WS Security with attachment encryption


WS Security with attachment encryption

Kai Rommel
Hello Colm,

I configured a WS-Consumer with WS-Security.
It works fine for body encryption when the message is sent to the WS-Provider. Besides the SOAP header, the SOAP envelope also contains the SOAP body:

...</wsse:Security></soap:Header><soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-f2366587-d90a-44c5-9b03-22dccc6a177d"><xenc:EncryptedData .....


Now I enhanced my scenario by encrypting attachments, too.
My WSS4J Interceptor looks like this:
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
 id="Sign_Request">
 <constructor-arg>
     <map>
         <entry key="action" value="Timestamp Signature Encrypt" />
         <entry key="user" value="wss" />
         <entry key="signatureUser" value="wss" />
         <entry key="signaturePropFile" value="jks/client.properties" />
         <entry key="signatureKeyIdentifier" value="DirectReference" />
         <entry key="passwordCallbackClass" value="demo.ws_rm.client.CallBack" />
         <!-- with attachments -->
         <entry key="signatureParts"
             value="{}cid:Attachments;
             {Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;
             {Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
         <entry key="encryptionUser" value="wss" />
         <entry key="encryptionPropFile" value="jks/client.properties" />
         <entry key="encryptionParts"
          value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body; {}cid:Attachments" />
     </map>
 </constructor-arg>
</bean>

Now the soap:Body is missing from the soap:Envelope. The Header element is closed, but no Body element is opened:
...</wsse:Security></soap:Header><xenc:EncryptedData xmlns:....

The attachments are encrypted fine, but the message cannot be decrypted on the WS-Provider side because of the missing Body element.

I am using cxf 3.2.0-SNAPSHOT and wss4j 2.2.0-SNAPSHOT.

Are you able to reproduce the error, or is my WSS4J interceptor configuration wrong?

Thanks for your help.

Best regards
Kai

Re: WS Security with attachment encryption

Colm O hEigeartaigh-2
I can't reproduce...I added a similar test to CXF and it works fine:

https://git1-us-west.apache.org/repos/asf?p=cxf.git;a=commit;h=0eafb7f8

Colm.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: WS Security with attachment encryption

Kai Rommel
Hello Colm,

thanks, my configuration was wrong. I had configured:

<entry key="encryptionParts" value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body; {}cid:Attachments" />


Now I am using (like in your test):

<entry key="encryptionParts" value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}cid:Attachments;" />

and it works fine.

The documentation states {}cid:Attachments. Maybe it can be updated to {Element}cid:Attachments.


Is there a special reason why I have to use {Element}{http://schemas.xmlsoap.org/soap/envelope/}Body in signatureParts and {}{http://schemas.xmlsoap.org/soap/envelope/}Body in encryptionParts?

Thanks.

Best regards

Kai


Re: WS Security with attachment encryption

Colm O hEigeartaigh-2
"Element" refers to the entire Element, whereas "Content" refers to the content of the Element. So obviously, if you are encrypting the SOAP Body, you only want to encrypt the "Content" and not the "Element", as otherwise the "soap:Body" part gets encrypted and the result is not a valid SOAP message. With Signature, you might as well sign the entire Element, as the result is still a valid SOAP message.

Colm.

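To make the Element-versus-Content distinction from the thread concrete, the following is an added Python example; it is not code from the thread, from CXF or from WSS4J. It parses WSS4J-style encryptionParts/signatureParts strings in the grammar the thread uses ({Element|Content|}[{namespace}]LocalName, or {...}cid:Attachments), then simulates the structural effect of the two modes on a constructed SOAP envelope: {Element} replaces the matched element itself, {Content} (the bare {} default) replaces only its children. No real XML Encryption is performed; a placeholder xenc:EncryptedData element stands in for the ciphertext. The lint function flags the exact misconfiguration that cost Kai the soap:Body before the message reaches the wire.

```python
"""Added example (not from the thread, CXF or WSS4J): parse WSS4J-style
parts strings and show structurally why {Element} on soap:Body breaks the
envelope while {Content} / {} keeps it valid.  Encryption is simulated with
a placeholder xenc:EncryptedData element; no real XML Encryption is done."""
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("xenc", XENC_NS)

# The two encryptionParts values from the thread: the one that lost soap:Body
# and the one that worked.
BROKEN_SPEC = "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body; {}cid:Attachments"
WORKING_SPEC = "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}cid:Attachments;"

# Constructed sample envelope (not from the thread), as it looks before encryption.
SAMPLE_ENVELOPE = (
    '<soap:Envelope xmlns:soap="%s"><soap:Header/>'
    '<soap:Body><o:Order xmlns:o="urn:example:orders"><o:Id>42</o:Id></o:Order></soap:Body>'
    '</soap:Envelope>' % SOAP_NS
)

# One part: {Element|Content|}[{namespace}]LocalName, or {...}cid:Attachments.
# An empty {} means Content, which is the WSS4J default mode.
PART_RE = re.compile(r"^\{(?P<mode>Element|Content)?\}(?:\{(?P<ns>[^}]*)\})?(?P<name>\S+)$")


def parse_parts(spec):
    """Return a list of (mode, namespace, local_name) tuples for a parts string."""
    parts = []
    for raw in spec.split(";"):
        raw = raw.strip()          # tolerates the multi-line values seen in Spring XML
        if not raw:
            continue               # trailing ';' yields an empty item
        m = PART_RE.match(raw)
        if m is None:
            raise ValueError("unparseable part: %r" % raw)
        parts.append((m.group("mode") or "Content", m.group("ns") or "", m.group("name")))
    return parts


def apply_encryption_parts(envelope_xml, parts):
    """Replace each matched element ({Element}) or only its children ({Content})
    with a placeholder xenc:EncryptedData, mirroring what XML Encryption does
    to the document structure in each mode."""
    root = ET.fromstring(envelope_xml)
    for mode, ns, name in parts:
        if name.startswith("cid:"):
            continue               # MIME attachments live outside the envelope
        tag = "{%s}%s" % (ns, name)
        # collect first, mutate afterwards, so the tree walk is not disturbed
        targets = [(p, c) for p in root.iter() for c in list(p) if c.tag == tag]
        for parent, child in targets:
            placeholder = ET.Element("{%s}EncryptedData" % XENC_NS)
            if mode == "Element":
                # the element itself disappears: exactly what happened to soap:Body
                idx = list(parent).index(child)
                parent.remove(child)
                parent.insert(idx, placeholder)
            else:
                # Content mode: the wrapper stays, only its children are replaced
                for grandchild in list(child):
                    child.remove(grandchild)
                child.append(placeholder)
    return ET.tostring(root, encoding="unicode")


def body_is_intact(envelope_xml):
    """True when soap:Body is still a direct child of soap:Envelope."""
    root = ET.fromstring(envelope_xml)
    return root.find("{%s}Body" % SOAP_NS) is not None


def lint_encryption_parts(spec):
    """Flag the misconfiguration from the thread before it reaches the wire."""
    warnings = []
    for mode, ns, name in parse_parts(spec):
        if ns == SOAP_NS and name == "Body" and mode == "Element":
            warnings.append("encryptionParts: {Element} on soap:Body removes the Body "
                            "element itself; use {Content} or {} so the envelope stays valid")
    return warnings


if __name__ == "__main__":
    for label, spec in (("broken", BROKEN_SPEC), ("working", WORKING_SPEC)):
        out = apply_encryption_parts(SAMPLE_ENVELOPE, parse_parts(spec))
        print(label, "body intact:", body_is_intact(out), lint_encryption_parts(spec))
        print("   ", out)
```

Running the script prints the broken variant with xenc:EncryptedData directly after soap:Header, the same shape as the truncated envelope quoted earlier in the thread, and the working variant with soap:Body still wrapping the ciphertext. The same parser works for signatureParts, where {Element} on soap:Body is harmless because signing does not remove anything from the document.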