If you want to sign the SOAP Body, you'll have to add it to the
SignatureParts list:

> wss4jOut.setProperty(WSHandlerConstants.SIGNATURE_PARTS,
>     "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;");

The server is not throwing an error as you are using TLS and this
fulfills the message signing requirements.

Colm.

On Sat, Feb 11, 2012 at 8:59 PM, sram <[email protected]> wrote:
> I'm testing out a use case combining DoubleIT_TransportEndorsingPolicy and
> #DoubleItBinding_DoubleIt_Input_Policy.
>
> <sp:TransportBinding>
>   <wsp:Policy>
>     <sp:TransportToken>
>       <wsp:Policy>
>         <sp:HttpsToken RequireClientCertificate="false" />
>       </wsp:Policy>
>     </sp:TransportToken>
>     <sp:Layout>
>       <wsp:Policy>
>         <sp:Lax />
>       </wsp:Policy>
>     </sp:Layout>
>     *<sp:IncludeTimestamp />*
>     *<sp:OnlySignEntireHeadersAndBody />*
>     <sp:AlgorithmSuite>
>       <wsp:Policy>
>         <sp:Basic128 />
>       </wsp:Policy>
>     </sp:AlgorithmSuite>
>   </wsp:Policy>
> </sp:TransportBinding>
>
>
>
> <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SignedParts>
>         *<sp:Body />*
>       </sp:SignedParts>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> On the client I generate signatures using WSS4j,
>
> wss4jOut.setProperty(WSHandlerConstants.ACTION,
>     WSHandlerConstants.TIMESTAMP + " "
>     + WSHandlerConstants.USERNAME_TOKEN + " "
>     + WSHandlerConstants.SIGNATURE);
>
> wss4jOut.setProperty(WSHandlerConstants.SIGNATURE_PARTS,
>     "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;");
>
>
> All works fine, even if the client signs only the timestamp part and not any
> message body part. Even though I add a DoubleItBinding_DoubleIt_Input_Policy
> reference to my SOAP message input part, I suspect the server is only
> checking for the timestamp.
>
>>>>>>>> WSDL
> <binding name="pingBinding" type="p0:pingPortType">
>   <wsp:PolicyReference URI="#DoubleIT_TransportEndorsingPolicy" />
>   <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document" />
>   <operation name="ping">
>     <soap:operation soapAction="" />
>     <input>
>       <soap:body use="literal" />
>       <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy" />
>     </input>
>     <output>
>       <soap:body use="literal" />
> ...
>
>
> I wanted the client to sign message parts which can be authenticated on the
> server side using the client's X.509 token, flowing in as part of the TLS
> binding as an endorsing supporting token.
>
>>>>>>>>>> Logs
> [2/11/12 15:44:04:747 EST] 0000004e SignatureProc 1 org.apache.ws.security.processor.SignatureProcessor handleToken Found signature element
> [2/11/12 15:44:04:747 EST] 0000004e SignatureTrus 1 org.apache.ws.security.validate.SignatureTrustValidator verifyTrustInCert Transmitted certificate has subject CN=L151ATS033040.ams.mycomp.net,O=Harvard,C=US
> [2/11/12 15:44:04:747 EST] 0000004e SignatureTrus 1 org.apache.ws.security.validate.SignatureTrustValidator verifyTrustInCert Transmitted certificate has issuer CN=L151ATS033040.ams.mycomp.net,O=Harvard,C=US (serial 1328709293)
> [2/11/12 15:44:04:747 EST] 0000004e SignatureTrus 1 org.apache.ws.security.validate.SignatureTrustValidator isCertificateInKeyStore Direct trust for certificate with CN=L151ATS033040.ams.mycomp.net,O=Harvard,C=US
> [2/11/12 15:44:04:747 EST] 0000004e SignatureProc 1 org.apache.ws.security.processor.SignatureProcessor verifyXMLSignature Verify XML Signature
> [2/11/12 15:44:04:747 EST] 0000004e UsernameToken 1 org.apache.ws.security.processor.UsernameTokenProcessor handleToken Found UsernameToken list element
> [2/11/12 15:44:04:747 EST] 0000004e UsernameToken 1 org.apache.ws.security.validate.UsernameTokenValidator validate UsernameToken user stanforduser
> [2/11/12 15:44:04:747 EST] 0000004e UsernameToken 1 org.apache.ws.security.validate.UsernameTokenValidator validate UsernameToken password type http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText
> [2/11/12 15:44:04:747 EST] 0000004e SystemOut     O   stanforduser : workbench
> [2/11/12 15:44:04:747 EST] 0000004e TimestampProc 1 org.apache.ws.security.processor.TimestampProcessor handleToken Found Timestamp list element
> [2/11/12 15:44:04:747 EST] 0000004e Timestamp     1 org.apache.ws.security.message.token.Timestamp <init> Current time: 2012-02-11T20:44:04.747Z
> [2/11/12 15:44:04:747 EST] 0000004e Timestamp     1 org.apache.ws.security.message.token.Timestamp <init> Timestamp created: 2012-02-11T20:44:04.310Z
> [2/11/12 15:44:04:747 EST] 0000004e Timestamp     1 org.apache.ws.security.message.token.Timestamp <init> Timestamp expires: 2012-02-11T20:49:04.310Z
> [2/11/12 15:44:04:747 EST] 0000004e Timestamp     1 org.apache.ws.security.message.token.Timestamp verifyCreated Validation of Timestamp: Everything is ok
> [2/11/12 15:44:04:747 EST] 0000004e PingPortTypeI I   Executing operation ping
> [2/11/12 15:44:04:747 EST] 0000004e SystemOut     O   System.getProperty user.name
>
>
>
> --
> View this message in context: 
> http://cxf.547215.n5.nabble.com/Signing-Message-parts-tp5475654p5475654.html
> Sent from the cxf-user mailing list archive at Nabble.com.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
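As Colm explains above, a SignedParts assertion under a TransportBinding is satisfied by TLS, so the server accepts a message whose ds:Signature references only the Timestamp. The added example below (not code from the thread, CXF or WSS4J) is a stand-alone Python check of which elements a WS-Security signature actually covers, run over a constructed envelope shaped like the poster's client output and over the same envelope after the Body is added to SIGNATURE_PARTS; it inspects ds:Reference coverage only and does not verify digests or the signature value.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the Signature references only the Timestamp; the Body
# carries a wsu:Id but no ds:Reference points at it. Values are placeholders.
ONLY_TIMESTAMP_SIGNED = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsu="{WSU_NS}" xmlns:wsse="{WSSE_NS}" xmlns:ds="{DS_NS}">
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-02-11T20:44:04.310Z</wsu:Created>
        <wsu:Expires>2012-02-11T20:49:04.310Z</wsu:Expires></wsu:Timestamp>
      <ds:Signature><ds:SignedInfo>
        <ds:Reference URI="#TS-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
      </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body-1"><ping/></soap:Body>
</soap:Envelope>"""

# Constructed "after the fix" variant: a second ds:Reference covers the Body.
BODY_ALSO_SIGNED = ONLY_TIMESTAMP_SIGNED.replace(
    "</ds:SignedInfo>",
    '<ds:Reference URI="#Body-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue>'
    "</ds:Reference></ds:SignedInfo>")


def signed_element_names(envelope_xml):
    """Return {(namespace, localname)} of elements whose Id is referenced from
    wsse:Security/ds:Signature/ds:SignedInfo. Coverage only, no crypto."""
    root = ET.fromstring(envelope_xml)
    by_id = {i: el for el in root.iter()
             for i in [el.get(f"{{{WSU_NS}}}Id") or el.get("Id")] if i}
    path = (f".//{{{WSSE_NS}}}Security/{{{DS_NS}}}Signature/"
            f"{{{DS_NS}}}SignedInfo/{{{DS_NS}}}Reference")
    signed = set()
    for ref in root.iterfind(path):
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is not None:  # skip external or unresolved references
            ns, _, local = target.tag[1:].partition("}")
            signed.add((ns, local))
    return signed


def body_is_signed(envelope_xml):
    # The question from the thread: does the signature cover soap:Body?
    return (SOAP_NS, "Body") in signed_element_names(envelope_xml)
```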
