Hi,

> /<sp:OnlySignEntireHeadersAndBody />/ seems to be ignored by CXF (in
> request and response)

Just put Colm's answer from thread 
http://mail-archives.apache.org/mod_mbox/cxf-users/201204.mbox/%3ccab8xdgasib+fc4bhefhfxgqj7fjtsw-4aftq5oakh7y8n0q...@mail.gmail.com%3E:

"My reading of the spec is that a "OnlySignEntireHeadersAndBody" policy means that *if* message level signature is used in the request, then it must not be a child element of the SOAP Body, or a child element of a particular header, excepting the security header. It does not mandate that signature must be performed, only that if signature is performed it must conform to that policy. Therefore, a SignedParts or SignedElements policy is needed to specify what must actually be signed."

So just specifying the "OnlySignEntireHeadersAndBody" assertion is not enough to sign body and header. It just controls that no child elements are signed.
You need to add an <sp:SignedParts>...</sp:SignedParts> assertion with the body and top level SOAP headers to be signed, for example:

<sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <sp:Header Name="MetadataBindingContainer" Namespace="urn:int:test:ia:metadatabinding:draft" />
        <sp:Body />
</sp:SignedParts>

AFAIK you need to explicitly define the headers to be signed.

Cheers,
Andrei.
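As an added illustration (not code from this thread, CXF or WSS4J), here is a small Python checker that applies the two rules described above to a signed SOAP envelope: every ds:Reference must cover the whole Body or a whole top-level header (elements inside wsse:Security being the exception), and every entry of the sp:SignedParts assertion must actually be covered by some reference. The envelope template, its ids and the policy are constructed to resemble the quoted CXF response; the MetadataBindingContainer header and its namespace are taken from the SignedParts example above.

```python
"""Policy check for the two assertions discussed above: OnlySignEntireHeadersAndBody
(each ds:Reference must cover the whole Body or a whole top-level header; elements
inside wsse:Security are the spec's exception) and SignedParts (Body and the named
headers must actually be covered). Added example, not CXF/WSS4J code; the envelope
and policy below are constructed, loosely modelled on the quoted CXF response."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
MB_NS = "urn:int:test:ia:metadatabinding:draft"  # namespace from the SignedParts example above


def q(ns, local):
    return "{%s}%s" % (ns, local)


# Constructed envelope: the ids mirror the quoted response; {refs} is filled per case.
ENVELOPE_TEMPLATE = """<soap:Envelope xmlns:soap="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">
 <soap:Header>
  <m:MetadataBindingContainer xmlns:m="%s" wsu:Id="MBC-1"><m:Item wsu:Id="ITEM-1">x</m:Item></m:MetadataBindingContainer>
  <wsse:Security>
   <wsu:Timestamp wsu:Id="TS-16"><wsu:Created>2012-11-22T12:34:00Z</wsu:Created></wsu:Timestamp>
   <wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsu:Id="SC-17" Value="c29tZQ=="/>
   <ds:Signature Id="SIG-18">
    <ds:SignedInfo>{refs}</ds:SignedInfo>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
    <ds:KeyInfo Id="KI-1"><wsse:SecurityTokenReference wsu:Id="STR-1"><wsse:KeyIdentifier>c29tZQ==</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
 </soap:Header>
 <soap:Body wsu:Id="Id-12354411"><p:Ping xmlns:p="urn:example:ping" wsu:Id="PING-1"/></soap:Body>
</soap:Envelope>""" % (SOAP, WSSE, WSU, DS, MB_NS)

# Constructed policy, same shape as the SignedParts assertion shown above.
SIGNED_PARTS = """<sp:SignedParts xmlns:sp="%s">
  <sp:Header Name="MetadataBindingContainer" Namespace="%s"/>
  <sp:Body/>
</sp:SignedParts>""" % (SP, MB_NS)


def build_envelope(ref_uris):
    """Fill the template with one ds:Reference per URI (e.g. '#TS-16')."""
    refs = "".join('<ds:Reference URI="%s"/>' % u for u in ref_uris)
    return ENVELOPE_TEMPLATE.format(refs=refs)


def parse_signed_parts(policy_xml):
    """Return (body_required, [(namespace, name_or_None)]) from an sp:SignedParts assertion."""
    sp = ET.fromstring(policy_xml)
    body = sp.find(q(SP, "Body")) is not None
    headers = [(h.get("Namespace"), h.get("Name")) for h in sp.findall(q(SP, "Header"))]
    return body, headers


def check_signature(envelope_xml, policy_xml):
    """Return {'violations': [...], 'missing': [...]}: violations break
    OnlySignEntireHeadersAndBody, missing are SignedParts entries no ds:Reference covers."""
    root = ET.fromstring(envelope_xml)
    parent = {c: p for p in root.iter() for c in p}  # ElementTree has no parent links
    header, body = root.find(q(SOAP, "Header")), root.find(q(SOAP, "Body"))
    ids = {}
    for el in root.iter():
        for attr in (q(WSU, "Id"), "Id"):  # wsu:Id on SOAP parts, plain Id on ds:* elements
            if el.get(attr):
                ids[el.get(attr)] = el

    def inside_security(el):
        while el is not None:
            if el.tag == q(WSSE, "Security"):
                return True
            el = parent.get(el)
        return False

    violations, body_signed, signed_headers = [], False, set()
    for ref in root.iter(q(DS, "Reference")):
        uri = ref.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            violations.append("%s: reference does not resolve to an element" % uri)
        elif target is body:
            body_signed = True
        elif parent.get(target) is header:
            signed_headers.add(target.tag)  # whole top-level header: allowed
        elif not inside_security(target):
            violations.append("%s: signs a child element of Body or of a header" % uri)

    want_body, want_headers = parse_signed_parts(policy_xml)
    present = [h.tag for h in header] if header is not None else []
    required = []
    for ns, name in want_headers:
        # an sp:Header without Name means every header in that namespace
        required += [q(ns, name)] if name else [t for t in present if t.startswith("{%s}" % ns)]
    missing = (["Body"] if want_body and not body_signed else []) + [t for t in required if t not in signed_headers]
    return {"violations": violations, "missing": missing}


if __name__ == "__main__":
    # The quoted CXF response signs Timestamp, SignatureConfirmation and Body only.
    print(check_signature(build_envelope(["#TS-16", "#SC-17", "#Id-12354411"]), SIGNED_PARTS))
```

Run against the reference set of the quoted response (Timestamp, SignatureConfirmation, Body), the check reports no OnlySignEntireHeadersAndBody violation but flags the MetadataBindingContainer header as missing, which is exactly the part the SignedParts assertion has to name. Elements inside wsse:Security are treated as exempt, following Colm's reading quoted above, so an unsigned SecurityTokenReference is not a violation of this policy; whether the peer additionally insists on it being signed is a separate matter.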

> -----Original Message-----
> From: andreas_triebel [mailto:[email protected]]
> Sent: Donnerstag, 22. November 2012 13:34
> To: [email protected]
> Subject: Re: Signature Interop Issue: Weblogic -> Apache CXF
> 
> The issue with the Weblogic CertPathSelector could be resolved on Weblogic.
> 
> But now it seems that Weblogic insists on having signed everything in the
> security header in the response saying "Error on verifying message against
> security policy Error code:3701"
> A look at the Weblogic source confirms that.
> 
> CXF signs the Timestamp, SignatureConfirmation and Body in the response,
> but not the STR.
> How do I tell CXF to sign everything in the security header in the response?
> 
> /<sp:OnlySignEntireHeadersAndBody />/ seems to be ignored by CXF (in
> request and response)
> 
> and
> 
> /<sp:SignedParts>...</sp:SignedParts>/ also does not force CXF to sign the STR
> referencing the X509 certificate, at least I did not find the right 
> combination.
> 
> CXF response with unsigned STR:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>     <wsse:Security..>
> :
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-18">
> :
>         <ds:SignedInfo>
>           <ds:Reference URI="#TS-16">..</ds:Reference>
>           <ds:Reference URI="#SC-17">..</ds:Reference>
>           <ds:Reference URI="#Id-12354411">..</ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>IbuCvduZIepSG4G8OtdLIeV+MCheIv+eIGhY8FsfDyfKE3hk6V9vB2KQmP83diNA0oDw30P3ugn2B6M0Un7R9xmLE70OG0Dpj6my73MLe5+48rNeAaVtrTX839VEFvRzvcBCif8mEQOS5JIPlhAXNEBu1+J3Qr3NPItamU0kA3c=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-120F582AC27EBFB0FE135358458436417">
>           *<wsse:SecurityTokenReference wsu:Id="STR-120F582AC27EBFB0FE135358458436418">
>             <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">R0VTd2CEaTTD3qJ/lAomm31HARQ=</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>*
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body wsu:Id="Id-12354411">
> :
>   </soap:Body>
> </soap:Envelope>
> 
> -Andreas
> 
> --
> View this message in context: http://cxf.547215.n5.nabble.com/Signature-
> Interop-Issue-Weblogic-Apache-CXF-tp5718487p5718960.html
> Sent from the cxf-user mailing list archive at Nabble.com.
