This blog on blogspot.com is now closed. I've moved all my posts over to my new domain:
http://blog.ypmania.net
See you there!
Thursday, April 22, 2010
Friday, January 8, 2010
WS-Security by WS-Obscurity (cont.)
In a previous post, I described a step to achieve a particular variant of WS-Security, which is the .NET way of signing a SOAP message with a Username token.
As it turns out, that's not always the full story. Although the signing is done correctly this way, the default implementation of WSS4J (which Apache CXF uses) sends timestamps with millisecond precision. Although this is fully in line with the "RECOMMENDED" part of the WS-Security 1.0 specification, it is apparently something that Microsoft did not consider when writing WSE 1.0. As you can read, WSE 1.0 rejects the message if it has a millisecond timestamp.
I did find it quite surprising to find no other reference to this on the internet, except a page on MSDN which describes the "Microsoft.com Web Service".
Luckily, there's a quick way to switch off milliseconds for timestamps in CXF: just add a parameter "precisionInMilliseconds" with the value "false" to the parameter map of your WSS4JOutInterceptor.
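The setting described above, as an added example that is not code from the original post. It assumes a CXF client proxy named `port`, and the action list is cut down to `Timestamp`; the class name and the `created` helper are hypothetical and only illustrate the two timestamp shapes.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;

public class SecondPrecisionTimestamps {

    /** Adds a WSS4J out-interceptor whose wsu:Timestamp values carry no milliseconds. */
    public static void configure(Object port) {
        Map<String, Object> props = new HashMap<>();
        // Assumption: a minimal action list. Merge this with the actions
        // (UsernameToken, Signature, ...) your existing setup already uses.
        props.put("action", "Timestamp");
        // The parameter from the post: emit whole seconds only.
        props.put("precisionInMilliseconds", "false");

        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(props));
    }

    /** Illustration only: an xsd:dateTime value with and without fractional seconds. */
    static String created(Instant now, boolean millis) {
        String pattern = millis
                ? "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"
                : "yyyy-MM-dd'T'HH:mm:ss'Z'";
        return DateTimeFormatter.ofPattern(pattern)
                .withZone(ZoneOffset.UTC)
                .format(now);
    }

    public static void main(String[] args) {
        // Constructed sample instant, not taken from a real message.
        Instant sample = Instant.parse("2010-01-08T12:34:56.789Z");
        System.out.println("default: " + created(sample, true));
        System.out.println("false:   " + created(sample, false));
    }
}
```

Both forms are valid `xsd:dateTime` values, so a receiver that accepts only the second one will not be caught by schema validation alone; compare the `Created` and `Expires` values in a captured request against what the receiving stack accepts.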