Hi Jan,

Hi!
> I read that CXF 3.1 (I use 3.1.6) supports SHA256 by default [1]. Still
> org.apache.cxf.systest.sts.template.TemplateTest seems to use SHA1.

The reference you link to is that the STS now signs SAML tokens by default
using SHA-256 from CXF 3.1.x. This is the case: if you look at the logging
output from the TemplateTest, you will see that the SAML Assertion issued
by the STS is signed with "rsa-sha256".

> So I
> chose testSendSAML2PublicKey to use SHA256 by changing "TripleDes" to
> "Basic256Sha256" in DoubleIt.wsdl.
>

This will not change the algorithm the STS signs the token with. It will
change the digest algorithm that the client uses to sign requests to the
STS and to the service however. Note that this *only* changes the digest
algorithm and not the signature method, which the WS-SecurityPolicy specs
hard-code as RSA-SHA1. To use RSA-SHA256 you will need to configure
security.asymmetric.signature.algorithm as a property on both the client +
service.

> Now the STS seems to expect a SHA256 signed token, which is correct. But
> the client still signs the RST using SHA1 which is why I get:
>
> javax.xml.ws.soap.SOAPFaultException: Error reading XMLStreamReader:
> org.apache.wss4j.common.ext.WSSecurityException: Digest algorithm
> http://www.w3.org/2000/09/xmldsig#sha1 does not meet policy
>

The error you get is actually on the service side, where it is complaining
that the Signature digest algorithm is not SHA-256. This is a bug in CXF
that I've just fixed (only affects the TransportBinding) - see
https://issues.apache.org/jira/browse/CXF-7021.

Colm.


>
> I also tried to specify in cxf-client.xml:
> <jaxws:properties>
>     <entry key="security.asymmetric.signature.algorithm"
> value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
>     ...
> </jaxws:properties>
>
> And tried to specify in DoubleIt.wsdl:
>
> <sp:RequestSecurityTokenTemplate>
>
> <t:SignatureAlgorithm>http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
> </t:SignatureAlgorithm>
>     ...
> </sp:RequestSecurityTokenTemplate>
>
> None of these solved the issue. Any help how to get SHA256 working with
> testSendSAML2PublicKey would be much appreciated. Thanks in advance.
>
> Best regards,
> Jan
>
> [1] http://cxf.apache.org/docs/31-migration-guide.html
>

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
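As an added example (not part of this thread, and not the CXF project's own sample configuration), this is what Colm's advice looks like in Spring XML: the signature-method property set on both the client and the endpoint, with the WSDL's Basic256Sha256 suite still governing the digest. The bean ids, addresses and the org.example class names are assumptions; the property key and the algorithm URI are the ones already quoted in the thread. The client and endpoint would normally live in separate contexts (cxf-client.xml and the service configuration); they are shown in one file only to keep the example self-contained.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: configuring the asymmetric signature method on both sides.
     ids, addresses and org.example.* classes are placeholders (assumed). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://cxf.apache.org/jaxws
           http://cxf.apache.org/schemas/jaxws.xsd">

    <!-- Service side: without this entry the service keeps the policy default
         (RSA-SHA1) for its own Signature and for what it accepts. -->
    <jaxws:endpoint id="doubleItSaml2Endpoint"
                    implementor="org.example.DoubleItPortTypeImpl"
                    address="/doubleitasymmetricsaml2">
        <jaxws:properties>
            <entry key="security.asymmetric.signature.algorithm"
                   value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <!-- keystore, username and callback-handler entries go here as before -->
        </jaxws:properties>
    </jaxws:endpoint>

    <!-- Client side: the same key, so the RST to the STS and the request to the
         service are signed with rsa-sha256. The digest algorithm (sha256) comes
         from the Basic256Sha256 algorithm suite in DoubleIt.wsdl, not from here. -->
    <jaxws:client id="doubleItSaml2Client"
                  serviceClass="org.example.DoubleItPortType"
                  address="https://localhost:9001/doubleit/services/doubleitasymmetricsaml2">
        <jaxws:properties>
            <entry key="security.asymmetric.signature.algorithm"
                   value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <!-- keystore, username and callback-handler entries go here as before -->
        </jaxws:properties>
    </jaxws:client>

</beans>
```

Two things to keep apart when checking the result: the algorithm suite in the policy (Basic256Sha256) decides the digest of the signed parts, while this property decides the SignatureMethod; a "does not meet policy" fault names which of the two the receiving side rejected. The STS's own signature over the SAML token is a third, independent setting, which CXF 3.1.x already defaults to rsa-sha256 as the first reply in this thread explains.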
