Yes, you could try overriding the default AlgorithmSuite. See this blog post for more information:

http://coheigea.blogspot.ie/2011/09/specifying-custom-algorithmsuite.html

Colm.

On Tue, Aug 13, 2013 at 2:48 PM, Ted Roeloffzen <[email protected]> wrote:

> Thank you for creating the JIRA.
>
> In this case I'm screwed, I think.
> As far as I know, RSA-SHA256 is mandatory for this service to work.
> Is there a way to work around it?
>
> Is there a class that I can inherit from to make it work?
>
> Ted
>
> 2013/8/13 Colm O hEigeartaigh <[email protected]>
>
> > SHA-256 is only used for the digest algorithm for any of the standard
> > WS-SecurityPolicy AlgorithmSuites. The Signature Algorithm is always
> > RSA-SHA1 and cannot be configured. Ideally, we would have a new
> > specification to cater for newer security algorithms, but this does not
> > appear likely from my understanding.
> >
> > I've created a JIRA to find a way around this problem:
> >
> > https://issues.apache.org/jira/browse/CXF-5200
> >
> > I think I will add a configuration option to override the default
> > RSA-SHA1 signature algorithm.
> >
> > Colm.
> >
> > On Tue, Aug 13, 2013 at 2:19 PM, Ted Roeloffzen <[email protected]> wrote:
> >
> > > I was afraid of that.
> > >
> > > The policy that is used is as follows:
> > >
> > > <wsp:Policy wsu:Id="...">
> > >   <wsp:ExactlyOne>
> > >     <wsp:All>
> > >       <sp:AsymmetricBinding>
> > >         <wsp:Policy>
> > >           <sp:InitiatorToken>
> > >             <wsp:Policy>
> > >               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > >                 <wsp:Policy>
> > >                   <sp:RequireThumbprintReference/>
> > >                   <sp:WssX509V3Token10/>
> > >                 </wsp:Policy>
> > >               </sp:X509Token>
> > >             </wsp:Policy>
> > >           </sp:InitiatorToken>
> > >           <sp:RecipientToken>
> > >             <wsp:Policy>
> > >               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
> > >                 <wsp:Policy>
> > >                   <sp:RequireThumbprintReference/>
> > >                   <sp:WssX509V3Token10/>
> > >                 </wsp:Policy>
> > >               </sp:X509Token>
> > >             </wsp:Policy>
> > >           </sp:RecipientToken>
> > >           <sp:AlgorithmSuite>
> > >             <wsp:Policy>
> > >               <sp:Basic256Sha256Rsa15/>
> > >             </wsp:Policy>
> > >           </sp:AlgorithmSuite>
> > >           <sp:Layout>
> > >             <wsp:Policy>
> > >               <sp:Lax/>
> > >             </wsp:Policy>
> > >           </sp:Layout>
> > >           <sp:IncludeTimestamp/>
> > >           <sp:OnlySignEntireHeadersAndBody/>
> > >         </wsp:Policy>
> > >       </sp:AsymmetricBinding>
> > >     </wsp:All>
> > >   </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > > When I look at this policy, I'd think that SHA256 would be used; I
> > > thought RSA-SHA256 would be used as the signature algorithm, but when
> > > I look at the XML that is output by CXF, RSA-SHA1 is used.
> > >
> > > Where am I going wrong?
> > >
> > > Ted
> > >
> > > 2013/8/13 Colm O hEigeartaigh <[email protected]>
> > >
> > > > You can't set the SignatureAlgorithm if you are using
> > > > WS-SecurityPolicy, as it defaults to that of the spec. What
> > > > requirements do you have? What signature algorithm do you want to use?
> > > >
> > > > Colm.
> > > >
> > > > On Tue, Aug 13, 2013 at 1:36 PM, Ted Roeloffzen <[email protected]> wrote:
> > > >
> > > >> Hi Colm,
> > > >>
> > > >> The WSS4JOutInterceptor is created and configured automatically by
> > > >> CXF, right?
> > > >> Can I somehow retrieve the WSS4JOutInterceptor during the process and
> > > >> set the signatureAlgorithm tag, without having to configure the
> > > >> entire interceptor?
> > > >>
> > > >> Ted
> > > >>
> > > >> 2013/8/13 Colm O hEigeartaigh <[email protected]>
> > > >>
> > > >>> If you are using WS-SecurityPolicy, then the spec defines the
> > > >>> signature method as "RSA-SHA1" for Asymmetric Signature, and
> > > >>> "HMAC-SHA1" for Symmetric Signature. Otherwise, you can set it via
> > > >>> the "signatureAlgorithm" configuration tag on the
> > > >>> WSS4JOutInterceptor.
> > > >>>
> > > >>> Colm.
> > > >>>
> > > >>> On Tue, Aug 13, 2013 at 8:08 AM, Ted Roeloffzen <[email protected]> wrote:
> > > >>>
> > > >>> > Hi All,
> > > >>> >
> > > >>> > How does CXF determine which signature method to use?
> > > >>> > Does it retrieve it from the security-policy in the WSDL or do
> > > >>> > you have to configure it?
> > > >>> >
> > > >>> > kind regards,
> > > >>> >
> > > >>> > Ted
> > > >>>
> > > >>> --
> > > >>> Colm O hEigeartaigh
> > > >>>
> > > >>> Talend Community Coder
> > > >>> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
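
Added example, not part of the original thread and not CXF code: a Python check of which algorithms a signed message actually declares, reproducing the mismatch discussed above (SHA-256 digests from Basic256Sha256Rsa15, but an RSA-SHA1 signature). The envelope is a constructed sample with placeholder values, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
RSA_SHA1 = DS + "rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample: the shape of the WS-Security signature described in the
# thread (SHA-256 digests, RSA-SHA1 signature). All values are placeholders.
SAMPLE = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="{DS}">
  <soap:Header><ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="{RSA_SHA1}"/>
    <ds:Reference URI="#body"><ds:DigestMethod Algorithm="{SHA256}"/>
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    <ds:Reference URI="#ts"><ds:DigestMethod Algorithm="{SHA256}"/>
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature></soap:Header>
  <soap:Body/>
</soap:Envelope>"""

def _alg(parent, tag):
    """Algorithm URI of a child element, or None if the child is missing."""
    el = parent.find(tag, NS)
    return el.get("Algorithm") if el is not None else None

def signature_algorithms(xml_text):
    """Return one dict per ds:SignedInfo with its signature and digest URIs."""
    return [{"signature": _alg(info, "ds:SignatureMethod"),
             "digests": {ref.get("URI"): _alg(ref, "ds:DigestMethod")
                         for ref in info.iterfind("ds:Reference", NS)}}
            for info in ET.fromstring(xml_text).iterfind(".//ds:SignedInfo", NS)]

def violations(xml_text, required_signature, required_digest):
    """List every place where the message departs from the required algorithms."""
    signatures = signature_algorithms(xml_text)
    if not signatures:  # an unsigned message must not pass the check silently
        return [("Signature", None)]
    problems = []
    for sig in signatures:
        if sig["signature"] != required_signature:
            problems.append(("SignatureMethod", sig["signature"]))
        problems += [(f"DigestMethod {uri}", alg)
                     for uri, alg in sig["digests"].items() if alg != required_digest]
    return problems

if __name__ == "__main__":
    for where, alg in violations(SAMPLE, RSA_SHA256, SHA256):
        print(f"{where}: found {alg}")
```

Run against a captured outbound message, this shows whether an overridden AlgorithmSuite actually changed the `ds:SignatureMethod` on the wire.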
