axis-c-dev mailing list archives

From Kaushalye Kapuruge <kausha...@wso2.com>
Subject Re: [Rampart/C] Signing the body
Date Thu, 26 Jul 2007 12:16:46 GMT
Hi Jamie,
I tried your scenario "with an empty body" and it worked fine for me. 
You should be able to see that an id is added to your body element as follows.
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
    .....
<soapenv:Body u:Id="SigID-09d3faf2-3b71-1dc1" 
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"></soapenv:Body>
</soapenv:Envelope>
Maybe you can get the latest checkout from the svn [1] and give it a try.
Cheers,
Kaushalye
[1]http://svn.apache.org/repos/asf/webservices/rampart/trunk/c

Kaushalye Kapuruge wrote:
> Hi Jamie,
> Seems your policy configurations are correct. Could you please send us 
> the log file, and a trace of signed message? We haven't tested signing 
> an empty body, which is an interesting scenario :).
> Cheers,
> Kaushalye
> [1]http://svn.apache.org/repos/asf/webservices/rampart/trunk/c
>
> Jamie Lyon wrote:
>>
>> Hi,
>>
>> I am using Axis2/C to try and send secure messages to a pre-existing 
>> service.
>>
>> One of the requirements of this service is that there are a certain 
>> amount of security headers, and that the body is always signed.
>>
>> I have a policy.xml file, which I have attached to this e-mail, the 
>> problem is that although a security header is added, including 
>> timestamp, the certificate etc… it doesn’t actually sign the body. An 
>> example of the message that will be sent by Axis2/C is included at 
>> the bottom of the e-mail. If I uncomment the line in the policy.xml 
>> “<!--sp:Header Namespace="http://www.w3.org/2005/08/addressing"/-->” 
>> it successfully signs the ws-addressing headers, but it still does 
>> not sign the body. I’ve tried adding a dummy element into body 
>> (although I don’t in reality want anything there, I want the empty 
>> body to be signed in this particular case), to see if that makes a 
>> difference, but it doesn’t, there’s still nothing being signed.
>>
>> Is there anything special that you have to do apart from add sp:Body 
>> to the SignedParts to get the body to be signed compared to other 
>> elements?
>>
>> (I’m using the Rampart/Axis builds included in WSO2 WSF/C under 
>> Windows with Visual Studio 2005 Pro)
>>
>> Thanks,
>>
>> Jamie
>>
>> POST /gria-basic-app-services/services/DataService HTTP/1.1
>>
>> User-Agent: Axis2/C
>>
>> SOAPAction: 
>> "http://www.it-innovation.soton.ac.uk/2004/grid/data/getResources"
>>
>> Content-Length: 3994
>>
>> Content-Type: text/xml;charset=UTF-8
>>
>> Host: fiuza.it-innovation.soton.ac.uk:9090
>>
>> <soapenv:Envelope 
>> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>>
>> <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
>>
>> <wsa:To>http://fiuza.it-innovation.soton.ac.uk:9090/gria-basic-app-services/services/DataService</wsa:To>
>>
>> <wsa:Action>http://www.it-innovation.soton.ac.uk/2004/grid/data/getResources</wsa:Action>
>>
>> <wsa:MessageID>378ebcfb-4091-4942-9fb2-9ab3548392cc</wsa:MessageID>
>>
>> <wsse:Security soapenv:mustUnderstand="1" 
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>
>> <wsse:BinarySecurityToken 
>> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>> wsu:Id="CertID-e918e2c3-10f2-4fb0" 
>> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">...</wsse:BinarySecurityToken>
>>
>> <wsu:Timestamp wsu:Id="SigID-79fe769b-02cd-4dca" 
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>
>> <wsu:Created>2007-07-26T11:28:43.366Z</wsu:Created>
>>
>> <wsu:Expires>2007-07-26T11:34:43.366Z</wsu:Expires>
>>
>> </wsu:Timestamp>
>>
>> <ds:Signature Id="SigID-847a76bc-a745-4cdf" 
>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>
>> <ds:SignedInfo>
>>
>> <ds:CanonicalizationMethod 
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>
>> </ds:CanonicalizationMethod>
>>
>> <ds:SignatureMethod 
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
>>
>> </ds:SignatureMethod>
>>
>> <ds:Reference URI="#SigID-79fe769b-02cd-4dca">
>>
>> <ds:Transforms>
>>
>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>
>> </ds:Transform>
>>
>> </ds:Transforms>
>>
>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
>>
>> </ds:DigestMethod>
>>
>> <ds:DigestValue>D/w5TtiyibRvsbid6gVZF8jGZ7w=</ds:DigestValue>
>>
>> </ds:Reference>
>>
>> </ds:SignedInfo>
>>
>> <ds:SignatureValue>SiY7Z9bgiOpDQEksOqjTWpki0KvUCMHgz9YswcQzOZF0K874uvPfAU4VtvaV/FUfK+Grq4UV7rJ/QFGX6iSAxXm0DoFPULVN9ge6Jc+N9yuGddk51MBcxun5rv9spy9w/OGwFpAlIdQQW0+paexMYncgJJkV1awuvCmoeE1zfKDHcyr2CjBnb8GGH733GWihLbf3Nu4V4CgdhMglEYOJ8yNVF6Kr/Y/LzTaY/cazqYarGrro9bJq11vGcW27QeHlKSkRa8wuIjgHrwXdmdUctVVcWQKoJIpO5nMNGp4wvdZxSmOeI6p+oU0tyfEXF6XQZ/zpqRL33NmjV1h4bvQxwQ==</ds:SignatureValue>
>>
>> <ds:KeyInfo>
>>
>> <wsse:SecurityTokenReference 
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>
>> <wsse:Reference URI="#CertID-e918e2c3-10f2-4fb0" 
>> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
>>
>> </wsse:Reference>
>>
>> </wsse:SecurityTokenReference>
>>
>> </ds:KeyInfo>
>>
>> </ds:Signature>
>>
>> </wsse:Security>
>>
>> </soapenv:Header>
>>
>> <soapenv:Body>
>>
>> </soapenv:Body>
>>
>> </soapenv:Envelope>
>>
>> ------------------------------------------------------------------------
>>
>> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>     <wsp:ExactlyOne>
>>         <wsp:All>
>>             <sp:AsymmetricBinding 
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>                 <wsp:Policy>
>>                     <sp:InitiatorToken>
>>                         <wsp:Policy>
>>                             <sp:X509Token 
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>                                 <wsp:Policy>
>>                                     <sp:WssX509V3Token10/>
>>                                 </wsp:Policy>
>>                             </sp:X509Token>
>>                         </wsp:Policy>
>>                     </sp:InitiatorToken>
>>                     <sp:RecipientToken>
>>                         <wsp:Policy>
>>                             <sp:X509Token 
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>>                                 <wsp:Policy>
>>                                     <sp:WssX509V3Token10/>
>>                                 </wsp:Policy>
>>                             </sp:X509Token>
>>                         </wsp:Policy>
>>                     </sp:RecipientToken>
>>                     <sp:AlgorithmSuite>
>>                         <wsp:Policy>
>>                             <sp:Basic256Rsa15/>
>>                         </wsp:Policy>
>>                     </sp:AlgorithmSuite>
>>                     <sp:Layout>
>>                         <wsp:Policy>
>>                             <sp:Strict/>
>>                         </wsp:Policy>
>>                     </sp:Layout>
>>                     <sp:IncludeTimestamp/>
>>                 </wsp:Policy>
>>             </sp:AsymmetricBinding>
>>             <sp:Wss10 
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>                 <wsp:Policy>
>>                     <sp:MustSupportRefKeyIdentifier/>
>>                     <sp:MustSupportRefEmbeddedToken/>
>>                     <sp:MustSupportRefIssuerSerial/>
>>                 </wsp:Policy>
>>             </sp:Wss10>
>>             <sp:SignedParts 
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>                 <sp:Body/>
>>                 <!--sp:Header 
>> Namespace="http://www.w3.org/2005/08/addressing"/-->
>>             </sp:SignedParts>
>>             <rampc:RampartConfig 
>> xmlns:rampc="http://ws.apache.org/rampart/c/policy">
>>                 <rampc:TimeToLive>360</rampc:TimeToLive>
>>                 
>> <rampc:ReceiverCertificate>C:\cacert.pem</rampc:ReceiverCertificate>
>>                 <rampc:Certificate>C:\mycert.pem</rampc:Certificate>
>>                 <rampc:PrivateKey>C:\mykey.pem</rampc:PrivateKey>
>>             </rampc:RampartConfig>
>>         </wsp:All>
>>     </wsp:ExactlyOne>
>> </wsp:Policy>
>>   
>> ------------------------------------------------------------------------
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: axis-c-dev-unsubscribe@ws.apache.org
>> For additional commands, e-mail: axis-c-dev-help@ws.apache.org
>
>


-- 
http://kaushalye.blogspot.com/
http://wso2.org/
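
Added example (not part of the original thread, and not Rampart/C code): a receiver-side check that the Envelope's own Body child is actually the target of a ds:Reference, which is the difference between the trace in the question (only the Timestamp is referenced) and the output described in the reply (the empty Body carries an Id). The sample envelopes are constructed, trimmed-down messages that reuse the Ids shown in the thread; the check covers reference coverage only, not digest or signature validity.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"

def body_is_signed(envelope_xml):
    """True if the Envelope's own Body child is the target of a ds:Reference."""
    root = ET.fromstring(envelope_xml)
    soap_ns = root.tag[1:].split("}")[0]        # SOAP 1.1 or 1.2 namespace
    body = root.find("{%s}Body" % soap_ns)      # direct child of Envelope only
    if body is None:
        return False
    body_id = body.get("{%s}Id" % WSU)
    if not body_id:
        return False                            # no Id, so nothing can reference it
    # The Id must be unique, otherwise the reference is ambiguous.
    owners = [e for e in root.iter() if e.get("{%s}Id" % WSU) == body_id]
    if len(owners) != 1:
        return False
    uris = [r.get("URI") for si in root.iter("{%s}SignedInfo" % DS)
            for r in si.iter("{%s}Reference" % DS)]
    return "#" + body_id in uris

def sample(body_attrs, ref_uri):
    # Constructed envelope; digest and signature values are left out.
    return ('<s:Envelope xmlns:s="%s" xmlns:u="%s" xmlns:ds="%s"><s:Header>'
            '<u:Timestamp u:Id="SigID-79fe769b-02cd-4dca"/>'
            '<ds:Signature><ds:SignedInfo><ds:Reference URI="%s"/>'
            '</ds:SignedInfo></ds:Signature></s:Header>'
            '<s:Body%s></s:Body></s:Envelope>'
            % (SOAP11, WSU, DS, ref_uri, body_attrs))

# Shape of the trace in the question: only the Timestamp is referenced.
UNSIGNED = sample("", "#SigID-79fe769b-02cd-4dca")
# Shape described in the reply: the empty Body carries an Id that is referenced.
SIGNED = sample(' u:Id="SigID-09d3faf2-3b71-1dc1"', "#SigID-09d3faf2-3b71-1dc1")

if __name__ == "__main__":
    print(body_is_signed(UNSIGNED), body_is_signed(SIGNED))
```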


