>  Not following here. I removed <sp:OnlySignEntireHeadersAndBody />
> section under TLS security binding, retained
> <DoubleItBinding_DoubleIt_Input_Policy> body part signing in my policy; but
> did not sign the body part (only signs timestamp). I expect server to
> complain since I did not sign body using the client's X.509, and it does not.

So you have a SignedParts policy as a child of the
EndorsingSupportingTokens policy? The validation code does not
currently enforce SignedParts or EncryptedParts for
EndorsingSupportingTokens (feel free to raise a JIRA if you want). In
other words, it will check to see if the required part has been
signed, but not specifically by that EndorsingSupportingToken. In this
case, the “message signature” is provided by the underlying transport
protocol.

Colm.

On Mon, Feb 13, 2012 at 2:31 PM, sram <[email protected]> wrote:
> "If you want to sign the SOAP Body, you'll have to add it to the
> SignatureParts list..."
>
>   Agreed. But even without signing it works though server policy indicates
> signing is required. I was thinking body part signing will be expected from
> server using X.509 under <EndorsedSupportingToken> section.
>
> "you are using TLS and this fulfills the message signing requirements.."
>
>    Not following here. I removed <sp:OnlySignEntireHeadersAndBody />
> section under TLS security binding, retained
> <DoubleItBinding_DoubleIt_Input_Policy> body part signing in my policy; but
> did not sign the body part (only signs timestamp). I expect server to
> complain since I did not sign body using the client's X.509, and it does not.
>
>
>
>>>>>>>>>>
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>      <wsse:Security soap:mustUnderstand="1"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>         <wsse:BinarySecurityToken
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> wsu:Id="X509-D94D656F6D5F405EE113291420330101">[Base64 certificate omitted]</wsse:BinarySecurityToken>
>         <ds:Signature Id="SIG-3"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>            <ds:SignedInfo>
>               <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                  <ec:InclusiveNamespaces PrefixList="soap"
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </ds:CanonicalizationMethod>
>               <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>               <ds:Reference URI="#TS-1">
>                  <ds:Transforms>
>                     <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                        <ec:InclusiveNamespaces PrefixList="wsse soap"
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                     </ds:Transform>
>                  </ds:Transforms>
>                  <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                  <ds:DigestValue>SZ8HTfYh3Yk313LSnRWLJtNid9A=</ds:DigestValue>
>               </ds:Reference>
>            </ds:SignedInfo>
>            <ds:SignatureValue>Vt47N03YwHW5MNJUmNc42kbsePRr9+WTL3Y9awMQhxofa/TTy6LK8GZ5vHxl+Jlm+i9MA67/tQPwfgGMLQifDRRwTk/OqCsNVkPrYHSHeNPKrgIdgxWY4hW6rNx+IXMXDsrNta2orKp4Vqnc/TozIpYRNwfT4LG/UmYmmuNnhiw=</ds:SignatureValue>
>            <ds:KeyInfo Id="KI-D94D656F6D5F405EE113291420330102">
>               <wsse:SecurityTokenReference
> wsu:Id="STR-D94D656F6D5F405EE113291420330263">
>                  <wsse:Reference
> URI="#X509-D94D656F6D5F405EE113291420330101"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>               </wsse:SecurityTokenReference>
>            </ds:KeyInfo>
>         </ds:Signature>
>         <wsse:UsernameToken wsu:Id="UsernameToken-2">
>            <wsse:Username>stanforduser</wsse:Username>
>            <wsse:Password
> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
>         </wsse:UsernameToken>
>         <wsu:Timestamp wsu:Id="TS-1">
>            <wsu:Created>2012-02-13T14:07:12.932Z</wsu:Created>
>            <wsu:Expires>2012-02-13T14:12:12.932Z</wsu:Expires>
>         </wsu:Timestamp>
>      </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>      <ns2:ping xmlns="http://services.mycomp.com/ping/types/"
> xmlns:ns2="http://services.mycomp.com/ping">
>         <str>System.getProperty user.name</str>
>      </ns2:ping>
>   </soap:Body>
> </soap:Envelope>
>
> --
> View this message in context: 
> http://cxf.547215.n5.nabble.com/Signing-Message-parts-tp5475654p5479413.html
> Sent from the cxf-user mailing list archive at Nabble.com.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
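The point Colm makes above is easy to check directly on a message: which wsu:Id elements the ds:Reference entries actually cover, and which token the KeyInfo points at. The script below is an added example (not code from the thread or from CXF) that does exactly that; its sample envelope is a constructed, trimmed copy of the message quoted above, with placeholder certificate, digest and signature values.

```python
import xml.etree.ElementTree as ET

# Namespaces used in the message quoted in the thread.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample, trimmed from the thread's message: the only ds:Reference
# points at the Timestamp (TS-1); the Body carries an Id but is never referenced.
# Certificate, digest and signature values are placeholders, not real data.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
  <soap:Header><wsse:Security>
    <wsse:BinarySecurityToken wsu:Id="X509-1">CERT-PLACEHOLDER</wsse:BinarySecurityToken>
    <ds:Signature Id="SIG-3">
      <ds:SignedInfo>
        <ds:Reference URI="#TS-1"><ds:DigestValue>DIGEST-PLACEHOLDER=</ds:DigestValue></ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SIG-PLACEHOLDER=</ds:SignatureValue>
      <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
    </ds:Signature>
    <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-02-13T14:07:12.932Z</wsu:Created></wsu:Timestamp>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="Body-1"><ping>hello</ping></soap:Body>
</soap:Envelope>""".format(**NS)


def _index(envelope_xml):
    """Parse the envelope and map every wsu:Id value to its element."""
    root = ET.fromstring(envelope_xml)
    return root, {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}


def _resolve(by_id, ref):
    """Local name of the element a ds:Reference / wsse:Reference URI points at, or None."""
    target = by_id.get(ref.get("URI", "").lstrip("#")) if ref is not None else None
    return target.tag.rsplit("}", 1)[-1] if target is not None else None


def signed_parts(envelope_xml):
    """Set of element names (e.g. 'Timestamp', 'Body') covered by ds:SignedInfo references."""
    root, by_id = _index(envelope_xml)
    return {_resolve(by_id, r) for r in root.iterfind(".//ds:SignedInfo/ds:Reference", NS)} - {None}


def signing_token(envelope_xml):
    """Name of the security token the signature's KeyInfo refers to (e.g. 'BinarySecurityToken')."""
    root, by_id = _index(envelope_xml)
    return _resolve(by_id, root.find(".//ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS))


def missing_parts(envelope_xml, required):
    """Required parts that no ds:Reference covers; for the sample this is {'Body'}."""
    return set(required) - signed_parts(envelope_xml)
```

Run against the sample, `signing_token` reports the X.509 BinarySecurityToken and `missing_parts(SAMPLE, {"Body", "Timestamp"})` reports that the Body is not covered by that signature; whether a server accepts that depends, as Colm explains, on whether the transport binding already satisfies the message signature requirement.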
