axis-java-dev mailing list archives

From Ruchith Fernando <ruchith.ferna...@gmail.com>
Subject Re: Rampart: UsernameToken and X.509 certificates
Date Fri, 22 Mar 2013 00:05:47 GMT
Hi Nathan,

Sounds good.

I don't think we need a JIRA for this. I will check in this change.

Thanks,
Ruchith

On Thu, Mar 21, 2013 at 6:13 PM, Nathan Clement
<nathan.a.clement@hotmail.com> wrote:
> Hi Ruchith,
>
> Thanks for the patch.  I applied it and it solved my problem - I no longer
> get an exception in this case.  Is there a JIRA for this?
>
> Thanks,
>
> Nathan
>
> Date: Tue, 19 Mar 2013 18:43:19 -0400
> Subject: Re: Rampart: UsernameToken and X.509 certificates
> From: ruchith.fernando@gmail.com
> To: java-dev@axis.apache.org
>
> Hi Nathan,
>
> Can you please try the attached patch with the rampart trunk and see
> if you still have the same issue.
>
> Thanks,
> Ruchith
>
> On Mon, Mar 18, 2013 at 1:12 AM, Nathan Clement
> <nathan.a.clement@hotmail.com> wrote:
>> Hi,
>>
>> I'm trying to use a UsernameToken with a hashed password and an X.509 token
>> for signatures.  My policy file is below - it contains both sp:UsernameToken
>> and sp:X509Token.  No encryption should be performed in this scenario and we
>> are using HTTPS for transport.
>>
>> I get the following exception when using this policy file:
>>
>> Caused by: org.apache.rampart.RampartException: Encryption user not
>> specified (The context is created by the initiating party)
>>     at org.apache.rampart.util.RampartUtil.setEncryptionUser(RampartUtil.java:1308)
>>     at org.apache.rampart.util.RampartUtil.setEncryptionUser(RampartUtil.java:1296)
>>     at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:538)
>>     at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:90)
>>     at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
>>     at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
>>
>> With the help of SVN blame, I found that a change was made in
>> https://issues.apache.org/jira/browse/RAMPART-106 that forces the
>> UsernameToken to be encrypted (BindingBuilder:428 in the current trunk).
>>
>> I found the following in the WS-Security UsernameToken profile:
>>
>> /wsse:UsernameToken/wsse:Password
>> This optional element provides password information (or equivalent such as a
>> hash). It is RECOMMENDED that this element only be passed when a secure
>> transport (e.g. HTTP/S) is being used or if the token itself is being
>> encrypted.
>>
>>
>> We are using HTTPS for transport, so encryption of the token doesn't seem to
>> be necessary.  Is there something I'm missing, or should the logic from
>> RAMPART-106 only apply in certain situations?
>>
>> Thanks,
>>
>> Nathan
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <wsp:Policy wsu:Id="UTOverTransport"
>>             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>   <wsp:ExactlyOne>
>>     <wsp:All>
>>       <sp:SignedSupportingTokens
>> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>         <wsp:Policy>
>>           <sp:UsernameToken
>>               sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>>             <wsp:Policy>
>>               <sp:HashPassword/>
>>             </wsp:Policy>
>>           </sp:UsernameToken>
>>         </wsp:Policy>
>>       </sp:SignedSupportingTokens>
>>
>>       <sp:AsymmetricBinding
>> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>         <wsp:Policy>
>>           <sp:InitiatorToken>
>>             <wsp:Policy>
>>               <sp:X509Token
>>                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>>                 <wsp:Policy>
>>                   <sp:RequireThumbprintReference/>
>>                   <sp:WssX509V3Token10/>
>>                 </wsp:Policy>
>>               </sp:X509Token>
>>             </wsp:Policy>
>>           </sp:InitiatorToken>
>>
>>           <sp:RecipientToken>
>>             <wsp:Policy>
>>               <sp:X509Token
>>                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>>                 <wsp:Policy>
>>                   <sp:RequireThumbprintReference/>
>>                   <sp:WssX509V3Token10/>
>>                 </wsp:Policy>
>>               </sp:X509Token>
>>             </wsp:Policy>
>>           </sp:RecipientToken>
>>
>>           <sp:AlgorithmSuite>
>>             <wsp:Policy>
>>               <sp:Basic256Sha256/>
>>             </wsp:Policy>
>>           </sp:AlgorithmSuite>
>>
>>           <sp:Layout>
>>             <wsp:Policy>
>>               <sp:Strict/>
>>             </wsp:Policy>
>>           </sp:Layout>
>>
>>           <sp:IncludeTimestamp/>
>>           <sp:OnlySignEntireHeadersAndBody/>
>>         </wsp:Policy>
>>       </sp:AsymmetricBinding>
>>
>>       <sp:Wss11
>> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>         <wsp:Policy>
>>           <sp:MustSupportRefKeyIdentifier/>
>>           <sp:MustSupportRefIssuerSerial/>
>>         </wsp:Policy>
>>       </sp:Wss11>
>>
>>       <sp:SignedParts
>> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>         <sp:Body/>
>>         <sp:Header Name="Messaging"
>>                    Namespace="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/" />
>>         <sp:Attachments />
>>       </sp:SignedParts>
>>     </wsp:All>
>>   </wsp:ExactlyOne>
>> </wsp:Policy>
>>
>>
>
>
>
> --
> http://ruchith.org



-- 
http://ruchith.org

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org
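The `<sp:HashPassword/>` assertion in the policy quoted above selects the UsernameToken profile's PasswordDigest form, Base64(SHA-1(nonce + created + password)). As an added example that is not part of the thread and not Rampart's code, the Python below builds such a token client-side and verifies it server-side with the nonce-replay and wsu:Created freshness checks the profile relies on; the 5-minute window and the in-memory credential store are assumptions.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

WSU_FMT = "%Y-%m-%dT%H:%M:%SZ"
FRESHNESS = timedelta(minutes=5)  # assumed acceptance window for wsu:Created

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")

def make_token(username: str, password: str, now: datetime) -> dict:
    """Client side: the fields <sp:HashPassword/> makes the sender put in wsse:UsernameToken."""
    nonce, created = os.urandom(16), now.strftime(WSU_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

class UsernameTokenVerifier:
    """Server side: recompute the digest and reject stale or replayed tokens."""
    def __init__(self, credentials: dict):
        self.credentials = credentials      # username -> password (constructed store)
        self.seen_nonces: set = set()       # a bounded cache in a real service

    def verify(self, token: dict, now: datetime) -> tuple:
        password = self.credentials.get(token["Username"])
        if password is None:
            return False, "unknown user"
        created = datetime.strptime(token["Created"], WSU_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > FRESHNESS:
            return False, "Created outside freshness window"
        if token["Nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False, "digest mismatch"
        self.seen_nonces.add(token["Nonce"])
        return True, "ok"

def run_demo() -> list:
    """Constructed scenario: valid token, its replay, wrong password, stale token, unknown user."""
    now = datetime(2013, 3, 18, 5, 12, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier({"alice": "s3cret"})
    good = make_token("alice", "s3cret", now)
    return [verifier.verify(good, now),
            verifier.verify(good, now),
            verifier.verify(make_token("alice", "wrong", now), now),
            verifier.verify(make_token("alice", "s3cret", now - timedelta(minutes=10)), now),
            verifier.verify(make_token("bob", "x", now), now)]
```

The digest protects the password only against a passive reader of the message; whether the token travels under TLS or is encrypted at the message layer, as the profile text quoted above recommends, is decided by the policy, not by the digest.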

