[ https://issues.apache.org/jira/browse/CXF-3630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13059187#comment-13059187 ]

Glen Mazza commented on CXF-3630:
---------------------------------

I'm confused -- you first mention that "WSS4JInInterceptor does not assert the 
policies" which is true, because there aren't supposed to be WS-SecurityPolicy 
statements if you're using WSS4JInInterceptor; this older object was created 
before CXF had support for reading (and basing security on) WS-SecPol 
statements--or if there are such statements, they're to be ignored as usage of 
WSS4JInInterceptor means you want manual configuration and don't care what the 
WS-SecPol statements, if any, say.

So you switched to the WS-Policy-reading object instead, which means security 
is to be defined by SecPol statements that are within the WSDL being read by the 
client and web service provider.  But then you write "I need the following 
requirement, Saml Assertion needs to be signed, Timestamp needs to be 
signed"--is this a manual requirement on your part, or a requirement already 
declared within SecPol statements in the WSDL?  AFAIK it's gonna have to be the 
latter with PolicyBasedWSS4JInInterceptor.  Your usage of an action element 
with PolicyBasedWSS4JInInterceptor seems strange--because the required actions 
should already be defined in the WSDL--I don't even see "action" as an option 
for SecPol: https://cwiki.apache.org/CXF20DOC/ws-securitypolicy.html

Finally: "Hence I had to use the PolicyBasedWSS4JInInterceptor, but it does not 
have the constructor. Hence I had to add the constructor." -- I think there's a 
reason for no constructor, again, it's supposed to be reading the WSDL and 
basing all security rules on SecPol statements within it, no?
> WSS4JInInterceptor Issue
> ------------------------
>
>                 Key: CXF-3630
>                 URL: https://issues.apache.org/jira/browse/CXF-3630
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.4
>            Reporter: Srinivasa Kukatla
>
> WSS4JInInterceptor does not assert the policies. Hence I had to use the 
> PolicyBasedWSS4JInInterceptor, but it does not have the constructor. Hence I 
> had to add the constructor. Here is another problem:
> I need the following requirement, Saml Assertion needs to be signed, 
> Timestamp needs to be signed:
> But, on the wss4jOutInterceptor, if I say Timestamp, SAMLTokenSigned, and 
> Signature, the actions are mismatching. Hence I had to use only the first two 
> actions.
> <constructor-arg>
>     <map>
>         <entry key="action" value="Timestamp SAMLTokenSigned"/>
>         <entry key="timeToLive" value="${timestamp.expiration.property}"/>
>         <entry key="user" value="${client.signature.username}"/>
>         <entry>
>             <key>
>                 <value>passwordCallbackRef</value>
>             </key>
>             <ref bean="passwordCallBackHandler"/>
>         </entry>
>         <entry key="passwordType" value="PasswordDigest" />
>         <entry key="samlPropFile" value="${client.saml.properties}"/>
>         <entry key="signaturePropFile" value="${client.signature.properties}" />
>         <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>         <entry key="signatureDigestAlgorithm" value="http://www.w3.org/2000/09/xmldsig#sha1" />
>         <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"/>
>     </map>
> </constructor-arg>
> But, on the WSS4JInInterceptor, I needed to configure 3 actions as shown 
> below:
> <constructor-arg>
>     <map>
>         <entry key="action" value="Timestamp SAMLTokenSigned Signature"/>
>         <entry key="timeToLive" value="${timestamp.expiration.property}"/>
>         <entry key="passwordType" value="PasswordDigest" />
>         <entry key="signaturePropFile" value="${server.signature.properties}" />
>         <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>         <entry key="signatureDigestAlgorithm" value="http://www.w3.org/2000/09/xmldsig#sha1" />
>         <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"/>
>         <entry key="enableSignatureConfirmation" value="true" />
>     </map>
> </constructor-arg>
