Thank you for the answer. I found that replacing <sp:RequireEmbeddedTokenReference/> with <sp:RequireKeyIdentifierReference/> did the trick and now it works. I have read the specs but feel a bit short of fully understanding every parameter with only this document: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html. Any pointer to something that could help me on my WS-Security learning path?
For your remark about the IncludeToken type, I'm not sure I have to set it to Always, as the certificate is correctly set in the binary token for both recipient and initiator with my configuration. Maybe this is because I have a RecipientSignatureToken and an InitiatorSignatureToken? Is it possible that "Recipient" has two meanings depending on the SignatureToken type, i.e. that for the first token Recipient means the client and the server for the second token? Hope this is clear enough, though I'm not sure of this. :p

Best Regards,
Claude

2016-09-23 18:15 GMT+02:00 Colm O hEigeartaigh <[email protected]>:

> Hi Claude,
>
> The answer I gave on the WSS4J JIRA was when you are configuring security
> manually. When using WS-SecurityPolicy you don't need to do it. If you use
> the following policy for the RecipientSignatureToken it should work, I
> verified it with the CXF systests:
>
> <sp:RecipientSignatureToken>
>   <wsp:Policy>
>     <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>       <wsp:Policy>
>         <sp:WssX509V3Token10/>
>       </wsp:Policy>
>     </sp:X509Token>
>   </wsp:Policy>
> </sp:RecipientSignatureToken>
>
> "AlwaysToRecipient" as per the policy you had above is not valid, as it
> would not then send the token to the initiator...
>
> Colm.
>
> On Fri, Sep 23, 2016 at 9:30 AM, Claude Libois <[email protected]> wrote:
>
> > Hello,
> > I would like to enforce my endpoint to return a reference to the embedded
> > binarySecurityToken instead of the serial+issuer name such as:
> >
> > <wsse:SecurityTokenReference
> >     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >     wsu:Id="STR-a65f2369-4c86-4e01-9663-0ec7b90b5ac9">
> >   <ds:X509Data>
> >     <ds:X509IssuerSerial>
> >       <ds:X509IssuerName>IssuerName</ds:X509IssuerName>
> >       <ds:X509SerialNumber>124284142324952637825</ds:X509SerialNumber>
> >     </ds:X509IssuerSerial>
> >   </ds:X509Data>
> > </wsse:SecurityTokenReference>
> >
> > I was told by Colm O hEigeartaigh (thank you btw) that I could use the
> > signatureKeyIdentifier property with the "DirectReference" value. TBH, as I'm
> > on a ServiceMix with cxf+wss4J, it's quite complicated to know where to set
> > this property value, but that's not the point here. I'm using a policy to
> > define my ws-security and found it was possible to define something like
> > <sp:RequireEmbeddedTokenReference/> in the X509 tag. However, I'm still
> > receiving the X509IssuerSerial....
> > Does anybody know how to define this correctly in a policy?
> >
> > Here is my policy, only applied on the server response:
> >
> > <wsp:Policy wsu:Id="signAndTsPolicy">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:AsymmetricBinding>
> >         <wsp:Policy>
> >           <sp:IncludeTimestamp/>
> >           <sp:InitiatorSignatureToken>
> >             <wsp:Policy>
> >               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >                 <wsp:Policy>
> >                   <sp:WssX509PkiPathV1Token10/>
> >                 </wsp:Policy>
> >               </sp:X509Token>
> >             </wsp:Policy>
> >           </sp:InitiatorSignatureToken>
> >           <sp:RecipientSignatureToken>
> >             <wsp:Policy>
> >               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"> <!-- Never? -->
> >                 <wsp:Policy>
> >                   <sp:WssX509PkiPathV1Token10/>
> >                   <sp:RequireEmbeddedTokenReference/>
> >                 </wsp:Policy>
> >               </sp:X509Token>
> >             </wsp:Policy>
> >           </sp:RecipientSignatureToken>
> >           <sp:AlgorithmSuite>
> >             <wsp:Policy>
> >               <sp:Basic256Sha256/>
> >             </wsp:Policy>
> >           </sp:AlgorithmSuite>
> >           <sp:Layout>
> >             <wsp:Policy>
> >               <sp:Lax/>
> >             </wsp:Policy>
> >           </sp:Layout>
> >           <sp:ProtectTokens/>
> >           <sp:OnlySignEntireHeadersAndBody/>
> >         </wsp:Policy>
> >       </sp:AsymmetricBinding>
> >       <sp:SignedParts>
> >         <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
> >         <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> >         <sp:Body/>
> >       </sp:SignedParts>
> >       <sp:Wss10>
> >         <wsp:Policy>
> >           <sp:MustSupportRefKeyIdentifier/>
> >         </wsp:Policy>
> >       </sp:Wss10>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > To be honest, I'm rather new to ws-security with policy on cxf+wss4j.
> > I must say that it was quite complicated to find complete information to
> > achieve my goal.
> > That's why I'm asking for some help now.
> >
> > Best Regards,
> > Claude
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
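The thread turns on which form of SecurityTokenReference the server puts in the signature's ds:KeyInfo: the X509IssuerSerial form Claude was receiving, the KeyIdentifier form that sp:RequireKeyIdentifierReference produced, or a direct wsse:Reference to an embedded BinarySecurityToken. The script below is an added example, not code from this thread or from CXF/WSS4J. It parses a SOAP response, reports which reference form the signature uses, and for a direct reference checks that the referenced BinarySecurityToken is actually present in the same wsse:Security header. The envelopes it runs on are constructed inline for the demonstration (no real SignedInfo or signature value; the Ids, serial number and token bytes are placeholders).

```python
"""Classify the SecurityTokenReference form a signed WS-Security message uses.

Added example (not from the mailing-list thread, CXF or WSS4J). Given a SOAP
envelope it reports whether the signature's ds:KeyInfo points at the signing
certificate by issuer/serial, by wsse:KeyIdentifier, or by a direct
wsse:Reference to a wsse:BinarySecurityToken, and for a direct reference it
checks that the referenced token is really present in the same Security
header. The envelopes at the bottom are constructed test data, not captured
traffic; the serial number, Id values and token bytes are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
WSU_ID = "{%s}Id" % NS["wsu"]


def classify_str(envelope_xml):
    """Return (kind, detail) for the first ds:Signature's SecurityTokenReference.

    kind is one of "IssuerSerial", "KeyIdentifier", "DirectReference",
    "Embedded" or "Invalid" (detail then says what is wrong).
    """
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return ("Invalid", "no wsse:Security header")
    str_el = security.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if str_el is None:
        return ("Invalid", "no ds:Signature with a SecurityTokenReference")

    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return ("DirectReference", "external URI %r not resolved" % uri)
        # A same-document reference must resolve to a BinarySecurityToken carried
        # in this Security header; otherwise the verifier has no certificate to
        # validate the signature against and the message must be rejected.
        for bst in security.findall("wsse:BinarySecurityToken", NS):
            if bst.get(WSU_ID) == uri[1:]:
                return ("DirectReference", "BinarySecurityToken %s" % uri[1:])
        return ("Invalid", "wsse:Reference %s matches no BinarySecurityToken" % uri)

    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is not None:
        return ("KeyIdentifier", kid.get("ValueType", ""))

    issuer_serial = str_el.find("ds:X509Data/ds:X509IssuerSerial", NS)
    if issuer_serial is not None:
        serial = issuer_serial.findtext("ds:X509SerialNumber", default="", namespaces=NS)
        return ("IssuerSerial", serial.strip())

    if str_el.find("wsse:Embedded", NS) is not None:
        return ("Embedded", "token carried inside the STR")
    return ("Invalid", "unrecognised SecurityTokenReference form")


def make_envelope(tokens, str_body):
    """Build a minimal envelope around the given header tokens and STR body.

    Constructed scaffolding only: there is no real SignedInfo or signature
    value, just enough structure for classify_str to walk.
    """
    return (
        '<soap:Envelope xmlns:soap="{soap}"><soap:Header>'
        '<wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">'
        '{tokens}<ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAA=</ds:SignatureValue>'
        '<ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="STR-1">{str_body}'
        '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>'
        '</wsse:Security></soap:Header><soap:Body/></soap:Envelope>'
    ).format(tokens=tokens, str_body=str_body, **NS)


# The form the original poster was receiving: issuer name plus serial number.
ISSUER_SERIAL_ENVELOPE = make_envelope(
    "",
    "<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>IssuerName</ds:X509IssuerName>"
    "<ds:X509SerialNumber>124284142324952637825</ds:X509SerialNumber>"
    "</ds:X509IssuerSerial></ds:X509Data>",
)

# A direct reference to a BinarySecurityToken carried in the same header.
DIRECT_REF_ENVELOPE = make_envelope(
    '<wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="%s">QUJD</wsse:BinarySecurityToken>' % X509V3,
    '<wsse:Reference URI="#X509-1" ValueType="%s"/>' % X509V3,
)

# Same reference form, but the token it points at was never included.
DANGLING_REF_ENVELOPE = make_envelope("", '<wsse:Reference URI="#X509-1" ValueType="%s"/>' % X509V3)

# The KeyIdentifier form (what sp:RequireKeyIdentifierReference asks for).
KEY_ID_ENVELOPE = make_envelope(
    "", '<wsse:KeyIdentifier ValueType="%s">c2FtcGxl</wsse:KeyIdentifier>' % THUMBPRINT_SHA1
)

if __name__ == "__main__":
    for name, env in [("issuer/serial", ISSUER_SERIAL_ENVELOPE), ("direct", DIRECT_REF_ENVELOPE),
                      ("dangling", DANGLING_REF_ENVELOPE), ("key identifier", KEY_ID_ENVELOPE)]:
        print(name, "->", classify_str(env))
```

Feed a logged response from the endpoint to classify_str to confirm what the policy change actually produced rather than inferring it from the policy text; the dangling-reference case is the reason a direct reference is resolved against the header instead of being taken at face value.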
