assertion supported by WSIT?

prashi123

Hi All
I have an Oracle Web service (using the Endorsing Certificate scenario) that advertises the assertion in the security policy. I read somewhere that WSIT does not support it (neither does WCF). However, I went ahead and created the client proxy for the Web Service.
So when the client sends the request in where
a) is advertised in WSDL: I see that as expected the BST is signed by the EndorsingSupportingToken. Additionally, the Primary Signature's STR pointing to the EncryptedKey is also signed.

b) is not advertised in WSDL: I see that the BST is not signed by the Endorsing supporting token.

Can someone please throw some light on this? Is assertion supported at all? Attached is the advertised WSDL

Thanks
-Prasanth

kumarjayanti

The support for ProtectTokens is not complete. That means it will not work in all scenarios. This particular one that you tried is one such working case.

I am curious whether Oracle Server supports the ProtectTokens assertion in all combinations of tokens and binding?

Thanks.

prashi123

Thanks Kumar.

Assuming it is working in this case could you please explain the following:

a) Why is the SecurityTokenReference (pointing to the EncryptedKey) of the Primary Signature signed? The Endorsing Signature already covers the Primary Signature

b) There is no element specified under the element for the reference to the SecurityTokenReference (unlike other references that specify the ):

2jmj7l5rSw0yVb/vlWAYkK/YBwk=

In this case what c14n algorithm was used?

TIA. Attached is the request message sent out by WSIT

-Prasanth

ashutoshshahi

As Kumar said, the feature is not supported and is not a fully tested one. The message generated by us is not the correct one. The correct behaviour should be:
- No need to sign the STR in the primary signature
- The Endorsing Signature's STR should be signed (as it refers to a BinarySecurityToken), but we are ending up signing the BST itself in the endorsing signature.

We will look to fix these once we decide to support ProtectTokens. This has not taken a priority as WCF doesn't support it either. Please file an issue so that we can keep track of this.
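
An added example, not code from this thread or from WSIT: a small audit that lists what each `ds:Reference` in a WS-Security header actually covers, so a captured request can be compared with the behaviour described in the replies above. The sample message, its Ids and the observation labels are constructed for illustration; the DigestValue quoted in the thread is the base64 SHA-1 of empty input, which the audit also reports.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE_NS = OASIS + "wssecurity-secext-1.0.xsd"
WSU_NS = OASIS + "wssecurity-utility-1.0.xsd"
STR_TRANSFORM = OASIS + "soap-message-security-1.0#STR-Transform"
XF = '<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>'
# Base64 SHA-1 of zero bytes, i.e. a digest taken over empty input.
EMPTY_SHA1 = base64.b64encode(hashlib.sha1(b"").digest()).decode()

# Constructed, trimmed sample shaped like the request described in the thread; not the attached message.
SAMPLE = f"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">
<S:Header><wsse:Security>
<wsse:BinarySecurityToken wsu:Id="bst-1">Y29uc3RydWN0ZWQ=</wsse:BinarySecurityToken>
<ds:Signature Id="sig-1"><ds:SignedInfo>
<ds:Reference URI="#body-1">{XF}<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
<ds:Reference URI="#str-1"><ds:DigestValue>{EMPTY_SHA1}</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="str-1"/></ds:KeyInfo></ds:Signature>
<ds:Signature Id="sig-2"><ds:SignedInfo>
<ds:Reference URI="#sig-1">{XF}<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
<ds:Reference URI="#bst-1">{XF}<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
</ds:SignedInfo></ds:Signature></wsse:Security></S:Header><S:Body wsu:Id="body-1"/></S:Envelope>"""

def audit(xml_text):
    """Return (signature Id, reference URI, target element, observations) per ds:Reference."""
    root = ET.fromstring(xml_text)  # use on trusted captures only; ElementTree is not hardened
    by_id = {}
    for el in root.iter():
        for key in (el.get("{" + WSU_NS + "}Id"), el.get("Id")):
            if key:
                by_id[key] = el.tag.split("}")[-1]
    rows = []
    for sig in root.iter(DS + "Signature"):
        for ref in sig.iter(DS + "Reference"):
            uri = ref.get("URI", "")
            target = by_id.get(uri.lstrip("#"), "unresolved")
            algs = [t.get("Algorithm") for t in ref.iter(DS + "Transform")]
            notes = ["no-transforms"] if not algs else []
            if target == "SecurityTokenReference" and STR_TRANSFORM not in algs:
                notes.append("str-no-str-transform")
            if target == "BinarySecurityToken":
                notes.append("token-signed-directly")
            if ref.findtext(DS + "DigestValue", "").strip() == EMPTY_SHA1:
                notes.append("digest-of-empty-input")
            rows.append((sig.get("Id"), uri, target, notes))
    return rows
```

Calling `audit(SAMPLE)` yields one row per reference; the labels are observations to check against the policy in the WSDL, not verdicts on signature validity.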