I'll try to answer this:

signatureParts is usually used at the client only and defines which parts of the message shall be signed. If nothing is specified WSS4J signs the Body only.

The server (the receiver) does not look at the signatureParts parameter (effectively it ignores it) but scans the whole message and verifies every signed part. To be true: this is the behaviour of the WSS4J Axis handler that uses the WSS4J core classes.

Regards,
Werner
________________________________
From: ext Denis Koelewijn [mailto:[EMAIL PROTECTED]
Sent: Monday, 21 May 2007 14:16
To: [email protected]
Subject: Does WSS4J verify that all required parts are signed?
Hi,

I've run into the problem that WSS4J doesn't seem to verify that all required fields are signed. I wonder if I'm doing something wrong, or is this the intended behaviour of WSS4J?

The webservice wsdd-file is configured with the following parameters:
<parameter name="action" value="Timestamp Signature"/>
<parameter name="signatureParts" value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body ; {}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp" />
The webservice accepts messages from a client configured in either of the following ways:

1) Sign both body and timestamp. This is what is expected to be correct.

<parameter name="action" value="Timestamp Signature"/>
<parameter name="signatureParts" value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body; {}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp" />

2) Sign only the body. I think this is wrong and the message should be rejected.

<parameter name="action" value="Timestamp Signature"/>
<parameter name="signatureParts" value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" />
In the logfiles I can confirm that indeed the signed parts are verified successfully, e.g.:

1) When the body and timestamp are signed:

2007-05-21 13:44:03,443 [http-8080-Processor25] INFO org.apache.xml.security.signature.Reference - Verification successful for URI "#id-8347989"
2007-05-21 13:44:03,443 [http-8080-Processor25] INFO org.apache.xml.security.signature.Reference - Verification successful for URI "#id-27316497"

2) When only the body is signed:

2007-05-21 13:45:15,668 [http-8080-Processor24] INFO org.apache.xml.security.signature.Reference - Verification successful for URI "#id-28218725"
Is this intentional, and am I to verify myself whether all required elements are signed? Or is there some API call that allows me to have WSS4J check this?

Regards, Denis
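Werner's answer above is that the receiving handler verifies whatever happens to be signed and does not compare the covered parts against the server-side signatureParts list, so the application has to make that comparison itself. The following is an added example (not code from this thread and not WSS4J's own API) of the missing check: it maps each ds:Reference in the verified Signature back to the element carrying the matching wsu:Id and reports any required part that is not covered. It assumes the signature value and digests have already been verified by WSS4J; the two envelopes, their wsu:Id values and the digest/signature contents are constructed placeholders.

```python
"""Check that every required SOAP part is covered by a ds:Reference of the
Signature.  Added example for the discussion above; it is not WSS4J code and
does not verify digests or the signature value (WSS4J already does that)."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# The same parts the server's wsdd lists under signatureParts, as (ns, local).
REQUIRED_PARTS = {(SOAP_NS, "Body"), (WSU_NS, "Timestamp")}


def _qname(tag):
    # ElementTree uses Clark notation "{ns}local"; unqualified tags have no "{".
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return (ns, local)
    return ("", tag)


def signed_parts(envelope_xml):
    """Return the set of (namespace, local-name) pairs of elements that are the
    target of a ds:Reference inside a ds:SignedInfo.  Only same-document
    references ("#wsu:Id") that resolve to an element count; a dangling URI
    is not treated as covering anything."""
    root = ET.fromstring(envelope_xml)
    wsu_id_attr = "{%s}Id" % WSU_NS
    by_id = {}
    for el in root.iter():
        wsu_id = el.get(wsu_id_attr)
        if wsu_id:
            by_id[wsu_id] = _qname(el.tag)
    covered = set()
    for signed_info in root.iter("{%s}SignedInfo" % DS_NS):
        for ref in signed_info.iter("{%s}Reference" % DS_NS):
            uri = ref.get("URI", "")
            if uri.startswith("#") and uri[1:] in by_id:
                covered.add(by_id[uri[1:]])
    return covered


def missing_required_parts(envelope_xml, required=REQUIRED_PARTS):
    """Parts that must be signed but are not referenced by the Signature.
    An empty result means the message may be accepted; anything else should
    make the application reject it even though the signature itself verified."""
    return set(required) - signed_parts(envelope_xml)


def _envelope(reference_ids):
    # Constructed sample envelope: wsu:Id values, digest and signature values
    # are placeholders, not real WSS4J output.
    refs = "".join(
        '<ds:Reference URI="#%s"><ds:DigestValue>placeholder</ds:DigestValue>'
        '</ds:Reference>' % rid for rid in reference_ids)
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:wsse="{WSSE_NS}"'
        f' xmlns:wsu="{WSU_NS}" xmlns:ds="{DS_NS}">'
        '<soapenv:Header><wsse:Security>'
        '<wsu:Timestamp wsu:Id="id-ts">'
        '<wsu:Created>2007-05-21T11:44:03Z</wsu:Created></wsu:Timestamp>'
        f'<ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo>'
        '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>'
        '</wsse:Security></soapenv:Header>'
        '<soapenv:Body wsu:Id="id-body"><echo>hi</echo></soapenv:Body>'
        '</soapenv:Envelope>'
    )


# Case 1 from the question: Body and Timestamp both referenced.
BOTH_SIGNED = _envelope(["id-body", "id-ts"])
# Case 2 from the question: only the Body referenced; the Timestamp is
# present but unsigned, so WSS4J alone reports a successful verification.
BODY_ONLY = _envelope(["id-body"])

if __name__ == "__main__":
    for name, env in (("both signed", BOTH_SIGNED), ("body only", BODY_ONLY)):
        missing = missing_required_parts(env)
        print(name, "->", "accept" if not missing else "reject, unsigned: %s"
              % sorted(local for _, local in missing))
```

Run the check after WSS4J's own verification and before any business logic; the required set should be derived from the same list the wsdd uses for signatureParts so the two cannot drift apart.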