Skip to main content

METRO not compliant with Basic Security Profile 1.1 (WS-I) ??

Please note these java.net forums are being decommissioned and use the new and improved forums at https://community.oracle.com/community/java.
2 replies [Last post]
brunov
Offline
Joined: 2005-09-20

It seems that METRO 2.1 is not compliant with Basic Security Profile 1.1

We detected the problem when trying to test interoperability with CXF: issues.apache.org/jira/browse/CXF-3592

CXF 2.4.0 enforces Basic Security Profile 1.1 compliance. (Meaning that it rejects non compliant inputs). In our case, it is objecting to a SecurityTokenReference not having a TokenType attribute:

Body 
  EncryptedData
  EncryptionMethod
    KeyInfo
      SecurityTokenReference <b>NO TokenType in METRO: Breaks rule R3069 !</b>
             KeyIdentifier  (referencing an ENCRYPTED_KEY_TOKEN)

The Rule R3069 states that: "Any SECURITY_TOKEN_REFERENCE to a ENCRYPTED_KEY_TOKEN MUST contain a wsse11:TokenType attribute with a value of "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"." http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html#STR2EncryptedKey

Note: Metro claims compliance with Basic Security Profile 1.1: http://blogs.oracle.com/gfsecurity/entry/what_s_new_in_metro

Should I fill a bug ? or a RFE ? Where ? Is METRO committed to WS-I ??

Thanks

Reply viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
ritzmann
Offline
Joined: 2003-06-19

brunov wrote:
Should I fill a bug ? or a RFE ? Where ?

If you could file a bug that would be appreciated: http://java.net/jira/browse/WSIT

Please set "security" as the component.

brunov
Offline
Joined: 2005-09-20