Chance BJ created CXF-5056:
------------------------------

             Summary: EndorsingSupportingTokens with both transport security and message layer security applied
                 Key: CXF-5056
                 URL: https://issues.apache.org/jira/browse/CXF-5056
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.6.2
            Reporter: Chance BJ


According to WS-SecurityPolicy, EndorsingSupportingTokens sign the timestamp if 
using transport security, and sign the main message signature if using message 
layer security. 

In CXF WS-Security, if TLS is used (regardless of whether a Transport policy is 
applied or not), it always requires the timestamp to be signed, without checking 
whether message layer security is configured and the main message signature is 
endorsed.

AbstractSupportingTokenPolicyValidator.java

    /**
     * Check the endorsing supporting token policy. If we're using the 
     * Transport Binding then check that the Timestamp is signed. Otherwise, 
     * check that the signature is signed.
     * 
     * @param tokenResults the security engine results for the endorsing tokens
     * @return true if the endorsed supporting token policy is correct
     */
    private boolean checkEndorsed(List<WSSecurityEngineResult> tokenResults) {
        // Note: the branch is taken on whether TLS is in use on the wire, not on
        // whether the policy actually contains a TransportBinding assertion.
        if (isTLSInUse()) {
            // Transport case: the endorsing token must have signed the Timestamp
            return checkTimestampIsSigned(tokenResults);
        }
        // Message-layer case: the endorsing token must have signed the main signature
        return checkSignatureIsSigned(tokenResults);
    }


Say we have a WS-Security policy which requires the main message signature to be 
endorsed, the timestamp itself is not signed by the endorsing token, and a 
transport policy is not applied/attached.
If we run the test case over plain HTTP, the test case passes.
If we run the test case over HTTPS, the test case fails.

This raises the following questions:
1. If you have both transport security and message layer security, which one 
should be checked? Or which one first? Or both?
2. When enforcing EndorsingSupportingToken, does "transport security" in 
EndorsingSupportingToken mean "Transport policy applied" or "SSL applied 
regardless of whether a Transport policy is applied"?

I just want to bring this up for discussion first. If we have a conclusion on 
how it should work, I will submit a patch.

Thanks


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
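The scenario in the report above, as an added, stand-alone model; this is not CXF code and does not use CXF's types. It reduces checkEndorsed() to its four inputs (TLS on the wire, a TransportBinding assertion in the policy, and what the endorsing token actually signed) and evaluates the reporter's test case over HTTP and HTTPS under the current rule and under the two alternative readings the questions raise. Class, method and enum names are assumptions made for illustration.

```java
import java.util.EnumSet;
import java.util.Set;

/**
 * Hypothetical model (not CXF's implementation) of how an
 * EndorsingSupportingTokens check decides what the endorsing token must
 * have signed. All names here are illustrative assumptions.
 */
public class EndorsingCheckModel {

    /** What the endorsing token's signature covered in the inbound message. */
    enum Endorsed { TIMESTAMP, MAIN_SIGNATURE }

    /** The inputs to the decision, as a plain value object. */
    static final class Scenario {
        final boolean tlsInUse;                // message arrived over HTTPS
        final boolean transportBindingApplied; // policy contains a TransportBinding assertion
        final Set<Endorsed> endorsed;          // what the endorsing token signed

        Scenario(boolean tlsInUse, boolean transportBindingApplied, Set<Endorsed> endorsed) {
            this.tlsInUse = tlsInUse;
            this.transportBindingApplied = transportBindingApplied;
            this.endorsed = EnumSet.noneOf(Endorsed.class);
            this.endorsed.addAll(endorsed);
        }
    }

    /** Mirrors the checkEndorsed() quoted in the report: only TLS presence is consulted. */
    static boolean currentRule(Scenario s) {
        if (s.tlsInUse) {
            return s.endorsed.contains(Endorsed.TIMESTAMP);
        }
        return s.endorsed.contains(Endorsed.MAIN_SIGNATURE);
    }

    /** Reading for question 2: "transport security" means a TransportBinding in the policy. */
    static boolean bindingRule(Scenario s) {
        if (s.transportBindingApplied) {
            return s.endorsed.contains(Endorsed.TIMESTAMP);
        }
        return s.endorsed.contains(Endorsed.MAIN_SIGNATURE);
    }

    /**
     * One reading for question 1 ("both"): a TransportBinding still demands a signed
     * Timestamp, but TLS without a TransportBinding accepts either form of endorsement,
     * since the policy itself only asked for message-layer security.
     */
    static boolean eitherRule(Scenario s) {
        if (s.transportBindingApplied) {
            return s.endorsed.contains(Endorsed.TIMESTAMP);
        }
        if (s.tlsInUse) {
            return s.endorsed.contains(Endorsed.TIMESTAMP)
                || s.endorsed.contains(Endorsed.MAIN_SIGNATURE);
        }
        return s.endorsed.contains(Endorsed.MAIN_SIGNATURE);
    }

    public static void main(String[] args) {
        // The reporter's test case (constructed input): main signature endorsed,
        // Timestamp not signed by the endorsing token, no TransportBinding attached.
        Set<Endorsed> endorsed = EnumSet.of(Endorsed.MAIN_SIGNATURE);
        Scenario overHttp  = new Scenario(false, false, endorsed);
        Scenario overHttps = new Scenario(true,  false, endorsed);

        System.out.printf("%-10s %-12s %-12s %-12s%n",
                "transport", "currentRule", "bindingRule", "eitherRule");
        for (Scenario s : new Scenario[] { overHttp, overHttps }) {
            System.out.printf("%-10s %-12b %-12b %-12b%n",
                    s.tlsInUse ? "HTTPS" : "HTTP",
                    currentRule(s), bindingRule(s), eitherRule(s));
        }
    }
}
```

The HTTPS row is the one the report describes as failing: currentRule() switches on TLS alone and so demands a signed Timestamp that the policy never asked for, while both alternative rules consult the policy's binding and accept the endorsed main signature. The model makes no claim about which reading CXF should adopt; it only makes the two interpretations in questions 1 and 2 concrete enough to compare.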