@ybs.co.uk>.
Here is the policy from the WSDL:

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
	
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
		wsu:Id="Service6Soap1p2Soap12HttpPort_Fault_Policy">
		<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
		<sp:SignedElements
			xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
		<sp:EncryptedParts
			xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
		<sp:EncryptedElements
			xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
	</wsp:Policy>
	<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
	
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
		wsu:Id="Service6Soap1p2Soap12HttpPort_Input_Policy">
		<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
			<sp:Body />
			<sp:Header Name="fmw-context"
Namespace="http://xmlns.oracle.com/fmw/context/1.0" />
			<sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing" />
			<sp:Header Name=""
				Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
		</sp:SignedParts>
		<sp:SignedElements
			xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
		<sp:EncryptedParts
			xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
			<sp:Body />
			<sp:Header Name="fmw-context"
Namespace="http://xmlns.oracle.com/fmw/context/1.0" />
		</sp:EncryptedParts>
		<sp:EncryptedElements
			xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
	</wsp:Policy>
	<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
	
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
		wsu:Id="Service6Soap1p2Soap12HttpPort_Output_Policy">
		<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
			<sp:Body />
		</sp:SignedParts>
		<sp:SignedElements
			xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
		<sp:EncryptedParts
			xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
			<sp:Body />
		</sp:EncryptedParts>
		<sp:EncryptedElements
			xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" />
	</wsp:Policy>
	<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
	
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
	
wsu:Id="wss10_username_token_with_message_protection_service_policy_timestamp_nonce">
		<sp:AsymmetricBinding
			xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
			<wsp:Policy>
				<sp:InitiatorToken>
					<wsp:Policy>
						<sp:X509Token
						
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
							<wsp:Policy>
								<sp:WssX509V3Token10 />
							</wsp:Policy>
						</sp:X509Token>
					</wsp:Policy>
				</sp:InitiatorToken>
				<sp:RecipientToken>
					<wsp:Policy>
						<sp:X509Token
						
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
							<wsp:Policy>
								<sp:WssX509V3Token10 />
							</wsp:Policy>
						</sp:X509Token>
					</wsp:Policy>
				</sp:RecipientToken>
				<sp:AlgorithmSuite>
					<wsp:Policy>
						<sp:Basic128 />
					</wsp:Policy>
				</sp:AlgorithmSuite>
				<sp:Layout>
					<wsp:Policy>
						<sp:Lax />
					</wsp:Policy>
				</sp:Layout>
				<sp:IncludeTimestamp />
				<sp:OnlySignEntireHeadersAndBody />
			</wsp:Policy>
		</sp:AsymmetricBinding>
		<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
			<wsp:Policy />
		</sp:Wss10>
		<sp:SignedSupportingTokens
			xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
			<wsp:Policy>
				<sp:UsernameToken
				
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
					<wsp:Policy
					
xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802">
						<sp:WssUsernameToken10 />
						<sp13:Created />
						<sp13:Nonce />
					</wsp:Policy>
				</sp:UsernameToken>
			</wsp:Policy>
		</sp:SignedSupportingTokens>
	</wsp:Policy>
The following is the username token part as produced by Oracle; I added the
Created and Nonce myself. Oracle does not request them even if you set
"required" on the server:

<sp:SignedSupportingTokens
	xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
	<wsp:Policy>
		<sp:UsernameToken
		
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
			<wsp:Policy>
				<sp:WssUsernameToken10 />
			</wsp:Policy>
		</sp:UsernameToken>
	</wsp:Policy>
</sp:SignedSupportingTokens>
</wsp:Policy>







--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-client-send-nonce-and-timestamp-tp5749743p5749913.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: I have a working fix in the signed/encrypted version now (and thanks Colm)

Posted by Colm O hEigeartaigh <co...@apache.org>.
And what does the security policy in question look like?

Colm.

