There is some inconsistency in how CXF handles token referencing between
the initiator + recipient sides for X.509 tokens, which I've since fixed.

Colm.


On Fri, May 16, 2014 at 1:07 PM, Kai Rommel <[email protected]> wrote:

> Hi Colm,
> I set up a scenario and was wondering about the KeyInfo elements.
>
>
> Policy P1 for WS-Consumer and WS-Provider
>
> CXF ---sends requestA ----> CXF
>     <--- sends responseB---
>
> Policy is
> <p:policies enabled="true" xmlns:p="http://cxf.apache.org/policy">
>   <wsp:Policy wsu:Id="AsymmetricII"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://www.w3.org/ns/ws-policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:InitiatorToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                   <wsp:Policy>
>                     <sp:WssX509V3Token10 />
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:InitiatorToken>
>             <sp:RecipientToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                   <wsp:Policy>
>                     <sp:WssX509V3Token10 />
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:RecipientToken>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict />
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp />
>             <sp:OnlySignEntireHeadersAndBody />
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:TripleDesRsa15 />
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>           </wsp:Policy>
>         </sp:AsymmetricBinding>
>         <sp:Wss10 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:MustSupportRefKeyIdentifier />
>             <sp:MustSupportRefIssuerSerial />
>           </wsp:Policy>
>         </sp:Wss10>
>         <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <sp:Body />
>           <sp:Header Name="Timestamp"
>             Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
>         </sp:SignedParts>
>         <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <sp:Body />
>         </sp:EncryptedParts>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
> </p:policies>
>
> When I have a closer look at the messages, they look like this:
>
>
>  A:
>  Enc-Element: KeyInfo/SecurityTokenReference/KeyIdentifier
>  Sig-Element:  KeyInfo/SecurityTokenReference/Reference
>
>  B:
>  Enc-Element:  KeyInfo/SecurityTokenReference/X509Data
>  Sig-Element:   KeyInfo/SecurityTokenReference/KeyIdentifier
>
>
> Is there any reason that the request message contains the KeyIdentifier in
> the encryption part, while the response message contains the X509Data element?
>
> I am using CXF version 2.7.10.
>
> Best regards
> Kai
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
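The listing in the quoted question (A: Enc KeyIdentifier / Sig Reference; B: Enc X509Data / Sig KeyIdentifier) is the kind of thing worth checking mechanically when two endpoints are supposed to follow the same policy. The script below is an added example, not code from this thread or from CXF: it walks the wsse:Security header of a SOAP 1.1 message, reports which SecurityTokenReference form the EncryptedKey and Signature KeyInfo elements use, and compares each form with the MustSupportRef* assertions in the policy's sp:Wss10 block. The sample envelopes are constructed with placeholder token values to mirror messages A and B; the sample policy reuses only the Wss10 part of the quoted policy. It assumes that a direct wsse:Reference is always acceptable (WS-SecurityPolicy has no assertion for it) and that a form with no matching MustSupportRef* assertion is a mismatch worth investigating, not necessarily a policy violation.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SOAP 1.1, WS-Security, XML Signature/Encryption, WS-SecurityPolicy.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
}
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"

# sp:Wss10 assertion that requires the recipient to support each STR form.
# wsse:Reference (direct reference) has no assertion; assumed always allowed.
STR_FORM_TO_ASSERTION = {
    "KeyIdentifier": "MustSupportRefKeyIdentifier",
    "X509Data": "MustSupportRefIssuerSerial",
    "Embedded": "MustSupportRefEmbeddedToken",
}


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[-1]


def str_form(key_info):
    """Local name of the child of ds:KeyInfo/wsse:SecurityTokenReference
    (KeyIdentifier, Reference, X509Data, Embedded), or None if absent."""
    if key_info is None:
        return None
    str_el = key_info.find("wsse:SecurityTokenReference", NS)
    if str_el is None or len(str_el) == 0:
        return None
    return local_name(str_el[0].tag)


def audit_message(envelope_xml):
    """STR form used by the first xenc:EncryptedKey and first ds:Signature in
    the wsse:Security header, keyed like the listing in the thread."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return {"Enc-Element": None, "Sig-Element": None}
    return {
        "Enc-Element": str_form(security.find("xenc:EncryptedKey/ds:KeyInfo", NS)),
        "Sig-Element": str_form(security.find("ds:Signature/ds:KeyInfo", NS)),
    }


def supported_reference_forms(policy_xml):
    """Set of STR forms the policy's sp:Wss10 assertions require support for."""
    root = ET.fromstring(policy_xml)
    supported = {"Reference"}  # direct references need no assertion (assumption)
    for wss10 in root.iter("{%s}Wss10" % NS["sp"]):
        present = {local_name(el.tag) for el in wss10.iter()}
        for form, assertion in STR_FORM_TO_ASSERTION.items():
            if assertion in present:
                supported.add(form)
    return supported


def check_against_policy(envelope_xml, policy_xml):
    """Map each KeyInfo to (form, whether the policy declares support for it)."""
    supported = supported_reference_forms(policy_xml)
    return {part: (form, form in supported)
            for part, form in audit_message(envelope_xml).items()}


def constructed_envelope(enc_str_child, sig_str_child):
    """Constructed SOAP envelope (placeholder values) whose EncryptedKey and
    Signature KeyInfo elements carry the given SecurityTokenReference children."""
    return f"""
<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
                   xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
      <wsse:BinarySecurityToken wsu:Id="X509-1">BASE64-PLACEHOLDER</wsse:BinarySecurityToken>
      <xenc:EncryptedKey Id="EK-1"><ds:KeyInfo><wsse:SecurityTokenReference>
        {enc_str_child}
      </wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedKey>
      <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
        {sig_str_child}
      </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


# Constructed STR children for the three forms seen in the thread.
KEY_IDENTIFIER = (f'<wsse:KeyIdentifier ValueType="{X509_PROFILE}#X509SubjectKeyIdentifier">'
                  'SKI-PLACEHOLDER</wsse:KeyIdentifier>')
DIRECT_REFERENCE = f'<wsse:Reference URI="#X509-1" ValueType="{X509_PROFILE}#X509v3"/>'
ISSUER_SERIAL = ('<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=placeholder'
                 '</ds:X509IssuerName><ds:X509SerialNumber>1</ds:X509SerialNumber>'
                 '</ds:X509IssuerSerial></ds:X509Data>')

REQUEST_A = constructed_envelope(KEY_IDENTIFIER, DIRECT_REFERENCE)   # like message A
RESPONSE_B = constructed_envelope(ISSUER_SERIAL, KEY_IDENTIFIER)     # like message B

# Only the Wss10 part of the quoted policy is needed for this check.
SAMPLE_POLICY = f"""
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="{NS['sp']}">
  <sp:Wss10><wsp:Policy>
    <sp:MustSupportRefKeyIdentifier/>
    <sp:MustSupportRefIssuerSerial/>
  </wsp:Policy></sp:Wss10>
</wsp:Policy>"""

if __name__ == "__main__":
    for name, envelope in (("A", REQUEST_A), ("B", RESPONSE_B)):
        print(name, check_against_policy(envelope, SAMPLE_POLICY))
```

Run against real traffic, replace the constructed envelopes with captured request and response messages from both sides; a form that shows up as unsupported, or that differs between the two directions for the same token role, is the inconsistency to chase down in the endpoint configuration.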
