Hi Colm,

Thanks a lot for your answer:

Here is the header I received:

<soap:Header>
  <wsse:Security soap:mustUnderstand="1">
    <wsu:Timestamp wsu:Id="Timestamp-f390d953-b8c6-4163-b5b4-a98e30aab56c">
      <wsu:Created>2011-07-22T14:26:05Z</wsu:Created>
      <wsu:Expires>2011-07-22T14:31:05Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:UsernameToken wsu:Id="SecurityToken-9d28ee61-d01c-48c7-8e6e-8cd42bc8376e">
      <wsse:Username>xxx</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxx</wsse:Password>
      <wsse:Nonce>8PfBYBg1vo84GAlUVshpSA==</wsse:Nonce>
      <wsu:Created>2011-07-22T14:26:05Z</wsu:Created>
    </wsse:UsernameToken>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <ds:CanonicalizationMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
        <Reference URI="#Id-68a23867-f268-4e07-8df5-e5de2511ab11">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>8ldWcRrq+AinkfWayJEieHUTZ7E=</DigestValue>
        </Reference>
        <Reference URI="#Id-5b7ed34a-b987-4984-a231-82c19ce1f132">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>BPUCRJEi6qoe/3lS0qTG81VsYFc=</DigestValue>
        </Reference>
        <Reference URI="#Id-4e37fd76-bd14-4035-acdb-e38b98630761">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>RNJRrCK+5ewoyAN5onKm05siJ9o=</DigestValue>
        </Reference>
        <Reference URI="#Id-c248e36a-4e62-4ec2-971a-069b5eeb26a8">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>FMUsGZGuIKQDpi+WTngvhQml4qI=</DigestValue>
        </Reference>
        <Reference URI="#Timestamp-f390d953-b8c6-4163-b5b4-a98e30aab56c">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>PstX8mJwKMKhjyNojsHghW3myk4=</DigestValue>
        </Reference>
        <Reference URI="#Id-ebb3ef9a-9057-4ad8-b7ac-f790d2587b56">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>1ySbGzd5DD8gu340swQji66xGuc=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>PuY5HJCIC8ZoX+KtnJwqXdJIFMA=</SignatureValue>
      <KeyInfo>
        <wsse:SecurityTokenReference>
          <wsse:Reference URI="#SecurityToken-9d28ee61-d01c-48c7-8e6e-8cd42bc8376e" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"/>
        </wsse:SecurityTokenReference>
      </KeyInfo>
    </Signature>
  </wsse:Security>
</soap:Header>

And wss4j is trying to validate the Signature element.

But I would like to only take care of the UsernameToken element and skip the
Timestamp and Signature elements.

What I also don't understand is why wss4j takes care of the Signature element
which is not in the wsse:Security element.

Should the actor attribute be added by the client? What is the goal of this
attribute?

Again, thanks a lot for your answer :)


Colm O hEigeartaigh-2 wrote:
> 
> Hi Nicolas,
> 
> What are the invalid security header elements that you want to avoid
> processing? If the service only cares about the UsernameToken, the
> correct thing to do is to add an "actor" attribute to a security
> header that is only meant to be processed by the service provider, and
> only put the UsernameToken in this security header.
> 
> You can disable processors by the QName of the element they are meant
> to process via WSSConfig:
> 
> https://svn.apache.org/repos/asf/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/WSSConfig.java
> 
> Colm.
> 
> On Fri, Jul 22, 2011 at 10:25 PM, Nicolas B <[email protected]> wrote:
>>
>> Dear all,
>>
>> I'm trying to understand the default map of processors initialized in the
>> WSSConfig class of wss4j.
>>
>> As explained in this ticket
>> http://forum.springsource.org/showthread.php?112450-WSSecurityException-while-validating-WS-Security-headers
>> I'm trying to validate my incoming SOAP messages based on the
>> UsernameToken.
>>
>> So I want to only take care of this header element ;) When one of my clients
>> attacks my web service, he sends the right UsernameToken but also other
>> elements, and the WSSecurityEngine is trying to validate ALL the elements.
>>
>> How can I configure wss4j to only validate my UsernameToken and ignore the
>> others? Is this the right way? Is it up to my client to respect what the
>> server is waiting for?
>>
>> Thanks a lot in advance, and thanks for wss4j ;)
>>
>> Best Regards,
>> --
>> View this message in context:
>> http://old.nabble.com/WSSConfig-processors-tp32118532p32118532.html
>> Sent from the WSS4J mailing list archive at Nabble.com.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>>
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> http://coheigea.blogspot.com/
> Talend - http://www.talend.com
> 

-- 
View this message in context: 
http://old.nabble.com/WSSConfig-processors-tp32118532p32132801.html
Sent from the WSS4J mailing list archive at Nabble.com.
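Colm's suggestion in the quoted reply (turn off processors by the QName of the element they handle, via WSSConfig) written out as an added example; this is not code from the thread or from the WSS4J project. The setProcessor(QName, String) call with a null class name is an assumption about the 1.5.x API that should be checked against the linked WSSConfig.java, and the CallbackHandler that checks the PasswordText value is assumed to be supplied by the caller.

```java
import java.util.Vector;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityException;
import org.w3c.dom.Document;

public class UsernameTokenOnlyEngine {
    // Namespace URIs of the two elements to skip in the header above: the wsu prefix
    // (WS-Security Utility) and the default xmldsig namespace of <Signature>.
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final QName TIMESTAMP = new QName(WSU_NS, "Timestamp");
    static final QName SIGNATURE = new QName("http://www.w3.org/2000/09/xmldsig#", "Signature");

    /** Engine that skips Timestamp and Signature but still runs the UsernameToken processor. */
    static WSSecurityEngine buildEngine() {
        WSSConfig config = WSSConfig.getNewInstance();
        // ASSUMPTION (WSS4J 1.5.x): registering a null class name for a QName leaves the
        // engine with no processor for that element, so the element is logged as unknown
        // and skipped instead of being verified. Confirm against WSSConfig.setProcessor
        // in the version you run before relying on it.
        config.setProcessor(TIMESTAMP, (String) null);
        config.setProcessor(SIGNATURE, (String) null);
        WSSecurityEngine engine = new WSSecurityEngine();
        engine.setWssConfig(config);
        return engine;
    }

    /**
     * Caveat for the service owner: with Signature skipped, nothing binds the body to the
     * token any more, and with Timestamp skipped the Created/Expires window and the Nonce
     * give no replay protection. A PasswordText UsernameToken is then only as safe as the
     * transport (TLS) that carries it, so keep that requirement in the deployment.
     */
    static Vector process(Document soapEnvelope, CallbackHandler passwordCheck)
            throws WSSecurityException {
        // actor = null because the received header carries no actor attribute; if the
        // client follows Colm's advice and sets one, pass that value here instead.
        // Crypto = null because no certificate handling is needed once Signature is skipped.
        return buildEngine().processSecurityHeader(soapEnvelope, null, passwordCheck, null);
    }
}
```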

