Hi Colm,

thanks for the hint.

Best regards,
Kai

2017-12-23 11:03 GMT+01:00 Colm O hEigeartaigh <cohei...@apache.org>:

> If you have a security binding with an "IncludeTimestamp" policy then the
> spec says:
>
> "This boolean property specifies whether a wsu:Timestamp element is present
> in the wsse:Security header. If the value is 'true', the timestamp element
> MUST be present and MUST be integrity protected either by transport or
> message level security. If the value is 'false', the timestamp element MUST
> NOT be present. The default value for this property is 'false'."
>
> So the Timestamp must be signed if it is present in the request.
>
> Colm.
>
> On Fri, Dec 22, 2017 at 7:51 PM, Kai Rommel <krommel2...@googlemail.com>
> wrote:
>
> > Hi,
> >
> > I tested different policies and was wondering about the result.
> >
> > When I add
> > <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >   <sp:Body />
> > </sp:SignedParts>
> > integrity protection information is added for the SOAP Header Timestamp
> > and the SOAP Body.
> >
> > This looks good. According to the spec
> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html
> > the Timestamp is signed:
> > "The SignedParts assertion is used to specify the parts of the message
> > outside of security headers that require integrity protection."
> >
> > So my WS-Consumer expects the integrity protection information in the
> > response message.
> >
> > The issue is that the WS-Provider accepts my request message but creates
> > a response where this information is missing. I am getting the following
> > error:
> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding:
> > Received Timestamp does not match the requirements
> >
> > As security headers require integrity protection, the error is fine, as
> > the response is not valid.
> >
> > So I checked the spec again and there is the possibility to use the
> > SignedElements assertion:
> > "The SignedElements assertion is used to specify arbitrary elements in
> > the message that require integrity protection."
> >
> > I changed my policies to:
> > <sp:SignedElements xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >   <sp:XPath>/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Body']</sp:XPath>
> > </sp:SignedElements>
> >
> > And still the integrity protection is added for the timestamp. Have I
> > overlooked something? I would like to accept a response message with a
> > timestamp but without integrity protection information for the timestamp.
> >
> > I wish you a Merry Christmas :)
> >
> > Kai
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
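The rule Colm quotes (with IncludeTimestamp set, a wsu:Timestamp must be present and covered by the signature; without it, the element must be absent) expressed as a structural check on a SOAP response. This is an added example, not part of the thread and not CXF or WSS4J code. It assumes an AsymmetricBinding with message-level signing, as in Kai's setup, so "integrity protected" is taken to mean "the Timestamp's wsu:Id is referenced from ds:SignedInfo"; transport-level protection, the digests and the signature value are not verified here. The SOAP envelopes it runs on are constructed inline.

```python
"""Does a SOAP 1.1 response satisfy the IncludeTimestamp policy property?

Added example. Checks only whether the wsu:Timestamp in the wsse:Security
header is referenced by a ds:Reference of a ds:Signature in that header; it
does not validate digests or the signature value (WSS4J does that).
"""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS}


def signed_ids(security):
    """Local Ids ("#id" URIs) referenced by every signature in the header."""
    ids = set()
    for ref in security.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def check_timestamp(envelope_xml, include_timestamp):
    """Return (ok, reason) for the IncludeTimestamp property.

    include_timestamp=True : Timestamp must be present and signed.
    include_timestamp=False: Timestamp must not be present.
    Note: xml.etree is fine for this constructed input; for untrusted SOAP
    use a hardened parser (e.g. defusedxml).
    """
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    ts = security.find("wsu:Timestamp", NS) if security is not None else None
    if ts is None:
        # Absent is correct only when the policy says 'false'.
        return (not include_timestamp, "absent")
    if not include_timestamp:
        return (False, "present-but-forbidden")
    ts_id = ts.get("{%s}Id" % WSU)
    if ts_id and ts_id in signed_ids(security):
        return (True, "signed")
    # Present but not covered by any ds:Reference: the case in the thread,
    # which CXF reports as "Received Timestamp does not match the requirements".
    return (False, "unsigned")


def sample_envelope(with_timestamp=True, sign_timestamp=True):
    """Constructed SOAP response (not a real capture); digests are placeholders."""
    ts = ""
    ts_ref = ""
    if with_timestamp:
        ts = ('<wsu:Timestamp wsu:Id="TS-1">'
              '<wsu:Created>2017-12-22T18:51:00Z</wsu:Created>'
              '<wsu:Expires>2017-12-22T18:56:00Z</wsu:Expires></wsu:Timestamp>')
        if sign_timestamp:
            ts_ref = ('<ds:Reference URI="#TS-1">'
                      '<ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>')
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}"
               xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <soap:Header>
    <wsse:Security>
      {ts}
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#Body-1">
            <ds:DigestValue>placeholder</ds:DigestValue>
          </ds:Reference>
          {ts_ref}
        </ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body-1"><r:reply xmlns:r="urn:example">ok</r:reply></soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    # The provider response from the thread: Body signed, Timestamp not.
    print(check_timestamp(sample_envelope(sign_timestamp=False), True))
```

The "present but unsigned" outcome is exactly what Kai wanted to accept; under an IncludeTimestamp policy there is no setting for it, because 'true' requires the signature and 'false' forbids the element. A signature that covers only the Body (the SignedElements XPath in the thread) still leaves the Timestamp unprotected, so the check above, like CXF, rejects it.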
