Re: Need your help again ;-)

Fri, 20 Dec 2013 18:38:15 -0800 

Hi Francois,
You're going to have some things signed even without <SignedParts>, in particular the Timestamp and tokens (the latter because you're using ProtectTokens), . See http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/errata01/os/ws-securitypolicy-1.3-errata01-os-complete.html#_Toc325573671 

Regards,

  - Dennis

Dennis M. Sosnoski
Java Web Services Consulting <http://www.sosnoski.com/consult.html>

CXF and Web Services Security Training 
<http://www.sosnoski.com/training.html>

Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>

On 12/21/2013 12:03 AM, COURTAULT Francois wrote:

Hello Colm,

First, thanks for answering.
In fact we are using Weblogic predefined policy and the one we want to use 
contains only the policy assertions I  have listed. So what will be the 
behavior with such policy ?

So if I read between the lines you answer,  if we have only this assertions 
list, nothing should be done in term of encryption and signature: right ?
What about my spec questions: could you reply please ?

Regarding what we want to do, initially we want to sign the request and encrypt 
the response: what should we add ?

Probably:
<sp:EncryptedParts>
     <sp:Body/>
   </sp:EncryptedParts>
And
<sp:SignedParts>
     <sp:Body/>
</sp:SignedParts>
Right ?

Best Regards.

From: Colm O hEigeartaigh [mailto:[email protected]]
Sent: vendredi 20 décembre 2013 11:36
To: COURTAULT Francois
Cc: [email protected]
Subject: Re: Need your help again ;-)


What do you actually want to sign/encrypt? Why not start from there + then 
figure out an appropriate policy? Typically you will add in SignedParts or 
EncryptedParts policies to cover what you want signed/encrypted.

Colm.

On Thu, Dec 19, 2013 at 5:36 PM, COURTAULT Francois 
<[email protected]<mailto:[email protected]>> wrote:
Hello everyone,

We are using only AsymmetricBinding assertion to a recipient with :

*         InitiatorSignatureToken (IncludeToken/AlwaysToRecipient)

*         RecipientEncryptionToken (IncludeToken/Never)

*         IncludeTimestamp

*         ProtectTokens

*         OnlySignEntireHeadersAndBody

*         Wss11

o   sp:MustSupportRefKeyIdentifier

o   sp:MustSupportRefIssuerSerial

o   sp:MustSupportRefThumbprint

o   sp:MustSupportRefEncryptedKey

o   sp:RequireSignatureConfirmation

Could we attached this AsymmetricBinding assertion to a WS endpoint as it is, 
meaning without providing any details regarding what we want to sign and 
encrypt ?

In the spec 
(http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826608)
 it is stated that:

-          "The specified token populates the [Initiator Signature Token] property 
and is used for the message signature from initiator to recipient.". So it means 
that a SOAP client has to provide a message signature in the SOAP request sent to the 
recipient: right ?

-          "The specified token populates the [Recipient Encryption Token] property 
and is used for the message encryption from recipient to Recipient.": is there any 
typo here ? from recipient to Recipient ? If this is not a typo what does that mean ? 
Because otherwise I will interpret it as initiator to Recipient: right ? In such case, 
the SOAP request sent to the recipient should contain some encryption: right ?


Best Regards.

________________________________
This message and any attachments are intended solely for the addressees and may 
contain confidential information. Any unauthorized use or disclosure, either 
whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the 
message if altered, changed or falsified. If you are not the intended recipient 
of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free 
from viruses, the sender will not be liable for damages caused by a transmitted 
virus



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

________________________________
This message and any attachments are intended solely for the addressees and may 
contain confidential information. Any unauthorized use or disclosure, either 
whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the 
message if altered, changed or falsified. If you are not the intended recipient 
of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free 
from viruses, the sender will not be liable for damages caused by a transmitted 
virus

























					Reply via email to