You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@cxf.apache.org by "Thomas P. Fuller" <th...@coherentlogic.com> on 2011/02/11 16:18:44 UTC

Security timestamp

Hi,

 

I have a C# client which calls a (CXF) web service which we have secured.

 

The client works fine on a desktop machine however it receives a soap fault
when the same call is sent from a low profile handset (PDT).

 

We have traced the problem to the timestamp. If we manually modify the PDT
packet so that TimeStamp element is outside of the Security element (as with
the PC request) it works.

 

IBM has a post on one of their forums which describes the same problem and
indicates the solution is to:

 

".change the default behavior in the TimestampGenerator to include the
Timestamp before the signature when using the Strict layout. The
TimestampConsumer now also verifies that the Timestamp is indeed put before
the signature on an incoming message when following the Strict layout. This
fixes the problem of interoperability."

 

http://www-01.ibm.com/support/docview.wss?uid=swg1PK55563

 

Would anyone know if this will fix this problem and, if so, how I would go
about it using CXF?

 

I suspect we'll need a cxf.xml configuration file, but more help with this
would be appreciated

 

Thanks in advance for your assistance,

 

Tom

RE: Security timestamp

Posted by "Thomas P. Fuller" <th...@coherentlogic.com>.

Hi Colm,

We've managed to fix this problem -- there was a platform dependent switch
that messed up the order of the elements on the low profile device. 

Tom

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: 14 February 2011 11:29
To: users@cxf.apache.org; thomas.fuller@coherentlogic.com
Subject: Re: Security timestamp

Hi,

> Would anyone know if this will fix this problem and, if so, how I 
> would go about it using CXF?

Do the C# client and the PDT client generate a SOAP request with the same
security header layout? If so then the link you reference does not sound
like the problem. If you manually move the Timestamp element outside of the
security header then it does not get processed. Could it be that the
Timestamp is expired by the time the CXF service processes it? Could you
post the security header that is sent in the SOAP request for the PDT
client, and the exception generated by the CXF service?

Colm.

On Fri, Feb 11, 2011 at 3:18 PM, Thomas P. Fuller
<th...@coherentlogic.com> wrote:
> Hi,
>
>
>
> I have a C# client which calls a (CXF) web service which we have secured.
>
>
>
> The client works fine on a desktop machine however it receives a soap 
> fault when the same call is sent from a low profile handset (PDT).
>
>
>
> We have traced the problem to the timestamp. If we manually modify the 
> PDT packet so that TimeStamp element is outside of the Security 
> element (as with the PC request) it works.
>
>
>
> IBM has a post on one of their forums which describes the same problem 
> and indicates the solution is to:
>
>
>
> ".change the default behavior in the TimestampGenerator to include the 
> Timestamp before the signature when using the Strict layout. The 
> TimestampConsumer now also verifies that the Timestamp is indeed put 
> before the signature on an incoming message when following the Strict 
> layout. This fixes the problem of interoperability."
>
>
>
> http://www-01.ibm.com/support/docview.wss?uid=swg1PK55563
>
>
>
> Would anyone know if this will fix this problem and, if so, how I 
> would go about it using CXF?
>
>
>
> I suspect we'll need a cxf.xml configuration file, but more help with 
> this would be appreciated
>
>
>
> Thanks in advance for your assistance,
>
>
>
> Tom
>
>

Re: Security timestamp

Posted by Colm O hEigeartaigh <co...@apache.org>.

Hi,

> Would anyone know if this will fix this problem and, if so, how I would go
> about it using CXF?

Do the C# client and the PDT client generate a SOAP request with the
same security header layout? If so then the link you reference does
not sound like the problem. If you manually move the Timestamp element
outside of the security header then it does not get processed. Could
it be that the Timestamp is expired by the time the CXF service
processes it? Could you post the security header that is sent in the
SOAP request for the PDT client, and the exception generated by the
CXF service?

Colm.

On Fri, Feb 11, 2011 at 3:18 PM, Thomas P. Fuller
<th...@coherentlogic.com> wrote:
> Hi,
>
>
>
> I have a C# client which calls a (CXF) web service which we have secured.
>
>
>
> The client works fine on a desktop machine however it receives a soap fault
> when the same call is sent from a low profile handset (PDT).
>
>
>
> We have traced the problem to the timestamp. If we manually modify the PDT
> packet so that TimeStamp element is outside of the Security element (as with
> the PC request) it works.
>
>
>
> IBM has a post on one of their forums which describes the same problem and
> indicates the solution is to:
>
>
>
> ".change the default behavior in the TimestampGenerator to include the
> Timestamp before the signature when using the Strict layout. The
> TimestampConsumer now also verifies that the Timestamp is indeed put before
> the signature on an incoming message when following the Strict layout. This
> fixes the problem of interoperability."
>
>
>
> http://www-01.ibm.com/support/docview.wss?uid=swg1PK55563
>
>
>
> Would anyone know if this will fix this problem and, if so, how I would go
> about it using CXF?
>
>
>
> I suspect we'll need a cxf.xml configuration file, but more help with this
> would be appreciated
>
>
>
> Thanks in advance for your assistance,
>
>
>
> Tom
>
>