Hi Claude,

The answer I gave on the WSS4J JIRA was when you are configuring security
manually. When using WS-SecurityPolicy you don't need to do it. If you use
the following policy for the RecipientSignatureToken it should work, I
verified it with the CXF systests:

<sp:RecipientSignatureToken>
    <wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
            <wsp:Policy>
                <sp:WssX509V3Token10/>
            </wsp:Policy>
        </sp:X509Token>
    </wsp:Policy>
</sp:RecipientSignatureToken>

"AlwaysToRecipient" as per the policy you had above is not valid, as it
would not then send the token to the initiator...

Colm.

On Fri, Sep 23, 2016 at 9:30 AM, Claude Libois <[email protected]>
wrote:

> Hello,
> I would like to enforce my endpoint to return a reference to the embedded
> binarySecurityToken instead of the serial+issuer name such as:
> <wsse:SecurityTokenReference
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         wsu:Id="STR-a65f2369-4c86-4e01-9663-0ec7b90b5ac9">
>     <ds:X509Data>
>         <ds:X509IssuerSerial>
>             <ds:X509IssuerName>IssuerName</ds:X509IssuerName>
>             <ds:X509SerialNumber>124284142324952637825</ds:X509SerialNumber>
>         </ds:X509IssuerSerial>
>     </ds:X509Data>
> </wsse:SecurityTokenReference>
> I was told by Colm O hEigeartaigh (thank you btw) that I could use the
> signatureKeyIdentifier property with the "DirectReference" value. TBH, as I'm on a
> servicemix with cxf+wss4J, it's quite complicated to know where to set this property
> value, but that's not the point here. I'm using a policy to define my ws-security
> and found it was possible to define something
> like <sp:RequireEmbeddedTokenReference/> in the X509 tag. However, I'm
> still receiving the X509IssuerSerial....
> Does anybody know how to define this correctly in a policy? Here is my
> policy, only applied on the server response:
> <wsp:Policy wsu:Id="signAndTsPolicy">
>     <wsp:ExactlyOne>
>         <wsp:All>
>             <sp:AsymmetricBinding>
>                 <wsp:Policy>
>                     <sp:IncludeTimestamp/>
>                     <sp:InitiatorSignatureToken>
>                         <wsp:Policy>
>                             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                                 <wsp:Policy>
>                                     <sp:WssX509PkiPathV1Token10/>
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:InitiatorSignatureToken>
>                     <sp:RecipientSignatureToken>
>                         <wsp:Policy>
>                             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"> <!-- Never? -->
>                                 <wsp:Policy>
>                                     <sp:WssX509PkiPathV1Token10/>
>                                     <sp:RequireEmbeddedTokenReference/>
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:RecipientSignatureToken>
>                     <sp:AlgorithmSuite>
>                         <wsp:Policy>
>                             <sp:Basic256Sha256/>
>                         </wsp:Policy>
>                     </sp:AlgorithmSuite>
>                     <sp:Layout>
>                         <wsp:Policy>
>                             <sp:Lax/>
>                         </wsp:Policy>
>                     </sp:Layout>
>                     <sp:ProtectTokens/>
>                     <sp:OnlySignEntireHeadersAndBody/>
>                 </wsp:Policy>
>             </sp:AsymmetricBinding>
>             <sp:SignedParts>
>                 <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
>                 <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>                 <sp:Body/>
>             </sp:SignedParts>
>             <sp:Wss10>
>                 <sp:Policy>
>                     <sp:MustSupportRefKeyIdentifier/>
>                 </sp:Policy>
>             </sp:Wss10>
>         </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>
>
> To be honest, I'm rather new to ws-security with policy on cxf+wss4j.
> I must say that it was quite complicated to find complete information to
> achieve my goal.
> That's why I'm asking for some help now.
> Best Regards,
> Claude
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
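A quick way to confirm what the endpoint actually returns once the policy is changed, added here as an illustration and not code from CXF, WSS4J or either message in this thread: a small Python script that parses the wsse:Security header of a SOAP response and reports whether the signature's KeyInfo points at an embedded BinarySecurityToken (a wsse:Reference, i.e. the direct reference discussed above) or at ds:X509IssuerSerial, and, for a direct reference, whether the "#id" actually resolves to a BinarySecurityToken present in the same header. The three SOAP envelopes are constructed by hand (placeholder certificate and signature values) and are not real captures.

```python
"""Report how the signature in a SOAP response's wsse:Security header
references the signing certificate: a direct reference to an embedded
BinarySecurityToken, an X509IssuerSerial, or a KeyIdentifier.

Illustration for this thread, not CXF/WSS4J code. The SOAP envelopes
below are constructed samples with placeholder values, not real captures."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"


def classify_signature_str(soap_xml: str) -> dict:
    """Return {'kind', 'uri', 'embedded'} for the SecurityTokenReference
    found under ds:Signature/ds:KeyInfo in the wsse:Security header."""
    root = ET.fromstring(soap_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    str_el = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if str_el is None:
        raise ValueError("signature KeyInfo carries no SecurityTokenReference")

    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:
        uri = ref.get("URI", "")
        # A direct reference is only useful if "#id" names a BinarySecurityToken
        # that really sits in this header; a dangling reference is flagged.
        bst_ids = {b.get(WSU_ID) for b in sec.findall("wsse:BinarySecurityToken", NS)}
        embedded = uri.startswith("#") and uri[1:] in bst_ids
        return {"kind": "DirectReference", "uri": uri, "embedded": embedded}
    if str_el.find("ds:X509Data/ds:X509IssuerSerial", NS) is not None:
        return {"kind": "IssuerSerial", "uri": None, "embedded": False}
    if str_el.find("wsse:KeyIdentifier", NS) is not None:
        return {"kind": "KeyIdentifier", "uri": None, "embedded": False}
    return {"kind": "unknown", "uri": None, "embedded": False}


_ENVELOPE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
  <soap:Header><wsse:Security>{security}</wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def _envelope(security: str) -> str:
    """Wrap a constructed Security header body in a minimal SOAP envelope."""
    return _ENVELOPE.format(security=security, **NS)


# Sample 1 (constructed): the IssuerSerial shape the original poster was getting.
ISSUER_SERIAL_RESPONSE = _envelope("""
  <ds:Signature>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference wsu:Id="STR-1">
        <ds:X509Data>
          <ds:X509IssuerSerial>
            <ds:X509IssuerName>CN=Example Issuer</ds:X509IssuerName>
            <ds:X509SerialNumber>1234</ds:X509SerialNumber>
          </ds:X509IssuerSerial>
        </ds:X509Data>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>""")

# Sample 2 (constructed): the shape IncludeToken/Always should produce, a
# BinarySecurityToken in the header plus a wsse:Reference to its wsu:Id.
DIRECT_REF_RESPONSE = _envelope("""
  <wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="%s"
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIB-placeholder-cert</wsse:BinarySecurityToken>
  <ds:Signature>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference wsu:Id="STR-2">
        <wsse:Reference URI="#X509-1" ValueType="%s"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>""" % (X509V3, X509V3))

# Sample 3 (constructed): same shape, but the token the reference names is absent.
DANGLING_REF_RESPONSE = DIRECT_REF_RESPONSE.replace('wsu:Id="X509-1"', 'wsu:Id="X509-9"')

if __name__ == "__main__":
    for name, msg in [("issuer/serial", ISSUER_SERIAL_RESPONSE),
                      ("direct reference", DIRECT_REF_RESPONSE),
                      ("dangling reference", DANGLING_REF_RESPONSE)]:
        print(name, classify_signature_str(msg))
```

Feed it a response captured from the endpoint (for example via the CXF logging feature) in place of the constructed samples; an IssuerSerial result means the policy change has not taken effect, and a direct reference that does not resolve means the token is referenced but was never included, which a receiver will reject.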
