I would say it's a bug in Metro.

The very first example in the WS-SecurityPolicy spec:

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/errata01/os/ws-securitypolicy-1.3-errata01-os-complete.html#_Toc325573554

specifically shows that if you want the WS-A headers also signed, you should have:

 <sp:SignedParts>
     <sp:Body/>
     <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
 </sp:SignedParts>


If the sp:Body element wasn't in there (so an empty SignedParts element), a case 
could likely be made that the WS-Addressing headers should be signed, as the 
spec says:

"If no child elements are specified, all message headers targeted at the 
UltimateReceiver role [SOAP12] or actor [SOAP11] and the body of the message 
MUST be integrity protected."


Anyway, that’s my reading of it.


Dan



On Feb 13, 2014, at 6:43 PM, Dennis Sosnoski <[email protected]> wrote:

> In testing Metro interop I noticed that if I only specified:
> 
>        <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>          <sp:Body/>
>        </sp:SignedParts>
> 
> CXF happily generated messages signing only the Body, but Metro apparently 
> requires the WS-A headers (at least MessageID) to be signed anyway:
> 
> Feb 13, 2014 3:51:55 PM 
> com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl 
> resolveAndVerifyTargets
> SEVERE: WSS0206: Security in the incoming message does not conform to the 
> SecurityPolicy configured at the Recipient.
> Feb 13, 2014 3:51:55 PM 
> com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl 
> resolveAndVerifyTargets
> SEVERE: WSS0814: policy verification error, missing target MessageID for 
> Signature
> Feb 13, 2014 3:51:55 PM com.sun.xml.wss.jaxws.impl.SecurityServerTube 
> processRequest
> SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
> com.sun.xml.wss.impl.PolicyViolationException: 
> com.sun.xml.wss.XWSSecurityException: Policy verification error:Missing 
> target MessageID for Signature
>    at 
> com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:151)
>    at 
> com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:1016)
>    at 
> com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:252)
>    at 
> com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:455)
>    at 
> com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
> 
> It's certainly best practice to sign the WS-A headers, but AFAIK it isn't 
> required. Is this an error on Metro's part, or should we be requiring signing 
> of the WS-A headers too?
> 
> Thanks,
> 
>  - Dennis
> 

-- 
Daniel Kulp
[email protected] - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
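
The check the two readings above disagree on is the policy-verification step Metro's TargetResolverImpl performs: take the sp:SignedParts policy, work out which message parts it requires to be signed, and compare that against the ds:Reference URIs in the signature. The following is an added example written for this page; it is not code from CXF, Metro or either message in the thread. It only checks signature coverage (which wsu:Id-bearing parts the references point at) and does not verify the XML-DSig digests or signature value. It assumes SOAP 1.1, a single signature that references parts by wsu:Id, and uses the 2004/08 WS-Addressing namespace from the spec's example; the envelope, header names and policies are constructed for the demonstration.

```python
"""Coverage check for a WS-SecurityPolicy sp:SignedParts assertion.

Added example (not CXF or Metro code).  Checks which required parts the
ds:Reference elements point at; does NOT verify digests or signature value.
Assumes SOAP 1.1 and one signature referencing parts by wsu:Id.
"""
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"  # namespace in the spec example


def qname(el):
    """Split an ElementTree tag '{ns}local' into (ns, local)."""
    if el.tag.startswith("{"):
        ns, _, local = el.tag[1:].partition("}")
        return ns, local
    return "", el.tag


def signed_ids(envelope):
    """wsu:Id values referenced by ds:Reference URIs ('#body' -> 'body')."""
    return {ref.get("URI", "")[1:]
            for ref in envelope.iter(f"{{{DS}}}Reference")
            if ref.get("URI", "").startswith("#")}


def required_targets(signed_parts, envelope):
    """Elements the sp:SignedParts policy requires to be integrity protected."""
    header = envelope.find(f"{{{SOAP11}}}Header")
    body = envelope.find(f"{{{SOAP11}}}Body")
    children = list(signed_parts)
    if not children:
        # Empty sp:SignedParts: every header targeted at the ultimate receiver
        # (no soap:actor) plus the Body.  wsse:Security carries the signature
        # itself and is skipped here (simplifying assumption of this example).
        return [h for h in header
                if h.tag != f"{{{WSSE}}}Security"
                and h.get(f"{{{SOAP11}}}actor") is None] + [body]
    targets = []
    for child in children:
        if qname(child)[1] == "Body":
            targets.append(body)
        elif qname(child)[1] == "Header":
            # sp:Header selects headers by Namespace and an optional Name
            want_ns, want_name = child.get("Namespace"), child.get("Name")
            targets.extend(h for h in header
                           if qname(h)[0] == want_ns
                           and (want_name is None or qname(h)[1] == want_name))
    return targets


def missing_targets(policy_xml, envelope_xml):
    """Local names of required parts that the signature does not reference."""
    policy = ET.fromstring(policy_xml)
    envelope = ET.fromstring(envelope_xml)
    signed = signed_ids(envelope)
    return [qname(el)[1] for el in required_targets(policy, envelope)
            if el.get(f"{{{WSU}}}Id") not in signed]


# Constructed message modelled on the thread: the sender signed only the Body.
# Digest and signature values are placeholders and are not checked.
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP11}" xmlns:wsa="{WSA}" xmlns:wsse="{WSSE}"
    xmlns:wsu="{WSU}" xmlns:ds="{DS}" xmlns:ex="urn:example">
  <soap:Header>
    <wsa:MessageID wsu:Id="msgid">urn:uuid:1</wsa:MessageID>
    <wsa:Action wsu:Id="action">urn:example:ping</wsa:Action>
    <ex:Tenant wsu:Id="tenant">acme</ex:Tenant>
    <ex:Hop soap:actor="urn:example:intermediary">1</ex:Hop>
    <wsse:Security><ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#body"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature></wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body"><ex:Ping/></soap:Body>
</soap:Envelope>"""

POLICY_BODY_ONLY = f'<sp:SignedParts xmlns:sp="{SP}"><sp:Body/></sp:SignedParts>'
POLICY_BODY_AND_WSA = (f'<sp:SignedParts xmlns:sp="{SP}"><sp:Body/>'
                       f'<sp:Header Namespace="{WSA}"/></sp:SignedParts>')
POLICY_EMPTY = f'<sp:SignedParts xmlns:sp="{SP}"/>'

if __name__ == "__main__":
    for label, policy in [("Body only", POLICY_BODY_ONLY),
                          ("Body + WS-A headers", POLICY_BODY_AND_WSA),
                          ("empty SignedParts", POLICY_EMPTY)]:
        print(f"{label}: missing {missing_targets(policy, ENVELOPE) or 'nothing'}")
```

Run against the constructed Body-only message, the `<sp:Body/>`-only policy reports nothing missing, the policy that adds an sp:Header for the WS-Addressing namespace reports MessageID and Action, and the empty SignedParts reports every ultimate-receiver header (the custom Tenant header included, the intermediary-targeted Hop excluded). That is the distinction the reply above draws: a recipient that insists on a signed MessageID under a Body-only policy is enforcing the second or third policy rather than the one it was configured with.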
