The "OnlySignEntireHeadersAndBody" policy won't actually sign your custom
SOAP Header. You will need to add a policy to sign the header, e.g.
<sp:SignedParts><sp:Header Name="X" Namespace="Y"/></sp:SignedParts> or
else add a SignedElements policy with an XPath that points to the custom
header.

Colm.

On Fri, Oct 16, 2015 at 7:36 PM, Urciolo, Kevin J (IS) <
[email protected]> wrote:

> I am running the apache-cxf-3.1.3/samples/ws_security/sign_enc_policy
> sample client/server code.  I modified the policy to only do signature, no
> encryption.
>
> I was curious to see how a custom SOAP header was handled with
>  <sp:OnlySignEntireHeadersAndBody/>
>
> So I added the second section of code below.
>
>         System.out.println(wsdlURL);
>         SOAPService ss = new SOAPService(wsdlURL, SERVICE_NAME);
>         Greeter port = ss.getPort(PORT_NAME, Greeter.class);
>
>         org.apache.cxf.endpoint.Client proxy = ClientProxy.getClient(port);
>         List<Header> headersList = new ArrayList<Header>();
>         Header testHeader = new Header(new QName("http://com.test/SampleWS",
> "tcn"), "abc123", new JAXBDataBinding(String.class));
>         headersList.add(testHeader);
>         proxy.getRequestContext().put(Header.HEADER_LIST, headersList);
>
> I can see my header in the request SOAP now.  However, one digest is
> pointing to the timestamp, and the other digest is pointing to the body
> based on the "wsu:Id".  Will my custom header not be included in the digest
> that is signed using WS-Security?
>
> SOAP example below:
>
>   <soap:Header>
>     <tcn xmlns="http://com.test/SampleWS">abc123</tcn>
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                    soap:mustUnderstand="1">
>       <wsu:Timestamp wsu:Id="TS-e092f8db-397a-47c2-8415-9c7416d03356">
>         <wsu:Created>2015-10-16T18:18:23.145Z</wsu:Created>
>         <wsu:Expires>2015-10-16T18:23:23.145Z</wsu:Expires>
>       </wsu:Timestamp>
>       <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>                                 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>                                 wsu:Id="X509-6a1a648f-2077-49b0-ad52-5dd39839bb2d">xyz</wsse:BinarySecurityToken>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-68e6b7c4-63e5-4a6a-907d-4ca8e629230c">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#TS-e092f8db-397a-47c2-8415-9c7416d03356">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>+4djih/y2x4YOGLvfnBvf+LGQFqF6P4Rhh8V9/I5N6o=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#_913bf553-50ca-4bab-a758-168d44e01801">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             <ds:DigestValue>sH3LRyoMxCivKqBU8sFESi3BxaBryVXhrcczVJHK2pA=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>xyz</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-35982ca6-8c19-4e92-b90c-33d18f6f6c9d">
>           <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>                                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                                        wsu:Id="STR-fa6ba6f7-c883-4726-99b4-b2c869488983">
>             <wsse:Reference URI="#X509-6a1a648f-2077-49b0-ad52-5dd39839bb2d"
>                             ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>   </soap:Header>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
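A WS-SecurityPolicy fragment for the fix Colm describes, as an added example rather than code from this thread or from the CXF sign_enc_policy sample: it assumes the sample's policy already carries the AsymmetricBinding (with sp:OnlySignEntireHeadersAndBody) and token assertions, so only the SignedParts entry, and the SignedElements alternative, is shown, naming the tcn header from the posted message; the soap prefix is assumed to be SOAP 1.1.

```xml
<!-- Added example, not from the thread or the CXF sample. Place the
     SignedParts inside the same wsp:All as the existing AsymmetricBinding.
     sp:OnlySignEntireHeadersAndBody only constrains HOW headers are signed
     (whole header element, no XPath-selected fragments), not WHICH headers
     are signed, so the custom header must be named explicitly. -->
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
            xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:t="http://com.test/SampleWS">
  <wsp:ExactlyOne>
    <wsp:All>

      <!-- Option 1: SignedParts. Name and Namespace must match the QName
           used when the Header object was built in the client code
           (tcn in http://com.test/SampleWS). Keep sp:Body here: listing
           only the header would replace, not extend, the signed parts. -->
      <sp:SignedParts>
        <sp:Body/>
        <sp:Header Name="tcn" Namespace="http://com.test/SampleWS"/>
      </sp:SignedParts>

      <!-- Option 2: SignedElements with an XPath to the same header. The
           soap and t prefixes declared on wsp:Policy are in scope for the
           expression. Use one option or the other for a given element. -->
      <!--
      <sp:SignedElements XPathVersion="http://www.w3.org/TR/1999/REC-xpath-19991116">
        <sp:XPath>/soap:Envelope/soap:Header/t:tcn</sp:XPath>
      </sp:SignedElements>
      -->

    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

With the policy applied on both client and server, the outbound message gains a third ds:Reference whose URI matches a wsu:Id that CXF adds to the tcn element, and the server's policy validation rejects a request whose tcn header is not signed; checking the request for that Reference is the quickest way to confirm the header is actually covered.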
