Disabling InclusivePrefixList in WSIT

XWSS 3.0 in WSIT by default generates InclusivePrefixList for Exclusive canonicalization algorithm under Signatures and not many implementations of WS Security support this element. So incase you face such a issue where WS Security implementation reject messages generated from WSIT for this reason. You can now disable use of InclusivePrefixList in outgoing messages generated by WSIT by adding “DisableInclusivePrefixList” policy assertion.

Server side policy assertion :
<sunsp:DisableInclusivePrefixListxmlns:sunsp="http://schemas.sun.com/2006/03/wss/server"></sunsp:DisableInclusivePrefixList>

Client side policy assertion :
<sunsp:DisableInclusivePrefixListxmlns:sunsp="http://schemas.sun.com/2006/03/wss/client"></sunsp:DisableInclusivePrefixList>

Sample Signature when DisableInclusivePrefixList is used.

<ds:Signature xmlns:ns10="http://schemas.xmlsoap.org/soap/envelope/" Id="1">
    <ds:SignedInfo> 
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />        
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />        
        <ds:Reference URI="#5002">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>            
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />            
            <ds:DigestValue>...........</ds:DigestValue>
        </ds:Reference>        
        <ds:Reference URI="#3">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>            
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />            
            <ds:DigestValue>...........</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>    
    <ds:SignatureValue>................</ds:SignatureValue>    
    <ds:KeyInfo>
        <wsse:SecurityTokenReference>
            <wsse:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                            URI="#adf15bbb-2a98-4dd0-81f4-34072d05521a" />
        </wsse:SecurityTokenReference>
    </ds:KeyInfo>
</ds:Signature>




Technorati Tags: , , , , , , ,

powered by performancing firefox

Posted on: Mar 20, 2007

Posted by: venu

Category: How do I

Permanent link to this entry

Comments:

Can you show me an example configuration file that uses this? I'm currently using xwss-3.0 Here's my configuration file: <xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config"> <xwss:Timestamp timeout="60"/> <xwss:DisableInclusivePrefixList/> <xwss:Sign includeTimestamp="true"> <xwss:X509Token certificateAlias="wse2qsclient" /> <xwss:CanonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/03/addressing}Action"> <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/> </xwss:Transform> </xwss:SignatureTarget> <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/03/addressing}MessageID"> <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/> </xwss:Transform> </xwss:SignatureTarget> <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/03/addressing}ReplyTo"> <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/> </xwss:Transform> </xwss:SignatureTarget> <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/03/addressing}To"> <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/> </xwss:Transform> </xwss:SignatureTarget> <xwss:SignatureTarget type="uri" value="mybodyid"> <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/> </xwss:Transform> </xwss:SignatureTarget> </xwss:Sign> <!-- Note the order of the requirements below. The message sender should have first signed the body and then encrypted its contents. --> </xwss:SecurityConfiguration>

Posted by zdriveus on March 22, 2007 at 11:51 PM IST #

Can you show me an example configuration file that uses this? I'm currently using xwss-3.0 Here's my configuration file: <xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config"> <xwss:Timestamp timeout="60"/> <xwss:DisableInclusivePrefixList/> <xwss:Sign includeTimestamp="true"> <xwss:X509Token certificateAlias="wse2qsclient" /> <xwss:CanonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/03/addressing}Action"> <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/> </xwss:Transform> </xwss:SignatureTarget> <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/03/addressing}MessageID"> <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/> </xwss:Transform> </xwss:SignatureTarget> <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/03/addressing}ReplyTo"> <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/> </xwss:Transform> </xwss:SignatureTarget> <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/03/addressing}To"> <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/> </xwss:Transform> </xwss:SignatureTarget> <xwss:SignatureTarget type="uri" value="mybodyid"> <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/> </xwss:Transform> </xwss:SignatureTarget> </xwss:Sign> <!-- Note the order of the requirements below. The message sender should have first signed the body and then encrypted its contents. --> </xwss:SecurityConfiguration>

Posted by zdriveus on March 22, 2007 at 11:52 PM IST #

Hi, The above feature in XWSS 3.0 is only available with WS SecurityPolicy i,e when you use WSIT. You are using XWSS specific configuration files. Can you let us know your requirements , just to see if SecurityPolicy can satisfy your requirements. Ashutosh my team mate is working on providing this option using XWSS Configuration files too. Will let you know in another day or so...

Posted by 210.18.183.68 on March 24, 2007 at 08:12 AM IST #

Post a Comment:
  • HTML Syntax: NOT allowed

This blog copyright 2009 by venu