[
https://issues.apache.org/jira/browse/CXF-3461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh updated CXF-3461:
-------------------------------------
Fix Version/s: 2.4.1
> EndorsingSupportingTokens policy reports not satisfied when using TLS with
> signed timestamp
> -------------------------------------------------------------------------------------------
>
> Key: CXF-3461
> URL: https://issues.apache.org/jira/browse/CXF-3461
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.4
> Reporter: Alistair Phipps
> Assignee: Colm O hEigeartaigh
> Fix For: 2.4.1
>
>
> WS-SecurityPolicy 1.2 spec states: If transport security is used, the
> signature (Sig2) MUST cover the message timestamp
> However, when sending a request to a CXF service requiring
> EndorsingSupportingTokens with a signed message timestamp, the
> EndorsingSupportingTokens policy is reported not satisfied.
> It appears the PolicyBasedWSS4JInterceptor.doResults will only mark this
> satisfied if "hasEndorsement" is set, which is in turn based on a signature
> on the entire message. This is only true when using MLS, not TLS.
> Example policy fragment:
> <sp:EndorsingSupportingTokens>
> <wsp:Policy>
> <sp:X509Token
>
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
> <wsp:Policy>
> <sp:WssX509V3Token10 />
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:EndorsingSupportingTokens>
> Example message portion:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
> soap:mustUnderstand="1">
> <wsse:BinarySecurityToken
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
>
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
> wsu:Id="CertId-xxx">xxx</wsse:BinarySecurityToken>
> <wsu:Timestamp
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> wsu:Id="Timestamp-1">
> <wsu:Created>2011-04-19T15:46:35.705Z</wsu:Created>
> <wsu:Expires>2011-04-19T15:51:35.705Z</wsu:Expires>
> </wsu:Timestamp>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
> Id="Signature-2">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="#Timestamp-1">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>xxx</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>xxx</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-xxx">
> <wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> wsu:Id="STRId-xxx">
> <wsse:Reference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
> URI="#CertId-xxx"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> </soap:Envelope>
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
