[jira] Commented: (CXF-3041) AsymmetricBinding used only for response causes error

Wed, 06 Oct 2010 15:48:56 -0700 

    [ 
https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918720#action_12918720
 ] 

Dennis Sosnoski commented on CXF-3041:
--------------------------------------

I think Thilina's blog is based on his understanding of this feature for the 
Rampart implementation, so I can't see it as a very definitive reference. As 
far as the standard goes, I don't see anything in the AsymmetricBinding 
description which defines it as a purely two-way street. What in particular are 
you looking at with this?

WSSP does say that AsymmetricBinding can be used at either the endpoint or the 
operation level, and that the actual SignedParts or EncryptedParts can be used 
at the message level, so this does give a way of creating policies that apply 
signing or encryption to only certain messages. This would be difficult to make 
work in the fully general case - for instance, if you only wanted to encrypt 
the response from the server using the client's certificate, without that 
certificate being used in the request - but this case only requires that each 
side have access to it's own private key and the certificate of the other side.

Unfortunately, WSSP defines a structure for expressing what you want done 
without ever saying exactly what is or is not supposed to work. Personally, I 
think any standard of this type should be required to provide a fairly 
comprehensive set of examples to help resolve just this type of issue. FWIW, 
Metro is able to handle this case.

> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
>                 Key: CXF-3041
>                 URL: https://issues.apache.org/jira/browse/CXF-3041
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>            Reporter: Dennis Sosnoski
>         Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it 
> for the response message, the request message is sent with a signature and 
> the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
>       at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
>       at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
>       at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
>       at 
> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
>       at 
> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
>       at 
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using 
> message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl";
>     xmlns:wns="http://ws.sosnoski.com/library/wsdl";
>     xmlns:tns="http://ws.sosnoski.com/library/types";
>     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
>     xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/";>
>   
>   <!-- Policy for asymmetric binding with the certificate included in the 
> message from
>    client to server but only a thumbprint on messages from the server to the 
> client. -->
>   <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
>       
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>       xmlns:wsp="http://www.w3.org/ns/ws-policy";
>       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>     <sp:AsymmetricBinding>
>       <wsp:Policy>
>         <sp:InitiatorToken>
>           <wsp:Policy>
>             <sp:X509Token 
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
>               <wsp:Policy>
>                 <sp:RequireThumbprintReference/>
>               </wsp:Policy>
>             </sp:X509Token>
>           </wsp:Policy>
>         </sp:InitiatorToken>
>         <sp:RecipientToken>
>           <wsp:Policy>
>             <sp:X509Token 
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
>               <wsp:Policy>
>                 <sp:RequireThumbprintReference/>
>               </wsp:Policy>
>             </sp:X509Token>
>           </wsp:Policy>
>         </sp:RecipientToken>
>         <sp:AlgorithmSuite>
>           <wsp:Policy>
>             <sp:Basic128Rsa15/>
>           </wsp:Policy>
>         </sp:AlgorithmSuite>
>       </wsp:Policy>
>     </sp:AsymmetricBinding>
>   </wsp:Policy>
>   
>   <!-- Policy for signing the message body. -->
>   <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
>       
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>       xmlns:wsp="http://www.w3.org/ns/ws-policy";
>       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>     <sp:SignedParts>
>       <sp:Body/>
>     </sp:SignedParts>
>   </wsp:Policy>
>   
>   ...
>   <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
>     <wsdlsoap:binding style="document" 
> transport="http://schemas.xmlsoap.org/soap/http"/>
>     <wsdl:operation name="getBook">
>   
>       <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
> URI="#AsymmBinding"/>
>     
>       <wsdlsoap:operation soapAction="urn:getBook"/>
>       
>       <wsdl:input name="getBookRequest">
>         <wsdlsoap:body use="literal"/>
>       </wsdl:input>
>       
>       <wsdl:output name="getBookResponse">
>         <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
> URI="#SignBody"/>
>         <wsdlsoap:body use="literal"/>
>       </wsdl:output>
>       
>     </wsdl:operation>
>     ...
>   </wsdl:binding>
>   ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
>    <soap:Header>
>       <wsse:Security 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>  soap:mustUnderstand="1">
>          <wsse:BinarySecurityToken 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>  
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>  
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
>  
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
>  
> wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoDCCAgkCBEnhw2IwDQYJKoZIhvcNAQEFBQAwgZYxCzAJBgNVBAYTAk5aMRMwEQYDVQQIEwpXZWxsaW5ndG9uMRowGAYDVQQHExFQYXJhcGFyYXVtdSBCZWFjaDEqMCgGA1UEChMhU29zbm9za2kgU29mdHdhcmUgQXNzb2NpYXRlcyBMdGQuMRAwDgYDVQQLEwdVbmtub3duMRgwFgYDVQQDEw9EZW5uaXMgU29zbm9za2kwHhcNMDkwNDEyMTAzMzA2WhcNMzYwODI3MTAzMzA2WjCBljELMAkGA1UEBhMCTloxEzARBgNVBAgTCldlbGxpbmd0b24xGjAYBgNVBAcTEVBhcmFwYXJhdW11IEJlYWNoMSowKAYDVQQKEyFTb3Nub3NraSBTb2Z0d2FyZSBBc3NvY2lhdGVzIEx0ZC4xEDAOBgNVBAsTB1Vua25vd24xGDAWBgNVBAMTD0Rlbm5pcyBTb3Nub3NraTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAhOVyNK8xyxtb4DnKtU6mF9KoiFqCk7eKoLE26+9h410CtTkxzWAfgnR+8i+LPbdsPY+yXAo6NYpCCKolXfDLe+AG2GwnMZGrIl6+BLF3hqTmIXBFTLGUmC7A7uBTivaWgdH1w3hb33rASoVU67BVtQ3QQi99juZX4vU9o9pScocCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBMNPo1KAGbz8Jl6HGbtAcetieSJ3bEAXmv1tcjysBS67AXzdu1Ac+onHh2EpzBM7kuGbw+trU+AhulooPpewIQRApXP1F0KHRDcbqWjwvknS6HnomN9572giLGKn2601bHiRUj35hiA8aLmMUBppIRPFFAoQ0QUBCPx+m8/0n33w==</wsse:BinarySecurityToken>
>          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; 
> Id="Signature-1">
>             <ds:SignedInfo>
>                <ds:CanonicalizationMethod 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                <ds:SignatureMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>             </ds:SignedInfo>
>             
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
>             <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
>                <wsse:SecurityTokenReference 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>  
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>  wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
>                   <wsse:Reference 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>  URI="#CertId-797FFC48A8BEF2669712863570548321" 
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>                </wsse:SecurityTokenReference>
>             </ds:KeyInfo>
>          </ds:Signature>
>       </wsse:Security>
>    </soap:Header>
>    <soap:Body>
>       <getBook xmlns="http://ws.sosnoski.com/library/wsdl"; 
> xmlns:ns2="http://ws.sosnoski.com/library/types";>
>          <isbn>0061020052</isbn>
>       </getBook>
>    </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set 
> the home directory for you CXF installation, and build with Ant (default 
> target). This generates the .war, and you can then run the client with the 
> Ant target "run".

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to