[
https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918837#action_12918837
]
Glen Mazza commented on CXF-3041:
---------------------------------
Dennis, you keep using phrases like "I can see nothing .... that suggests
that...." to imply that there is something that states the opposite, i.e., what
you want. Look at your statements:
However, I can see nothing in the WS-SP standard that backs up this assumption
[that AB is a two-way street].
==> But there is equally nothing in the WS-SP standard that suggests it can be
a one-way street.
If the intent of the WS-SP writers was to make these values default to
"everything", I would have expected them to make some statement to that effect.
==> The statement above is just as valid with the word "nothing", i.e., what
you want. I.e., the above sentence is meaningless if you are trying to make an
argument in favor of what you want.
Even though the AsymmetricBinding is set at the operation level, nothing is
specified for signing or encrypting in the request message.
==> Nothing is specified for *not* signing or encrypting the request message
either.
These are for web services that can hold people's sensitive data, such as
credit card information, so it would appear to me that the most secure option
(sign & encrypt everything if nothing specified) should be the default to make
things idiot-proof, i.e., for newbie or novice or lazy developers just setting
up security without much attention to detail, everything will be handled
perfectly securely. Those like you who know what they are doing can go in and
reduce the amount of security, but it's dangerous to rely on newbies to
properly *add* in security.
When hotel room doors shut, they lock by default. They don't stay unlocked and
require the person staying there or leaving the room to manually lock the door.
It's the same principle.
"As for explicitly shutting off signing at the message level, AFAIK WS-SP does
not provide any way of doing this."
Maybe there's a reason for that--namely, that Assymmetric Binding is meant to
provide both encryption and integrity/non-repudiation, and signatures are a
vital part of the latter. Maybe the WS-SP writers wanted to make things
idiot-proof by disallowing it. I don't know. Maybe if I could get a fuller
use case of what you're trying to do I could understand the need for this
better.
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it
> for the response message, the request message is sent with a signature and
> the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at
> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at
> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using
> message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl";
> xmlns:wns="http://ws.sosnoski.com/library/wsdl";
> xmlns:tns="http://ws.sosnoski.com/library/types";
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/";>
>
> <!-- Policy for asymmetric binding with the certificate included in the
> message from
> client to server but only a thumbprint on messages from the server to the
> client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
>
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> xmlns:wsp="http://www.w3.org/ns/ws-policy";
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
>
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> xmlns:wsp="http://www.w3.org/ns/ws-policy";
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document"
> transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy";
> URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy";
> URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
> <soap:Header>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
> soap:mustUnderstand="1">
> <wsse:BinarySecurityToken
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
>
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
>
> wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
> Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
> URI="#CertId-797FFC48A8BEF2669712863570548321"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl";
> xmlns:ns2="http://ws.sosnoski.com/library/types";>
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set
> the home directory for you CXF installation, and build with Ant (default
> target). This generates the .war, and you can then run the client with the
> Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