On Wed, Oct 15, 2014 at 11:34 AM, Chris <cz...@ybs.co.uk> wrote:

> At the time the lines you show are called, the token "created" and "nonce" are
> false, and password type null:
>
> <http://cxf.547215.n5.nabble.com/file/n5749908/eclipse-ide.png>
>
> Tracing where and how these would be set would have been too hard in the
> time I have, my fix is a "work-around" rather than a nice solution.
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-client-send-nonce-and-timestamp-tp5749743p5749908.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: I have a working fix in the signed/encrypted version now (and thanks Colm)

Posted by Chris <cz...@ybs.co.uk>.
At the time the lines you show are called, the token "created" and "nonce" are
false, and password type null:

<http://cxf.547215.n5.nabble.com/file/n5749908/eclipse-ide.png> 

Tracing where and how these would be set would have been too hard in the
time I have, my fix is a "work-around" rather than a nice solution.



--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-client-send-nonce-and-timestamp-tp5749743p5749908.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: I have a working fix in the signed/encrypted version now (and thanks Colm)

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Chris,

I'm confused by your mail. Nonce + Created are already supported in the
AbstractBindingBuilder:

            if (token.isCreated() && token.getPasswordType() !=
                UsernameToken.PasswordType.HashPassword) {
                utBuilder.addCreated();
            }
            if (token.isNonce() && token.getPasswordType() !=
                UsernameToken.PasswordType.HashPassword) {
                utBuilder.addNonce();
            }

Can I see the exact encrypted + signed security policy that is not working?

Colm.

On Wed, Oct 15, 2014 at 11:03 AM, Chris <cz...@ybs.co.uk> wrote:

> coheigea wrote
> > Actually, the UsernameTokenInterceptor (which is used when there is no
> > security binding) does not support Nonce + Created. I've added support
> > here:
> >
> > https://issues.apache.org/jira/browse/CXF-6051
> >
> > Colm.
>
> Thanks Colm,
> It is also not supported with the encrypted and signed username token
> policy
> (Oracle server with
> *oracle/wss10_username_token_with_message_protection_service_policy*).
>
> Again I have a "working fix" to CXF 3.0.1, which I will give here
>
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor.java
>
> In PolicyBasedWSS4JOutInterceptorInternal, public void
> handleMessage(SoapMessage message) throws Fault (at about line 140),
> here we assert the "Created" and "Nonce" if they are present so that they can
> be picked up from "aim" later.
>
>                 ais = getAllAssertionsByLocalname(aim,
> SPConstants.SYMMETRIC_BINDING);
>                 if (!ais.isEmpty()) {
>                     for (AssertionInfo ai : ais) {
>                         transport = (AbstractBinding)ai.getAssertion();
>                         ai.setAsserted(true);
>                     }
>                 }
>
>                 //**************************
>                 // BEGIN MODIFICATION
>                 //**************************
>                 ais = aim.get(SP13Constants.CREATED);
>                 if (ais != null && !ais.isEmpty()) {
>                     for (AssertionInfo ai : ais) {
>                          ai.setAsserted(true);
>                     }
>                 }
>
>
>                 ais = aim.get(SP13Constants.NONCE);
>
>                 if (ais != null && !ais.isEmpty()) {
>                     for (AssertionInfo ai : ais) {
>                         ai.setAsserted(true);
>                     }
>                 }
>                 //**************************
>                 // END MODIFICATION
>                 //**************************
>
>                 if (transport == null && isRequestor(message)) {
>                     Policy policy = new Policy();
>                     transport = new
> TransportBinding(org.apache.wss4j.policy.SPConstants.SPVersion.SP11,
>                                                      policy);
>                 }
>
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.java
>
> In protected void handleUsernameTokenSupportingToken( UsernameToken token,
> boolean endorse, boolean encryptedToken, List<SupportingToken> ret ) throws
> WSSecurityException (around line 596), here we set the properties in the
> utBuilder if they are asserted in the "aim":
>
>  } else {
>
>             WSSecUsernameToken utBuilder = addUsernameToken(token);
>             if (utBuilder != null) {
>
>                 //***************************
>                 // Beginning of Modification
>                 //***************************
>                 AssertionInfoMap aim = message.get(AssertionInfoMap.class);
>                 boolean haveNonce = false;
>                 boolean haveCreated = false;
>
>                 Collection<AssertionInfo> nonces =
> aim.getAssertionInfo(SP13Constants.NONCE);
>                 for(AssertionInfo nonce: nonces) {
>                         if (nonce.isAsserted()) {
>                                 haveNonce = true;
>                         }
>                 }
>
>                 Collection<AssertionInfo> createds =
> aim.getAssertionInfo(SP13Constants.CREATED);
>                 for(AssertionInfo created: createds) {
>                         if(created.isAsserted()) {
>                                 haveCreated = true;
>                         }
>                 }
>
>                 if (haveCreated) {
>                         utBuilder.addCreated();
>                 }
>
>                 if (haveNonce) {
>                         utBuilder.addNonce();
>                 }
>
>                 //***************************
>                 // End of modification
>                 //***************************
>                 utBuilder.prepare(saaj.getSOAPPart());
>
>                 Element e = utBuilder.getUsernameTokenElement();
>
>                 //********************************************
>                 // Beginning of Modification (Logging only)
>                 //********************************************
>
>                 if(LOG.isLoggable(Level.FINE)) {
>                         Document d = e.getOwnerDocument();
>                         DOMImplementationLS domImplLS =
> (DOMImplementationLS)
> d.getImplementation();
>                         LSSerializer serializer =
> domImplLS.createLSSerializer();
>                         LOG.fine("Username Token: " +
> serializer.writeToString(e));
>                 }
>                 //********************************************
>                 // End of Modification (Logging only)
>                 //********************************************
>
>                 addSupportingElement(utBuilder.getUsernameTokenElement());
>                 ret.add(new SupportingToken(token, utBuilder));
>
>                 //WebLogic and WCF always encrypt these
>
> Also I just wanted to say thank you for your support to get a "real" fix
> into a future release, so hopefully we can use vanilla unpatched code in
> future.
>
>
>
>
>
>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-client-send-nonce-and-timestamp-tp5749743p5749905.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

