> But I would like to only take care of the UsernameToken element and skip the
> Timestamp and Signature elements.

In this case you could disable the Timestamp and Signature Processors
using WSSConfig.

> What I also don't understand is why wss4j takes care of the Signature element
> which is not in the wsse:Security element.

The signature element *is* in the wsse:Security element.

> The actor attribute should be added by the client? What is the goal of this
> attribute?

You can specify multiple security headers targeted at different recipients.

Colm.

On Mon, Jul 25, 2011 at 4:34 PM, Nicolas Buisson <[email protected]> wrote:
>
> Hi Colm,
>
> Thanks a lot for your answer:
>
> Here is the header I received:
>
> <soap:Header>
> <wsse:Security soap:mustUnderstand="1">
> <wsu:Timestamp wsu:Id="Timestamp-f390d953-b8c6-4163-b5b4-a98e30aab56c">
> <wsu:Created>2011-07-22T14:26:05Z</wsu:Created>
> <wsu:Expires>2011-07-22T14:31:05Z</wsu:Expires>
> </wsu:Timestamp>
> <wsse:UsernameToken
> wsu:Id="SecurityToken-9d28ee61-d01c-48c7-8e6e-8cd42bc8376e">
> <wsse:Username>xxx</wsse:Username>
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxx</wsse:Password>
> <wsse:Nonce>8PfBYBg1vo84GAlUVshpSA==</wsse:Nonce>
> <wsu:Created>2011-07-22T14:26:05Z</wsu:Created>
> </wsse:UsernameToken>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <ds:CanonicalizationMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
> <Reference URI="#Id-68a23867-f268-4e07-8df5-e5de2511ab11">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>8ldWcRrq+AinkfWayJEieHUTZ7E=</DigestValue>
> </Reference>
> <Reference URI="#Id-5b7ed34a-b987-4984-a231-82c19ce1f132">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>BPUCRJEi6qoe/3lS0qTG81VsYFc=</DigestValue>
> </Reference>
> <Reference URI="#Id-4e37fd76-bd14-4035-acdb-e38b98630761">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>RNJRrCK+5ewoyAN5onKm05siJ9o=</DigestValue>
> </Reference>
> <Reference URI="#Id-c248e36a-4e62-4ec2-971a-069b5eeb26a8">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>FMUsGZGuIKQDpi+WTngvhQml4qI=</DigestValue>
> </Reference>
> <Reference URI="#Timestamp-f390d953-b8c6-4163-b5b4-a98e30aab56c">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>PstX8mJwKMKhjyNojsHghW3myk4=</DigestValue>
> </Reference>
> <Reference URI="#Id-ebb3ef9a-9057-4ad8-b7ac-f790d2587b56">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>1ySbGzd5DD8gu340swQji66xGuc=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>PuY5HJCIC8ZoX+KtnJwqXdJIFMA=</SignatureValue>
> <KeyInfo>
> <wsse:SecurityTokenReference>
> <wsse:Reference URI="#SecurityToken-9d28ee61-d01c-48c7-8e6e-8cd42bc8376e"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"/>
> </wsse:SecurityTokenReference>
> </KeyInfo>
> </Signature>
> </wsse:Security>
> </soap:Header>
>
> And wss4j is trying to validate the Signature element.
>
> But I would like to only take care of the UsernameToken element and skip the
> Timestamp and Signature elements.
>
> What I also don't understand is why wss4j takes care of the Signature element
> which is not in the wsse:Security element.
>
> The actor attribute should be added by the client? What is the goal of this
> attribute?
>
> Again, thanks a lot for your answer :)
>
>
> Colm O hEigeartaigh-2 wrote:
>>
>> Hi Nicolas,
>>
>> What are the invalid security header elements that you want to avoid
>> processing? If the service only cares about the UsernameToken, the
>> correct thing to do is to add an "actor" attribute to a security
>> header that is only meant to be processed by the service provider, and
>> only put the UsernameToken in this security header.
>>
>> You can disable processors by the QName of the element they are meant
>> to process via WSSConfig:
>>
>> https://svn.apache.org/repos/asf/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/WSSConfig.java
>>
>> Colm.
>>
>> On Fri, Jul 22, 2011 at 10:25 PM, Nicolas B <[email protected]> wrote:
>>>
>>> Dear all,
>>>
>>> I'm trying to understand the default map of processors initialized in the
>>> WSSConfig class of wss4j.
>>>
>>> As explained in this ticket
>>> http://forum.springsource.org/showthread.php?112450-WSSecurityException-while-validating-WS-Security-headers
>>> I'm trying to validate my incoming SOAP messages based on the
>>> UsernameToken.
>>>
>>> So I want to only take care of this header element ;) When one of my
>>> clients attacks my web service he is sending the right UsernameToken but
>>> also other elements, and the WSSecurityEngine is trying to validate ALL
>>> the elements.
>>>
>>> How can I configure wss4j to only validate my UsernameToken and ignore
>>> the others? Is this the right way? Is it up to my client to respect what
>>> the server is expecting?
>>>
>>> Thanks a lot in advance, and thanks for wss4j ;)
>>>
>>> Best Regards,
>>> --
>>> View this message in context:
>>> http://old.nabble.com/WSSConfig-processors-tp32118532p32118532.html
>>> Sent from the WSS4J mailing list archive at Nabble.com.
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
>>>
>>>
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> http://coheigea.blogspot.com/
>> Talend - http://www.talend.com
>>
>>
>>
>>
>
> --
>
>
>
>



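Colm's suggestion, as an added example rather than code from the thread or from WSS4J itself: disable the Timestamp and Signature processors through WSSConfig, then process only the wsse:Security header addressed to one actor. It assumes the WSS4J 1.6 API (WSSConfig.setProcessor(QName, Class), the QName constants WSSecurityEngine.TIMESTAMP and SIGNATURE, and processSecurityHeader(Document, String, CallbackHandler, Crypto)) and that WSS4J compares the password supplied by the callback with the PasswordText value in the token.

```java
// Added example (not from the thread or the WSS4J code base). Assumes the WSS4J 1.6
// API: WSSConfig.setProcessor(QName, Class), WSSecurityEngine.TIMESTAMP / SIGNATURE,
// and that WSS4J compares the callback-supplied password with the PasswordText token.
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.processor.Processor;
import org.w3c.dom.Document;

public class UsernameTokenOnlyEngine {
    // Engine that validates UsernameToken and skips Timestamp and Signature.
    public static WSSecurityEngine build() {
        WSSConfig config = WSSConfig.getNewInstance();
        // Mapping an element's QName to no processor class makes the engine skip the
        // element instead of validating it. Skipped elements are not checked at all: with
        // Signature disabled nothing in the header is integrity-protected any more.
        Class<? extends Processor> none = null;
        config.setProcessor(WSSecurityEngine.TIMESTAMP, none);
        config.setProcessor(WSSecurityEngine.SIGNATURE, none);
        WSSecurityEngine engine = new WSSecurityEngine();
        engine.setWssConfig(config);
        return engine;
    }

    // Processes only the wsse:Security header addressed to the given actor (null selects
    // the header without an actor attribute) and returns results for handled elements.
    public static List<WSSecurityEngineResult> verify(Document envelope, String actor,
            final String expectedUser, final String expectedPassword) throws WSSecurityException {
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) {
                for (Callback cb : callbacks) {
                    if (cb instanceof WSPasswordCallback) {
                        WSPasswordCallback pc = (WSPasswordCallback) cb;
                        // Supply the stored password for the identified user; WSS4J rejects
                        // the token when it differs from the one in the message.
                        if (expectedUser.equals(pc.getIdentifier())) {
                            pc.setPassword(expectedPassword);
                        }
                    }
                }
            }
        };
        // Crypto is null: no keys are needed once Signature processing is off.
        return build().processSecurityHeader(envelope, actor, handler, null);
    }
}
```

With the Signature processor disabled, a client that still sends a Signature gets no error, but the service is then authenticating on the plaintext password alone, so the transport (TLS) has to carry the confidentiality and integrity the header no longer provides.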