[ 
https://issues.apache.org/jira/browse/CXF-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918945#action_12918945
 ] 

Glen Mazza commented on CXF-3041:
---------------------------------

I think I can get a little bit more authoritative:

From here:
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826512

If you just specify /sp:SignedParts, with no child elements, body and certain 
headers *must* be signed. Quote: This assertion specifies the parts of the 
message that need integrity protection. If no child elements are specified, all 
message headers targeted at the UltimateReceiver role [SOAP12] or actor 
[SOAP11] and the body of the message MUST be integrity protected.

From here:
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826515

If you just specify /sp:EncryptedParts, body alone must be encrypted: This 
assertion specifies the parts of the message that need confidentiality 
protection. The single child element of this assertion specifies the set of 
message parts using an extensible dialect. If no child elements are specified, 
the body of the message MUST be confidentiality protected.

In other words, the spec folk have already defined the most idiot-proof 
defaults if you just use this:

<wsp:Policy>
<sp:SignedParts/>
<sp:EncryptedParts/>
</wsp:Policy>

I would submit that those should be the same defaults if you fail to attach a 
Policy at all to the message. However, I concede there's nothing in the spec to 
suggest that (or the contrary for that matter). As WS-SecPol 1.3 is still in 
development, perhaps you can make suggestions to them on providing an ability 
to clearly and unambiguously shut off encryption and/or signing for 
either the request or response. At the very least, to have them clearly specify 
what the default message level encryption/signature policy is if you don't 
attach a message policy reference to the message.

Your quote: For example, it makes sense to sign responses from a government 
server providing official information, so that the response can be saved and 
provided if proof of the response is needed later (the equivalent of a 
certified document).

Actually, that's not the point, I need to know why it is so important *not* to 
sign the request or encrypt in both directions, I understand you don't care 
about it being signed, but why MUST it not be signed? Performance is certainly 
an argument, but not enough in my view to trump idiot-proofing.

Incidentally, you can probably do what you want in CXF by *not* using Policy 
statements but just the traditional interceptors instead:
http://www.jroller.com/gmazza/entry/cxf_x509_profile

> AsymmetricBinding used only for response causes error
> -----------------------------------------------------
>
>                 Key: CXF-3041
>                 URL: https://issues.apache.org/jira/browse/CXF-3041
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>            Reporter: Dennis Sosnoski
>         Attachments: effective3.tgz
>
>
> When specifying AsymmetricBinding at the operation level but only using it 
> for the response message, the request message is sent with a signature and 
> the server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
> org.w3c.dom.DOMException: Cannot find Reference in Manifest
>       at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
>       at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
>       at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
>       at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
>       at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
>       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> Here's an edited version of the WSDL (intended to demonstrate using 
> message-level encryption only in one direction):
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
>     xmlns:wns="http://ws.sosnoski.com/library/wsdl"
>     xmlns:tns="http://ws.sosnoski.com/library/types"
>     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>     xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
>   
>   <!-- Policy for asymmetric binding with the certificate included in the message from
>    client to server but only a thumbprint on messages from the server to the client. -->
>   <wsp:Policy wsu:Id="AsymmBinding"
>       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>       xmlns:wsp="http://www.w3.org/ns/ws-policy"
>       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>     <sp:AsymmetricBinding>
>       <wsp:Policy>
>         <sp:InitiatorToken>
>           <wsp:Policy>
>             <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>               <wsp:Policy>
>                 <sp:RequireThumbprintReference/>
>               </wsp:Policy>
>             </sp:X509Token>
>           </wsp:Policy>
>         </sp:InitiatorToken>
>         <sp:RecipientToken>
>           <wsp:Policy>
>             <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>               <wsp:Policy>
>                 <sp:RequireThumbprintReference/>
>               </wsp:Policy>
>             </sp:X509Token>
>           </wsp:Policy>
>         </sp:RecipientToken>
>         <sp:AlgorithmSuite>
>           <wsp:Policy>
>             <sp:Basic128Rsa15/>
>           </wsp:Policy>
>         </sp:AlgorithmSuite>
>       </wsp:Policy>
>     </sp:AsymmetricBinding>
>   </wsp:Policy>
>   
>   <!-- Policy for signing the message body. -->
>   <wsp:Policy wsu:Id="SignBody"
>       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>       xmlns:wsp="http://www.w3.org/ns/ws-policy"
>       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>     <sp:SignedParts>
>       <sp:Body/>
>     </sp:SignedParts>
>   </wsp:Policy>
>   
>   ...
>   <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
>     <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
>     <wsdl:operation name="getBook">
>   
>       <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#AsymmBinding"/>
>     
>       <wsdlsoap:operation soapAction="urn:getBook"/>
>       
>       <wsdl:input name="getBookRequest">
>         <wsdlsoap:body use="literal"/>
>       </wsdl:input>
>       
>       <wsdl:output name="getBookResponse">
>         <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SignBody"/>
>         <wsdlsoap:body use="literal"/>
>       </wsdl:output>
>       
>     </wsdl:operation>
>     ...
>   </wsdl:binding>
>   ...
> </wsdl:definitions>
> Here's the actual request message:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>    <soap:Header>
>       <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>             soap:mustUnderstand="1">
>          <wsse:BinarySecurityToken
>                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>                wsu:Id="CertId-797FFC48A8BEF2669712863570548321">MIICoD....n33w==</wsse:BinarySecurityToken>
>          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
>             <ds:SignedInfo>
>                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>             </ds:SignedInfo>
>             <ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
>             <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
>                <wsse:SecurityTokenReference
>                      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>                      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                      wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
>                   <wsse:Reference
>                         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>                         URI="#CertId-797FFC48A8BEF2669712863570548321"
>                         ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>                </wsse:SecurityTokenReference>
>             </ds:KeyInfo>
>          </ds:Signature>
>       </wsse:Security>
>    </soap:Header>
>    <soap:Body>
>       <getBook xmlns="http://ws.sosnoski.com/library/wsdl" xmlns:ns2="http://ws.sosnoski.com/library/types">
>          <isbn>0061020052</isbn>
>       </getBook>
>    </soap:Body>
> </soap:Envelope>
> To use the attached .tgz, edit the build.properties cxf-home property to set 
> the home directory for your CXF installation, and build with Ant (default 
> target). This generates the .war, and you can then run the client with the 
> Ant target "run".

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
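The SignedParts/EncryptedParts defaults quoted in the comment, and the request in the report whose ds:SignedInfo lists no ds:Reference, as an added example that is not part of this issue, of CXF or of WSS4J: a small Python checker that derives the required parts from an sp:SignedParts/sp:EncryptedParts policy fragment (an empty assertion means Body plus all headers, or Body only) and then flags an envelope whose Signature references nothing, or leaves a required part unsigned or unencrypted. It uses only the standard library and checks structure, not signature values. The policy fragments and the two envelopes are constructed here (the "bug" envelope has the same shape as the posted request); skipping the wsse:Security header when checking "all headers" is a practical assumption, since that header carries the Signature itself.

```python
"""Check a WS-Security SOAP envelope against WS-SecurityPolicy 1.2
SignedParts / EncryptedParts requirements (the defaults quoted in CXF-3041).
Added example, not CXF or WSS4J code: structural checks only, no signature
value is verified and nothing is decrypted. The sample policies and
envelopes are constructed here; the namespaces are the real ones."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
}

def _q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def required_parts(policy_xml):
    """Return (signed, encrypted) sets of part names the policy requires.
    Spec defaults: empty sp:SignedParts = Body plus all headers; empty
    sp:EncryptedParts = Body only. Names: "Body", "Header:*" (all headers),
    "Header:{ns}local", or "Header:{ns}*" when sp:Header has no Name."""
    policy = ET.fromstring(policy_xml)
    out = []
    for tag, default in (("SignedParts", {"Body", "Header:*"}),
                         ("EncryptedParts", {"Body"})):
        parts = set()
        for assertion in policy.iter(_q("sp", tag)):
            children = list(assertion)
            if not children:          # no child elements: the spec default applies
                parts |= default
            for child in children:
                if child.tag == _q("sp", "Body"):
                    parts.add("Body")
                elif child.tag == _q("sp", "Header"):
                    parts.add("Header:{%s}%s" % (child.get("Namespace", ""),
                                                 child.get("Name", "*")))
        out.append(parts)
    return tuple(out)

def _header_required(tag, required):
    """True if a header with this Clark-notation tag must be signed."""
    ns = tag[1:tag.index("}")] if tag.startswith("{") else ""
    return ("Header:*" in required or "Header:" + tag in required
            or "Header:{%s}*" % ns in required)

def signature_references(envelope_xml):
    """URIs listed under ds:SignedInfo; empty when the Signature carries no
    ds:Reference, which is the shape of the failing request in the report."""
    env = ET.fromstring(envelope_xml)
    return [r.get("URI", "") for r in env.iter(_q("ds", "Reference"))]

def check_envelope(envelope_xml, signed_required, encrypted_required):
    """List policy violations for the envelope; an empty list means compliant."""
    env = ET.fromstring(envelope_xml)
    findings = []
    by_id = {el.get(_q("wsu", "Id")): el for el in env.iter() if el.get(_q("wsu", "Id"))}
    refs = signature_references(envelope_xml)
    if env.find(".//" + _q("ds", "Signature")) is not None and not refs:
        findings.append("Signature present but SignedInfo contains no ds:Reference")
    signed = {id(by_id[r[1:]]) for r in refs if r.startswith("#") and r[1:] in by_id}
    body = env.find(_q("soap", "Body"))
    header = env.find(_q("soap", "Header"))
    if "Body" in signed_required and body is not None and id(body) not in signed:
        findings.append("policy requires a signed Body but no Reference covers it")
    for h in ([] if header is None else list(header)):
        if h.tag == _q("wsse", "Security"):   # holds the Signature itself; skipped (assumption)
            continue
        if _header_required(h.tag, signed_required) and id(h) not in signed:
            findings.append("policy requires signed headers but %s is unsigned" % h.tag)
    if ("Body" in encrypted_required and body is not None
            and body.find(_q("xenc", "EncryptedData")) is None):
        findings.append("policy requires an encrypted Body but it is plaintext")
    return findings

# Constructed sample messages (not the report's bytes; same shape as the posted request).
_HEAD = ('<soap:Envelope xmlns:soap="%s"><soap:Header><wsse:Security xmlns:wsse="%s" '
         'xmlns:ds="%s" soap:mustUnderstand="1"><ds:Signature><ds:SignedInfo>'
         '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
         '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
         % (NS["soap"], NS["wsse"], NS["ds"]))
_TAIL = ('</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
         '</wsse:Security></soap:Header><soap:Body xmlns:wsu="%s" wsu:Id="Body-1">'
         '<getBook xmlns="http://ws.sosnoski.com/library/wsdl"><isbn>0061020052</isbn>'
         '</getBook></soap:Body></soap:Envelope>' % NS["wsu"])
BUG_REQUEST = _HEAD + _TAIL                       # Signature with no Reference at all
GOOD_REQUEST = _HEAD + ('<ds:Reference URI="#Body-1"><ds:DigestMethod '
                        'Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
                        '<ds:DigestValue>BBBB</ds:DigestValue></ds:Reference>') + _TAIL
_POL = '<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="%s">%s</wsp:Policy>'
DEFAULT_POLICY = _POL % (NS["sp"], "<sp:SignedParts/><sp:EncryptedParts/>")
BODY_ONLY_POLICY = _POL % (NS["sp"], "<sp:SignedParts><sp:Body/></sp:SignedParts>")

if __name__ == "__main__":
    for name, env in (("bug", BUG_REQUEST), ("good", GOOD_REQUEST)):
        for pol in (BODY_ONLY_POLICY, DEFAULT_POLICY):
            print(name, check_envelope(env, *required_parts(pol)))
```

Run against the "bug" envelope with the SignBody policy it reports two findings (a Signature with no Reference, and a Body nothing covers); the same envelope with a Reference to the Body passes that policy, and fails only the empty-EncryptedParts default because the Body is still plaintext. A checker like this does not replace verifying the signature value: it only tells you whether the message even claims to protect what the policy demands.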
