axis-java-dev mailing list archives

From Nathan Clement <nathan.a.clem...@hotmail.com>
Subject RE: Rampart: UsernameToken and X.509 certificates
Date Thu, 21 Mar 2013 22:13:11 GMT
Hi Ruchith,

Thanks for the patch.  I applied it and it solved my problem - I no longer get an exception
in this case.  Is there a JIRA for this?

Thanks,

Nathan

Date: Tue, 19 Mar 2013 18:43:19 -0400
Subject: Re: Rampart: UsernameToken and X.509 certificates
From: ruchith.fernando@gmail.com
To: java-dev@axis.apache.org

Hi Nathan,
 
Can you please try the attached patch with the rampart trunk and see
if you still have the same issue.
 
Thanks,
Ruchith
 
On Mon, Mar 18, 2013 at 1:12 AM, Nathan Clement
<nathan.a.clement@hotmail.com> wrote:
> Hi,
>
> I'm trying to use a UsernameToken with a hashed password and an X.509 token
> for signatures.  My policy file is below - it contains both sp:UsernameToken
> and sp:X509Token.  No encryption should be performed in this scenario and we
> are using HTTPS for transport.
>
> I get the following exception when using this policy file:
>
> Caused by: org.apache.rampart.RampartException: Encryption user not
> specified (The context is created by the initiating party)
>     at
> org.apache.rampart.util.RampartUtil.setEncryptionUser(RampartUtil.java:1308)
>     at
> org.apache.rampart.util.RampartUtil.setEncryptionUser(RampartUtil.java:1296)
>     at
> org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:538)
>     at
> org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:90)
>     at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
>     at
> org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
>
> With the help of SVN blame, I found that a change was made in
> https://issues.apache.org/jira/browse/RAMPART-106 that forces the
> UsernameToken to be encrypted (BindingBuilder:428 in the current trunk).
>
> I found the following in the WS-Security UsernameToken profile:
>
> /wsse:UsernameToken/wsse:Password
> This optional element provides password information (or equivalent such as a
> hash). It is RECOMMENDED that this element only be passed when a secure
> transport (e.g. HTTP/S) is being used or if the token itself is being
> encrypted.
>
>
> We are using HTTPS for transport, so encryption of the token doesn't seem to
> be necessary.  Is there something I'm missing, or should the logic from
> RAMPART-106 only apply in certain situations?
>
> Thanks,
>
> Nathan
>
> <?xml version="1.0" encoding="UTF-8"?>
> <wsp:Policy wsu:Id="UTOverTransport"
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SignedSupportingTokens
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:UsernameToken
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:HashPassword/>
>             </wsp:Policy>
>           </sp:UsernameToken>
>         </wsp:Policy>
>       </sp:SignedSupportingTokens>
>
>       <sp:AsymmetricBinding
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:RequireThumbprintReference/>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireThumbprintReference/>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256Sha256/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict/>
>             </wsp:Policy>
>           </sp:Layout>
>
>           <sp:IncludeTimestamp/>
>           <sp:OnlySignEntireHeadersAndBody/>
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>
>       <sp:Wss11
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier/>
>           <sp:MustSupportRefIssuerSerial/>
>         </wsp:Policy>
>       </sp:Wss11>
>
>       <sp:SignedParts
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <sp:Body/>
>         <sp:Header Name="Messaging"
> Namespace="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
> />
>         <sp:Attachments />
>       </sp:SignedParts>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
>
 
 
 
-- 
http://ruchith.org
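The root of the confusion in the original post is that the policy never expresses HTTPS: its wsu:Id says "UTOverTransport", but the binding it declares is sp:AsymmetricBinding, and a policy-driven stack has only the policy to go on. The following policy lint is an added example, not code from this thread or from Rampart. It parses a WS-SecurityPolicy 1.2 document with the standard library, locates every sp:UsernameToken, and reports whether the policy itself protects the password: either through sp:TransportBinding (HTTPS) or by placing the token in an Encrypted*SupportingTokens container. The function and constant names (lint_policy, POLICY, TRANSPORT_POLICY) are my own; the first sample is a condensed copy of the policy quoted above, the second is a constructed variant that states the HTTPS assumption in the policy; the "encryption user" finding reflects what the thread reports about Rampart trunk after RAMPART-106.

```python
"""Lint a WS-SecurityPolicy 1.2 document for UsernameToken password exposure.

Added example, not Rampart code. Reports sp:UsernameToken assertions whose
password is neither bound to the transport (sp:TransportBinding) nor placed
in an Encrypted*SupportingTokens container, and notes that an
sp:AsymmetricBinding needs an encryption user when the token gets encrypted
(the Rampart trunk behaviour described in this thread).
"""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
BINDINGS = ("TransportBinding", "SymmetricBinding", "AsymmetricBinding")
SUPPORTING = (
    "SupportingTokens", "SignedSupportingTokens", "EndorsingSupportingTokens",
    "SignedEndorsingSupportingTokens", "EncryptedSupportingTokens",
    "SignedEncryptedSupportingTokens", "EndorsingEncryptedSupportingTokens",
    "SignedEndorsingEncryptedSupportingTokens",
)


def _sp_local(elem):
    """Local name of an element in the sp: namespace, else None."""
    prefix = "{%s}" % SP
    return elem.tag[len(prefix):] if elem.tag.startswith(prefix) else None


def password_mode(username_token):
    """'none' (sp:NoPassword), 'hashed' (sp:HashPassword) or 'plaintext',
    the WS-SecurityPolicy default when neither nested assertion is present."""
    for e in username_token.iter():
        if _sp_local(e) == "NoPassword":
            return "none"
        if _sp_local(e) == "HashPassword":
            return "hashed"
    return "plaintext"


def lint_policy(xml_text):
    """Return {'binding', 'tokens', 'findings'} for one policy document."""
    root = ET.fromstring(xml_text)
    bindings = [n for n in map(_sp_local, root.iter()) if n in BINDINGS]
    binding = bindings[0] if bindings else None
    tokens, findings = [], []
    for container in root.iter():
        cname = _sp_local(container)
        if cname not in SUPPORTING:
            continue
        for ut in container.iter("{%s}UsernameToken" % SP):
            tok = {"container": cname, "password": password_mode(ut),
                   "encrypted_by_policy": "Encrypted" in cname,
                   "transport_binding": binding == "TransportBinding"}
            tokens.append(tok)
            if tok["password"] == "none":
                continue
            if not (tok["encrypted_by_policy"] or tok["transport_binding"]):
                findings.append(
                    "%s/UsernameToken sends a %s password, but the policy has no "
                    "sp:TransportBinding and the token is not in an Encrypted*"
                    "SupportingTokens container (UsernameToken profile: password "
                    "only over secure transport or with the token encrypted)"
                    % (cname, tok["password"]))
            if binding == "AsymmetricBinding":
                # Reported in the thread: Rampart trunk encrypts the UsernameToken
                # here, so the initiator's Rampart config needs an encryption user.
                findings.append(
                    "AsymmetricBinding does not model HTTPS; encrypting the "
                    "UsernameToken needs an encryption user (recipient cert alias) "
                    "or the build fails with 'Encryption user not specified'")
    return {"binding": binding, "tokens": tokens, "findings": findings}


# Condensed copy of the policy quoted in the original post (constructed input).
POLICY = """<wsp:Policy wsu:Id="UTOverTransport"
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <wsp:ExactlyOne><wsp:All>
  <sp:SignedSupportingTokens><wsp:Policy>
   <sp:UsernameToken><wsp:Policy><sp:HashPassword/></wsp:Policy></sp:UsernameToken>
  </wsp:Policy></sp:SignedSupportingTokens>
  <sp:AsymmetricBinding><wsp:Policy>
   <sp:InitiatorToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:InitiatorToken>
   <sp:RecipientToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:RecipientToken>
   <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
   <sp:IncludeTimestamp/>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
 </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# Constructed variant: the HTTPS assumption is stated in the policy itself.
TRANSPORT_POLICY = """<wsp:Policy
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
 <wsp:ExactlyOne><wsp:All>
  <sp:TransportBinding><wsp:Policy>
   <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
   <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
   <sp:IncludeTimestamp/>
  </wsp:Policy></sp:TransportBinding>
  <sp:SignedSupportingTokens><wsp:Policy>
   <sp:UsernameToken><wsp:Policy><sp:HashPassword/></wsp:Policy></sp:UsernameToken>
  </wsp:Policy></sp:SignedSupportingTokens>
 </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

if __name__ == "__main__":
    for name, doc in (("thread policy", POLICY), ("transport policy", TRANSPORT_POLICY)):
        report = lint_policy(doc)
        print(name, report["binding"], report["findings"] or "no findings")
```

Run against the thread's policy the lint reports two findings (hashed password with no transport binding and no encrypting container; an AsymmetricBinding that will need an encryption user); the TransportBinding variant reports none. The point for practitioners is that "we use HTTPS" has to be written into the policy, as sp:TransportBinding with sp:HttpsToken, if the security stack is expected to rely on it; otherwise the alternative is to keep the AsymmetricBinding, move the token into sp:SignedEncryptedSupportingTokens and configure the recipient certificate as the encryption user.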
