Thread: WSIT - How to sign without encryption?

Replies: 20 - Last Post: Dec 27, 2008 12:44 AM by: jdg6688
malm

Posts: 39
WSIT - How to sign without encryption?
Posted: Dec 23, 2008 6:48 AM
 

I have a requirement for a webservice client to do SOAP message body signing (using RSA-SHA) but no header encryption, and I can't figure out how to write the appropriate WS-Policy for that. Signing the body is easy with the combination of an AsymmetricBinding and a signedPart/Body declaration. However, the generated messages seem to always have their headers encrypted (same when using SymmetricBinding). How can I tell Metro to leave the headers unencrypted? I.e. the final message should look roughly like this:

<soapenv:Envelope ...>
<soapenv:Header>
<wsse:Security ...>
<wsse:UsernameToken...>
...
</wsse:UsernameToken>
<wsse:BinarySecurityToken...>XXXXXXXXXXXX</wsse:BinarySecurityToken>
<ds:Signature ...>
....
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body ...>
...
</soapenv:Body>
</soapenv:Envelope>

I have read through some of the specs and I can't figure out how to configure this. On the other hand the service I need to talk to has this requirement and the provider claims that it is WS-Security compliant.

Thanks

Manuel

Wim Vandenhaute
Re: WSIT - How to sign without encryption?
Posted: Dec 23, 2008 6:52 AM   in response to: malm

You'll have to set the protectionlevel of the endpoint contract to
ProtectionLevel.Sign

so client.Endpoint.Contract.ProtectionLevel = ProtectionLevel.Sign



malm

Posts: 39
Re: WSIT - How to sign without encryption?
Posted: Dec 23, 2008 7:29 AM   in response to: Wim Vandenhaute
 

> You'll have to set the protectionlevel of the
> endpoint contract to
> ProtectionLevel.Sign
>
> so client.Endpoint.Contract.ProtectionLevel =
> ProtectionLevel.Sign
>
Thanks for the suggestion but I am confused now - how do I do that in a WS-Policy? I searched the WS-Policy specification for the word ProtectionLevel and I couldn't find it. Further digging seems to indicate that "Contract.ProtectionLevel" is a WCF concept. How do I translate this into the Java world? My apologies if I missed something obvious here.

Wim Vandenhaute
Re: WSIT - How to sign without encryption?
Posted: Dec 23, 2008 7:32 AM   in response to: malm

Hmm my apologies, I seem to have mistaken this for another mailing list.
The suggestion I gave is indeed specifically for WCF clients.
Not sure on how to accomplish this using metro tho.

Apologies for causing confusion ;-)



Glen Mazza
Re: WSIT - How to sign without encryption?
Posted: Dec 23, 2008 10:57 AM   in response to: malm

Manuel, like I said I have not done this before, but the client-side
configuration is actually *summed* (combined) between the client-side config
files *and* the local WSDL file hardcoded into the *Service.java jax-ws
generated class (in my blog entry[1], DoubleItService.java). It would be
good for you to open that *Service.java generated file to see the hardcoded
WSDL reference, so you'll know what I'm referring to.

Further, if you look at the bottom two of the three ws:policy sections in
the service-side WSDL[1] (which, again, is also read by the client via that
*Service.java class), you'll see that there are operation-level policies
(not the binding-level policy, which is the *first* of the three--look in the
wsdl:binding section of the service-side WSDL to see how the three are
referenced at different locations). Those latter two specify what needs to
be encrypted and/or signed both on input and output.

What does this mean? If you remove the encrypted element from the output
policy from your *local* WSDL, the client will probably just sign things
without encrypting them. (Alternatively, you can remove all policies from
your local WSDL and instead add them to your client-side config files. Just
be careful--one of the weaknesses of my tutorial is that the client-side and
service-side are using the same *Service.java class, and as a result share
the same WSDL by default.) Also, you will probably need to modify the input
policy, to take into account that the client possibly may not be receiving
encrypted and/or signed data from the web service provider. If you do not
modify it, the client will complain if what it gets back from the web
service provider is not encrypted and/or signed in adherence to the input
policy.

HTH,
Glen

[1]
http://www.jroller.com/gmazza/entry/implementing_ws_security_with_pki#MetroPKI3





malm

Posts: 39
Re: WSIT - How to sign without encryption?
Posted: Dec 23, 2008 4:37 PM   in response to: Glen Mazza
 

Glen,

thanks for your response and explanations. That is all fine and I had been modifying the 'original' WSDL, i.e. the WSDL referenced by the Service.java class, all along.

The problem still is that I cannot figure out how to tell the Metro stack to not encrypt the UsernameToken in the header. I can control encryption and signature of the body. If you look at the SignedParts/SignedElements/EncryptedParts/EncryptedElements assertions in WS-Policy, they allow you to specify what should be signed/encrypted but not what should NOT be signed/encrypted.

Then again, I couldn't find in the specifications where it says that when you have an AsymmetricBinding or SymmetricBinding the header tokens are always encrypted, which Metro seems to do.

So I am still floundering here. I think I have a reasonable grasp on how it hangs together but this particular aspect is still baffling me.

Glen Mazza
Re: WSIT - How to sign without encryption?
Posted: Dec 23, 2008 7:50 PM   in response to: malm

First of all, I'm assuming of course that you're using SSL if you don't want
the username/password token encrypted--furthermore, your web service
provider will *not* accept non-SSL requests if it indeed wants the
username/password to be unencrypted. Otherwise, there's something wrong
with your web service provider and you probably shouldn't be interacting
with it until that problem is resolved.

The client of my username token example[1], in Step #6, is *not* encrypting
the username token--you can see "alice" and "clarinet" in the soap:header.
So this at least can be done--I think the problem occurs when you either (a)
specify Asymmetric or symmetric binding and/or (b) add in the two
operation-level Policy statements used in X.509 but not the username token
profile. I would forget about the signatures for a moment and try to
isolate what--either (a) or (b)--causes the username token to become
encrypted--the more precise you can get about what causes encryption to
occur, that might help a bit in troubleshooting.

Note there's a chance Asymmetric and Symmetric-binding *always* encrypts the
SOAP headers because that is Message-Level security (instead of the "normal"
transport-level security provided by SSL.) Message-level security is
designed to allow you to remove the need for using SSL, hence there is a
good chance that username tokens would always be encrypted as a safety
measure. (Even if not mandated by the spec, Metro may very well have such
safety guards to protect against less skilled developers accidentally
sending username/passwords out unencrypted, because message-level security
implies that you may not be using SSL.)

Besides asymmetric and symmetric, there is a third option,
TransportBinding[2] I believe that just requires SSL, that might not encrypt
your username tokens as a result. But can you still do signatures with that
third option? Perhaps, but I don't know the syntax.

If you're really about-to-join-the-circus desperate, you can try CXF, it is
more primitive in its configuration but can be more flexible when you're
trying to do weirdo stuff like here. It may not be that much work because
thankfully you're just doing a SOAP client and not a web service provider.
In Step #5, Substep #1 of here[3] you'll have an action of "UsernameToken
Signature" and you'll want to keep the encryptionParts field blank (username
configuration info is here[4]). Will it work? I have no idea. Caution
though--if you get spurned by a second web service stack you might start
bouncing off the walls, so try to protect your sanity if you go this route.

Glen

[1]
http://www.jroller.com/gmazza/entry/implementing_ws_security_using_usernametokens
[2]
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826558
[3] http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the
[4] http://www.jroller.com/gmazza/entry/using_cxf_and_wss4j_to



malm

Posts: 39
Re: WSIT - How to sign body without header encryption?
Posted: Dec 23, 2008 8:43 PM   in response to: Glen Mazza
 

Yes, it's all over SSL. And I have no idea what the original designers of the service had in mind by using this particular setup. Using (A)symmetricBinding I always get an encrypted UsernameToken in the header. Using TransportBinding I get the clear UsernameToken in the header but no signature on the body. Tried various permutations without luck.

I guess it's time to take a Christmas break here. Changing the web services stack is not a pleasant thought, especially as we already have a plethora of web services clients in the same system all based on JAX-WS.

Wonder if any of the relevant Sun developers are reading these forums and could chime in with a quick 'Yes -can be done and here is how' or 'No - this is not a Metro 1.4 supported scenario'.

jdg6688

Posts: 859
Re: WSIT - How to sign body without header encryption?
Posted: Dec 26, 2008 11:56 PM   in response to: malm
 

Can you try the following policy with TransportBinding:

<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy>
    <sp:TransportToken>
      <wsp:Policy>
        <sp:HttpsToken RequireClientCertificate="false"/>
      </wsp:Policy>
    </sp:TransportToken>
    <sp:AlgorithmSuite>
      <wsp:Policy>
        <sp:Basic256/>
      </wsp:Policy>
    </sp:AlgorithmSuite>
    <sp:Layout>
      <wsp:Policy>
        <sp:Lax/>
      </wsp:Policy>
    </sp:Layout>
    <sp:IncludeTimestamp/>
  </wsp:Policy>
</sp:TransportBinding>
<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:WssUsernameToken10/>
      </wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy>
</sp:SignedSupportingTokens>
<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy>
    <!-- IncludeToken URI completed to the same .../IncludeToken/AlwaysToRecipient form used for the UsernameToken above -->
    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:RequireDerivedKeys />
        <sp:RequireThumbprintReference />
        <sp:WssX509V3Token10 />
      </wsp:Policy>
    </sp:X509Token>
    <sp:SignedParts>
      <sp:Body/>
    </sp:SignedParts>
  </wsp:Policy>
</sp:EndorsingSupportingTokens>

malm

Posts: 39
Re: WSIT - How to sign body without header encryption?
Posted: Dec 27, 2008 12:16 AM   in response to: jdg6688
 

Thanks for the suggestion. I tried it but it didn't work for me:

27/12/2008 5:12:57 PM com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor sign
SEVERE: WSS1701: Sign operation failed.
com.sun.xml.wss.XWSSecurityException: Unsupported Key Binding:X509CertificateBinding::::null::Thumbprint
at com.sun.xml.ws.security.opt.impl.keyinfo.DerivedKeyTokenBuilder.process(DerivedKeyTokenBuilder.java:171)
at com.sun.xml.ws.security.opt.impl.dsig.TokenProcessor.process(TokenProcessor.java:184)
at com.sun.xml.ws.security.opt.impl.dsig.SignatureProcessor.sign(SignatureProcessor.java:109)
at com.sun.xml.wss.impl.filter.SignatureFilter.sign(SignatureFilter.java:544)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:506)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:268)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:186)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:147)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:389)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:236)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:166)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
at com.sun.xml.ws.client.Stub.process(Stub.java:222)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at $Proxy41.denPing(Unknown Source)
at au.com.arcus.qld.lto.TestClient.main(TestClient.java:37)

jdg6688

Posts: 859
Re: WSIT - How to sign body without header encryption?
Posted: Dec 27, 2008 12:23 AM   in response to: malm
Correct

Ok. This is a technical issue. Remove the RequireDerivedToken for X509Token. So you have:

<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
  <wsp:Policy>
    <sp:WssX509V3Token10 />
  </wsp:Policy>
</sp:X509Token>

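As an added example (not part of the thread and not Metro code), here is a small client-side check that can be run over a captured outbound envelope to confirm it has the shape asked for at the top of the thread: a clear-text UsernameToken in the Security header, a ds:Signature whose Reference points at the Body's wsu:Id, and no xenc:EncryptedData anywhere. The namespaces are the WS-Security 1.0, XML-DSig and XML-Enc ones; the two sample envelopes are constructed, with placeholders standing in for the certificate, digest, signature, password and ciphertext values, and the class and method names are assumptions of this example.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Inspects a captured SOAP envelope and reports where it deviates from the
 * protection discussed in the thread: Body signed, UsernameToken in clear
 * text, nothing encrypted. Added example; not Metro code.
 */
public class MessageProtectionCheck {

    // WS-Security 1.0, XML-DSig and XML-Enc namespaces.
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DS   = "http://www.w3.org/2000/09/xmldsig#";
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";

    /** Returns the deviations found; an empty list means the envelope has the required shape. */
    public static List<String> check(String envelopeXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The envelope comes off the wire, so refuse DTDs and external entities before parsing.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        DocumentBuilder builder = f.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(envelopeXml)));
        List<String> findings = new ArrayList<>();

        // 1. Any xenc:EncryptedData means a header token or the Body was encrypted.
        if (doc.getElementsByTagNameNS(XENC, "EncryptedData").getLength() > 0) {
            findings.add("xenc:EncryptedData present: part of the message is encrypted");
        }

        // 2. A readable wsse:UsernameToken must sit in the header.
        NodeList tokens = doc.getElementsByTagNameNS(WSSE, "UsernameToken");
        if (tokens.getLength() == 0) {
            findings.add("no clear-text wsse:UsernameToken in the header");
        } else if (((Element) tokens.item(0)).getElementsByTagNameNS(WSSE, "Username").getLength() == 0) {
            findings.add("wsse:UsernameToken carries no wsse:Username");
        }

        // 3. The Body must have a wsu:Id that some ds:Reference in the signature points at.
        NodeList bodies = doc.getElementsByTagNameNS(SOAP, "Body");
        if (bodies.getLength() == 0) {
            findings.add("no soapenv:Body");
            return findings;
        }
        String bodyId = ((Element) bodies.item(0)).getAttributeNS(WSU, "Id");
        boolean bodySigned = false;
        NodeList refs = doc.getElementsByTagNameNS(DS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            if (!bodyId.isEmpty() && ("#" + bodyId).equals(uri)) {
                bodySigned = true;
            }
        }
        if (!bodySigned) {
            findings.add("no ds:Reference to the Body (wsu:Id='" + bodyId + "')");
        }
        return findings;
    }

    /** Wraps a constructed envelope around the given header token; every value is a placeholder. */
    static String envelope(String headerToken) {
        return "<soapenv:Envelope xmlns:soapenv='" + SOAP + "' xmlns:wsse='" + WSSE + "'"
            + " xmlns:wsu='" + WSU + "' xmlns:ds='" + DS + "' xmlns:xenc='" + XENC + "'>"
            + "<soapenv:Header><wsse:Security>" + headerToken
            + "<wsse:BinarySecurityToken>BASE64-CERT-PLACEHOLDER</wsse:BinarySecurityToken>"
            + "<ds:Signature><ds:SignedInfo><ds:Reference URI='#body'>"
            + "<ds:DigestValue>DIGEST-PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>"
            + "<ds:SignatureValue>SIGNATURE-PLACEHOLDER</ds:SignatureValue></ds:Signature>"
            + "</wsse:Security></soapenv:Header>"
            + "<soapenv:Body wsu:Id='body'><ping/></soapenv:Body></soapenv:Envelope>";
    }

    // Constructed clear-text token, the shape the thread wants on the wire.
    static final String CLEAR_TOKEN =
        "<wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
        + "<wsse:Password>PASSWORD-PLACEHOLDER</wsse:Password></wsse:UsernameToken>";

    // Constructed encrypted token, the shape the thread reports for the (A)symmetricBinding case:
    // the UsernameToken replaced in the Security header by an xenc:EncryptedData element.
    static final String ENCRYPTED_TOKEN =
        "<xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>CIPHERTEXT-PLACEHOLDER"
        + "</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>";

    public static void main(String[] args) throws Exception {
        System.out.println("signed body, clear token: " + check(envelope(CLEAR_TOKEN)));
        System.out.println("token encrypted:          " + check(envelope(ENCRYPTED_TOKEN)));
    }
}
```

Compile and run with javac/java: the first envelope produces no findings, the second flags the EncryptedData and the missing clear-text token. The check tests structure only; verifying the signature's cryptographic validity remains the job of the WS-Security stack on the receiving side.
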
malm

Posts: 39
Re: WSIT - How to sign body without header encryption?
Posted: Dec 27, 2008 12:33 AM   in response to: jdg6688
 

Thank you very much - that seems to give exactly the desired result!

jdg6688

Posts: 859
Re: WSIT - How to sign body without header encryption?
Posted: Dec 27, 2008 12:43 AM   in response to: malm
 

Can you always comment on the relevant issue you filed so that we have a track on this?

Thanks!

Jiandong

jdg6688

Posts: 859
Re: WSIT - How to sign body without header encryption?
Posted: Dec 27, 2008 12:44 AM   in response to: jdg6688
 

> Can you always
I mean "also".

> comment on the relevant issue you
> filed so that we have a track on this?
>
> Thanks!
>
> Jiandong

kumarjayanti

Posts: 1,125
Re: WSIT - How to sign without encryption?
Posted: Dec 23, 2008 11:07 PM   in response to: malm
 

I guess too many posts have happened on this topic and it is very confusing. If you point me to your server WSDL I can modify your WSDL to achieve what you are looking for.

Please note the following recommendations in WS-SecurityPolicy Spec :
---------------------------
5.3.1 UsernameToken Assertion
This element represents a requirement to include a username token.

There are cases where encrypting the UsernameToken is reasonable. For example:
1. When transport security is not used.
2. When a plaintext password is used.
3. When a weak password hash is used.
4. When the username needs to be protected, e.g. for privacy reasons.
----------------------------

This is the reason why you are seeing the username in encrypted form.

However if you pick the latest builds (https://metro.dev.java.net/servlets/ProjectDocumentList?folderID=9700&expandFolder=9700&folderID=9003)
they would allow you to specify a UsernameToken as a SupportingToken which will not be encrypted, please see :

http://weblogs.java.net/blog/kumarjayanti/archive/2008/11/plain_text_user.html

And if you do not want the message payload to be encrypted, make sure there are no EncryptedParts assertions in your WSDL. Anyway, attach your WSDL and I can make the changes for you.

malm

Posts: 39
Re: WSIT - How to sign without encryption?
Posted: Dec 24, 2008 12:19 AM   in response to: kumarjayanti
 

I had seen your blog before and had tried SupportingToken without success. Now tried it again with both the 1.4 nightly and 1.5 nightly but no luck. The UsernameToken in the header is still encrypted. Because the WSDL is pretty big I have attached just the WS-Policy section. Hopefully you can spot where I got it wrong.

Thank you very much

kumarjayanti

Posts: 1,125
Re: WSIT - How to sign without encryption?
Posted: Dec 26, 2008 2:15 AM   in response to: malm
Helpful

Your policy seems fine.

It appears that the Metro support for unencrypted Username-Password is only when the Binding Assertions are absent (the policy has to be like what I show in my blog post, with just a SupportingTokens assertion and no AsymmetricBinding assertion).

If you are not pressed for time, file an issue and we will consider the alternative behaviour. But can you tell us what you are using at the server? Is it a .Net service? Because .Net 3.5 (as best I know) requires an encrypted username in this particular scenario.

malm

Posts: 39
Re: WSIT - How to sign without encryption?
Posted: Dec 26, 2008 3:31 AM   in response to: kumarjayanti
 

I can't tell you much about the server as this information is not provided. Between the lines I understand it is Weblogic. It is a state government provided web service (access to land titles information for authorised brokers) and has been around for some time. Obviously other brokers successfully connect to it but again between the lines I understood that this security setup has caused problems for others as well. Independent of what .Net does, even if it is an unusual setup, it does seem to be conformant to the WS-Security specification.

Regarding modelling this with WS-SecurityPolicy, wouldn't that be the distinction between a SupportedToken, SignedSupportedToken and EncryptedSupportedToken? What particular aspect of the WS-SecurityPolicy indicates that a simple SupportedToken should be encrypted when a certain binding is present?

Timing is not pressing if you are talking about a few weeks, but if we talk months it would be critical to us. I will file an issue nevertheless.

Regarding a workaround: I have absolutely no experience with XWSS but wonder if a programmed solution would be possible, e.g. writing a JAX-WS handler and then call the XWSS API to do the signing of the body?

On a related (but different) note: I noticed that when using your example (or Glen's for that matter) to generate a UsernameToken, no "nonce" element is generated. How do I convince Metro to generate a "nonce" element within a UsernameToken?

kumarjayanti

Posts: 1,125
Re: WSIT - How to sign without encryption?
Posted: Dec 26, 2008 4:23 AM   in response to: malm
Helpful

> Regarding modelling this with WS-SecurityPolicy,
> wouldn't that be the distinction between a
> SupportedToken, SignedSupportedToken and
> EncryptedSupportedToken? What particular aspect of
> the WS-SecurityPolicy indicates that a simple
> SupportedToken should be encrypted when a certain
> binding is present?

Please note the following recommendations in WS-SecurityPolicy Spec :
---------------------------
5.3.1 UsernameToken Assertion
This element represents a requirement to include a username token.

There are cases where encrypting the UsernameToken is reasonable. For example:
1. When transport security is not used.
2. When a plaintext password is used.
3. When a weak password hash is used.
4. When the username needs to be protected, e.g. for privacy reasons.
----------------------------

1, 2 and possibly 4 above apply to your use case, since an unencrypted password is being sent over the wire.

Actually version 1.2 of the spec clarified that one may use SignedEncryptedSupportingTokens to encrypt the UT. However, we support the earlier version of the spec as well, and there it was reasonable and required to be able to interop with .NET 3.0.

> Regarding a workaround: I have absolutely no
> experience with XWSS but wonder if a programmed
> solution would be possible, e.g. writing a JAX-WS
> handler and then call the XWSS API to do the signing
> of the body?

Yes, please pick up the XWSS policy files from : (Download Sample Here : SecureXWSS20JDK6.zip) https://xwss.dev.java.net/servlets/ProjectDocumentList?folderID=7894

This solution does not require a handler.

The handler approach with XWSS API's is also possible, see https://xwss.dev.java.net/Securing_JAVASE6_WebServices.html

Note : though this article talks of SE 6 style endpoints the XWSS code would be same for normal JAXWS endpoints as well.

Please note that XWSS 2.0 style approaches make use of DOM (Apache XML Sec) based implementation of WS-Security whereas the default Metro implementation with WS-SecurityPolicy makes use of a Streaming Implementation

>
> On a related (but different) note: I noticed that
> when using your example (or Glenn's for that matter)
> to generate a UsernameToken that no "nonce" element
> is generated. How do I convince Metro to generate a
> "nonce" element within a UsernameToken?

The nonce is currently sent only when one enables Password Digest Authentication (HashedPassword assertion) via policy.

If you need a nonce with plain-text UT, please add an additional note to the issue you filed. We can make it configurable.

malm

Posts: 39
Re: WSIT - How to sign without encryption?
Posted: Dec 26, 2008 3:49 AM   in response to: kumarjayanti
 

Issue filed: https://wsit.dev.java.net/issues/show_bug.cgi?id=1071



