[
https://issues.apache.org/jira/browse/CXF-5056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13677040#comment-13677040
]
Colm O hEigeartaigh commented on CXF-5056:
------------------------------------------
Hi,
What is the use-case of a non-TransportBinding with TLS? If you are using TLS
then why not just use a TransportBinding policy?
Colm.
> EndorsingSupportingTokens with both transport security and message layer
> security applied
> -----------------------------------------------------------------------------------------
>
> Key: CXF-5056
> URL: https://issues.apache.org/jira/browse/CXF-5056
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.6.2
> Reporter: Chance BJ
> Labels: newbie
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> According to WS-SecurityPolicy, EndorsingSupportingTokens signs timestamp if
> using transport security, and sign main message signature if using message
> layer security.
> In CXF WS-Security, if TLS is used (regardless of Transport policy applied
> or not), it always requires timestamp be signed, without checking if message
> layer security is configured and main message signature is endorsed.
> AbstractSupportingTokenPolicyValidator.java
> /**
> * Check the endorsing supporting token policy. If we're using the
> Transport Binding then
> * check that the Timestamp is signed. Otherwise, check that the
> signature is signed.
> *
> * @return true if the endorsed supporting token policy is correct
> */
> private boolean checkEndorsed(List<WSSecurityEngineResult> tokenResults) {
> if (isTLSInUse()) {
> return checkTimestampIsSigned(tokenResults);
> }
> return checkSignatureIsSigned(tokenResults);
> }
> Say we have a ws-security policy which requires main message signature be
> endorsed, timestamp itself is not signed by endorsing token, and transport
> policy is not applied/attached.
> If we run the test case over plain HTTP, the test case passes.
> If we run the test case over HTTPS, the test case fails.
> This raises following questions:
> 1. If you have both transport security and message layer security, which one
> to check? or which one first? or both?
> 2. When enforcing EndorsingSupportingToken, does "Transport security" in
> EndorsingSupportingToken means "Transport Policy Applied" or "SSL applied
> regardless of Transport policy applied".
> I just want to bring this up for discussion first. If we have a conclusion on
> how it should work, I will submit a patch.
> Thanks
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
