I checked the behavior of Glassfish Metro web services runtime (v 2.3)
using the same security policy and it matches the one of Apache Rampart,
i.e. the response contains a single signature over the timestamp element.
I'm attaching the respective request and response messages for reference.
Detelin
On Thu, Jul 24, 2014 at 1:30 AM, <[email protected]> wrote:
> Hi CXF devs,
> I'm running into an interoperability issue between Apache Axis2 and CXF
> and I need some help in identifying which framework is acting according to
> the WS Security policy spec. The policy my customer is using is an
> Asymmetric binding without integrity and confidentiality protection (no
> signed/encrypted parts and elements) but using an additional x509 endorsing
> supporting token that must sign certain parts (body & addressing To
> header). The binding also requires that a timestamp is included.
> The request message generated with both frameworks is similar
> (Axis2/Rampart adds one additional BST but since the x509 token protection
> token is the same as the endorsing one, I assume this is not a problem).
> However, I'm observing different behavior when generating the security
> header of the response:
> - Axis2/Rampart is signing just the timestamp element
> - CXF is signing the same, plus the Body and the addressing To header
>
> I'm attaching CXF request/response messages for reference.
>
> I looked in the CXF code and found out that prior to version 2.4.4, the
> AsymmetricBindingHandler handled the supporting tokens on the requestor
> side only. However, as part of CXF-3970
> <https://issues.apache.org/jira/browse/CXF-3970>, it has been changed to
> always handle them:
>
> https://fisheye6.atlassian.com/viewrep/cxf/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?r1&r2=ec64c5d373f28de7d346c976b6834bb7e3c11fde
>
> I believe this change results in the observed behavior and I'm wondering
> whether this is according to the spec and Apache Rampart should follow the
> same approach?
>
> I'm attaching a patch for CXF's EndorsingSupportingTokenTest
> <https://svn.apache.org/repos/asf/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/EndorsingSupportingTokenTest.java>
> that adds this scenario to the test case so whoever is interested can repro
> it.
>
> I will be glad if someone can help me to clarify this.
>
> Thanks,
> Detelin
>
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
<S:Header>
<To xmlns="http://www.w3.org/2005/08/addressing"
wsu:Id="_5002">http://localhost:8081/jaxws-mcs/simple</To>
<Action xmlns="http://www.w3.org/2005/08/addressing"
xmlns:S="http://www.w3.org/2003/05/soap-envelope"
S:mustUnderstand="true">http://xmlsoap.org/DAB</Action>
<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
</ReplyTo>
<FaultTo xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
</FaultTo>
<MessageID
xmlns="http://www.w3.org/2005/08/addressing">uuid:b1a2f5c7-0775-4f8f-9e96-7abc86e31111</MessageID>
<wsse:Security S:mustUnderstand="true">
<wsu:Timestamp
xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns15="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_3">
<wsu:Created>2014-07-24T10:05:11Z</wsu:Created>
<wsu:Expires>2014-07-24T10:10:11Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken
xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns15="http://schemas.xmlsoap.org/soap/envelope/"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
wsu:Id="uuid_96b4aa99-69d8-4bbb-868b-80410d38eff3">MIIDDzCCAnigAwIBAgIBAzANBgkqhkiG9w0BAQQFADBOMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEMMAoGA1UEChMDU1VOMQwwCgYDVQQLEwNKV1MxDjAMBgNVBAMTBVNVTkNBMB4XDTA3MDMxMjEwMjQ0MFoXDTE3MDMwOTEwMjQ0MFowbzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UECxMDU1VOMRowGAYDVQQDExF4d3NzZWN1cml0eWNsaWVudDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvYxVZKIzVdGMSBkW4bYnV80MV/RgQKV1bf/DoMTX8laMO45P6rlEarxQiOYrgzuYp+snzz2XM0S6o3JGQtXQuzDwcwPkH55bHFwHgtOMzxG4SQ653a5Dzh04nsmJvxvbncNH/XNaWfHaC0JHBEfNCMwRebYocxYM92pq/G5OGyECAwEAAaOB2zCB2DAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU/mItfvuFdS7A0GCysE71TFRxP2cwfgYDVR0jBHcwdYAUZ7plxs6VyOOOTSFyojDV0/YYjJWhUqRQME4xCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMQwwCgYDVQQKEwNTVU4xDDAKBgNVBAsTA0pXUzEOMAwGA1UEAxMFU1VOQ0GCCQDbHkJaq6KijjANBgkqhkiG9w0BAQQFAAOBgQBEnRdcQeMyCYqOHw2jbPOPUlvu07bZe7sI3ly/Qz+4mkrFctqMSupghQtLv9dZcqDOUFLCGMse7+l5MG00VawzsoVe242iXzJB111ePzhhppIPOHXXtflj/JD2U4Qz75C/dfdd5AAZbqGSFtZh7pyE8Ot1vOq7R48/bHuvTsEVUQ==</wsse:BinarySecurityToken>
<wsse:BinarySecurityToken
xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns15="http://schemas.xmlsoap.org/soap/envelope/"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
wsu:Id="uuid_ad9691a6-33c0-4927-ac28-55f7648bd822">MIIDDzCCAnigAwIBAgIBAzANBgkqhkiG9w0BAQQFADBOMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEMMAoGA1UEChMDU1VOMQwwCgYDVQQLEwNKV1MxDjAMBgNVBAMTBVNVTkNBMB4XDTA3MDMxMjEwMjQ0MFoXDTE3MDMwOTEwMjQ0MFowbzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UECxMDU1VOMRowGAYDVQQDExF4d3NzZWN1cml0eWNsaWVudDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvYxVZKIzVdGMSBkW4bYnV80MV/RgQKV1bf/DoMTX8laMO45P6rlEarxQiOYrgzuYp+snzz2XM0S6o3JGQtXQuzDwcwPkH55bHFwHgtOMzxG4SQ653a5Dzh04nsmJvxvbncNH/XNaWfHaC0JHBEfNCMwRebYocxYM92pq/G5OGyECAwEAAaOB2zCB2DAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU/mItfvuFdS7A0GCysE71TFRxP2cwfgYDVR0jBHcwdYAUZ7plxs6VyOOOTSFyojDV0/YYjJWhUqRQME4xCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMQwwCgYDVQQKEwNTVU4xDDAKBgNVBAsTA0pXUzEOMAwGA1UEAxMFU1VOQ0GCCQDbHkJaq6KijjANBgkqhkiG9w0BAQQFAAOBgQBEnRdcQeMyCYqOHw2jbPOPUlvu07bZe7sI3ly/Qz+4mkrFctqMSupghQtLv9dZcqDOUFLCGMse7+l5MG00VawzsoVe242iXzJB111ePzhhppIPOHXXtflj/JD2U4Qz75C/dfdd5AAZbqGSFtZh7pyE8Ot1vOq7R48/bHuvTsEVUQ==</wsse:BinarySecurityToken>
<ds:Signature
xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns15="http://schemas.xmlsoap.org/soap/envelope/" Id="_1">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsse S"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_3">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsu wsse S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>DlTm+LD1G/9q4BdEf3RwPB+3c4E=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>XPTf9eLUbmqf9Z5fckwFmzQ4/09ZQ2npKkvjvaDgPzaRniLSOz+qWT2nLmjOLD/n+DxI6PgbGEolzdGHYckWO4erzmGMAG/NLje8ROl5ecsupUZM1nVrrA7eN5d6+EKVUqhn8TQbPwTB6igF1203tF46Dc1LlD0vasUlhUdnr6w=</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference
URI="#uuid_96b4aa99-69d8-4bbb-868b-80410d38eff3"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<ds:Signature
xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns15="http://schemas.xmlsoap.org/soap/envelope/" Id="_4">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsse S"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_1">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsu wsse S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>wTawfnIMMp2/+Bz9dcyZ6eGdQKw=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#_5002">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>biWNs2zPV/B4n3u1ksUtZ2AeSRI=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#_5003">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>MWNrbNoVWkN+5H0QmW3pKB+aDlg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>BEojE+EEgi4desB9ZzAVZXVP0kLnql8TQrfHLjkRyGR97xVsCyq3Sa0VPvycs6zphqo7yCmTPwPmfuamzacm2Pbde4LcAccFCC6NptoaPSJgGTk0twUYuXWlUb5aMmGdyR8rycSARoiqFaZM1j/x8cApHk7ltgoKYuW3bOttmkI=</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference
URI="#uuid_ad9691a6-33c0-4927-ac28-55f7648bd822"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</S:Header>
<S:Body>
<Department xmlns="http://xmlsoap.org/DAB" wsu:Id="_5003">
<companyName>A</companyName>
<departmentName>B</departmentName>
</Department>
</S:Body>
</S:Envelope>
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
<S:Header>
<Action xmlns="http://www.w3.org/2005/08/addressing"
xmlns:S="http://www.w3.org/2003/05/soap-envelope"
S:mustUnderstand="true">http://xmlsoap.org/DAB</Action>
<MessageID
xmlns="http://www.w3.org/2005/08/addressing">uuid:6fb89230-ffdd-4d22-85f9-66ffad4094cd</MessageID>
<RelatesTo
xmlns="http://www.w3.org/2005/08/addressing">uuid:b1a2f5c7-0775-4f8f-9e96-7abc86e31111</RelatesTo>
<To
xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To>
<wsse:Security S:mustUnderstand="true">
<wsu:Timestamp
xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns15="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_3">
<wsu:Created>2014-07-24T10:05:11Z</wsu:Created>
<wsu:Expires>2014-07-24T10:10:11Z</wsu:Expires>
</wsu:Timestamp>
<ds:Signature
xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns15="http://schemas.xmlsoap.org/soap/envelope/" Id="_1">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsse S"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_3">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces
PrefixList="wsu wsse S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>DlTm+LD1G/9q4BdEf3RwPB+3c4E=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>nc7+lLPnS5/k23JQ0NMV6+n/qJ6C+6MvQ1vdsicoVYnftYviBnWukvYGdKokIAwFPC86WnSaUABWTiG3ID4DVEXsaPqVHwKjRF/zc8tRO8q7gZauITzwll6lPL3t8Ia6PU30rhUpXzGsa/a9q0wyS9bg7yXsYPvJxChdIpeYSNA=</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=SUNCA, OU=JWS, O=SUN, ST=Some-State, C=AU</ds:X509IssuerName>
<ds:X509SerialNumber>2</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</S:Header>
<S:Body>
<AccountBalance
xmlns="http://xmlsoap.org/DAB">1,000,000</AccountBalance>
</S:Body>
</S:Envelope>
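Which parts each signature in the attached messages covers can be checked mechanically, which is also what a receiving side would do before accepting a response under this policy instead of trusting the stack that produced it. This is an added example, not code from the thread or from CXF, Rampart or Metro; it parses a constructed envelope shaped like the attachments (same Ids _3, _5002, _5003 and signatures _1 and _4, with the Body rather than Department carrying the wsu:Id) and resolves each ds:Reference to the element it signs.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
WSU_ID = "{%s}Id" % NS["wsu"]

def local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def signature_coverage(xml_text):
    """Map each ds:Signature Id to the local names of the elements its ds:References
    resolve to. Targets are located by wsu:Id, or by plain Id (used on ds:Signature)."""
    root = ET.fromstring(xml_text)
    by_id = {}
    for el in root.iter():
        for attr in (WSU_ID, "Id"):
            if el.get(attr):
                by_id[el.get(attr)] = el
    coverage = {}
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        refs = []
        for ref in sig.iter("{%s}Reference" % NS["ds"]):
            uri = ref.get("URI", "")
            target = by_id.get(uri[1:]) if uri.startswith("#") else None
            refs.append(local(target.tag) if target is not None else "UNRESOLVED:" + uri)
        coverage[sig.get("Id", "")] = refs
    return coverage

def unsigned_parts(xml_text, required):
    """Required parts (by local name) that no signature in the header covers."""
    signed = {name for refs in signature_coverage(xml_text).values() for name in refs}
    return set(required) - signed

# Constructed envelope (hypothetical, not one of the attached messages) shaped like
# them: timestamp signature _1, optional endorsing signature _4 over _1, To and Body.
ENVELOPE = """<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsu="{wsu}" xmlns:ds="{ds}" xmlns:wsa="http://www.w3.org/2005/08/addressing">
 <S:Header><wsa:To wsu:Id="_5002">http://localhost:8081/jaxws-mcs/simple</wsa:To>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <wsu:Timestamp wsu:Id="_3"/>
   <ds:Signature Id="_1"><ds:SignedInfo><ds:Reference URI="#_3"/></ds:SignedInfo></ds:Signature>
   {endorsing}
  </wsse:Security></S:Header>
 <S:Body wsu:Id="_5003"><Department xmlns="http://xmlsoap.org/DAB"/></S:Body></S:Envelope>"""
ENDORSING = ('<ds:Signature Id="_4"><ds:SignedInfo><ds:Reference URI="#_1"/>'
             '<ds:Reference URI="#_5002"/><ds:Reference URI="#_5003"/></ds:SignedInfo></ds:Signature>')
REQUEST_LIKE = ENVELOPE.format(wsu=NS["wsu"], ds=NS["ds"], endorsing=ENDORSING)
RESPONSE_LIKE = ENVELOPE.format(wsu=NS["wsu"], ds=NS["ds"], endorsing="")  # Rampart/Metro-style
```

Running `unsigned_parts(RESPONSE_LIKE, ["Timestamp", "To", "Body"])` reports To and Body as uncovered, which is exactly the difference between the Rampart/Metro responses and the CXF one described in the thread.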