I have a working fix in the signed/encrypted version now (and thanks Colm)

Posted by Chris <cz...@ybs.co.uk>.
coheigea wrote
> Actually, the UsernameTokenInterceptor (which is used when there is no
> security binding) does not support Nonce + Created. I've added support
> here:
> 
> https://issues.apache.org/jira/browse/CXF-6051
> 
> Colm.

Thanks Colm,
It is also not supported with the encrypted and signed username token policy
(Oracle server with
*oracle/wss10_username_token_with_message_protection_service_policy*).

Again I have a "working fix" to CXF 3.0.1, which I will give here

org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor.java

In PolicyBasedWSS4JOutInterceptorInternal, public void
handleMessage(SoapMessage message) throws Fault (at about line 140),
here we assert the "Created" and "Nonce" if they are present so that they can
be picked up from "aim" later.

                ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
                if (!ais.isEmpty()) {
                    for (AssertionInfo ai : ais) {
                        transport = (AbstractBinding)ai.getAssertion();
                        ai.setAsserted(true);
                    }
                }

                //**************************
                // BEGIN MODIFICATION
                //**************************
                ais = aim.get(SP13Constants.CREATED);
                if (ais != null && !ais.isEmpty()) {
                    for (AssertionInfo ai : ais) {
                        ai.setAsserted(true);
                    }
                }

                ais = aim.get(SP13Constants.NONCE);
                if (ais != null && !ais.isEmpty()) {
                    for (AssertionInfo ai : ais) {
                        ai.setAsserted(true);
                    }
                }
                //**************************
                // END MODIFICATION
                //**************************

                if (transport == null && isRequestor(message)) {
                    Policy policy = new Policy();
                    transport = new TransportBinding(org.apache.wss4j.policy.SPConstants.SPVersion.SP11,
                                                     policy);
                }

org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.java

In protected void handleUsernameTokenSupportingToken( UsernameToken token,
boolean endorse, boolean encryptedToken, List<SupportingToken> ret ) throws
WSSecurityException (around line 596), here we set the properties in the
utBuilder if they are asserted in the "aim":

        } else {
            WSSecUsernameToken utBuilder = addUsernameToken(token);
            if (utBuilder != null) {

                //***************************
                // Beginning of Modification
                //***************************
                AssertionInfoMap aim = message.get(AssertionInfoMap.class);
                boolean haveNonce = false;
                boolean haveCreated = false;

