Actually, sounds like a good safety mechanism. I'm not sure if CXF should allow itself to be configured in a way that you can send out unencrypted username tokens.

Glen

On 09/28/2011 10:45 AM, Daniel Kulp wrote:
On Wednesday, September 28, 2011 10:41:10 AM Penmatsa, Vinay wrote:
Hi Colm,
Thanks for the info. Yes, it wouldn't make sense to send it unencrypted, but
I was wondering why when I use "SignedSupportingTokens", the message is
automatically encrypted too instead of only signed.

Compatibility with MS and Weblogic and a few others. Despite it being only
"SignedSupportingTokens", they will refuse to accept Username tokens if the
data is not encrypted. It can either be via encrypting the element or by
using some sort of secure transport (like HTTPS).

Dan



Regards,
Vinay


-----Original Message-----
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, September 28, 2011 4:24 AM
To: users@cxf.apache.org
Subject: Re: Signature only in policy for Username Token

You can set the following jax-ws property
"ws-security.username-token.always.encrypted" to "false". See the
"ALWAYS_ENCRYPT_UT" variable here:

http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup

Why would you want to send an unencrypted UsernameToken across the
wire? An eavesdropper could just harvest the username/password.

Colm.

On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay <vinay.penma...@sap.com> wrote:
Hi,
With the following policy definition, the header is sent encrypted. How
can I get the client to only sign and not encrypt?

------
<wsp:Policy wsu:Id="UsernameToken"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax />
            </wsp:Policy>
          </sp:Layout>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128 />
              <!-- To use the export grade encryption that comes bundled in the JDK, comment out the above Basic256 algorithm and uncomment the below Basic128. -->
              <!--<sp:Basic128 /> -->
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
        </wsp:Policy>
      </sp:Wss10>
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken10/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
---


Regards,
Vinay


--
Glen Mazza
Talend - http://www.talend.com/products/tsf
Blog - http://www.jroller.com/gmazza
Twitter - glenmazza
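
Added example (not part of the original thread and not CXF code): a Python check for the point made in the replies above, that a UsernameToken has to be protected either by encrypting the element or by a secure transport such as HTTPS. The function names, verdict strings and trimmed sample policies are constructed for illustration, and the check does not evaluate sp:EncryptedParts or sp:EncryptedElements.

```python
import xml.etree.ElementTree as ET

# Namespaces taken from the policy quoted in the thread.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_username_tokens(policy_xml):
    """Return (assertion, verdict) for each *SupportingTokens holding a UsernameToken."""
    root = ET.fromstring(policy_xml)
    # Transport protection: a TransportBinding that names an HttpsToken.
    https = any(local(b.tag) == "TransportBinding"
                and any(local(e.tag) == "HttpsToken" for e in b.iter())
                for b in root.iter())
    findings = []
    for el in root.iter():
        name = local(el.tag)
        if not name.endswith("SupportingTokens"):
            continue
        if not any(local(d.tag) == "UsernameToken" for d in el.iter()):
            continue
        if "Encrypted" in name:      # e.g. SignedEncryptedSupportingTokens
            verdict = "encrypted-by-policy"
        elif https:
            verdict = "protected-by-transport"
        else:
            # Nothing in the policy asks for confidentiality; only the stack's
            # own default (ws-security.username-token.always.encrypted in the
            # thread) stands between the password and the wire.
            verdict = "relies-on-stack-default"
        findings.append((name, verdict))
    return findings

def make_policy(binding, container):
    """Constructed, trimmed policy in the shape of the one in the thread."""
    return (f'<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}"><wsp:ExactlyOne><wsp:All>'
            f'{binding}<sp:{container}><wsp:Policy><sp:UsernameToken><wsp:Policy>'
            f'<sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken></wsp:Policy>'
            f'</sp:{container}></wsp:All></wsp:ExactlyOne></wsp:Policy>')

ASYMMETRIC = "<sp:AsymmetricBinding><wsp:Policy/></sp:AsymmetricBinding>"
TRANSPORT = ("<sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>"
             "<sp:HttpsToken/></wsp:Policy></sp:TransportToken></wsp:Policy>"
             "</sp:TransportBinding>")

if __name__ == "__main__":
    print(audit_username_tokens(make_policy(ASYMMETRIC, "SignedSupportingTokens")))
```

A policy shaped like the one in the thread comes back as relies-on-stack-default, which is the case where turning the always-encrypt property off would put the credentials on the wire in the clear.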
