Hi,
I've run into the problem that WSS4J doesn't seem to verify that all
required fields are signed. I wonder if I'm doing something wrong, or is
this the intended behaviour of WSS4J?
The web service's wsdd file is configured with the following parameters:
<parameter name="action" value="Timestamp Signature"/>
<parameter name="signatureParts"
  value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body; {}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp"/>
The web service accepts messages from a client configured in either of the
following ways:
1) Sign both body and timestamp. This is what is expected to be correct.
<parameter name="action" value="Timestamp Signature"/>
<parameter name="signatureParts"
  value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body; {}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp"/>
2) Sign only the body. I think this is wrong and the message should be
rejected.
<parameter name="action" value="Timestamp Signature"/>
<parameter name="signatureParts"
  value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;"/>
In the log files I can confirm that the signed parts are indeed verified
successfully, e.g.:
1) When both the body and the timestamp are signed:
2007-05-21 13:44:03,443 [http-8080-Processor25] INFO org.apache.xml.security.signature.Reference - Verification successful for URI "#id-8347989"
2007-05-21 13:44:03,443 [http-8080-Processor25] INFO org.apache.xml.security.signature.Reference - Verification successful for URI "#id-27316497"
2) When only the body is signed:
2007-05-21 13:45:15,668 [http-8080-Processor24] INFO org.apache.xml.security.signature.Reference - Verification successful for URI "#id-28218725"
Is this intentional, and am I to verify myself whether all required elements
are signed? Or is there some API call that allows me to have WSS4J check
this?
Regards, Denis
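An added example, not from Denis's mail or from WSS4J itself: a stand-alone Python check, meant to run after WSS4J has already verified the signature cryptographically, that confirms every part listed in signatureParts (here Body and Timestamp) carries a wsu:Id that some ds:Reference inside the wsse:Security header points at. With it, case 2 above (only the Body signed) is reported as missing the Timestamp rather than silently accepted. The sample envelopes and their ids are constructed, not captured messages.

```python
import xml.etree.ElementTree as ET

# Namespaces: the two from the mail's signatureParts setting plus WS-Security and XMLDSig.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Parts that must be covered by the signature, mirroring the wsdd configuration above.
REQUIRED_PARTS = [f"{{{SOAP}}}Body", f"{{{WSU}}}Timestamp"]


def referenced_ids(root):
    """Fragment ids (without the leading '#') named by ds:Reference elements
    that sit inside the wsse:Security header."""
    ids = set()
    for sec in root.iter(f"{{{WSSE}}}Security"):
        for ref in sec.iter(f"{{{DS}}}Reference"):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                ids.add(uri[1:])
    return ids


def missing_required_parts(envelope_xml, required=REQUIRED_PARTS):
    """Return the required part QNames whose wsu:Id is not referenced by the
    signature; an empty list means every required part is covered. A part
    that is absent altogether counts as missing. This complements, and does
    not replace, the cryptographic verification WSS4J already performs."""
    root = ET.fromstring(envelope_xml)
    ids = referenced_ids(root)
    return [q for q in required
            if not any(e.get(f"{{{WSU}}}Id") in ids for e in root.iter(q))]


def sample_envelope(sign_timestamp):
    """Constructed sample message (not a captured one): the Body is always
    referenced by the signature, the Timestamp only when requested."""
    ts_ref = '<ds:Reference URI="#ts-1"/>' if sign_timestamp else ""
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}"
    xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <soapenv:Header><wsse:Security>
    <wsu:Timestamp wsu:Id="ts-1"><wsu:Created>2007-05-21T11:44:03Z</wsu:Created></wsu:Timestamp>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>{ts_ref}</ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJlLWJ5dGVzLWdvLWhlcmU=</ds:SignatureValue></ds:Signature>
  </wsse:Security></soapenv:Header>
  <soapenv:Body wsu:Id="body-1"><echo>hello</echo></soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    print("both signed, missing:", missing_required_parts(sample_envelope(True)))
    print("body only, missing:  ", missing_required_parts(sample_envelope(False)))
```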