                Collection<AssertionInfo> nonces = aim.getAssertionInfo(SP13Constants.NONCE);
                for (AssertionInfo nonce : nonces) {
                    if (nonce.isAsserted()) {
                        haveNonce = true;
                    }
                }

                Collection<AssertionInfo> createds = aim.getAssertionInfo(SP13Constants.CREATED);
                for (AssertionInfo created : createds) {
                    if (created.isAsserted()) {
                        haveCreated = true;
                    }
                }

                if (haveCreated) {
                    utBuilder.addCreated();
                }

                if (haveNonce) {
                    utBuilder.addNonce();
                }

                //***************************
                // End of modification
                //***************************
                utBuilder.prepare(saaj.getSOAPPart());

                Element e = utBuilder.getUsernameTokenElement();

                //********************************************
                // Beginning of Modification (Logging only)
                //********************************************
                if (LOG.isLoggable(Level.FINE)) {
                    Document d = e.getOwnerDocument();
                    DOMImplementationLS domImplLS = (DOMImplementationLS) d.getImplementation();
                    LSSerializer serializer = domImplLS.createLSSerializer();
                    LOG.fine("Username Token: " + serializer.writeToString(e));
                }
                //********************************************
                // End of Modification (Logging only)
                //********************************************

                addSupportingElement(utBuilder.getUsernameTokenElement());
                ret.add(new SupportingToken(token, utBuilder));

                //WebLogic and WCF always encrypt these

Also I just wanted to say thank you for your support to get a "real" fix
into a future release, so hopefully we can use vanilla unpatched code in
future.



 





--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-client-send-nonce-and-timestamp-tp5749743p5749905.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Current situation: CXF client send nonce and timestamp

Posted by Colm O hEigeartaigh <co...@apache.org>.
Actually, the UsernameTokenInterceptor (which is used when there is no
security binding) does not support Nonce + Created. I've added support here:

https://issues.apache.org/jira/browse/CXF-6051

Colm.

On Tue, Oct 14, 2014 at 2:12 PM, Chris <cz...@ybs.co.uk> wrote:

> I have not yet been able to build a simple test case, but it seems clear
> that
> the <sp13:Created /> and
> <sp13:Nonce /> elements are ignored in the client code. As I mentioned in a
> previous message
> <
> http://cxf.547215.n5.nabble.com/CXF-client-send-nonce-and-timestamp-tp5749743p5749800.html
> >
> these are being read correctly by the
>
>  AssertionInfoMap aim = message.get(AssertionInfoMap.class);
>
> at the beginning of
>   protected UsernameToken assertTokens(SoapMessage message, String
> localname, boolean signed)
>
> in org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor
>
> but not being returned in the token produced by that method.
>
> Meanwhile I came up with a "fix" by modifying the UsernameTokenInterceptor:
>
>     protected void addToken(SoapMessage message) {
>         UsernameToken tok = assertTokens(message);
>
>         Header h = findSecurityHeader(message, true);
>         WSSecUsernameToken utBuilder =
>             addUsernameToken(message, tok);
>         if (utBuilder == null) {
>             AssertionInfoMap aim = message.get(AssertionInfoMap.class);
>             Collection<AssertionInfo> ais =
>                 getAllAssertionsByLocalname(aim,
> SPConstants.USERNAME_TOKEN);
>             for (AssertionInfo ai : ais) {
>                 if (ai.isAsserted()) {
>                     ai.setAsserted(false);
>                 }
>             }
>             return;
>         }
>
>         //***************************
>         // Beginning of Modification
>         //***************************
>         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
>         boolean haveNonce = false;
>         boolean haveCreated = false;
>
>         Collection<AssertionInfo> nonces =
> aim.getAssertionInfo(SP13Constants.NONCE);
>         for(AssertionInfo nonce: nonces) {
>                 if (nonce.isAsserted()) {
>                         haveNonce = true;
>                 }
>
>         }
>
>         Collection<AssertionInfo> createds =
> aim.getAssertionInfo(SP13Constants.CREATED);
>         for(AssertionInfo created: createds) {
>                 if(created.isAsserted()) {
>                         haveCreated = true;
>                 }
>         }
>
>         if (haveCreated) {
>                 utBuilder.addCreated();
>         }
>
>         if (haveNonce) {
>                 utBuilder.addNonce();
>         }
>
>         //***************************
>         // End of modification
>         //***************************
>
>         Element el = (Element)h.getObject();
>         utBuilder.prepare(el.getOwnerDocument());
>         el.appendChild(utBuilder.getUsernameTokenElement());
>     }
>
>
> So I thought "all well and good" and then tried the username token with
> message protection only to find that it uses a totally different class to
> generate the embedded username token, and the changed code is not called!
> As soon as I set the server to "created time and nonce required" it fails!
> This also appears to be much more complex processing so finding where to
> fix the code is a little difficult.
>
> BTW I know that my "fix" is probably not the right way to do it, fixing the
> underlying code to produce the correct values in the token, then passing
> that through to the builder looked like much too much work within our
> timescales
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Current situation: CXF client send nonce and timestamp

