Yes, that certainly makes sense. I'll run some other tests to verify the
Metro behavior, and see about entering a bug report.
- Dennis
On 02/14/2014 01:39 PM, Daniel Kulp wrote:
I would say bug in Metro.
The very first example in the WS-SecurityPolicy spec:
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/errata01/os/ws-securitypolicy-1.3-errata01-os-complete.html#_Toc325573554
specifically shows that if you want the WS-A headers also signed, you should be:
<sp:SignedParts>
<sp:Body/>
<sp:Header
Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing";
/>
</sp:SignedParts>
If the sp:Body element wasn’t in there (so empty SignedParts element) a case
could likely be made that the WS-Addressing headers should be signed as the
spec says:
"If no child elements are specified, all message headers targeted at the
UltimateReceiver role [SOAP12] or actor [SOAP11] and the body of the message MUST be
integrity protected."
Anyway, that’s my reading of it.
Dan
On Feb 13, 2014, at 6:43 PM, Dennis Sosnoski <[email protected]> wrote:
In testing Metro interop I noticed that if I only specified:
<sp:SignedParts
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<sp:Body/>
</sp:SignedParts>
CXF happily generated messages signing only the Body, but Metro apparently
requires the WS-A headers (at least MessageID) to be signed anyway:
Feb 13, 2014 3:51:55 PM
com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl
resolveAndVerifyTargets
SEVERE: WSS0206: Security in the incoming message does not conform to the
SecurityPolicy configured at the Recipient.
Feb 13, 2014 3:51:55 PM
com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl
resolveAndVerifyTargets
SEVERE: WSS0814: policy verification error, missing target MessageID for
Signature
Feb 13, 2014 3:51:55 PM com.sun.xml.wss.jaxws.impl.SecurityServerTube
processRequest
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.impl.PolicyViolationException:
com.sun.xml.wss.XWSSecurityException: Policy verification error:Missing target
MessageID for Signature
at
com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:151)
at
com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:1016)
at
com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:252)
at
com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:455)
at
com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
It's certainly best practice to sign the WS-A headers, but AFAIK it isn't
required. Is this an error on Metro's part, or should we be requiring signing
of the WS-A headers too?
Thanks,
- Dennis
