Hi all,

CXF 3.0.0 will have the ability to sign and encrypt message attachments via the SOAP with Attachments profile of WS-Security:

http://coheigea.blogspot.ie/2014/02/apache-wss4j-200-part-v.html

There have been a few inquiries about securing MTOM attachments and so I thought I'd write up an email with what I intend to do, in case anyone has any better ideas.

In CXF 2.6/2.7 MTOM Attachments are automatically inlined when using WS-Security as there is no way to sign/encrypt attachments. Therefore the whole point of using MTOM is lost.

There appears to be a near total lack of examples and documentation about how MTOM and WS-Security should work together. However, it seems that it should work by BASE-64 encoding the attachment + inlining it in the message body temporarily, to calculate a Signature Digest. This BASE-64 encoding is required on both the client + server side. This is obviously less efficient than using the SOAP with Attachments approach which can just sign + encrypt attachments "as is".

I propose the following for CXF 3.0.0:

a) Leave the current behaviour in place to inline attachments when using MTOM. However, make this functionality more sophisticated, e.g. no need to do this when using the TransportBinding.

b) If you want to sign/encrypt MTOM attachments without inlining you can simply configure the boolean switch on the WS-Security interceptors not to inline + set the same "signature/encryptionParts" as for the SwA spec. This will sign/encrypt the attachments, but e.g. only the xop:Include part will be signed/encrypted in the SOAP Body.

If someone with expertise in using signed MTOM with Metro or WCF is willing to contribute a test-case then I can look into the interoperable inlining approach for the next release.

Colm.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
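
Added example (not part of the original email, and not CXF or WSS4J code): a simplified model of what each approach described above covers with a signature digest, showing why the attachment has to be listed as a signed part when the Body carries only xop:Include. The mode names, content ID and sample bytes are constructed, and SHA-256 over raw bytes stands in for real XML canonicalization and the SwA attachment transforms.

```python
import base64
import hashlib

def digest(data: bytes) -> str:
    """Base64 SHA-256, standing in for a ds:DigestValue (no XML canonicalization)."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def body_with_xop(cid: str) -> bytes:
    """SOAP Body as sent with MTOM: only an xop:Include reference to the MIME part."""
    return (
        '<soap:Body><doc><xop:Include '
        'xmlns:xop="http://www.w3.org/2004/08/xop/include" '
        f'href="cid:{cid}"/></doc></soap:Body>'
    ).encode()

def body_inlined(attachment: bytes) -> bytes:
    """SOAP Body with the attachment BASE-64 encoded in place of xop:Include."""
    return b"<soap:Body><doc>" + base64.b64encode(attachment) + b"</doc></soap:Body>"

def signed_digests(mode: str, attachment: bytes, cid: str) -> dict:
    """Digests a signer would cover in each (hypothetical, illustrative) mode."""
    if mode == "inline":      # attachment inlined before the digest is calculated
        return {"body": digest(body_inlined(attachment))}
    if mode == "xop-only":    # Body signed, attachment not listed as a signed part
        return {"body": digest(body_with_xop(cid))}
    if mode == "xop+swa":     # option b): Body plus the attachment as a SwA-style part
        return {"body": digest(body_with_xop(cid)), f"cid:{cid}": digest(attachment)}
    raise ValueError(f"unknown mode: {mode}")

def verify(mode: str, signed: dict, received_attachment: bytes, cid: str) -> bool:
    """Receiver recomputes the digests over what actually arrived and compares."""
    return signed == signed_digests(mode, received_attachment, cid)

def tamper_detected(mode: str) -> bool:
    """Sign the original attachment, then verify against a modified one."""
    cid = "report.pdf@example.invalid"                 # constructed content ID
    original = b"%PDF-1.4 constructed sample"          # constructed attachment bytes
    tampered = b"%PDF-1.4 constructed sample, modified in transit"
    signed = signed_digests(mode, original, cid)
    return not verify(mode, signed, tampered, cid)

if __name__ == "__main__":
    for mode in ("inline", "xop-only", "xop+swa"):
        print(f"{mode:9s} tampering detected: {tamper_detected(mode)}")
```

Only the "xop-only" case verifies successfully after the attachment bytes change, because the digest over the Body covers just the `cid:` reference.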
