"If you want to sign the SOAP Body, you'll have to add it to the
SignatureParts list..."

   Agreed. But even without signing it works, though the server policy indicates
signing is required. I was thinking body part signing would be expected by the
server using X.509 under the <EndorsedSupportingToken> section.

"you are using TLS and this fulfills the message signing requirements.."

    Not following here. I removed the <sp:OnlySignEntireHeadersAndBody />
section under the TLS security binding and retained
<DoubleItBinding_DoubleIt_Input_Policy> body part signing in my policy, but
did not sign the body part (it only signs the timestamp). I expect the server to
complain since I did not sign the body using the client's X.509, and it does not.

   

>>>>>>>>>

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Header>
      <wsse:Security soap:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-D94D656F6D5F405EE113291420330101">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</wsse:BinarySecurityToken>
         <ds:Signature Id="SIG-3"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces PrefixList="soap"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               </ds:CanonicalizationMethod>
               <ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <ds:Reference URI="#TS-1">
                  <ds:Transforms>
                     <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="wsse soap"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                 
<ds:DigestValue>SZ8HTfYh3Yk313LSnRWLJtNid9A=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
           
<ds:SignatureValue>Vt47N03YwHW5MNJUmNc42kbsePRr9+WTL3Y9awMQhxofa/TTy6LK8GZ5vHxl+Jlm+i9MA67/tQPwfgGMLQifDRRwTk/OqCsNVkPrYHSHeNPKrgIdgxWY4hW6rNx+IXMXDsrNta2orKp4Vqnc/TozIpYRNwfT4LG/UmYmmuNnhiw=</ds:SignatureValue>
            <ds:KeyInfo Id="KI-D94D656F6D5F405EE113291420330102">
               <wsse:SecurityTokenReference
wsu:Id="STR-D94D656F6D5F405EE113291420330263">
                  <wsse:Reference
URI="#X509-D94D656F6D5F405EE113291420330101"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
         <wsse:UsernameToken wsu:Id="UsernameToken-2">
            <wsse:Username>stanforduser</wsse:Username>
            <wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
         </wsse:UsernameToken>
         <wsu:Timestamp wsu:Id="TS-1">
            <wsu:Created>2012-02-13T14:07:12.932Z</wsu:Created>
            <wsu:Expires>2012-02-13T14:12:12.932Z</wsu:Expires>
         </wsu:Timestamp>
      </wsse:Security>
   </soap:Header>
   <soap:Body>
      <ns2:ping xmlns="http://services.mycomp.com/ping/types/"
xmlns:ns2="http://services.mycomp.com/ping">
         <str>System.getProperty user.name</str>
      </ns2:ping>
   </soap:Body>
</soap:Envelope>

--
View this message in context: 
http://cxf.547215.n5.nabble.com/Signing-Message-parts-tp5475654p5479413.html
Sent from the cxf-user mailing list archive at Nabble.com.
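
An added example, not part of the original post and not CXF code: a small Python check that lists which elements the ds:Reference entries of a WS-Security message point at and whether the SOAP Body is among them. It inspects reference coverage only and does not verify the signature value; the function name and the trimmed sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSSE, WSU = OASIS + "secext-1.0.xsd", OASIS + "utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"soap": SOAP, "ds": DS}

# Constructed sample: a trimmed copy of the message structure shown in the post
# (one signature reference to the timestamp, no wsu:Id on the Body).
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}"
    xmlns:wsu="{WSU}" xmlns:ds="{DS}">
 <soap:Header><wsse:Security>
  <ds:Signature Id="SIG-3"><ds:SignedInfo>
    <ds:Reference URI="#TS-1"/>
  </ds:SignedInfo></ds:Signature>
  <wsse:UsernameToken wsu:Id="UsernameToken-2"/>
  <wsu:Timestamp wsu:Id="TS-1"/>
 </wsse:Security></soap:Header>
 <soap:Body><ping/></soap:Body>
</soap:Envelope>"""


def signature_coverage(xml_text):
    """Return (local names of referenced elements, body_is_referenced)."""
    root = ET.fromstring(xml_text)
    # Index every element carrying wsu:Id or a plain Id attribute.
    by_id = {}
    for el in root.iter():
        for attr in ("{%s}Id" % WSU, "Id"):
            if attr in el.attrib:
                by_id.setdefault(el.attrib[attr], []).append(el)
    # Only a Body that is a direct child of the Envelope counts.
    body = root.find("soap:Body", NS)
    signed, body_signed = [], False
    for ref in root.iterfind(".//ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            continue  # only same-document references are resolved here
        targets = by_id.get(uri[1:], [])
        if len(targets) != 1:
            # A missing or duplicated Id makes the coverage ambiguous.
            raise ValueError(f"{uri} resolves to {len(targets)} elements")
        signed.append(targets[0].tag.rsplit("}", 1)[-1])
        body_signed = body_signed or targets[0] is body
    return signed, body_signed


if __name__ == "__main__":
    print(signature_coverage(SAMPLE))
```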
