See here:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl;h=dcf01b23c124795a04be170f5d8079102a516b35;hb=HEAD

On Wed, Mar 23, 2016 at 5:50 PM, Giriraj Bhojak <girira...@gmail.com> wrote:

> Thank you Colm.
> Would you have a policy example of using EncryptedElements instead of
> using EncryptedParts?
> I tried a few combinations, but they didn't work out.
>
> Thanks,
> Giriraj
> On Mar 23, 2016 12:58 PM, "Colm O hEigeartaigh" <cohei...@apache.org>
> wrote:
>
>> Answers inline.
>>
>> On Wed, Mar 23, 2016 at 4:49 PM, Giriraj Bhojak <girira...@gmail.com>
>> wrote:
>>
>>> Do you mean to say the timestamp is not just signed but encrypted as
>>> well if it is part of the AsymmetricBinding?
>>>
>> No, just signed.
>>
>>> In my policy I have also added username token as a supporting token,
>>> outside of AsymmetricBinding. Would this token be signed and encrypted too?
>>>
>>
>> No. However it would be if you specified a
>> "SignedEncryptedSupportingToken" policy instead of "SupportingToken".
>>
>> Colm.
>>
>>
>>> I have written a Java client that is able to successfully send and
>>> receive a response using the policy. I have a requirement to test the
>>> endpoint using SoapUI tool as well and that's where I am facing issues
>>> since I couldn't just import the policy into SoapUI.
>>>
>>> Thanks,
>>> Giriraj
>>> On Mar 23, 2016 7:04 AM, "Colm O hEigeartaigh" <cohei...@apache.org>
>>> wrote:
>>>
>>>> If you are using the SymmetricBinding or AsymmetricBinding policies, the
>>>> Timestamp is automatically signed if the "IncludeTimestamp" policy is in
>>>> the Binding policy.
>>>>
>>>> The "sp:Header" policy in SignedParts/EncryptedParts is designed to be used
>>>> for SOAP headers, not for internal headers in the security header (such as
>>>> Timestamp). Instead, use an "EncryptedElements" policy, with an XPath
>>>> expression pointing to the Timestamp.
>>>>
>>>> Colm.
>>>>
>>>> On Tue, Mar 22, 2016 at 3:17 AM, Giriraj Bhojak <girira...@gmail.com>
>>>> wrote:
>>>>
>>>> > Hello,
>>>> >
>>>> >
>>>> > I need to sign and encrypt the timestamp WS-Security header.
>>>> >
>>>> > My policy file has the following assertions:
>>>> >
>>>> >     <sp:SignedParts>
>>>> >         <sp:Body />
>>>> >         <sp:Header Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
>>>> >     </sp:SignedParts>
>>>> >     <sp:EncryptedParts>
>>>> >         <sp:Body />
>>>> >         <sp:Header Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
>>>> >     </sp:EncryptedParts>
>>>> >
>>>> > The above namespace belongs to the wsu element.
>>>> >
>>>> > I can still see the following entry in the wsse:Security element:
>>>> >
>>>> >     <wsu:Timestamp wsu:Id="TS-A91AE37C42BC91148914586148175181">
>>>> >         <wsu:Created>2016-03-22T02:46:57.516Z</wsu:Created>
>>>> >         <wsu:Expires>2016-03-22T02:51:57.516Z</wsu:Expires>
>>>> >     </wsu:Timestamp>
>>>> >
>>>> >
>>>> >
>>>> > If I try to add the namespace of wsse into the signed and encrypted parts
>>>> > above in order to encrypt and sign the entire header as follows:
>>>> >
>>>> >     <sp:SignedParts>
>>>> >         <sp:Body />
>>>> >         <sp:Header Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
>>>> >     </sp:SignedParts>
>>>> >     <sp:EncryptedParts>
>>>> >         <sp:Body />
>>>> >         <sp:Header Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
>>>> >     </sp:EncryptedParts>
>>>> >
>>>> >
>>>> >
>>>> > Then on the CXF server I get:
>>>> >
>>>> > org.apache.cxf.interceptor.Fault- Exception Message: Found element
>>>> > {http://www.w3.org/2001/04/xmlenc#}EncryptionMethod but could not find
>>>> > matching RPC/Literal part
>>>> >
>>>> > I am using CXF v2.7.11.
>>>> >
>>>> > Am I doing something wrong?
>>>> >
>>>> > Thanks,
>>>> > Giriraj
>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>> Colm O hEigeartaigh
>>>>
>>>> Talend Community Coder
>>>> http://coders.talend.com
>>>>
>>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
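
A way to check a captured message for the states discussed in this thread (Timestamp covered by the binding's signature, or replaced by encrypted data), as an added example that is not part of the original thread or of CXF. The function name, status strings and sample message are constructed for illustration, and the check is structural only.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def timestamp_protection(envelope_xml):
    """Return 'signed', 'unsigned', 'possibly-encrypted' or 'absent'.

    Structural check only: it does not validate the signature or decrypt.
    """
    security = ET.fromstring(envelope_xml).find(".//wsse:Security", NS)
    if security is None:
        raise ValueError("message has no wsse:Security header")
    # Ids covered by same-document references in the header's signature(s).
    signed_ids = {
        ref.get("URI", "")[1:]
        for ref in security.iterfind("ds:Signature/ds:SignedInfo/ds:Reference", NS)
        if ref.get("URI", "").startswith("#")
    }
    timestamps = security.findall("wsu:Timestamp", NS)
    if len(timestamps) > 1:
        raise ValueError("more than one Timestamp in the security header")
    if not timestamps:
        # An encrypted element is replaced in place by xenc:EncryptedData, so
        # this only says an encrypted header child exists, not what it holds.
        hidden = security.find("xenc:EncryptedData", NS) is not None
        return "possibly-encrypted" if hidden else "absent"
    return "signed" if timestamps[0].get(WSU_ID) in signed_ids else "unsigned"

# Constructed, trimmed message skeleton (not a capture from the thread).
TS = ('<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2016-03-22T02:46:57.516Z'
      '</wsu:Created></wsu:Timestamp>')
SAMPLE = """<soap:Envelope xmlns:soap="{soap}"><soap:Header>
<wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
{ts}
<ds:Signature><ds:SignedInfo><ds:Reference URI="#TS-1"/></ds:SignedInfo></ds:Signature>
</wsse:Security></soap:Header><soap:Body/></soap:Envelope>""".format(ts=TS, **NS)

if __name__ == "__main__":
    print(timestamp_protection(SAMPLE))
```

For messages from an untrusted peer, parse with a hardened XML parser and rely on the WS-Security stack's own signature validation; this script only reports what the message structure claims.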
