SHA256 support for signing the STS token in CXF 2.7.15?

SHA256 support for signing the STS token in CXF 2.7.15?

Yang, Gang CTR USARMY (US)

Hi,

I'm using CXF 2.7.15. I understand that earlier CXF does not support SHA256, but because of https://issues.apache.org/jira/i#browse/CXF-5013, which was fixed in 2.7.6, can I assume 2.7.15 has the fix? Can someone provide a pointer on how I can configure the STS client and/or STS server to sign the SAML token with RSA-SHA256?

Thanks,

Gang


RE: SHA256 support for signing the STS token in CXF 2.7.15?

Stephen.CTR.Chappell

Hi –

 

I have this configured through a property on my endpoint, like this:

 

<jaxws:endpoint … >
    <jaxws:properties>
        <entry key="ws-security.asymmetric.signature.algorithm"
               value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
    </jaxws:properties>
</jaxws:endpoint>

 

Thanx,

 

Stephen W. Chappell

 

From: Yang, Gang CTR USARMY (US) [mailto:[hidden email]]
Sent: Tuesday, June 23, 2015 11:47 AM
To: [hidden email]
Subject: SHA256 support for signing the STS token in CXF 2.7.15?

RE: SHA256 support for signing the STS token in CXF 2.7.15?

Yang, Gang CTR USARMY (US)

Stephen,

Thanks for the reply. It did help to change the STR and STRC messages to use rsa-sha256. I had to change it on both the client and server sides. However, it did not affect the returned SAML token, which is still signed using rsa-sha1.

Gang


From: [hidden email] [[hidden email]]
Sent: Tuesday, June 23, 2015 12:46 PM
To: [hidden email]
Subject: RE: SHA256 support for signing the STS token in CXF 2.7.15?

RE: SHA256 support for signing the STS token in CXF 2.7.15?

Stephen.CTR.Chappell

Sorry about that, I missed a bit of configuration. In my global STS properties there’s a setting for that as well:

 

    <bean id="globalSTSProperties" class="org.apache.cxf.sts.StaticSTSProperties">
        <property name="signatureProperties" ref="bstSignatureProperties"/>
        …
    </bean>

    <bean id="bstSignatureProperties" class="org.apache.cxf.sts.SignatureProperties">
        <property name="signatureAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <property name="digestAlgorithm" value="http://www.w3.org/2001/04/xmlenc#sha256" />
    </bean>

 

Stephen W. Chappell

 

From: Yang, Gang CTR USARMY (US) [mailto:[hidden email]]
Sent: Tuesday, June 23, 2015 2:53 PM
To: [hidden email]
Subject: RE: SHA256 support for signing the STS token in CXF 2.7.15?

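Added example, not code from the thread or from CXF: a small Python checker that parses an STS response and reports the SignatureMethod and DigestMethod URIs of every ds:Signature, keyed by the element it signs, so that the WS-Security header signature (governed by ws-security.asymmetric.signature.algorithm) and the issued SAML assertion's signature (governed by SignatureProperties on the STS) can be checked independently. The SOAP response below is a constructed sample that reproduces the intermediate state described above (message signature on rsa-sha256, token still on rsa-sha1); the element layout is assumed, not captured from a real CXF deployment.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
WEAK = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        "http://www.w3.org/2000/09/xmldsig#sha1"}

# Constructed STS response (assumed layout): the WS-Security header signature
# already uses rsa-sha256, but the issued SAML assertion is still rsa-sha1.
SAMPLE_RESPONSE = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soap:Header><Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
   <ds:Reference URI="#body"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
 </Security></soap:Header>
 <soap:Body><RequestSecurityTokenResponse xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <RequestedSecurityToken>
   <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
    <ds:Signature><ds:SignedInfo>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
    </ds:SignedInfo></ds:Signature>
   </Assertion>
  </RequestedSecurityToken>
 </RequestSecurityTokenResponse></soap:Body>
</soap:Envelope>"""

def audit_signatures(xml_text):
    """One dict per ds:Signature: the element it sits in, its algorithms, and a SHA-1 flag."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    report = []
    for sig in root.iter(DS + "Signature"):
        owner = parent_of[sig].tag.split("}")[-1]       # e.g. Security, Assertion
        method = sig.find(DS + "SignedInfo/" + DS + "SignatureMethod")
        sig_alg = method.get("Algorithm") if method is not None else None
        digests = [d.get("Algorithm") for d in sig.iter(DS + "DigestMethod")]
        report.append({"signed_element": owner, "signature": sig_alg, "digests": digests,
                       "weak": sig_alg in WEAK or any(d in WEAK for d in digests)})
    return report

def still_sha1(xml_text):
    """Names of signed elements that still use SHA-1 anywhere; empty list means none."""
    return [r["signed_element"] for r in audit_signatures(xml_text) if r["weak"]]

if __name__ == "__main__":
    for r in audit_signatures(SAMPLE_RESPONSE):
        print(r)
```

Run it against a captured RequestSecurityTokenResponse after changing each setting: the endpoint property should clear the Security entry, and the STS SignatureProperties bean should clear the Assertion entry.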

RE: SHA256 support for signing the STS token in CXF 2.7.15?

Yang, Gang CTR USARMY (US)

This worked! Thank you very much!

 

Gang


From: [hidden email] [[hidden email]]
Sent: Tuesday, June 23, 2015 3:00 PM
To: [hidden email]
Subject: RE: SHA256 support for signing the STS token in CXF 2.7.15?
