Could you paste the entire SOAP header of the response?

Colm.

On Fri, Oct 14, 2011 at 3:39 PM, Blue Diamond <gvnan...@gmail.com> wrote:
> Hi Colm,
>
> I am pretty sure the header is added on the server side & is present on the
> client side in encrypted format.
> I have the SOAP message with & without the security policy entry
> <EncryptedElements> (NO OTHER CHANGES) and I have the response coming in
> with the added header.
>
>
> Moreover, when I add the n'th header in <EncryptedElements>, I can see the
> n'th header on the client side as below:
>
> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="EncDataId-10" Type="http://www.w3.org/2001/04/xmlenc#Element">
> <xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <wsse:Reference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> URI="#EncKeyId-2C6F5CD6CE83923749131858956408810" />
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> <xenc:CipherData>
> <xenc:CipherValue>Cw6GA+HKv8qpO0v1mDN5Odrx1PkxqcPns52g3kubMcdok4X0HU3ZSaqXEMPgCWLU9ESHKIdYlKau
> PqinZrFVObIg3B/n4TaA0oEcN4SwstFYo42P75gBRJc/1qmVpWyFGWIRUHRbZOZvE/YwGeOV1lLL
> gUUx6JgCbB9u4UdSshgEFMiWV3XL4XEsgE7dNqpwHSBxontib2PJaQuZsOosHmtf9L4uT/F4dybO
> FqZt50GuWxGz1Tb177yXAgfX0nqgMiNldkHO1l/NppFQU31RvaPc/ZGDpw5Xv0kv/CTIr5tiJY6F
> EaNXzcOUdXKr8Nv1/PwQQfoRQiWepjZHH8mBSqp3rTX7A4GSEQSvcYVHuMZrszqXA+HA/gfp5+KV
> dHxGsw9Y2yiwQNXAGT+PHtlQYFJAtu9v3W8CxgOVrWF2m+eQdFXMg1onfsgZW2O/Pv7Z8zsbnvdW
> KWSDIg73r+Du1k8yCFr4Jw1oH2p8e8WJYeeYxPhuZe/Jcj4N1gsk2EyxjApNhQpSfw4YtcgVAcHx
> Bf0JgLNm9Vxa6VPcQKu/LUcoNiX0sN4EzX8hqe8ySztjlC71X4bDrok73Muhz7CCngl2jV7gX/JF
> HQ0/KF+wzBZHAyPSMY6CadSqloE+Jm88s4yUB52v3qeDXP7psO2BjzOrd1jtaeLIYJB8AWeqP6JO
> 4gsHm7Crk4Pg9dNzxv5YgAYRxOuj2V7yFysR7M0NhDiGEngM+BnwFot6BWOg8w/byAgn85kIejY+
> LRVxeiw9bLHpzHobQtnXhe293m/g3Hj8rJKAnIMZ5+w8QNFPyvWxl42IJToRvYf5kHZKfR2Nd7mr
> IRB0cuuVgx2Aej6zqBWa5HgUgEmSo5XD519X9qaksYQg4QQn79d+S1zEznF4p/tR8pWuoY/N/NlG
> 33URYJ8p8+D8uKe9hCGTJfgb5SNolI5ENQKRx9BFzIX6rIZq5IvxDd1mtf/nfy2i4BWznibLlp+Y
> 3nRN848MbmkUCLktK+J/5QrFep7DxWlhmF+i6c4fC1SCVAScK8oTXsfSzpKaSuV2FgxwiO7FwO+c
> ZYGuccSY1S2KRcETEPkFbtm0hiKaNJWXKr/3BODR1Zxajzl/qbh/X3Jd
> </xenc:CipherValue>
> </xenc:CipherData>
> </xenc:EncryptedData>
>
>
> So, that confirms that the WS-Security layer has not processed the header on
> the client side based on the policy.
>
> Thanks & Regards,
> Anil
>
>
> On Fri, Oct 14, 2011 at 7:10 PM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
>
>> Hi Anil,
>>
>> Could you paste the SOAP response to the client? Maybe the returned
>> encrypted token is not in the security header or something?
>>
>> Colm.
>>
>> On Fri, Oct 14, 2011 at 1:46 PM, Blue Diamond <gvnan...@gmail.com> wrote:
>> > Hi,
>> >
>> > We are using CXF 2.3.x, and we have our WS-SecurityPolicy that has
>> > something like:
>> >
>> > <sp:EncryptedParts>
>> > <sp:Body />
>> > </sp:EncryptedParts>
>> > <sp:EncryptedElements>
>> > <sp:XPath>/wsse:Security/wsse:SecurityContextToken</sp:XPath>
>> > </sp:EncryptedElements>
>> >
>> >
>> > The requirement is that we have our custom security token in the header
>> > that needs to be encrypted.
>> >
>> > What happens is that the EncryptedElements section is taken care of in
>> > SOAP requests, i.e., the client side encrypts & the server side decrypts.
>> > All is well. But in the response, the element is encrypted on the server
>> > side but on the client side it is not decrypted. So the client doesn't see
>> > the token in the response header but rather sees a <xenc:CipherData> header.
>> >
>> > This looks like a bug to me (could be in WSS4J).
>> >
>> > Is anyone aware of this issue?
>> > Do we have a fix?
>> > Is there some property (config) that can make the client side WS-Security
>> > layer do the decryption part? Or is the only hope the later versions of
>> > CXF?
>> >
>> > Thanks & Regards,
>> > Anil
>> >
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> http://coheigea.blogspot.com/
>> Talend - http://www.talend.com/apache
>>
>



-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com/apache
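
Added example, not part of the original thread and not CXF or WSS4J code: a small Python diagnostic for the question asked above, reporting where each `xenc:EncryptedData` in a response header sits and whether an `xenc:EncryptedKey` in the message references it. The helper name `locate_encrypted_data`, the SOAP 1.1 envelope namespace and the sample response are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",  # assumption: SOAP 1.1
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ENC_DATA, ENC_KEY, DATA_REF = ("{%s}%s" % (NS["xenc"], n)
                               for n in ("EncryptedData", "EncryptedKey", "DataReference"))

def locate_encrypted_data(envelope_xml):
    """Describe every xenc:EncryptedData still present in the SOAP header."""
    header = ET.fromstring(envelope_xml).find("soap:Header", NS)
    if header is None:
        return []
    security = header.find("wsse:Security", NS)
    in_security = {id(e) for e in security.iter(ENC_DATA)} if security is not None else set()
    key_ids = {k.get("Id") for k in header.iter(ENC_KEY)}
    # Ids that some xenc:ReferenceList/xenc:DataReference points at
    referenced = {r.get("URI", "").lstrip("#") for r in header.iter(DATA_REF)}
    report = []
    for ed in header.iter(ENC_DATA):
        ref = ed.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        key_uri = ref.get("URI", "").lstrip("#") if ref is not None else None
        report.append({"id": ed.get("Id"),
                       "in_security_header": id(ed) in in_security,
                       "in_reference_list": ed.get("Id") in referenced,
                       "key_in_message": key_uri in key_ids})
    return report

# Constructed sample response (placeholder ids and cipher text), not taken from the thread.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}"
 xmlns:xenc="{xenc}" xmlns:ds="{ds}"><soap:Header>
<wsse:Security>
 <xenc:EncryptedKey Id="EncKeyId-A"><xenc:ReferenceList>
  <xenc:DataReference URI="#EncDataId-1"/></xenc:ReferenceList></xenc:EncryptedKey>
 <xenc:EncryptedData Id="EncDataId-1"><ds:KeyInfo><wsse:SecurityTokenReference>
  <wsse:Reference URI="#EncKeyId-A"/></wsse:SecurityTokenReference></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData>
</wsse:Security>
<xenc:EncryptedData Id="EncDataId-2"><ds:KeyInfo><wsse:SecurityTokenReference>
 <wsse:Reference URI="#EncKeyId-A"/></wsse:SecurityTokenReference></ds:KeyInfo>
 <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>
</soap:Header><soap:Body/></soap:Envelope>""".format(**NS)

if __name__ == "__main__":
    print(locate_encrypted_data(SAMPLE))
```

Run against a captured response, an entry with `in_security_header` or `in_reference_list` set to false is the detail to include when posting the full SOAP header to the list.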
