Hi Colm,

Sounds reasonable to me.
The only concern is what we can do in case the OnlySignEntireHeadersAndBody 
policy assertion is true and MTOM attachments should be signed?
According to the spec, only the entire SOAP Body, a SOAP Header, and/or a direct 
child of the Security header can be signed, nothing else.

Does it make sense in this case to go the way you described: temporarily inline 
attachments to calculate the digest value and send the data as multipart MTOM 
afterwards? In this case not only the xop:Include part can be signed, but the 
whole message body including attachments as well. That can be useful for some 
use cases where ensuring consistency between message body and attachments is 
important.

Regards,
Andrei.

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Friday, 21 March 2014 17:47
> To: [email protected]
> Subject: Signed/encrypted MTOM
> 
> Hi all,
> 
> CXF 3.0.0 will have the ability to sign and encrypt message attachments via 
> the SOAP with Attachments profile of WS-Security:
> 
> http://coheigea.blogspot.ie/2014/02/apache-wss4j-200-part-v.html
> 
> There have been a few inquiries about securing MTOM attachments and so I
> thought I'd write up an email with what I intend to do, in case anyone has any
> better ideas.
> 
> In CXF 2.6/2.7 MTOM Attachments are automatically inlined when using 
> WS-Security as there is no way to sign/encrypt attachments. Therefore the whole
> point of using MTOM is lost.
> 
> There appears to be a near total lack of examples and documentation about
> how MTOM and WS-Security should work together. However, it seems that it
> should work by BASE-64 encoding the attachment + inlining it in the message
> body temporarily, to calculate a Signature Digest. This BASE-64 encoding is
> required on both the client + server side. This is obviously less efficient 
> than using the SOAP with Attachments approach which can just sign + encrypt
> attachments "as is".
> 
> I propose the following for CXF 3.0.0:
> 
> a) Leave the current behaviour in place to inline attachments when using
> MTOM. However, make this functionality more sophisticated, e.g. no need to
> do this when using the TransportBinding.
> 
> b) If you want to sign/encrypt MTOM attachments without inlining you can
> simply configure the boolean switch on the WS-Security interceptors not to
> inline + set the same "signature/encryptionParts" as for the SwA spec. This 
> will sign/encrypt the attachments, but e.g. only the xop:Include part will be
> signed/encrypted in the SOAP Body.
> 
> If someone with expertise in using signed MTOM with Metro or WCF is willing to
> contribute a test-case then I can look into the interoperable inlining 
> approach for the next release.
> 
> Colm.
> 
> 
> --
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
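
As an added illustration of the two options discussed in this thread (this is not code from CXF, WSS4J or either poster), the Python sketch below contrasts digesting the SOAP Body as it is sent, so that only the xop:Include reference is covered, with temporarily replacing each xop:Include by the base64 text of the MIME part it references (the XOP Infoset reconstruction) before digesting, so that the digest also covers the attachment bytes. It uses a plain SHA-256 over the serialised element in place of an XML Signature canonicalisation transform, and the envelope, Content-ID and attachment bytes are constructed sample data.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XOP_NS = "http://www.w3.org/2004/08/xop/include"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("xop", XOP_NS)

# Constructed sample: a SOAP 1.1 envelope whose Body holds one MTOM-optimised
# base64Binary element. The bytes themselves travel in a separate MIME part.
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <upload xmlns="urn:example:files">
      <name>report.pdf</name>
      <data><xop:Include xmlns:xop="{XOP_NS}" href="cid:part1@example.org"/></data>
    </upload>
  </soap:Body>
</soap:Envelope>"""

# Constructed MIME parts, keyed by Content-ID (without the "cid:" scheme).
ATTACHMENTS = {"part1@example.org": b"%PDF-1.4 constructed attachment bytes"}


def body_element(envelope_xml):
    """Parse the envelope and return its soap:Body element."""
    body = ET.fromstring(envelope_xml).find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("envelope has no soap:Body")
    return body


def inline_attachments(body, attachments):
    """Return a copy of `body` with every xop:Include replaced by the base64
    text of the MIME part it references (the XOP Infoset reconstruction).
    A reference to a part that is absent is an error, not a silent skip:
    otherwise a message whose attachment was stripped would still verify."""
    body = copy.deepcopy(body)
    includes = [(parent, child) for parent in body.iter() for child in parent
                if child.tag == f"{{{XOP_NS}}}Include"]
    for parent, child in includes:
        href = child.get("href", "")
        if not href.startswith("cid:"):
            raise ValueError(f"unsupported xop:Include href {href!r}")
        cid = href[len("cid:"):]
        if cid not in attachments:
            raise ValueError(f"xop:Include references missing MIME part {cid!r}")
        parent.remove(child)
        parent.text = (parent.text or "") + base64.b64encode(attachments[cid]).decode("ascii")
    return body


def digest(element):
    """SHA-256 over the serialised element. XML Signature would apply a
    canonicalisation transform first; plain serialisation is enough here."""
    return hashlib.sha256(ET.tostring(element, encoding="utf-8")).hexdigest()


def digest_reference_only(envelope_xml):
    """Option (b) from the thread: digest the Body as sent. Only the
    xop:Include reference is covered, not the attachment bytes."""
    return digest(body_element(envelope_xml))


def digest_with_inlining(envelope_xml, attachments):
    """Temporary-inlining approach: digest the Body with the attachments
    inlined as base64, then still send the message as MTOM multipart."""
    return digest(inline_attachments(body_element(envelope_xml), attachments))


def attachment_tamper_detected(envelope_xml, sent, received, inline):
    """Does the digest the sender computed differ from the one the receiver
    recomputes after the attachment bytes were changed in transit?"""
    if inline:
        return digest_with_inlining(envelope_xml, sent) != digest_with_inlining(envelope_xml, received)
    # The Body bytes on the wire are unchanged, so this digest cannot see
    # the attachment at all: the two values are always identical.
    return digest_reference_only(envelope_xml) != digest_reference_only(envelope_xml)


if __name__ == "__main__":
    tampered = {"part1@example.org": ATTACHMENTS["part1@example.org"] + b" (modified)"}
    print("reference only, tamper detected:",
          attachment_tamper_detected(ENVELOPE, ATTACHMENTS, tampered, inline=False))
    print("inlined base64, tamper detected:",
          attachment_tamper_detected(ENVELOPE, ATTACHMENTS, tampered, inline=True))
```

The inlining branch is the only one where a modified or swapped attachment changes the digest, which is the consistency property Andrei's reply is after; the reference-only branch shows why signing just the xop:Include element leaves the attachment bytes outside the signature unless they are covered separately, as in the SwA profile.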
