In testing Metro interop I noticed that if I only specified:

<sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:Body/>
</sp:SignedParts>

CXF happily generated messages signing only the Body, but Metro apparently requires the WS-A headers (at least MessageID) to be signed anyway:

Feb 13, 2014 3:51:55 PM com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl resolveAndVerifyTargets
SEVERE: WSS0206: Security in the incoming message does not conform to the SecurityPolicy configured at the Recipient.
Feb 13, 2014 3:51:55 PM com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl resolveAndVerifyTargets
SEVERE: WSS0814: policy verification error, missing target MessageID for Signature
Feb 13, 2014 3:51:55 PM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.impl.PolicyViolationException: com.sun.xml.wss.XWSSecurityException: Policy verification error:Missing target MessageID for Signature
    at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:151)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:1016)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:252)
    at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:455)
    at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)

It's certainly best practice to sign the WS-A headers, but AFAIK it isn't required. Is this an error on Metro's part, or should we be requiring signing of the WS-A headers too?

Thanks,

  - Dennis
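
Added example, not part of the original message and not CXF or Metro code: a small check that reports which WS-Addressing headers in a SOAP message are actually covered by a ds:Reference, which is the condition the WSS0814 error above is about. It assumes WS-Addressing 1.0, same-document references to wsu:Id values, and a constructed sample envelope; it checks reference coverage only and does not validate the signature itself.

```python
import xml.etree.ElementTree as ET

# Assumed namespaces (WS-Addressing 1.0, XML-DSig, WSS utility, SOAP 1.1/1.2)
WSA = "http://www.w3.org/2005/08/addressing"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",
           "http://www.w3.org/2003/05/soap-envelope")

def signature_coverage(envelope_xml):
    """Return (signed, unsigned) local names for the WS-A headers and Body."""
    root = ET.fromstring(envelope_xml)
    soap = root.tag[1:].split("}")[0]
    if soap not in SOAP_NS:
        raise ValueError("not a SOAP envelope")
    # wsu:Id values targeted by same-document references in ds:SignedInfo
    refs = set()
    for info in root.iter(f"{{{DS}}}SignedInfo"):
        for ref in info.findall(f"{{{DS}}}Reference"):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                refs.add(uri[1:])
    header = root.find(f"{{{soap}}}Header")
    targets = [h for h in (header if header is not None else [])
               if h.tag.startswith(f"{{{WSA}}}")]
    body = root.find(f"{{{soap}}}Body")
    if body is not None:
        targets.append(body)
    signed, unsigned = [], []
    for el in targets:
        covered = el.get(f"{{{WSU}}}Id") in refs  # no wsu:Id means not covered
        (signed if covered else unsigned).append(el.tag.split("}")[1])
    return signed, unsigned

# Constructed sample: only the Body is referenced, as with <sp:Body/> alone
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsa="http://www.w3.org/2005/08/addressing"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soap:Header>
  <wsa:MessageID wsu:Id="id-2">urn:uuid:constructed-example</wsa:MessageID>
  <wsa:Action wsu:Id="id-3">urn:example:action</wsa:Action>
  <wsse:Security><ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#id-1"/>
  </ds:SignedInfo></ds:Signature></wsse:Security>
 </soap:Header>
 <soap:Body wsu:Id="id-1"/>
</soap:Envelope>"""
```
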
