In WSS4J 2.0, there is/will be an "Optional" signatureParts configuration that won't throw an exception if it doesn't encounter the Element to sign.
Colm.

On Wed, Nov 6, 2013 at 3:13 PM, Kai Rommel <[email protected]> wrote:

> Hi Colm,
> thanks for the information. I used WS-SecurityPolicy and I do not get the
> exception. I am wondering whether there will be a fix for WSS4J to align
> the behaviour, or is it recommended not to use WSS4JOutInterceptor but to
> use WS-SecurityPolicy in the future.
> Thanks.
> Best regards
> Kai
>
>
> 2013/10/25 Colm O hEigeartaigh <[email protected]>
>
>> Hi Kai,
>>
>> Rather than using CXF's WSS4JOutInterceptor, you need to use
>> WS-SecurityPolicy instead. When WSS4J is configured in this way, any
>> SignedParts Element will only be signed if they exist in the message.
>>
>> Colm.
>>
>>
>> On Fri, Oct 25, 2013 at 1:35 PM, Kai Rommel <[email protected]> wrote:
>>
>>> Hi,
>>> I am trying to consume a WebService which requires WSRM and that the
>>> SOAP headers are signed.
>>>
>>> So I listed in the configuration of the interceptor
>>> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor of the cxf endpoint
>>> the elements to sign:
>>> <entry key="signatureParts"
>>> value="{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}To;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}ReplyTo;
>>> ....
>>>
>>> Doing so leads to a successful CreateSequence message sent to the
>>> WS-Provider, which answers with a CreateSequenceResponse.
>>> But now the cxf WS-Consumer endpoint tries to sign the One-Way message.
>>> This message does not have the header "ReplyTo", and an exception is thrown
>>> in the class org.apache.ws.security.message.WSSecSignatureBase
>>>
>>> It is in line 159, where the elementsToSign are checked.
>>>
>>> In the specification
>>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826512
>>> the following is stated: "Note that this assertion does not require that a given part
>>> appear in a message, just that if such a part appears, it requires
>>> integrity protection."
>>>
>>> Is there a possibility to change the wss4j implementation so that only
>>> those elements of the SignedParts configuration are signed which are
>>> available in the message (and not to throw an exception for the elements
>>> which are not available)? Or am I wrong with my interpretation?
>>> If there is another possibility to configure it, please let me know.
>>>
>>> Best regards
>>> Kai
>>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>
>

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
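The two behaviours discussed in this thread, a required part that raises when absent versus an optional part that is simply skipped, modelled in Python as an added example (this is not WSS4J or CXF code; the `{Element}{namespace}LocalName;` configuration string is the one from Kai's mail, the SOAP envelope is constructed, and the separate `optional_parts` set is an assumption standing in for whatever marker WSS4J 2.0 uses):

```python
"""Model of signatureParts resolution: which configured parts get signed."""
import re
import xml.etree.ElementTree as ET

# One entry of the signatureParts string: {Element|Content}{namespace}LocalName
PART_RE = re.compile(r"^\{(Element|Content)?\}\{([^}]*)\}(\S+)$")

WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Configuration quoted in the thread (the trailing "...." entries omitted).
SIGNATURE_PARTS = f"{{Element}}{{{WSA}}}To;{{Element}}{{{WSA}}}ReplyTo;"

# Constructed one-way message: it carries wsa:To but, as in the thread, no wsa:ReplyTo.
ONE_WAY_MSG = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsa="{WSA}">
  <soap:Header>
    <wsa:To>http://example.invalid/service</wsa:To>
    <wsa:Action>urn:example:oneway</wsa:Action>
  </soap:Header>
  <soap:Body><Ping/></soap:Body>
</soap:Envelope>"""


class MissingPartError(Exception):
    """A required part is absent from the message (the exception Kai observed)."""


def parse_signature_parts(config):
    """Parse "{Element}{ns}Local;..." into (modifier, namespace, localname) tuples."""
    parts = []
    for token in filter(None, (t.strip() for t in config.split(";"))):
        m = PART_RE.match(token)
        if not m:
            raise ValueError(f"bad signatureParts entry: {token!r}")
        parts.append((m.group(1) or "Content", m.group(2), m.group(3)))
    return parts


def classify_parts(xml_text, config):
    """Split the configured parts into those present in the message and those absent."""
    root = ET.fromstring(xml_text)
    present, absent = [], []
    for _modifier, ns, local in parse_signature_parts(config):
        bucket = present if root.find(f".//{{{ns}}}{local}") is not None else absent
        bucket.append((ns, local))
    return present, absent


def parts_to_sign(xml_text, config, optional_parts=frozenset()):
    """Return the parts to sign; a missing part raises unless it is optional (assumed marker)."""
    present, absent = classify_parts(xml_text, config)
    missing_required = [p for p in absent if p not in optional_parts]
    if missing_required:
        raise MissingPartError(f"elements to sign not found: {missing_required}")
    return present
```

With the page's configuration, `parts_to_sign(ONE_WAY_MSG, SIGNATURE_PARTS)` raises on the absent `ReplyTo`, while passing `optional_parts={(WSA, "ReplyTo")}` signs only `To`, which is the behaviour the WS-SecurityPolicy text quoted above describes.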
