Re: Signature only in policy for Username Token
Actually, sounds like a good safety mechanism. I'm not sure if CXF should allow itself to be configured in a way that you can send out unencrypted username tokens.

Glen

On 09/28/2011 10:45 AM, Daniel Kulp wrote:
> On Wednesday, September 28, 2011 10:41:10 AM Penmatsa, Vinay wrote:
> > Hi Colm,
> > Thanks for the info. Yes, it wouldn't make sense to send it unencrypted, but I was wondering why when I use "SignedSupportingTokens", the message is automatically encrypted too instead of only signed.
>
> Compatibility with MS and Weblogic and a few others. Despite it being only "SignedSupportingTokens", they will refuse to accept Username tokens if the data is not encrypted. It can either be via encrypting the element or by using some sort of secure transport (like HTTPS).
>
> Dan
>
> > Regards,
> > Vinay
> >
> > -Original Message-
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Wednesday, September 28, 2011 4:24 AM
> > To: users@cxf.apache.org
> > Subject: Re: Signature only in policy for Username Token
> >
> > You can set the following jax-ws property "ws-security.username-token.always.encrypted" to "false". See the "ALWAYS_ENCRYPT_UT" variable here:
> >
> > http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup
> >
> > Why would you want to send an unencrypted UsernameToken across the wire? An eavesdropper could just harvest the username/password.
> >
> > Colm.
> >
> > On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay wrote:
> > > Hi,
> > > With the following policy definition, the header is sent encrypted. How can I get the client to only sign and not encrypt?
> > >
> > > --
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > > sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > > sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> > > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > > ---
> > >
> > > Regards,
> > > Vinay

--
Glen Mazza
Talend - http://www.talend.com/products/tsf
Blog - http://www.jroller.com/gmazza
Twitter - glenmazza
Re: Signature only in policy for Username Token
On Wednesday, September 28, 2011 10:41:10 AM Penmatsa, Vinay wrote:
> Hi Colm,
> Thanks for the info. Yes, it wouldn't make sense to send it unencrypted, but
> I was wondering why when I use "SignedSupportingTokens", the message is
> automatically encrypted too instead of only signed.

Compatibility with MS and Weblogic and a few others. Despite it being only "SignedSupportingTokens", they will refuse to accept Username tokens if the data is not encrypted. It can either be via encrypting the element or by using some sort of secure transport (like HTTPS).

Dan

> Regards,
> Vinay
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Wednesday, September 28, 2011 4:24 AM
> To: users@cxf.apache.org
> Subject: Re: Signature only in policy for Username Token
>
> You can set the following jax-ws property
> "ws-security.username-token.always.encrypted" to "false". See the
> "ALWAYS_ENCRYPT_UT" variable here:
>
> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup
>
> Why would you want to send an unencrypted UsernameToken across the
> wire? An eavesdropper could just harvest the username/password.
>
> Colm.
>
> On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay wrote:
> > Hi,
> > With the following policy definition, the header is sent encrypted. How
> > can I get the client to only sign and not encrypt?
> >
> > --
> > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > ---
> >
> > Regards,
> > Vinay

--
Daniel Kulp
dk...@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com
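The acceptance rule described in the reply above (a UsernameToken is tolerated only when the element is encrypted or the transport is secure), written as a check over an outgoing SOAP message. This is an added example, not part of the thread and not CXF code; the function name, result labels and sample envelopes are constructed for illustration, and it assumes an encrypted token appears as xenc:EncryptedData inside the wsse:Security header.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"


def username_token_exposure(soap_xml, endpoint_url):
    """Classify how a UsernameToken in a SOAP request is protected on the wire.

    Hypothetical helper; returns 'exposed', 'transport-only',
    'encrypted-element' or 'no-token'.
    """
    security = ET.fromstring(soap_xml).find(f".//{{{WSSE}}}Security")
    if security is None:
        return "no-token"
    if security.find(f".//{{{WSSE}}}UsernameToken") is None:
        # Assumption: an encrypted token is replaced in the header by
        # xenc:EncryptedData, so only the ciphertext wrapper is visible.
        encrypted = security.find(f".//{{{XENC}}}EncryptedData") is not None
        return "encrypted-element" if encrypted else "no-token"
    # The token is readable in the message; only the transport can protect it.
    if urlparse(endpoint_url).scheme.lower() == "https":
        return "transport-only"
    return "exposed"


def envelope(security_children):
    """Build a constructed SOAP 1.1 envelope around the given header content."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">'
        f"<soap:Header><wsse:Security>{security_children}</wsse:Security></soap:Header>"
        "<soap:Body/></soap:Envelope>"
    )


# Constructed sample messages, not captured traffic.
CLEARTEXT_UT = envelope(
    "<wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
    "<wsse:Password>example-only</wsse:Password></wsse:UsernameToken>"
)
ENCRYPTED_UT = envelope(
    "<xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>AAAA"
    "</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>"
)

if __name__ == "__main__":
    for name, msg in (("cleartext", CLEARTEXT_UT), ("encrypted", ENCRYPTED_UT)):
        for url in ("http://svc.example/ws", "https://svc.example/ws"):
            print(name, url, "->", username_token_exposure(msg, url))
```

Run against messages logged on a client with "ws-security.username-token.always.encrypted" set to "false", an `exposed` result marks the configuration the thread warns about.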
RE: Signature only in policy for Username Token
Hi Colm,
Thanks for the info. Yes, it wouldn't make sense to send it unencrypted, but I was wondering why when I use "SignedSupportingTokens", the message is automatically encrypted too instead of only signed.

Regards,
Vinay

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, September 28, 2011 4:24 AM
To: users@cxf.apache.org
Subject: Re: Signature only in policy for Username Token

You can set the following jax-ws property "ws-security.username-token.always.encrypted" to "false". See the "ALWAYS_ENCRYPT_UT" variable here:

http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup

Why would you want to send an unencrypted UsernameToken across the wire? An eavesdropper could just harvest the username/password.

Colm.

On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay wrote:
> Hi,
> With the following policy definition, the header is sent encrypted. How can I
> get the client to only sign and not encrypt?
>
> --
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> ---
>
> Regards,
> Vinay

--
Colm O hEigeartaigh
http://coheigea.blogspot.com/
Talend - http://www.talend.com
Re: Signature only in policy for Username Token
You can set the following jax-ws property "ws-security.username-token.always.encrypted" to "false". See the "ALWAYS_ENCRYPT_UT" variable here:

http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup

Why would you want to send an unencrypted UsernameToken across the wire? An eavesdropper could just harvest the username/password.

Colm.

On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay wrote:
> Hi,
> With the following policy definition, the header is sent encrypted. How can I
> get the client to only sign and not encrypt?
>
> --
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> ---
>
> Regards,
> Vinay

--
Colm O hEigeartaigh
http://coheigea.blogspot.com/
Talend - http://www.talend.com
Signature only in policy for Username Token
Hi,
With the following policy definition, the header is sent encrypted. How can I get the client to only sign and not encrypt?

--
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
---

Regards,
Vinay