Posted by Jason Pell <ja...@pellcorp.com>.
I think you need to be looking in the wss4j out interceptor.

We use WS policy based cxf clients and it all just works. If your wsdl
includes the policies, it might be good to give that a go.

Lots of samples in the systests and also on my github project too.
On 15/10/2014 12:12 AM, "Chris" <cz...@ybs.co.uk> wrote:

> I have not yet been able to build a simple test case, but it seems clear
> that the <sp13:Created /> and <sp13:Nonce /> elements are ignored in the
> client code. As I mentioned in a previous message
> <http://cxf.547215.n5.nabble.com/CXF-client-send-nonce-and-timestamp-tp5749743p5749800.html>
> these are being read correctly by the
>
>  AssertionInfoMap aim = message.get(AssertionInfoMap.class);
>
> at the beginning of
>   protected UsernameToken assertTokens(SoapMessage message, String
> localname, boolean signed)
>
> in org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor
>
> but not being returned in the token produced by that method.
>
> Meanwhile I came up with a "fix" by modifying the UsernameTokenInterceptor:
>
>     protected void addToken(SoapMessage message) {
>         UsernameToken tok = assertTokens(message);
>
>         Header h = findSecurityHeader(message, true);
>         WSSecUsernameToken utBuilder =
>             addUsernameToken(message, tok);
>         if (utBuilder == null) {
>             AssertionInfoMap aim = message.get(AssertionInfoMap.class);
>             Collection<AssertionInfo> ais =
>                 getAllAssertionsByLocalname(aim,
> SPConstants.USERNAME_TOKEN);
>             for (AssertionInfo ai : ais) {
>                 if (ai.isAsserted()) {
>                     ai.setAsserted(false);
>                 }
>             }
>             return;
>         }
>
>         //***************************
>         // Beginning of Modification
>         //***************************
>         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
>         boolean haveNonce = false;
>         boolean haveCreated = false;
>
>         Collection<AssertionInfo> nonces =
> aim.getAssertionInfo(SP13Constants.NONCE);
>         for(AssertionInfo nonce: nonces) {
>                 if (nonce.isAsserted()) {
>                         haveNonce = true;
>                 }
>
>         }
>
>         Collection<AssertionInfo> createds =
> aim.getAssertionInfo(SP13Constants.CREATED);
>         for(AssertionInfo created: createds) {
>                 if(created.isAsserted()) {
>                         haveCreated = true;
>                 }
>         }
>
>         if (haveCreated) {
>                 utBuilder.addCreated();
>         }
>
>         if (haveNonce) {
>                 utBuilder.addNonce();
>         }
>
>         //***************************
>         // End of modification
>         //***************************
>
>         Element el = (Element)h.getObject();
>         utBuilder.prepare(el.getOwnerDocument());
>         el.appendChild(utBuilder.getUsernameTokenElement());
>     }
>
>
> So I thought "all well and good" and then tried the username token with
> message protection only to find that it uses a totally different class to
> generate the embedded username token, and the changed code is not called!
> As soon as I set the server to "created time and nonce required" it fails!
> This also appears to be much more complex processing so finding where to
> fix the code is a little difficult.
>
> BTW I know that my "fix" is probably not the right way to do it, fixing the
> underlying code to produce the correct values in the token, then passing
> that through to the builder looked like much too much work within our
> timescales
>