Re: Signature only in policy for Username Token
Actually, sounds like a good safety mechanism. I'm not sure if CXF should allow itself to be configured in a way that you can send out unencrypted username tokens.

Glen

On 09/28/2011 10:45 AM, Daniel Kulp wrote:
> On Wednesday, September 28, 2011 10:41:10 AM Penmatsa, Vinay wrote:
> > Hi Colm,
> >
> > Thanks for the info. Yes, it wouldn't make sense to send it unencrypted, but I was wondering why when I use SignedSupportingTokens, the message is automatically encrypted too instead of only signed.
>
> Compatibility with MS and Weblogic and a few others. Despite it being only SignedSupportingTokens, they will refuse to accept Username tokens if the data is not encrypted. It can either be via encrypting the element or by using some sort of secure transport (like HTTPs).
>
> Dan
>
> > Regards,
> > Vinay
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Wednesday, September 28, 2011 4:24 AM
> > To: users@cxf.apache.org
> > Subject: Re: Signature only in policy for Username Token
> >
> > You can set the following jax-ws property ws-security.username-token.always.encrypted to false. See the ALWAYS_ENCRYPT_UT variable here:
> > http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup
> >
> > Why would you want to send an unencrypted UsernameToken across the wire? An eavesdropper could just harvest the username/password.
> >
> > Colm.
> >
> > On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay vinay.penma...@sap.com wrote:
> > > Hi,
> > >
> > > With the following policy definition, the header is sent encrypted. How can I get the client to only sign and not encrypt?
> > >
> > > <wsp:Policy wsu:Id="UsernameToken"
> > >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > >     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > >   <wsp:ExactlyOne>
> > >     <wsp:All>
> > >       <sp:AsymmetricBinding>
> > >         <wsp:Policy>
> > >           <sp:InitiatorToken>
> > >             <wsp:Policy>
> > >               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > >                 <wsp:Policy>
> > >                   <sp:WssX509V3Token10/>
> > >                 </wsp:Policy>
> > >               </sp:X509Token>
> > >             </wsp:Policy>
> > >           </sp:InitiatorToken>
> > >           <sp:RecipientToken>
> > >             <wsp:Policy>
> > >               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> > >                 <wsp:Policy>
> > >                   <sp:WssX509V3Token10/>
> > >                 </wsp:Policy>
> > >               </sp:X509Token>
> > >             </wsp:Policy>
> > >           </sp:RecipientToken>
> > >           <sp:Layout>
> > >             <wsp:Policy>
> > >               <sp:Lax/>
> > >             </wsp:Policy>
> > >           </sp:Layout>
> > >           <sp:AlgorithmSuite>
> > >             <wsp:Policy>
> > >               <sp:Basic128/>
> > >               <!-- To use the export grade encryption that comes bundled in the JDK,
> > >                    comment out the above Basic256 algorithm and uncomment the below Basic128. -->
> > >               <!-- <sp:Basic128/> -->
> > >             </wsp:Policy>
> > >           </sp:AlgorithmSuite>
> > >         </wsp:Policy>
> > >       </sp:AsymmetricBinding>
> > >       <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >         <wsp:Policy>
> > >           <sp:MustSupportRefKeyIdentifier/>
> > >         </wsp:Policy>
> > >       </sp:Wss10>
> > >       <sp:SignedSupportingTokens>
> > >         <wsp:Policy>
> > >           <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > >             <wsp:Policy>
> > >               <sp:WssUsernameToken10/>
> > >             </wsp:Policy>
> > >           </sp:UsernameToken>
> > >         </wsp:Policy>
> > >       </sp:SignedSupportingTokens>
> > >     </wsp:All>
> > >   </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > > Regards,
> > > Vinay

-- 
Glen Mazza
Talend - http://www.talend.com/products/tsf
Blog - http://www.jroller.com/gmazza
Twitter - glenmazza
Re: Signature only in policy for Username Token
You can set the following jax-ws property ws-security.username-token.always.encrypted to false. See the ALWAYS_ENCRYPT_UT variable here:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup

Why would you want to send an unencrypted UsernameToken across the wire? An eavesdropper could just harvest the username/password.

Colm.

On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay vinay.penma...@sap.com wrote:
> Hi,
>
> With the following policy definition, the header is sent encrypted. How can I get the client to only sign and not encrypt?
>
> [policy definition snipped; it is the one quoted in full in the first message above]
>
> Regards,
> Vinay

-- 
Colm O hEigeartaigh
http://coheigea.blogspot.com/
Talend - http://www.talend.com
RE: Signature only in policy for Username Token
Hi Colm,

Thanks for the info. Yes, it wouldn't make sense to send it unencrypted, but I was wondering why when I use SignedSupportingTokens, the message is automatically encrypted too instead of only signed.

Regards,
Vinay

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Wednesday, September 28, 2011 4:24 AM
> To: users@cxf.apache.org
> Subject: Re: Signature only in policy for Username Token
>
> You can set the following jax-ws property ws-security.username-token.always.encrypted to false. See the ALWAYS_ENCRYPT_UT variable here:
> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup
>
> Why would you want to send an unencrypted UsernameToken across the wire? An eavesdropper could just harvest the username/password.
>
> Colm.
>
> On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay vinay.penma...@sap.com wrote:
> > Hi,
> >
> > With the following policy definition, the header is sent encrypted. How can I get the client to only sign and not encrypt?
> >
> > [policy definition snipped; it is the one quoted in full in the first message above]
Re: Signature only in policy for Username Token
On Wednesday, September 28, 2011 10:41:10 AM Penmatsa, Vinay wrote:
> Hi Colm,
>
> Thanks for the info. Yes, it wouldn't make sense to send it unencrypted, but I was wondering why when I use SignedSupportingTokens, the message is automatically encrypted too instead of only signed.

Compatibility with MS and Weblogic and a few others. Despite it being only SignedSupportingTokens, they will refuse to accept Username tokens if the data is not encrypted. It can either be via encrypting the element or by using some sort of secure transport (like HTTPs).

Dan

> Regards,
> Vinay
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Wednesday, September 28, 2011 4:24 AM
> To: users@cxf.apache.org
> Subject: Re: Signature only in policy for Username Token
>
> You can set the following jax-ws property ws-security.username-token.always.encrypted to false. See the ALWAYS_ENCRYPT_UT variable here:
> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup
>
> Why would you want to send an unencrypted UsernameToken across the wire? An eavesdropper could just harvest the username/password.
>
> Colm.
>
> On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay vinay.penma...@sap.com wrote:
> > Hi,
> >
> > With the following policy definition, the header is sent encrypted. How can I get the client to only sign and not encrypt?
> >
> > [policy definition snipped; it is the one quoted in full in the first message above]
> >
> > Regards,
> > Vinay

-- 
Daniel Kulp
dk...@apache.org
http://dankulp.com
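As an added example (not code from the thread, nor CXF's own), here is a JAX-WS client that applies the ws-security.username-token.always.encrypted property Colm mentions, but only when the endpoint is reached over https, following Dan's point that a secure transport is the alternative to encrypting the element. The port, the signature properties file name and the key alias are assumptions.

```java
import java.net.URI;
import java.util.Map;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.ws.security.SecurityConstants;

/**
 * Added example, not from the thread or from CXF: keeps the UsernameToken
 * signed (SignedSupportingTokens under the AsymmetricBinding) but relaxes
 * CXF's default of also encrypting it, and does so only on an https endpoint.
 */
public final class SignedOnlyUsernameTokenClient {

    /** True when TLS protects the token's confidentiality on the wire. */
    static boolean transportProtectsToken(String endpointAddress) {
        return "https".equalsIgnoreCase(URI.create(endpointAddress).getScheme());
    }

    /**
     * @param port      JAX-WS proxy whose WSDL carries the UsernameToken policy (assumed)
     * @param address   service endpoint URL, e.g. https://... (assumed value)
     * @param passwords CallbackHandler that supplies the token password (assumed class)
     * @return true if the always-encrypt default was relaxed, false if it was kept
     */
    public static boolean configure(Object port, String address, String username,
                                    CallbackHandler passwords) {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, address);

        // Credentials for the UsernameToken and the key that signs it.
        ctx.put(SecurityConstants.USERNAME, username);
        ctx.put(SecurityConstants.CALLBACK_HANDLER, passwords);
        ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, "client-sign.properties"); // assumed file
        ctx.put(SecurityConstants.SIGNATURE_USERNAME, "clientkey");               // assumed alias

        // CXF encrypts the UsernameToken by default even under SignedSupportingTokens
        // (interop with stacks that reject plaintext tokens). Turn that off only when
        // TLS already hides the token; over plain http the default stays in place.
        if (transportProtectsToken(address)) {
            ctx.put(SecurityConstants.ALWAYS_ENCRYPT_UT, "false");
            return true;
        }
        return false;
    }
}
```

Over a plain http address the method leaves ALWAYS_ENCRYPT_UT at its default, so the token is still encrypted and Colm's eavesdropping concern does not arise.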