Thanks for the clarification, guys. I thought that this fact should be part of a spec like WS-I. I've checked the following one:
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html#XMLEncryption
But I haven't found anything which says that. Have I overlooked that? But I have found the recommendation about the SOAP actor:
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html#SOAPActorAttribute

One follow-on question: Let's assume a complexType called WageData is defined. We have a client which calls an intermediary which then calls the target wage data service. Some data must be encrypted with the public key of the intermediary, but the WageData type must be encrypted with the public key of the target wage data service. Let's assume that a SOAP request with two security headers (different actors for intermediary and target service) is received in the intermediary. The interesting part now is how the language binding (JAX-WS) looks for the WageData type. The intermediary can't decrypt it, but the JAX-WS service implementation must access this element to pass it on to the target service. Is this use case covered in JAX-WS?

Thanks
Oliver


"Dittmann, Werner (NSN - DE/Muenich)" <werner.dittmann@nsn.com>
23.07.2008 11:10
To: "ext Oliver Wulff" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Cc: <[email protected]>
Subject: AW: Antwort: RE: Decryption with several EncryptedKey elements

Oliver,

that's not a workaround - actor was defined to provide separate processing of different Security headers by different actors (rules). If the actor is set then it (shall) only process the security header that has the same actor attribute value.

Regards,
Werner

> -----Original Message-----
> From: ext Oliver Wulff [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 23 July 2008 07:39
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: Antwort: RE: Decryption with several EncryptedKey elements
>
> Hi Colm
>
> Thanks for your feedback. At least the API allows you to pass the actor
> when processing the SOAP headers. I do have control of the creation of the
> SOAP request.
>
> One question for you: when I split the two encrypted keys into different
> SOAP headers, is that best practice or a workaround?
>
> Thanks
> Oliver
>
>
> "O hEigeartaigh, Colm" <Colm.OhEigeartaig[...]>
> 22.07.2008 19:09
> To: "Oliver Wulff" <[EMAIL PROTECTED]>, <[email protected]>
> Cc: [EMAIL PROTECTED]
> Subject: RE: Decryption with several EncryptedKey elements
>
> Hi Oliver,
>
> Do you have control over the creation of the SOAP request? If so, one
> possibility is to create a different security header for both encrypted
> keys using a specific "actor" attribute for both. On the processing side,
> WSS4J can be configured to only process a security header with the
> specified actor name (at least I think it can, I haven't tried it).
>
> If not, then I suspect the only option is to write your own processor or
> submit an enhancement request.
>
> Colm.
>
> -----Original Message-----
> From: Oliver Wulff [mailto:[EMAIL PROTECTED]]
> Sent: 22 July 2008 17:28
> To: [email protected]
> Subject: Decryption with several EncryptedKey elements
>
> Hi all
>
> I've got a SOAP request (see below) with two EncryptedKey elements
> (different public keys).
>
> My application is in possession of only one private key, which means
> that it can only process some of the encrypted elements. If I process the
> security header the following exception is thrown:
>
> Caused by: org.apache.ws.security.WSSecurityException: Cannot
> encrypt/decrypt data; nested exception is:
> java.lang.Exception: alias is null
>         at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:287)
>
> How can I tell WSS4J to ignore the EncryptedKey elements which are not
> intended to be decrypted?
>
> This is the code to decrypt the SOAP message:
>
>     import java.io.ByteArrayInputStream;
>     import java.io.InputStream;
>     import java.io.StringWriter;
>     import javax.xml.soap.MessageFactory;
>     import javax.xml.soap.SOAPMessage;
>     import javax.xml.transform.Transformer;
>     import javax.xml.transform.TransformerFactory;
>     import javax.xml.transform.dom.DOMSource;
>     import javax.xml.transform.stream.StreamResult;
>     import org.apache.ws.security.WSSecurityEngine;
>     import org.apache.ws.security.components.crypto.Crypto;
>     import org.apache.ws.security.components.crypto.CryptoFactory;
>     import org.w3c.dom.Document;
>
>     String message = ... ;   // the SOAP request shown below
>     String cert = ... ;      // name of the crypto properties file (keystore with the one private key)
>
>     try {
>         // Parse the request into a SAAJ message and get its DOM
>         InputStream inStream = new ByteArrayInputStream(message.getBytes("UTF-8"));
>         SOAPMessage soapmsg = MessageFactory.newInstance().createMessage(null, inStream);
>         Document doc = (Document) soapmsg.getSOAPPart();
>
>         Crypto crypto = CryptoFactory.getInstance(cert);
>
>         // actor == null: the engine processes the Security header without an actor attribute,
>         // and therefore tries every EncryptedKey it finds in that header
>         WSSecurityEngine secEngine = new WSSecurityEngine();
>         secEngine.processSecurityHeader(doc, null, new MyCallbackHandler(), crypto);
>
>         // Serialise the (partly) decrypted document back to a string
>         TransformerFactory tFactory = TransformerFactory.newInstance();
>         Transformer transformer = tFactory.newTransformer();
>         DOMSource source = new DOMSource(doc);
>         StringWriter sw = new StringWriter();
>         StreamResult result = new StreamResult(sw);
>         transformer.transform(source, result);
>         return sw.toString();
>     } catch (Exception ex) {
>         ex.printStackTrace();
>         throw new RuntimeException(ex);
>     }
>
> Here is the input SOAP request:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
>     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>     xmlns:m2="http://ecm.zurich.com/svc/ws/types"
>     xmlns:xs="http://www.w3.org/2001/XMLSchema"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns:m1="http://ecm.zurich.com/svc/ws/document_v1_0">
>   <SOAP-ENV:Header>
>     <m3:Security xmlns:m3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         SOAP-ENV:mustUnderstand="1">
>       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-712593">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>             <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>               <ds:X509IssuerSerial xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                 <ds:X509IssuerName xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                   [EMAIL PROTECTED],CN=SDC Internal CA,OU=ING,O=Swiss Data Center,L=Zurich Insurance,ST=Zurich,C=CH
>                 </ds:X509IssuerName>
>                 <ds:X509SerialNumber xmlns:ds="http://www.w3.org/2000/09/xmldsig#">446</ds:X509SerialNumber>
>               </ds:X509IssuerSerial>
>             </ds:X509Data>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> gL4WtugirLpupgr7i9I6VVHyDu2H6sS1phCX8zY9+65dTf8LtsDSjVFNLaBHmIrfMLXgC1gREA
> +WnUGoObNV5Ek1VePLrCzYp4TGzVR0wxbhF6m1Zzc81wKArtLHflcXKsn5v7rU
> vArC3bh4o7QqBs6o1W13EmI244r9ZA30gqY=
>           </xenc:CipherValue>
>         </xenc:CipherData>
>         <xenc:ReferenceList>
>           <xenc:DataReference xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" URI="#EncDataId-31188783" />
>         </xenc:ReferenceList>
>       </xenc:EncryptedKey>
>       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-30675222">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>             <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>               <ds:X509IssuerSerial xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                 <ds:X509IssuerName xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                   [EMAIL PROTECTED],CN=SDC Internal CA,OU=ING,O=Swiss Data Center,L=Zurich Insurance,ST=Zurich,C=CH
>                 </ds:X509IssuerName>
>                 <ds:X509SerialNumber xmlns:ds="http://www.w3.org/2000/09/xmldsig#">447</ds:X509SerialNumber>
>               </ds:X509IssuerSerial>
>             </ds:X509Data>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> RVKDb7RnEPf1/566a4kSEy0Q8Rq2cglbyEcoxHy7YtFQfQdEs
> +Dx3iC29r2LhYzQidp51ZuLNptJGvFz5eQrFivgqlTfdgxPBC
> +LVXN1zMu9N5f0PVRk8BGsoxK9Jwum05TvEnXu+IbwWpM70roh9H6KlQU5azZf
> YnTUMossrYo=
>           </xenc:CipherValue>
>         </xenc:CipherData>
>         <xenc:ReferenceList>
>           <xenc:DataReference xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" URI="#EncDataId-28179427" />
>           <xenc:DataReference xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" URI="#EncDataId-24390742" />
>         </xenc:ReferenceList>
>       </xenc:EncryptedKey>
>       <m3:UsernameToken xsi:type="m3:UsernameTokenType">
>         <m3:Username>YSV101676</m3:Username>
>         <m3:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
>             xsi:type="m3:PasswordString">r8328hFs</m3:Password>
>       </m3:UsernameToken>
>     </m3:Security>
>   </SOAP-ENV:Header>
>   <SOAP-ENV:Body>
>     <m1:updateMetadata>
>       <m1:docIDs>
>         <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>             Type="http://www.w3.org/2001/04/xmlenc#Content" Id="EncDataId-31188783">
>           <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>               Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
>           <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>             <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> lfVNeqOdi8BjOqdWZ
> +Vniu3oXf9h8sjP2FG7wLHVlrxd/w3Gaj8tpW3r83HhSQk87Ta1CFGPN1VG
> IWBZW6VQOg==
>             </xenc:CipherValue>
>           </xenc:CipherData>
>         </xenc:EncryptedData>
>       </m1:docIDs>
>       <m1:metadata>
>         <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>             Type="http://www.w3.org/2001/04/xmlenc#Content" Id="EncDataId-28179427">
>           <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>               Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
>           <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>             <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> YxeTDZRvhDlAAYmTvMoyp2l3u1fywZJ8uMgI3M
> +hmEEqOoAQwmrWTeG8JEyDFymlycnEoT7siMR9
> dOkauixPm7OIb6uW/2WlpK106/3RqRe/Rwj98zne2WiG6otfM5gWICpc7i2bf9
> 7opS2MFcM85v13
> 6bCXXbEybWw
> +erNexIEUcVg56L50dup4d2PqVNHUSZurdKYwKmR944QjydN25zTO9XjvhoppHCDT
> nuoUz1UuIHiDXtDgFpSknHoGzMA8tWebb4PNy6fBViqfoT39EGNMF7C2N+aVyg
> R2xl3OY63Lbix
> +
> xbxq3g
> +3BHlDbsDaCtVaC4BIM637xr75xQGUp/sHVEx/mY6KUoxcLHQgQbe0vrXKFdWIQ7zHRjQq
> o04PRIJTOWW9hruD+2HS3UEo0v8t
> +G2jHsirqmv17vr1uPcq0NZzRJVSpVAxS1KOIaSBtJeBbxui
> EvB1ZAb9hxOXQ8NYT0xrzp3SFrvkcLLT0h1Skvg50A4r6yBDWFeHUDCX
>             </xenc:CipherValue>
>           </xenc:CipherData>
>         </xenc:EncryptedData>
>       </m1:metadata>
>       <m1:context>
>         <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>             Type="http://www.w3.org/2001/04/xmlenc#Content" Id="EncDataId-24390742">
>           <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>               Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
>           <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>             <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> M960LIC0KgOVcGTbB0CvRaV7ONx2wjjFRhMVrBYW9G61v
> +esYY2mP6p4k9gJWrDyfqthgYDfLyPp
> eRjSpgSAlXNGMwrMW8/9QUlDmKloKQvTLGTSJG5ySpSkrY5NLyTDp1LSnjvWvR
> oaPYuHEBKHdw==
>             </xenc:CipherValue>
>           </xenc:CipherData>
>         </xenc:EncryptedData>
>       </m1:context>
>     </m1:updateMetadata>
>   </SOAP-ENV:Body>
> </SOAP-ENV:Envelope>
>
>
> ******************* PLEASE NOTE *******************
> This message (as well as any attachments to it) may contain confidential or
> legally protected data or information. It is intended exclusively for the
> named person(s). If this message has reached you in error, you are kindly
> asked to destroy it without making any reproduction and to notify the
> sender immediately. Thank you for your help.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
> ----------------------------
> IONA Technologies PLC (registered in Ireland)
> Registered Number: 171387
> Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
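An added example (my code, not from the thread and not WSS4J's own documentation) of the layout Colm suggests and Werner confirms: one wsse:Security header per SOAP actor, each carrying only the EncryptedKey for that recipient, and actor-scoped processing on the intermediary so the EncryptedKey it has no private key for is never handed to EncryptedKeyProcessor. It assumes the WSS4J 1.5 API of the time, a crypto properties file whose keystore holds the recipients' certificates under the aliases "intermediary" and "wagedata", and placeholder actor URIs; the body element names and namespace come from the posted request.

```java
// Added example, not code from the thread. One Security header per SOAP actor,
// each with its own EncryptedKey, so the intermediary decrypts only its own
// parts and forwards the rest still encrypted. WSS4J 1.5 API assumed.
// Assumed: a crypto properties file with certs under the aliases
// "intermediary" and "wagedata"; the actor URIs are placeholders.
import java.util.Vector;
import javax.security.auth.callback.CallbackHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.WSSecEncrypt;
import org.apache.ws.security.message.WSSecHeader;
import org.w3c.dom.Document;

public class ActorScopedEncryption {
    // Body element namespace taken from the request posted in the thread.
    static final String NS = "http://ecm.zurich.com/svc/ws/document_v1_0";
    static final String INTERMEDIARY_ACTOR = "urn:example:intermediary"; // placeholder
    static final String WAGEDATA_ACTOR = "urn:example:wagedata";         // placeholder

    /** Encrypts the named body elements for one recipient inside a Security header
     *  addressed to that actor (WSSecHeader sets SOAP-ENV:actor and mustUnderstand). */
    static Document encryptFor(Document doc, Crypto crypto, String actor, String alias,
                               String... elements) throws Exception {
        WSSecHeader header = new WSSecHeader(actor, true);
        header.insertSecurityHeader(doc);             // a new actor gets its own header
        WSSecEncrypt enc = new WSSecEncrypt();
        enc.setUserInfo(alias);                       // recipient's certificate alias
        enc.setKeyIdentifierType(WSConstants.ISSUER_SERIAL); // X509IssuerSerial, as in the thread
        enc.setSymmetricEncAlgorithm(WSConstants.AES_128);
        Vector parts = new Vector();
        for (String e : elements) parts.add(new WSEncryptionPart(e, NS, "Content"));
        enc.setParts(parts);
        return enc.build(doc, crypto, header);        // EncryptedKey + ReferenceList for this actor only
    }

    /** Client side: docIDs for the intermediary, metadata and context for the target. */
    public static Document buildRequest(Document doc, Crypto crypto) throws Exception {
        doc = encryptFor(doc, crypto, INTERMEDIARY_ACTOR, "intermediary", "docIDs");
        return encryptFor(doc, crypto, WAGEDATA_ACTOR, "wagedata", "metadata", "context");
    }

    /** Intermediary side: passing its actor makes the engine skip the other header,
     *  so the foreign EncryptedKey never reaches EncryptedKeyProcessor ("alias is null"). */
    public static Vector processAsIntermediary(Document doc, Crypto crypto,
                                               CallbackHandler passwordCallback) throws Exception {
        WSSecurityEngine engine = new WSSecurityEngine();
        return engine.processSecurityHeader(doc, INTERMEDIARY_ACTOR, passwordCallback, crypto);
    }
}
```

After processAsIntermediary the metadata and context elements are still xenc:EncryptedData in the DOM, which is what the intermediary forwards unchanged to the target service.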
