Thank you Colm! That solved the problem. :-)

Regards,
Jan

On 24.08.2016 13:23, Colm O hEigeartaigh wrote:
Hi Jan,

Hi!
I read that CXF 3.1 (I use 3.1.6) supports SHA256 by default [1]. Still
org.apache.cxf.systest.sts.template.TemplateTest seems to use SHA1.


The reference you link to is that the STS now signs SAML tokens by default using SHA-256 from CXF 3.1.x. This is the case: if you look at the logging output from the TemplateTest, you will see that the SAML Assertion issued
by the STS is signed with "rsa-sha256".



So I
chose testSendSAML2PublicKey to use SHA256 by changing "TripleDes" to
"Basic256Sha256" in DoubleIt.wsdl.


This will not change the algorithm the STS signs the token with. It will change the digest algorithm that the client uses to sign requests to the STS and to the service however. Note that this *only* changes the digest algorithm and not the signature method, which the WS-SecurityPolicy specs
hard-code as RSA-SHA1. To use RSA-SHA256 you will need to configure
security.asymmetric.signature.algorithm as a property on both the client +
service.



Now the STS seems to expect a SHA256 signed token, which is correct. But
the client still signs the RST using SHA1 which is why I get:

javax.xml.ws.soap.SOAPFaultException: Error reading XMLStreamReader:
org.apache.wss4j.common.ext.WSSecurityException: Digest algorithm
http://www.w3.org/2000/09/xmldsig#sha1 does not meet policy


The error you get is actually on the service side, where it is complaining that the Signature digest algorithm is not SHA-256. This is a bug in CXF
that I've just fixed (only affects the TransportBinding) - see
https://issues.apache.org/jira/browse/CXF-7021.

Colm.



I also tried to specify in cxf-client.xml:
<jaxws:properties>
    <entry key="security.asymmetric.signature.algorithm"
value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
    ...
</jaxws:properties>

And tried to specify in DoubleIt.wsdl:

<sp:RequestSecurityTokenTemplate>

<t:SignatureAlgorithm>http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
</t:SignatureAlgorithm>
    ...
</sp:RequestSecurityTokenTemplate>

None of these solved the issue. Any help how to get SHA256 working with
testSendSAML2PublicKey would be much appreciated. Thanks in advance.

Best regards,
Jan

[1] http://cxf.apache.org/docs/31-migration-guide.html
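
The distinction Colm draws above (the Basic256Sha256 suite changes the digest method, while the signature method stays RSA-SHA1 until security.asymmetric.signature.algorithm is set on client and service) can be checked directly on a captured request. The following is an added example, not code from CXF or from this thread: it parses a constructed signed SOAP envelope and reports every ds:SignatureMethod or ds:DigestMethod that does not meet the expected algorithms, the same kind of check that produced the "does not meet policy" fault on the service side.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample envelope (digest values are placeholders): the shape a
# client produces after switching the algorithm suite to Basic256Sha256 but
# without setting security.asymmetric.signature.algorithm, i.e. the digest is
# SHA-256 while the signature method is still RSA-SHA1.
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <ds:Signature xmlns:ds="{DS}">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="{RSA_SHA1}"/>
        <ds:Reference URI="#body">
          <ds:DigestMethod Algorithm="{SHA256_DIGEST}"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </soap:Header>
  <soap:Body>...</soap:Body>
</soap:Envelope>"""


def check_signature_algorithms(envelope_xml, expected_signature=RSA_SHA256,
                               expected_digest=SHA256_DIGEST):
    """Return (element, algorithm) pairs that violate the expected policy.

    An envelope without any ds:Signature is reported as ("Signature", None),
    since an unsigned message meets no signature policy at all.
    """
    root = ET.fromstring(envelope_xml)
    signatures = list(root.iter(f"{{{DS}}}Signature"))
    if not signatures:
        return [("Signature", None)]
    violations = []
    for sig in signatures:
        method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
        alg = method.get("Algorithm") if method is not None else None
        if alg != expected_signature:
            violations.append(("SignatureMethod", alg))
        # Every signed part carries its own digest method; check each one.
        for ref in sig.iter(f"{{{DS}}}Reference"):
            digest = ref.find(f"{{{DS}}}DigestMethod")
            dalg = digest.get("Algorithm") if digest is not None else None
            if dalg != expected_digest:
                violations.append(("DigestMethod", dalg))
    return violations
```

Running it on the sample reports only the RSA-SHA1 signature method, which is exactly the gap left after changing the algorithm suite alone.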
