[
https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918881#action_12918881
]
Dennis Sosnoski commented on CXF-3041:
--------------------------------------
Glen, you're the one who's making all kind of bold statements about how this
all works, without any justification in the standard (instead drawing on blogs,
Wikipedia general articles on encryption, and... hotel room door analogies?).
If one-way encryption or signing is *not* intended to be supported by the
standard, why does the standard not make signing or encrypting the default
(which it does not, no matter how much you think it *should* do so)? And why
does the standard explicitly allow the SignedParts/EncryptedParts assertions to
be attached at the message level? This would make no sense if the intent was to
always apply signing and encryption in both directions.
As to the use case, there are many situations where only one direction of
information flow needs to be signed. For example, it makes sense to sign
responses from a government server providing official information, so that the
response can be saved and provided if proof of the response is needed later
(the equivalent of a certified document). It's a little more difficult to come
up with examples where encryption is only needed in one direction, but I'm sure
there are real situations of that type, too.
> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
> Key: CXF-3041
> URL: https://issues.apache.org/jira/browse/CXF-3041
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it
> for the response message, the request message is sent with a signature and
> the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
> at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> at
> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
> at
> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
> at
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using
> message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl";
> xmlns:wns="http://ws.sosnoski.com/library/wsdl";
> xmlns:tns="http://ws.sosnoski.com/library/types";
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/";>
>
> <!-- Policy for asymmetric binding with the certificate included in the
> message from
> client to server but only a thumbprint on messages from the server to the
> client. -->
> <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
>
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> xmlns:wsp="http://www.w3.org/ns/ws-policy";
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> </wsp:Policy>
>
> <!-- Policy for signing the message body. -->
> <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
>
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> xmlns:wsp="http://www.w3.org/ns/ws-policy";
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
> <sp:SignedParts>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:Policy>
>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsdlsoap:binding style="document"
> transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="getBook">
>
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy";
> URI="#AsymmBinding"/>
>
> <wsdlsoap:operation soapAction="urn:getBook"/>
>
> <wsdl:input name="getBookRequest">
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
>
> <wsdl:output name="getBookResponse">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy";
> URI="#SignBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
>
> </wsdl:operation>
> ...
> </wsdl:binding>
> ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
> <soap:Header>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
> soap:mustUnderstand="1">
> <wsse:BinarySecurityToken
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
>
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
>
> wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
> Id="Signature-1">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> </ds:SignedInfo>
>
> <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
> <wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
> <wsse:Reference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
> URI="#CertId-797FFC48A8BEF2669712863570548321"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <getBook xmlns="http://ws.sosnoski.com/library/wsdl";
> xmlns:ns2="http://ws.sosnoski.com/library/types";>
> <isbn>0061020052</isbn>
> </getBook>
> </soap:Body></soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set
> the home directory for you CXF installation, and build with Ant (default
> target). This generates the .war, and you can then run the client with the
> Ant target "run".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
