Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 88911200B62 for ; Fri, 12 Aug 2016 23:31:24 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 8737B160A85; Fri, 12 Aug 2016 21:31:24 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id D0F1A160AB0 for ; Fri, 12 Aug 2016 23:31:21 +0200 (CEST) Received: (qmail 21628 invoked by uid 500); 12 Aug 2016 21:31:20 -0000 Mailing-List: contact java-dev-help@axis.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: java-dev@axis.apache.org Delivered-To: mailing list java-dev@axis.apache.org Received: (qmail 21611 invoked by uid 99); 12 Aug 2016 21:31:20 -0000 Received: from arcas.apache.org (HELO arcas) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 12 Aug 2016 21:31:20 +0000 Received: from arcas.apache.org (localhost [127.0.0.1]) by arcas (Postfix) with ESMTP id 71BEE2C02A1 for ; Fri, 12 Aug 2016 21:31:20 +0000 (UTC) Date: Fri, 12 Aug 2016 21:31:20 +0000 (UTC) From: "Marjorie Lindsey (JIRA)" To: java-dev@axis.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (RAMPART-437) SHA256 not supported for DigestAlgorithm for TransportBinding when specified correctly in policy.xml MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Fri, 12 Aug 2016 21:31:24 -0000 [ https://issues.apache.org/jira/browse/RAMPART-437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Marjorie Lindsey updated RAMPART-437: ------------------------------------- Description: TransportBinding is not recognizing SHA256 when specified 
in the policy.xml on the DigestAlgorithm. SignatureAlgorithm however is recognizing SHA256. This is because org.apache.rampart.builder.TransportBindingBuilder.java is not setting the digestAlgorithm, and thus using the default of SHA1. To correct this, add this line in 3 locations in this class: sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest()); and add this line in 1 location in this class: dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest()); Listed below is the entire class with the lines inserted for reference. Thank you. /* * ============================================================================= * * Copyright (c) 2003-2013 Hewitt Associates, LLC. * 100 Half Day Road, Lincolnshire, Illinois, 60069, U.S.A. * All rights reserved. * * This program contains proprietary and confidential information and trade * secrets of Hewitt Associates LLC. This program may not be duplicated, * disclosed or provided to any third parties without the prior written consent * of Hewitt Associates LLC. Disassembly or decompilation of the software and * reverse engineering of the object code are prohibited. 
* * ============================================================================= */ package org.apache.rampart.builder; import org.apache.axiom.om.OMElement; import org.apache.axiom.soap.SOAPEnvelope; import org.apache.axis2.context.MessageContext; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.rahas.RahasConstants; import org.apache.rahas.TrustException; import org.apache.rampart.RampartConstants; import org.apache.rampart.RampartException; import org.apache.rampart.RampartMessageData; import org.apache.rampart.policy.RampartPolicyData; import org.apache.rampart.util.RampartUtil; import org.apache.ws.secpolicy.SPConstants; import org.apache.ws.secpolicy.model.AlgorithmSuite; import org.apache.ws.secpolicy.model.Header; import org.apache.ws.secpolicy.model.IssuedToken; import org.apache.ws.secpolicy.model.SecureConversationToken; import org.apache.ws.secpolicy.model.SignedEncryptedParts; import org.apache.ws.secpolicy.model.SupportingToken; import org.apache.ws.secpolicy.model.Token; import org.apache.ws.secpolicy.model.UsernameToken; import org.apache.ws.secpolicy.model.X509Token; import org.apache.ws.security.WSConstants; import org.apache.ws.security.WSEncryptionPart; import org.apache.ws.security.WSSecurityException; import org.apache.ws.security.conversation.ConversationException; import org.apache.ws.security.handler.WSHandlerConstants; import org.apache.ws.security.message.*; import org.w3c.dom.Document; import org.w3c.dom.Element; import java.util.ArrayList; import java.util.Iterator; import java.util.List; import javax.xml.crypto.dsig.Reference; /** * DOCUMENT ME! * * @hahistory 8/11/16 $author$ Initial creation. * @since 1.0 */ public class TransportBindingBuilder extends BindingBuilder { /** * DOCUMENT ME! * * @since 1.0 */ private static Log log = LogFactory.getLog(TransportBindingBuilder.class); /** * DOCUMENT ME! 
* * @since 1.0 */ private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG); /** * DOCUMENT ME! * * @since 1.0 * * @param rmd DOCUMENT ME! * * @throws RampartException DOCUMENT ME! */ public void build(RampartMessageData rmd) throws RampartException { log.debug("TransportBindingBuilder build invoked"); long t0 = 0, t1 = 0; if (tlog.isDebugEnabled()) { t1 = System.currentTimeMillis(); } RampartPolicyData rpd = rmd.getPolicyData(); if (rpd.isIncludeTimestamp()) { addTimestamp(rmd); } /* * Process Supporting tokens */ if (rmd.isInitiator()) { List signatureValues = new ArrayList(); SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens(); if ( (sgndSuppTokens != null) && (sgndSuppTokens.getTokens() != null) && (sgndSuppTokens.getTokens() .size() > 0) ) { log.debug("Processing signed supporting tokens"); ArrayList tokens = sgndSuppTokens.getTokens(); for (Object signedSupportingToken : tokens) { Token token = (Token)signedSupportingToken; if (token instanceof UsernameToken) { WSSecUsernameToken utBuilder = addUsernameToken(rmd, (UsernameToken)token); utBuilder.prepare(rmd.getDocument()); //Add the UT utBuilder.appendToHeader(rmd.getSecHeader()); } else { throw new RampartException( "unsupportedSignedSupportingToken", new String[] { "{" + token.getName() .getNamespaceURI() + "}" + token.getName() .getLocalPart() } ); } } } SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens(); if ( (sgndEndSuppTokens != null) && (sgndEndSuppTokens.getTokens() != null) && (sgndEndSuppTokens.getTokens() .size() > 0) ) { log.debug("Processing endorsing signed supporting tokens"); ArrayList tokens = sgndEndSuppTokens.getTokens(); SignedEncryptedParts signdParts = sgndEndSuppTokens.getSignedParts(); for (Object objectToken : tokens) { Token token = (Token)objectToken; if (token instanceof IssuedToken && rmd.isInitiator()) { signatureValues.add( doIssuedTokenSignature(rmd, token, signdParts) ); } else if (token instanceof X509Token) { 
signatureValues.add( doX509TokenSignature(rmd, token, signdParts) ); } } } SupportingToken endSupptokens = rpd.getEndorsingSupportingTokens(); if ( (endSupptokens != null) && (endSupptokens.getTokens() != null) && (endSupptokens.getTokens() .size() > 0) ) { log.debug("Processing endorsing supporting tokens"); ArrayList tokens = endSupptokens.getTokens(); SignedEncryptedParts signdParts = endSupptokens.getSignedParts(); for (Object objectToken : tokens) { Token token = (Token)objectToken; if (token instanceof IssuedToken && rmd.isInitiator()) { signatureValues.add( doIssuedTokenSignature(rmd, token, signdParts) ); } else if (token instanceof X509Token) { signatureValues.add( doX509TokenSignature(rmd, token, signdParts) ); } else if (token instanceof SecureConversationToken) { handleSecureConversationTokens( rmd, (SecureConversationToken)token ); signatureValues.add( doSecureConversationSignature( rmd, token, signdParts ) ); } } } List supportingToks = rpd.getSupportingTokensList(); for (SupportingToken supportingTok : supportingToks) { this.handleSupportingTokens(rmd, supportingTok); } //Store the signature values list rmd.getMsgContext() .setProperty(WSHandlerConstants.SEND_SIGV, signatureValues); } else { addSignatureConfirmation(rmd, null); } if (tlog.isDebugEnabled()) { t1 = System.currentTimeMillis(); tlog.debug("Transport binding build took " + (t1 - t0)); } } /** * DOCUMENT ME! * * @since 1.0 * * @param secHeader DOCUMENT ME! * @param appendingChild DOCUMENT ME! */ private void appendToHeader(WSSecHeader secHeader, Element appendingChild) { // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())" // but WSS4J has remove append methods. Need to find why ? Element secHeaderElement = secHeader.getSecurityHeader(); secHeaderElement.appendChild(appendingChild); } /** * IssuedToken signature * * @param rmd * @param token * @param signdParts * * @return DOCUMENT ME! 
* * @throws RampartException */ private byte[] doIssuedTokenSignature( RampartMessageData rmd, Token token, SignedEncryptedParts signdParts ) throws RampartException { RampartPolicyData rpd = rmd.getPolicyData(); Document doc = rmd.getDocument(); //Get the issued token String id = RampartUtil.getIssuedToken(rmd, (IssuedToken)token); int inclusion = token.getInclusion(); org.apache.rahas.Token tok = null; try { tok = rmd.getTokenStorage() .getToken(id); } catch (TrustException e) { throw new RampartException( "errorExtractingToken", new String[] {id}, e ); } boolean tokenIncluded = false; if ( (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS) || ( ( ( inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT ) || (inclusion == SPConstants.INCLUDE_TOKEN_ONCE) ) && rmd.isInitiator() ) ) { //Add the token rmd.getSecHeader() .getSecurityHeader() .appendChild(doc.importNode((Element)tok.getToken(), true)); tokenIncluded = true; } List sigParts = new ArrayList(); if (this.timestampElement != null) { sigParts.add(new WSEncryptionPart(rmd.getTimestampId())); } if (rpd.isTokenProtection() && tokenIncluded) { sigParts.add(new WSEncryptionPart(id)); } if (signdParts != null) { if (signdParts.isBody()) { SOAPEnvelope env = rmd.getMsgContext() .getEnvelope(); sigParts.add( new WSEncryptionPart( RampartUtil.addWsuIdToElement(env.getBody()) ) ); } ArrayList headers = signdParts.getHeaders(); for (Object signedHeader : headers) { Header header = (Header)signedHeader; WSEncryptionPart wep = new WSEncryptionPart( header.getName(), header.getNamespace(), "Content" ); sigParts.add(wep); } } //check for derived keys AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite(); if (token.isDerivedKeys()) { //Create a derived key and add try { //Do Signature with derived keys WSSecDKSign dkSign = new WSSecDKSign(); // Setting the AttachedReference or the UnattachedReference according to the flag OMElement ref; if (tokenIncluded) { ref = tok.getAttachedReference(); } else { ref = 
tok.getUnattachedReference(); } if (ref != null) { dkSign.setExternalKey( tok.getSecret(), (Element)doc.importNode((Element)ref, true) ); } else { dkSign.setExternalKey(tok.getSecret(), tok.getId()); } //Set the algo info dkSign.setSignatureAlgorithm( algorithmSuite.getSymmetricSignature() ); dkSign.setDerivedKeyLength( algorithmSuite.getSignatureDerivedKeyLength() ); dkSign.prepare(doc); /** * Add .. to security * header. We need to add this just after Encrypted Key and just before .. * elements. (As a convention) */ dkSign.appendDKElementToHeader(rmd.getSecHeader()); dkSign.setParts(sigParts); List referenceList = dkSign.addReferencesToSign(sigParts, rmd.getSecHeader()); //Do signature dkSign.computeSignature(referenceList, false, null); // TODO verify before migration - dkSign.appendSigToHeader(rmd.getSecHeader()) // this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement()); return dkSign.getSignatureValue(); } catch (ConversationException e) { throw new RampartException( "errorInDerivedKeyTokenSignature", e ); } catch (WSSecurityException e) { throw new RampartException( "errorInDerivedKeyTokenSignature", e ); } } else { try { WSSecSignature sig = new WSSecSignature(); sig.setWsConfig(rmd.getConfig()); String tokId = tok.getId(); if (tokId.charAt(0) == '#') { tokId = tokId.substring(1); } sig.setCustomTokenId(tokId); sig.setCustomTokenValueType( RampartUtil.getSAML10AssertionNamespace() ); sig.setSecretKey(tok.getSecret()); sig.setSignatureAlgorithm( algorithmSuite.getAsymmetricSignature() ); sig.setSignatureAlgorithm( algorithmSuite.getSymmetricSignature() ); sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING); sig.prepare( rmd.getDocument(), RampartUtil.getSignatureCrypto( rpd.getRampartConfig(), rmd.getCustomClassLoader() ), rmd.getSecHeader() ); sig.setParts(sigParts); //Added by MRL sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest()); List referenceList = sig.addReferencesToSign(sigParts, rmd.getSecHeader()); //Do signature 
sig.computeSignature(referenceList); //Add elements to header this.setInsertionLocation( RampartUtil.insertSiblingAfter( rmd, this.getInsertionLocation(), sig.getSignatureElement() ) ); return sig.getSignatureValue(); } catch (WSSecurityException e) { throw new RampartException( "errorInSignatureWithACustomToken", e ); } } } /** * DOCUMENT ME! * * @since 1.0 * * @param rmd DOCUMENT ME! * @param token DOCUMENT ME! * @param signdParts DOCUMENT ME! * * @return DOCUMENT ME! * * @throws RampartException DOCUMENT ME! */ private byte[] doSecureConversationSignature( RampartMessageData rmd, Token token, SignedEncryptedParts signdParts ) throws RampartException { RampartPolicyData rpd = rmd.getPolicyData(); Document doc = rmd.getDocument(); //Get the issued token String id = rmd.getSecConvTokenId(); int inclusion = token.getInclusion(); org.apache.rahas.Token tok = null; try { tok = rmd.getTokenStorage() .getToken(id); } catch (TrustException e) { throw new RampartException( "errorExtractingToken", new String[] {id}, e ); } boolean tokenIncluded = false; if ( (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS) || ( ( ( inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT ) || (inclusion == SPConstants.INCLUDE_TOKEN_ONCE) ) && rmd.isInitiator() ) ) { //Add the token rmd.getSecHeader() .getSecurityHeader() .appendChild(doc.importNode((Element)tok.getToken(), true)); tokenIncluded = true; } List sigParts = new ArrayList(); if (this.timestampElement != null) { sigParts.add(new WSEncryptionPart(rmd.getTimestampId())); } if (rpd.isTokenProtection() && tokenIncluded) { sigParts.add(new WSEncryptionPart(id)); } if (signdParts != null) { if (signdParts.isBody()) { SOAPEnvelope env = rmd.getMsgContext() .getEnvelope(); sigParts.add( new WSEncryptionPart( RampartUtil.addWsuIdToElement(env.getBody()) ) ); } ArrayList headers = signdParts.getHeaders(); for (Object objectHeader : headers) { Header header = (Header)objectHeader; WSEncryptionPart wep = new WSEncryptionPart( 
header.getName(), header.getNamespace(), "Content" ); sigParts.add(wep); } } //check for derived keys AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite(); if (token.isDerivedKeys()) { //Create a derived key and add try { //Do Signature with derived keys WSSecDKSign dkSign = new WSSecDKSign(); // Setting the AttachedReference or the UnattachedReference according to the flag OMElement ref; if (tokenIncluded) { ref = tok.getAttachedReference(); } else { ref = tok.getUnattachedReference(); } if (ref != null) { dkSign.setExternalKey( tok.getSecret(), (Element)doc.importNode((Element)ref, true) ); } else { dkSign.setExternalKey(tok.getSecret(), tok.getId()); } //Set the algo info dkSign.setSignatureAlgorithm( algorithmSuite.getSymmetricSignature() ); dkSign.setDerivedKeyLength( algorithmSuite.getSignatureDerivedKeyLength() ); dkSign.prepare(doc); /** * Add .. to security * header. We need to add this just after Encrypted Key and just before .. * elements. (As a convention) */ dkSign.appendDKElementToHeader(rmd.getSecHeader()); dkSign.setParts(sigParts); List referenceList = dkSign.addReferencesToSign(sigParts, rmd.getSecHeader()); //Do signature dkSign.computeSignature(referenceList, false, null); //this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement()); return dkSign.getSignatureValue(); } catch (ConversationException e) { throw new RampartException( "errorInDerivedKeyTokenSignature", e ); } catch (WSSecurityException e) { throw new RampartException( "errorInDerivedKeyTokenSignature", e ); } } else { try { WSSecSignature sig = new WSSecSignature(); sig.setWsConfig(rmd.getConfig()); sig.setCustomTokenId(tok.getId().substring(1)); sig.setCustomTokenValueType( RampartUtil.getSAML10AssertionNamespace() ); sig.setSecretKey(tok.getSecret()); sig.setSignatureAlgorithm( algorithmSuite.getAsymmetricSignature() ); sig.setSignatureAlgorithm( algorithmSuite.getSymmetricSignature() ); sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING); sig.prepare( 
rmd.getDocument(), RampartUtil.getSignatureCrypto( rpd.getRampartConfig(), rmd.getCustomClassLoader() ), rmd.getSecHeader() ); sig.setParts(sigParts); //Added by MRL sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest()); List referenceList = sig.addReferencesToSign(sigParts, rmd.getSecHeader()); //Do signature sig.computeSignature( referenceList, false, this.getInsertionLocation() ); //Add elements to header this.setInsertionLocation(sig.getSignatureElement()); return sig.getSignatureValue(); } catch (WSSecurityException e) { throw new RampartException( "errorInSignatureWithACustomToken", e ); } } } /** * X.509 signature * * @param rmd * @param token * @param signdParts * * @return DOCUMENT ME! * * @throws RampartException DOCUMENT ME! */ private byte[] doX509TokenSignature( RampartMessageData rmd, Token token, SignedEncryptedParts signdParts ) throws RampartException { RampartPolicyData rpd = rmd.getPolicyData(); Document doc = rmd.getDocument(); List sigParts = new ArrayList(); if (this.timestampElement != null) { sigParts.add(new WSEncryptionPart(rmd.getTimestampId())); } if (signdParts != null) { if (signdParts.isBody()) { SOAPEnvelope env = rmd.getMsgContext() .getEnvelope(); sigParts.add( new WSEncryptionPart( RampartUtil.addWsuIdToElement(env.getBody()) ) ); } ArrayList headers = signdParts.getHeaders(); for (Iterator iterator = headers.iterator(); iterator.hasNext();) { Header header = (Header)iterator.next(); WSEncryptionPart wep = new WSEncryptionPart( header.getName(), header.getNamespace(), "Content" ); sigParts.add(wep); } } if (token.isDerivedKeys()) { //In this case we will have to encrypt the ephmeral key with the //other party's key and then use it as the parent key of the // derived keys try { WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(rmd, token); Element bstElem = encrKey.getBinarySecurityTokenElement(); if (bstElem != null) { RampartUtil.appendChildToSecHeader(rmd, bstElem); } // Add .. // to security header. 
encrKey.appendToHeader(rmd.getSecHeader()); WSSecDKSign dkSig = new WSSecDKSign(); dkSig.setWsConfig(rmd.getConfig()); dkSig.setSigCanonicalization( rpd.getAlgorithmSuite().getInclusiveC14n() ); dkSig.setSignatureAlgorithm( rpd.getAlgorithmSuite().getSymmetricSignature() ); dkSig.setDerivedKeyLength( rpd.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8 ); /** * Add a reference to encrypted key in the derived key */ dkSig.setExternalKey( encrKey.getEphemeralKey(), encrKey.getId() ); dkSig.prepare(doc, rmd.getSecHeader()); if (rpd.isTokenProtection()) { sigParts.add(new WSEncryptionPart(encrKey.getBSTTokenId())); } dkSig.setParts(sigParts); //Added by MRL dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest()); List referenceList = dkSig.addReferencesToSign(sigParts, rmd.getSecHeader()); /** * Add .. to security * header. We need to add this just after Encrypted Key and just before .. * elements. (As a convention) */ dkSig.appendDKElementToHeader(rmd.getSecHeader()); //Do signature and append to the security header dkSig.computeSignature(referenceList, false, null); // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())" // but WSS4J has remove append methods. Need to find why ? 
//this.appendToHeader(rmd.getSecHeader(), dkSig.getSignatureElement()); return dkSig.getSignatureValue(); } catch (WSSecurityException e) { throw new RampartException( "errorInDerivedKeyTokenSignature", e ); } catch (ConversationException e) { throw new RampartException( "errorInDerivedKeyTokenSignature", e ); } } else { try { WSSecSignature sig = this.getSignatureBuilder(rmd, token); sig.appendBSTElementToHeader(rmd.getSecHeader()); if ( rpd.isTokenProtection() && !( SPConstants.INCLUDE_TOKEN_NEVER == token.getInclusion() ) ) { sigParts.add(new WSEncryptionPart(sig.getBSTTokenId())); } //Added by MRL sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest()); List referenceList = sig.addReferencesToSign(sigParts, rmd.getSecHeader()); // TODO changed the order - verify // Compute signature and append to the header sig.computeSignature(referenceList, false, null); return sig.getSignatureValue(); } catch (WSSecurityException e) { throw new RampartException("errorInSignatureWithX509Token", e); } } } /** * DOCUMENT ME! * * @since 1.0 * * @param rmd DOCUMENT ME! * @param secConvTok DOCUMENT ME! * * @throws RampartException DOCUMENT ME! 
*/ private void handleSecureConversationTokens( RampartMessageData rmd, SecureConversationToken secConvTok ) throws RampartException { MessageContext msgContext = rmd.getMsgContext(); String secConvTokenId = rmd.getSecConvTokenId(); //The RSTR has to be secured with the cancelled token String action = msgContext.getOptions() .getAction(); boolean cancelReqResp = action.equals( RahasConstants.WST_NS_05_02 + RahasConstants.RSTR_ACTION_CANCEL_SCT ) || action.equals( RahasConstants.WST_NS_05_02 + RahasConstants.RSTR_ACTION_CANCEL_SCT ) || action.equals( RahasConstants.WST_NS_05_02 + RahasConstants.RST_ACTION_CANCEL_SCT ) || action.equals( RahasConstants.WST_NS_05_02 + RahasConstants.RST_ACTION_CANCEL_SCT ); //In the case of the cancel req or resp we should mark the token as cancelled if ((secConvTokenId != null) && cancelReqResp) { try { rmd.getTokenStorage() .getToken(secConvTokenId) .setState(org.apache.rahas.Token.CANCELLED); msgContext.setProperty( RampartMessageData.SCT_ID, secConvTokenId ); //remove from the local map of contexts String contextIdentifierKey = RampartUtil.getContextIdentifierKey(msgContext); RampartUtil.getContextMap(msgContext) .remove(contextIdentifierKey); } catch (TrustException e) { throw new RampartException("errorExtractingToken", e); } } if ( (secConvTokenId == null) || ( (secConvTokenId != null) && ( !RampartUtil.isTokenValid(rmd, secConvTokenId) && !cancelReqResp ) ) ) { log.debug( "No SecureConversationToken found, requesting a new token" ); try { secConvTokenId = RampartUtil.getSecConvToken(rmd, secConvTok); rmd.setSecConvTokenId(secConvTokenId); } catch (TrustException e) { throw new RampartException("errorInObtainingSct", e); } } /* org.apache.rahas.Token token; try { token = rmd.getTokenStorage().getToken(secConvTokenId); } catch (TrustException e) { throw new RampartException("errorExtractingToken", e); } //Add the token to the header Element siblingElem = RampartUtil .insertSiblingAfter(rmd, this.getInsertionLocation(), (Element) 
token.getToken()); this.setInsertionLocation(siblingElem);*/ } } This is the policy.xml being used: aliasName com.test.hro.benefits.fndt.security.ClientPasswordCallback JKS keys/KeyStore was: TransportBinding is not recognizing SHA256 when specified in the policy.xml on the DigestAlgorithm. SignatureAlgorithm however is recognizing SHA256. This is because org.apache.rampart.builder.TransportBindingBuilder.java is not setting the digestAlgorithm, and thus using the default of SHA1. To correct this, add this line in 3 locations in this class: sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest()); and add this line in 1 location in this class: dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest()); Listed below is the entire class with the lines inserted for reference. Thank you. /* * ============================================================================= * * Copyright (c) 2003-2013 Hewitt Associates, LLC. * 100 Half Day Road, Lincolnshire, Illinois, 60069, U.S.A. * All rights reserved. * * This program contains proprietary and confidential information and trade * secrets of Hewitt Associates LLC. This program may not be duplicated, * disclosed or provided to any third parties without the prior written consent * of Hewitt Associates LLC. Disassembly or decompilation of the software and * reverse engineering of the object code are prohibited. 
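Review bot: The proposed `setDigestAlgo`/`setDigestAlgorithm` calls cover `doX509TokenSignature` and the non-derived-key branches of `doIssuedTokenSignature` and `doSecureConversationSignature`, but the `WSSecDKSign dkSign` branches of those two methods (the `if (token.isDerivedKeys())` blocks that call `dkSign.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature())`) still never set a digest, so a policy asking for SHA256 would still fall back to the WSS4J default there; add `dkSign.setDigestAlgorithm(algorithmSuite.getDigest());` next to the `setDerivedKeyLength` call in both. In the same two non-derived-key branches `sig.setSignatureAlgorithm(algorithmSuite.getAsymmetricSignature())` is immediately overwritten by `sig.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature())`, so the first call is dead and should be dropped to make the intended algorithm explicit. In `build`, `t0` is never assigned before `tlog.debug("Transport binding build took " + (t1 - t0))`, so the timing log prints an epoch timestamp rather than a duration; the first `t1 = System.currentTimeMillis()` should assign `t0`. The license header pasted above the class marks the code as proprietary and confidential, which should be corrected before the listing is treated as a contribution.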
* * ============================================================================= */ package org.apache.rampart.builder; import org.apache.axiom.om.OMElement; import org.apache.axiom.soap.SOAPEnvelope; import org.apache.axis2.context.MessageContext; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.rahas.RahasConstants; import org.apache.rahas.TrustException; import org.apache.rampart.RampartConstants; import org.apache.rampart.RampartException; import org.apache.rampart.RampartMessageData; import org.apache.rampart.policy.RampartPolicyData; import org.apache.rampart.util.RampartUtil; import org.apache.ws.secpolicy.SPConstants; import org.apache.ws.secpolicy.model.AlgorithmSuite; import org.apache.ws.secpolicy.model.Header; import org.apache.ws.secpolicy.model.IssuedToken; import org.apache.ws.secpolicy.model.SecureConversationToken; import org.apache.ws.secpolicy.model.SignedEncryptedParts; import org.apache.ws.secpolicy.model.SupportingToken; import org.apache.ws.secpolicy.model.Token; import org.apache.ws.secpolicy.model.UsernameToken; import org.apache.ws.secpolicy.model.X509Token; import org.apache.ws.security.WSConstants; import org.apache.ws.security.WSEncryptionPart; import org.apache.ws.security.WSSecurityException; import org.apache.ws.security.conversation.ConversationException; import org.apache.ws.security.handler.WSHandlerConstants; import org.apache.ws.security.message.*; import org.w3c.dom.Document; import org.w3c.dom.Element; import java.util.ArrayList; import java.util.Iterator; import java.util.List; import javax.xml.crypto.dsig.Reference; /** * DOCUMENT ME! * * @hahistory 8/11/16 $author$ Initial creation. * @since 1.0 */ public class TransportBindingBuilder extends BindingBuilder { /** * DOCUMENT ME! * * @since 1.0 */ private static Log log = LogFactory.getLog(TransportBindingBuilder.class); /** * DOCUMENT ME! 
* * @since 1.0 */ private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG); /** * DOCUMENT ME! * * @since 1.0 * * @param rmd DOCUMENT ME! * * @throws RampartException DOCUMENT ME! */ public void build(RampartMessageData rmd) throws RampartException { log.debug("TransportBindingBuilder build invoked"); long t0 = 0, t1 = 0; if (tlog.isDebugEnabled()) { t1 = System.currentTimeMillis(); } RampartPolicyData rpd = rmd.getPolicyData(); if (rpd.isIncludeTimestamp()) { addTimestamp(rmd); } /* * Process Supporting tokens */ if (rmd.isInitiator()) { List signatureValues = new ArrayList(); SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens(); if ( (sgndSuppTokens != null) && (sgndSuppTokens.getTokens() != null) && (sgndSuppTokens.getTokens() .size() > 0) ) { log.debug("Processing signed supporting tokens"); ArrayList tokens = sgndSuppTokens.getTokens(); for (Object signedSupportingToken : tokens) { Token token = (Token)signedSupportingToken; if (token instanceof UsernameToken) { WSSecUsernameToken utBuilder = addUsernameToken(rmd, (UsernameToken)token); utBuilder.prepare(rmd.getDocument()); //Add the UT utBuilder.appendToHeader(rmd.getSecHeader()); } else { throw new RampartException( "unsupportedSignedSupportingToken", new String[] { "{" + token.getName() .getNamespaceURI() + "}" + token.getName() .getLocalPart() } ); } } } SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens(); if ( (sgndEndSuppTokens != null) && (sgndEndSuppTokens.getTokens() != null) && (sgndEndSuppTokens.getTokens() .size() > 0) ) { log.debug("Processing endorsing signed supporting tokens"); ArrayList tokens = sgndEndSuppTokens.getTokens(); SignedEncryptedParts signdParts = sgndEndSuppTokens.getSignedParts(); for (Object objectToken : tokens) { Token token = (Token)objectToken; if (token instanceof IssuedToken && rmd.isInitiator()) { signatureValues.add( doIssuedTokenSignature(rmd, token, signdParts) ); } else if (token instanceof X509Token) { 
signatureValues.add( doX509TokenSignature(rmd, token, signdParts) ); } } } SupportingToken endSupptokens = rpd.getEndorsingSupportingTokens(); if ( (endSupptokens != null) && (endSupptokens.getTokens() != null) && (endSupptokens.getTokens() .size() > 0) ) { log.debug("Processing endorsing supporting tokens"); ArrayList tokens = endSupptokens.getTokens(); SignedEncryptedParts signdParts = endSupptokens.getSignedParts(); for (Object objectToken : tokens) { Token token = (Token)objectToken; if (token instanceof IssuedToken && rmd.isInitiator()) { signatureValues.add( doIssuedTokenSignature(rmd, token, signdParts) ); } else if (token instanceof X509Token) { signatureValues.add( doX509TokenSignature(rmd, token, signdParts) ); } else if (token instanceof SecureConversationToken) { handleSecureConversationTokens( rmd, (SecureConversationToken)token ); signatureValues.add( doSecureConversationSignature( rmd, token, signdParts ) ); } } } List supportingToks = rpd.getSupportingTokensList(); for (SupportingToken supportingTok : supportingToks) { this.handleSupportingTokens(rmd, supportingTok); } //Store the signature values list rmd.getMsgContext() .setProperty(WSHandlerConstants.SEND_SIGV, signatureValues); } else { addSignatureConfirmation(rmd, null); } if (tlog.isDebugEnabled()) { t1 = System.currentTimeMillis(); tlog.debug("Transport binding build took " + (t1 - t0)); } } /** * DOCUMENT ME! * * @since 1.0 * * @param secHeader DOCUMENT ME! * @param appendingChild DOCUMENT ME! */ private void appendToHeader(WSSecHeader secHeader, Element appendingChild) { // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())" // but WSS4J has remove append methods. Need to find why ? Element secHeaderElement = secHeader.getSecurityHeader(); secHeaderElement.appendChild(appendingChild); } /** * IssuedToken signature * * @param rmd * @param token * @param signdParts * * @return DOCUMENT ME! 
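* @throws RampartException if the issued token cannot be read from the
*         token store or the signature cannot be computed
*/
    private byte[] doIssuedTokenSignature(
        RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
    ) throws RampartException
    {
        RampartPolicyData rpd = rmd.getPolicyData();
        Document doc = rmd.getDocument();

        // Resolve the issued token id for this exchange and pull the stored
        // token (secret, references, XML) from the token store.
        String id = RampartUtil.getIssuedToken(rmd, (IssuedToken)token);
        org.apache.rahas.Token tok = lookupStoredToken(rmd, id);

        // Whether the policy's IncludeToken setting (together with our role)
        // says the token itself must travel in the security header.
        boolean tokenIncluded = includeTokenInHeader(rmd, token.getInclusion());
        if (tokenIncluded)
        {
            rmd.getSecHeader()
               .getSecurityHeader()
               .appendChild(doc.importNode((Element)tok.getToken(), true));
        }

        // Parts to sign, in the order the original code built them:
        // timestamp, the included token (token protection), then the
        // policy's SignedParts (body and headers).
        List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
        if (this.timestampElement != null)
        {
            sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
        }
        if (rpd.isTokenProtection() && tokenIncluded)
        {
            sigParts.add(new WSEncryptionPart(id));
        }
        addPolicySignedParts(rmd, signdParts, sigParts);

        AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
        if (token.isDerivedKeys())
        {
            return signWithStoredTokenDerivedKey(
                rmd, tok, tokenIncluded, sigParts, algorithmSuite
            );
        }

        try
        {
            WSSecSignature sig = new WSSecSignature();
            sig.setWsConfig(rmd.getConfig());
            sig.setCustomTokenId(stripLeadingHash(tok.getId()));
            sig.setCustomTokenValueType(
                RampartUtil.getSAML10AssertionNamespace()
            );
            sig.setSecretKey(tok.getSecret());
            // Only the symmetric algorithm is effective here (the key is the
            // token's shared secret). The original also set the asymmetric
            // algorithm first, which the next call immediately overwrote.
            sig.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
            sig.prepare(
                doc,
                RampartUtil.getSignatureCrypto(
                    rpd.getRampartConfig(), rmd.getCustomClassLoader()
                ), rmd.getSecHeader()
            );
            sig.setParts(sigParts);
            // RAMPART-437: honour the policy's DigestAlgorithm. This must be
            // set before the references are built, otherwise WSS4J keeps its
            // default digest (SHA-1) regardless of what policy.xml says.
            sig.setDigestAlgo(algorithmSuite.getDigest());
            List referenceList =
                sig.addReferencesToSign(sigParts, rmd.getSecHeader());
            sig.computeSignature(referenceList);
            // Place the Signature after the current insertion point and make
            // it the new insertion point for later header elements.
            this.setInsertionLocation(
                RampartUtil.insertSiblingAfter(
                    rmd, this.getInsertionLocation(), sig.getSignatureElement()
                )
            );
            return sig.getSignatureValue();
        }
        catch (WSSecurityException e)
        {
            throw new RampartException("errorInSignatureWithACustomToken", e);
        }
    }

    /**
     * Signs the message with the SecureConversation token (SCT) negotiated
     * for this exchange, using a derived key when the policy asks for one.
     *
     * @param rmd        message data holding the document, security header
     *                   and token store
     * @param token      the SecureConversationToken assertion from the policy
     * @param signdParts the policy's SignedParts (may be {@code null})
     *
     * @return the raw signature value
     *
     * @throws RampartException if the SCT cannot be read from the token store
     *         or the signature cannot be computed
     */
    private byte[] doSecureConversationSignature(
        RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
    ) throws RampartException
    {
        RampartPolicyData rpd = rmd.getPolicyData();
        Document doc = rmd.getDocument();

        // The SCT id is established by handleSecureConversationTokens, which
        // the caller runs before this method.
        String id = rmd.getSecConvTokenId();
        org.apache.rahas.Token tok = lookupStoredToken(rmd, id);

        boolean tokenIncluded = includeTokenInHeader(rmd, token.getInclusion());
        if (tokenIncluded)
        {
            rmd.getSecHeader()
               .getSecurityHeader()
               .appendChild(doc.importNode((Element)tok.getToken(), true));
        }

        List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
        if (this.timestampElement != null)
        {
            sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
        }
        if (rpd.isTokenProtection() && tokenIncluded)
        {
            sigParts.add(new WSEncryptionPart(id));
        }
        addPolicySignedParts(rmd, signdParts, sigParts);

        AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
        if (token.isDerivedKeys())
        {
            return signWithStoredTokenDerivedKey(
                rmd, tok, tokenIncluded, sigParts, algorithmSuite
            );
        }

        try
        {
            WSSecSignature sig = new WSSecSignature();
            sig.setWsConfig(rmd.getConfig());
            // The original unconditionally dropped the first character of the
            // token id. Only strip it when it really is the '#' fragment
            // marker, as doIssuedTokenSignature does.
            sig.setCustomTokenId(stripLeadingHash(tok.getId()));
            sig.setCustomTokenValueType(
                RampartUtil.getSAML10AssertionNamespace()
            );
            sig.setSecretKey(tok.getSecret());
            // Symmetric only; the asymmetric setter call in the original was
            // dead (overwritten by this one).
            sig.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
            sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
            sig.prepare(
                doc,
                RampartUtil.getSignatureCrypto(
                    rpd.getRampartConfig(), rmd.getCustomClassLoader()
                ), rmd.getSecHeader()
            );
            sig.setParts(sigParts);
            // RAMPART-437: honour the policy's DigestAlgorithm (see above).
            sig.setDigestAlgo(algorithmSuite.getDigest());
            List referenceList =
                sig.addReferencesToSign(sigParts, rmd.getSecHeader());
            // Unlike the issued-token path, WSS4J inserts the Signature
            // relative to the insertion point itself; it then becomes the new
            // insertion point.
            sig.computeSignature(
                referenceList, false, this.getInsertionLocation()
            );
            this.setInsertionLocation(sig.getSignatureElement());
            return sig.getSignatureValue();
        }
        catch (WSSecurityException e)
        {
            throw new RampartException("errorInSignatureWithACustomToken", e);
        }
    }

    /**
     * Signs the message with an X.509 token: either directly with the
     * configured signing key, or (derived keys) with a key derived from an
     * ephemeral secret that is wrapped for the other party in an EncryptedKey.
     *
     * @param rmd        message data holding the document and security header
     * @param token      the X509Token assertion from the policy
     * @param signdParts the policy's SignedParts (may be {@code null})
     *
     * @return the raw signature value
     *
     * @throws RampartException if key wrapping or signing fails
     */
    private byte[] doX509TokenSignature(
        RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
    ) throws RampartException
    {
        RampartPolicyData rpd = rmd.getPolicyData();
        Document doc = rmd.getDocument();

        List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
        if (this.timestampElement != null)
        {
            sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
        }
        addPolicySignedParts(rmd, signdParts, sigParts);

        if (token.isDerivedKeys())
        {
            // Encrypt an ephemeral key for the other party and use it as the
            // parent of the derived signing key.
            try
            {
                WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(rmd, token);
                Element bstElem = encrKey.getBinarySecurityTokenElement();
                if (bstElem != null)
                {
                    RampartUtil.appendChildToSecHeader(rmd, bstElem);
                }
                // The EncryptedKey goes into the security header first.
                encrKey.appendToHeader(rmd.getSecHeader());

                WSSecDKSign dkSig = new WSSecDKSign();
                dkSig.setWsConfig(rmd.getConfig());
                dkSig.setSigCanonicalization(
                    rpd.getAlgorithmSuite().getInclusiveC14n()
                );
                dkSig.setSignatureAlgorithm(
                    rpd.getAlgorithmSuite().getSymmetricSignature()
                );
                // NOTE(review): the length is divided by 8 here but passed
                // as-is in the issued-token / SCT derived-key path; the
                // original code did this too — confirm which unit
                // WSSecDKSign expects before aligning the two.
                dkSig.setDerivedKeyLength(
                    rpd.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8
                );
                // Reference the EncryptedKey from the derived key.
                dkSig.setExternalKey(
                    encrKey.getEphemeralKey(), encrKey.getId()
                );
                dkSig.prepare(doc, rmd.getSecHeader());

                if (rpd.isTokenProtection())
                {
                    sigParts.add(new WSEncryptionPart(encrKey.getBSTTokenId()));
                }
                dkSig.setParts(sigParts);
                // RAMPART-437: honour the policy's DigestAlgorithm; set it
                // before the references are built.
                dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest());
                List referenceList =
                    dkSig.addReferencesToSign(sigParts, rmd.getSecHeader());

                // Convention: the DerivedKeyToken sits just after the
                // EncryptedKey and just before the Signature.
                dkSig.appendDKElementToHeader(rmd.getSecHeader());
                dkSig.computeSignature(referenceList, false, null);
                return dkSig.getSignatureValue();
            }
            catch (WSSecurityException e)
            {
                throw new RampartException("errorInDerivedKeyTokenSignature", e);
            }
            catch (ConversationException e)
            {
                throw new RampartException("errorInDerivedKeyTokenSignature", e);
            }
        }

        try
        {
            WSSecSignature sig = this.getSignatureBuilder(rmd, token);
            sig.appendBSTElementToHeader(rmd.getSecHeader());
            // Token protection only makes sense when the BST is actually in
            // the header, i.e. IncludeToken is not Never.
            if (rpd.isTokenProtection()
                && SPConstants.INCLUDE_TOKEN_NEVER != token.getInclusion())
            {
                sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
            }
            // RAMPART-437: honour the policy's DigestAlgorithm.
            sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
            List referenceList =
                sig.addReferencesToSign(sigParts, rmd.getSecHeader());
            // TODO (pre-existing): order of addReferencesToSign/computeSignature
            // was changed during the WSS4J migration - verify.
            sig.computeSignature(referenceList, false, null);
            return sig.getSignatureValue();
        }
        catch (WSSecurityException e)
        {
            throw new RampartException("errorInSignatureWithX509Token", e);
        }
    }

    /**
     * Fetches a token from the message's token store, turning both a lookup
     * failure and a missing token into a {@link RampartException}.
     *
     * @param rmd message data giving access to the token store
     * @param id  id of the token to fetch
     *
     * @return the stored token, never {@code null}
     *
     * @throws RampartException if the store fails or holds no such token
     */
    private static org.apache.rahas.Token lookupStoredToken(
        RampartMessageData rmd, String id
    ) throws RampartException
    {
        org.apache.rahas.Token tok;
        try
        {
            tok = rmd.getTokenStorage().getToken(id);
        }
        catch (TrustException e)
        {
            throw new RampartException(
                "errorExtractingToken", new String[] {id}, e
            );
        }
        if (tok == null)
        {
            // Previously a missing token only surfaced later as a
            // NullPointerException on tok.getToken()/tok.getSecret().
            throw new RampartException("errorExtractingToken", new String[] {id});
        }
        return tok;
    }

    /**
     * IncludeToken semantics as used by the signing methods: Always includes
     * the token; AlwaysToRecipient and Once include it only when this side is
     * the initiator; anything else (e.g. Never) does not include it.
     */
    private static boolean includeTokenInHeader(RampartMessageData rmd, int inclusion)
    {
        if (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS)
        {
            return true;
        }
        boolean toRecipientOrOnce =
            inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT
            || inclusion == SPConstants.INCLUDE_TOKEN_ONCE;
        return toRecipientOrOnce && rmd.isInitiator();
    }

    /**
     * Appends the policy's SignedParts to {@code sigParts}: the SOAP body
     * (given a wsu:Id if needed) followed by the content of each listed
     * header. A {@code null} policy adds nothing.
     */
    private static void addPolicySignedParts(
        RampartMessageData rmd, SignedEncryptedParts signdParts,
        List<WSEncryptionPart> sigParts
    )
    {
        if (signdParts == null)
        {
            return;
        }
        if (signdParts.isBody())
        {
            SOAPEnvelope env = rmd.getMsgContext().getEnvelope();
            sigParts.add(
                new WSEncryptionPart(RampartUtil.addWsuIdToElement(env.getBody()))
            );
        }
        ArrayList headers = signdParts.getHeaders();
        if (headers == null)
        {
            return;
        }
        for (Object signedHeader : headers)
        {
            Header header = (Header)signedHeader;
            sigParts.add(
                new WSEncryptionPart(
                    header.getName(), header.getNamespace(), "Content"
                )
            );
        }
    }

    /**
     * Strips a leading '#' fragment marker from a token id, if present; other
     * ids (and {@code null}) are returned unchanged.
     */
    private static String stripLeadingHash(String tokId)
    {
        if (tokId != null && tokId.startsWith("#"))
        {
            return tokId.substring(1);
        }
        return tokId;
    }

    /**
     * Derived-key signature over {@code sigParts}, keyed by a stored token's
     * secret. Shared by the issued-token and SecureConversation paths, whose
     * original derived-key branches were identical.
     *
     * @param rmd            message data holding the document and security header
     * @param tok            the stored token supplying the secret and references
     * @param tokenIncluded  whether the token itself was added to the header
     *                       (selects the attached vs. unattached reference)
     * @param sigParts       the parts to sign
     * @param algorithmSuite the policy's algorithm suite
     *
     * @return the raw signature value
     *
     * @throws RampartException if key derivation or signing fails
     */
    private byte[] signWithStoredTokenDerivedKey(
        RampartMessageData rmd, org.apache.rahas.Token tok, boolean tokenIncluded,
        List<WSEncryptionPart> sigParts, AlgorithmSuite algorithmSuite
    ) throws RampartException
    {
        Document doc = rmd.getDocument();
        try
        {
            WSSecDKSign dkSign = new WSSecDKSign();
            // Point the derived key at the token: by its attached reference
            // when the token is in the header, else by its unattached
            // reference, falling back to the token id.
            OMElement ref = tokenIncluded
                ? tok.getAttachedReference()
                : tok.getUnattachedReference();
            if (ref != null)
            {
                dkSign.setExternalKey(
                    tok.getSecret(), (Element)doc.importNode((Element)ref, true)
                );
            }
            else
            {
                dkSign.setExternalKey(tok.getSecret(), tok.getId());
            }
            dkSign.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
            // NOTE(review): passed as-is, as the original did; the X.509
            // derived-key path divides the same value by 8 — confirm the unit.
            dkSign.setDerivedKeyLength(
                algorithmSuite.getSignatureDerivedKeyLength()
            );
            dkSign.prepare(doc);
            // Convention: the DerivedKeyToken sits just after the EncryptedKey
            // and just before the Signature.
            dkSign.appendDKElementToHeader(rmd.getSecHeader());
            dkSign.setParts(sigParts);
            // RAMPART-437: the X.509 derived-key path already applies the
            // policy digest; do the same here so these signatures do not
            // silently fall back to the WSS4J default (SHA-1).
            dkSign.setDigestAlgorithm(algorithmSuite.getDigest());
            List referenceList =
                dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
            dkSign.computeSignature(referenceList, false, null);
            return dkSign.getSignatureValue();
        }
        catch (ConversationException e)
        {
            throw new RampartException("errorInDerivedKeyTokenSignature", e);
        }
        catch (WSSecurityException e)
        {
            throw new RampartException("errorInDerivedKeyTokenSignature", e);
        }
    }

    /**
     * True when the WS-Addressing action is the WS-Trust 2005/02 SCT cancel
     * request or response. The original compared against each of these two
     * actions twice; NOTE(review): the duplicates may have been meant for the
     * 2005/12 namespace — confirm before widening this check.
     *
     * @param action the message's action, possibly {@code null}
     */
    private static boolean isCancelSctAction(String action)
    {
        if (action == null)
        {
            // The original dereferenced a null action and failed with an NPE.
            return false;
        }
        return action.equals(
                   RahasConstants.WST_NS_05_02 + RahasConstants.RSTR_ACTION_CANCEL_SCT
               )
            || action.equals(
                   RahasConstants.WST_NS_05_02 + RahasConstants.RST_ACTION_CANCEL_SCT
               );
    }

    /**
     * Ensures a usable SecureConversation token id is available on
     * {@code rmd}: marks the current SCT cancelled on a cancel exchange, and
     * requests a new SCT when none exists or the existing one is no longer
     * valid (except during the cancel exchange itself, which must still be
     * secured with the token being cancelled).
     *
     * @param rmd        message data holding the message context and token store
     * @param secConvTok the SecureConversationToken assertion from the policy
     *
     * @throws RampartException if the token store fails or a new SCT cannot
     *         be obtained
     */
    private void handleSecureConversationTokens(
        RampartMessageData rmd, SecureConversationToken secConvTok
    ) throws RampartException
    {
        MessageContext msgContext = rmd.getMsgContext();
        String secConvTokenId = rmd.getSecConvTokenId();

        // The RSTR has to be secured with the cancelled token, so detect the
        // cancel exchange before deciding whether to renew.
        String action = msgContext.getOptions().getAction();
        boolean cancelReqResp = isCancelSctAction(action);

        if (secConvTokenId != null && cancelReqResp)
        {
            try
            {
                org.apache.rahas.Token sct =
                    rmd.getTokenStorage().getToken(secConvTokenId);
                if (sct == null)
                {
                    throw new RampartException(
                        "errorExtractingToken", new String[] {secConvTokenId}
                    );
                }
                sct.setState(org.apache.rahas.Token.CANCELLED);
                msgContext.setProperty(RampartMessageData.SCT_ID, secConvTokenId);
                // Drop the context -> token mapping so the cancelled SCT is
                // not picked up again for this context.
                String contextIdentifierKey =
                    RampartUtil.getContextIdentifierKey(msgContext);
                RampartUtil.getContextMap(msgContext).remove(contextIdentifierKey);
            }
            catch (TrustException e)
            {
                throw new RampartException("errorExtractingToken", e);
            }
        }

        // No token yet, or the one we have is invalid and this is not the
        // cancel exchange: obtain a fresh SCT.
        if (secConvTokenId == null
            || (!RampartUtil.isTokenValid(rmd, secConvTokenId) && !cancelReqResp))
        {
            log.debug("No SecureConversationToken found, requesting a new token");
            try
            {
                secConvTokenId = RampartUtil.getSecConvToken(rmd, secConvTok);
                rmd.setSecConvTokenId(secConvTokenId);
            }
            catch (TrustException e)
            {
                throw new RampartException("errorInObtainingSct", e);
            }
        }

        // Pre-existing commented-out code (adding the token to the header);
        // left as found.
        /* org.apache.rahas.Token token;
        try {
            token = rmd.getTokenStorage().getToken(secConvTokenId);
        } catch (TrustException e) {
            throw new RampartException("errorExtractingToken", e);
        }
        //Add the token to the header
        Element siblingElem = RampartUtil
            .insertSiblingAfter(rmd, this.getInsertionLocation(), (Element)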
token.getToken()); this.setInsertionLocation(siblingElem);*/ } } > SHA256 not supported for DigestAlgorithm for TransportBinding when specified correctly in policy.xml > ---------------------------------------------------------------------------------------------------- > > Key: RAMPART-437 > URL: https://issues.apache.org/jira/browse/RAMPART-437 > Project: Rampart > Issue Type: Bug > Components: rampart-core > Affects Versions: 1.6.2, 1.6.3, 1.6.4, 1.7.0 > Environment: I am using version 1.6.2, but see the code is not fixed in version 1.7.0 yet either. > Reporter: Marjorie Lindsey > Priority: Minor > > TransportBinding is not recognizing SHA256 when specified in the policy.xml on the DigestAlgorithm. SignatureAlgorithm however is recognizing SHA256. This is because org.apache.rampart.builder.TransportBindingBuilder.java is not setting the digestAlgorithm, and thus using the default of SHA1. To correct this, add this line in 3 locations in this class: > sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest()); > and add this line in 1 location in this class: > dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest()); > Listed below is the entire class with the lines inserted for reference. Thank you. > /* > * ============================================================================= > * > * Copyright (c) 2003-2013 Hewitt Associates, LLC. > * 100 Half Day Road, Lincolnshire, Illinois, 60069, U.S.A. > * All rights reserved. > * > * This program contains proprietary and confidential information and trade > * secrets of Hewitt Associates LLC. This program may not be duplicated, > * disclosed or provided to any third parties without the prior written consent > * of Hewitt Associates LLC. Disassembly or decompilation of the software and > * reverse engineering of the object code are prohibited. 
> * > * ============================================================================= > */ > package org.apache.rampart.builder; > import org.apache.axiom.om.OMElement; > import org.apache.axiom.soap.SOAPEnvelope; > import org.apache.axis2.context.MessageContext; > import org.apache.commons.logging.Log; > import org.apache.commons.logging.LogFactory; > import org.apache.rahas.RahasConstants; > import org.apache.rahas.TrustException; > import org.apache.rampart.RampartConstants; > import org.apache.rampart.RampartException; > import org.apache.rampart.RampartMessageData; > import org.apache.rampart.policy.RampartPolicyData; > import org.apache.rampart.util.RampartUtil; > import org.apache.ws.secpolicy.SPConstants; > import org.apache.ws.secpolicy.model.AlgorithmSuite; > import org.apache.ws.secpolicy.model.Header; > import org.apache.ws.secpolicy.model.IssuedToken; > import org.apache.ws.secpolicy.model.SecureConversationToken; > import org.apache.ws.secpolicy.model.SignedEncryptedParts; > import org.apache.ws.secpolicy.model.SupportingToken; > import org.apache.ws.secpolicy.model.Token; > import org.apache.ws.secpolicy.model.UsernameToken; > import org.apache.ws.secpolicy.model.X509Token; > import org.apache.ws.security.WSConstants; > import org.apache.ws.security.WSEncryptionPart; > import org.apache.ws.security.WSSecurityException; > import org.apache.ws.security.conversation.ConversationException; > import org.apache.ws.security.handler.WSHandlerConstants; > import org.apache.ws.security.message.*; > import org.w3c.dom.Document; > import org.w3c.dom.Element; > import java.util.ArrayList; > import java.util.Iterator; > import java.util.List; > import javax.xml.crypto.dsig.Reference; > /** > * DOCUMENT ME! > * > * @hahistory 8/11/16 $author$ Initial creation. > * @since 1.0 > */ > public class TransportBindingBuilder extends BindingBuilder > { > /** > * DOCUMENT ME! 
> * > * @since 1.0 > */ > private static Log log = LogFactory.getLog(TransportBindingBuilder.class); > /** > * DOCUMENT ME! > * > * @since 1.0 > */ > private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG); > /** > * DOCUMENT ME! > * > * @since 1.0 > * > * @param rmd DOCUMENT ME! > * > * @throws RampartException DOCUMENT ME! > */ > public void build(RampartMessageData rmd) throws RampartException > { > log.debug("TransportBindingBuilder build invoked"); > long t0 = 0, t1 = 0; > if (tlog.isDebugEnabled()) > { > t1 = System.currentTimeMillis(); > } > RampartPolicyData rpd = rmd.getPolicyData(); > if (rpd.isIncludeTimestamp()) > { > addTimestamp(rmd); > } > /* > * Process Supporting tokens > */ > if (rmd.isInitiator()) > { > List signatureValues = new ArrayList(); > SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens(); > if ( > (sgndSuppTokens != null) && > (sgndSuppTokens.getTokens() != null) && > (sgndSuppTokens.getTokens() > .size() > 0) > ) > { > log.debug("Processing signed supporting tokens"); > ArrayList tokens = sgndSuppTokens.getTokens(); > for (Object signedSupportingToken : tokens) > { > Token token = (Token)signedSupportingToken; > if (token instanceof UsernameToken) > { > WSSecUsernameToken utBuilder = > addUsernameToken(rmd, (UsernameToken)token); > utBuilder.prepare(rmd.getDocument()); > //Add the UT > utBuilder.appendToHeader(rmd.getSecHeader()); > } > else > { > throw new RampartException( > "unsupportedSignedSupportingToken", > new String[] > { > "{" + token.getName() > .getNamespaceURI() + "}" + > token.getName() > .getLocalPart() > } > ); > } > } > } > SupportingToken sgndEndSuppTokens = > rpd.getSignedEndorsingSupportingTokens(); > if ( > (sgndEndSuppTokens != null) && > (sgndEndSuppTokens.getTokens() != null) && > (sgndEndSuppTokens.getTokens() > .size() > 0) > ) > { > log.debug("Processing endorsing signed supporting tokens"); > ArrayList tokens = sgndEndSuppTokens.getTokens(); > SignedEncryptedParts signdParts = > 
sgndEndSuppTokens.getSignedParts(); > for (Object objectToken : tokens) > { > Token token = (Token)objectToken; > if (token instanceof IssuedToken && rmd.isInitiator()) > { > signatureValues.add( > doIssuedTokenSignature(rmd, token, signdParts) > ); > } > else if (token instanceof X509Token) > { > signatureValues.add( > doX509TokenSignature(rmd, token, signdParts) > ); > } > } > } > SupportingToken endSupptokens = rpd.getEndorsingSupportingTokens(); > if ( > (endSupptokens != null) && > (endSupptokens.getTokens() != null) && > (endSupptokens.getTokens() > .size() > 0) > ) > { > log.debug("Processing endorsing supporting tokens"); > ArrayList tokens = endSupptokens.getTokens(); > SignedEncryptedParts signdParts = > endSupptokens.getSignedParts(); > for (Object objectToken : tokens) > { > Token token = (Token)objectToken; > if (token instanceof IssuedToken && rmd.isInitiator()) > { > signatureValues.add( > doIssuedTokenSignature(rmd, token, signdParts) > ); > } > else if (token instanceof X509Token) > { > signatureValues.add( > doX509TokenSignature(rmd, token, signdParts) > ); > } > else if (token instanceof SecureConversationToken) > { > handleSecureConversationTokens( > rmd, (SecureConversationToken)token > ); > signatureValues.add( > doSecureConversationSignature( > rmd, token, signdParts > ) > ); > } > } > } > List supportingToks = > rpd.getSupportingTokensList(); > for (SupportingToken supportingTok : supportingToks) > { > this.handleSupportingTokens(rmd, supportingTok); > } > //Store the signature values list > rmd.getMsgContext() > .setProperty(WSHandlerConstants.SEND_SIGV, signatureValues); > } > else > { > addSignatureConfirmation(rmd, null); > } > if (tlog.isDebugEnabled()) > { > t1 = System.currentTimeMillis(); > tlog.debug("Transport binding build took " + (t1 - t0)); > } > } > /** > * DOCUMENT ME! > * > * @since 1.0 > * > * @param secHeader DOCUMENT ME! > * @param appendingChild DOCUMENT ME! 
> */ > private void appendToHeader(WSSecHeader secHeader, Element appendingChild) > { > // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())" > // but WSS4J has remove append methods. Need to find why ? > Element secHeaderElement = secHeader.getSecurityHeader(); > secHeaderElement.appendChild(appendingChild); > } > /** > * IssuedToken signature > * > * @param rmd > * @param token > * @param signdParts > * > * @return DOCUMENT ME! > * > * @throws RampartException > */ > private byte[] doIssuedTokenSignature( > RampartMessageData rmd, Token token, SignedEncryptedParts signdParts > ) throws RampartException > { > RampartPolicyData rpd = rmd.getPolicyData(); > Document doc = rmd.getDocument(); > //Get the issued token > String id = RampartUtil.getIssuedToken(rmd, (IssuedToken)token); > int inclusion = token.getInclusion(); > org.apache.rahas.Token tok = null; > try > { > tok = rmd.getTokenStorage() > .getToken(id); > } > catch (TrustException e) > { > throw new RampartException( > "errorExtractingToken", new String[] {id}, e > ); > } > boolean tokenIncluded = false; > if ( > (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS) || > ( > ( > ( > inclusion == > SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT > ) || (inclusion == SPConstants.INCLUDE_TOKEN_ONCE) > ) && rmd.isInitiator() > ) > ) > { > //Add the token > rmd.getSecHeader() > .getSecurityHeader() > .appendChild(doc.importNode((Element)tok.getToken(), true)); > tokenIncluded = true; > } > List sigParts = new ArrayList(); > if (this.timestampElement != null) > { > sigParts.add(new WSEncryptionPart(rmd.getTimestampId())); > } > if (rpd.isTokenProtection() && tokenIncluded) > { > sigParts.add(new WSEncryptionPart(id)); > } > if (signdParts != null) > { > if (signdParts.isBody()) > { > SOAPEnvelope env = rmd.getMsgContext() > .getEnvelope(); > sigParts.add( > new WSEncryptionPart( > RampartUtil.addWsuIdToElement(env.getBody()) > ) > ); > } > ArrayList headers = 
signdParts.getHeaders(); > for (Object signedHeader : headers) > { > Header header = (Header)signedHeader; > WSEncryptionPart wep = > new WSEncryptionPart( > header.getName(), header.getNamespace(), "Content" > ); > sigParts.add(wep); > } > } > //check for derived keys > AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite(); > if (token.isDerivedKeys()) > { > //Create a derived key and add > try > { > //Do Signature with derived keys > WSSecDKSign dkSign = new WSSecDKSign(); > // Setting the AttachedReference or the UnattachedReference according to the flag > OMElement ref; > if (tokenIncluded) > { > ref = tok.getAttachedReference(); > } > else > { > ref = tok.getUnattachedReference(); > } > if (ref != null) > { > dkSign.setExternalKey( > tok.getSecret(), > (Element)doc.importNode((Element)ref, true) > ); > } > else > { > dkSign.setExternalKey(tok.getSecret(), tok.getId()); > } > //Set the algo info > dkSign.setSignatureAlgorithm( > algorithmSuite.getSymmetricSignature() > ); > dkSign.setDerivedKeyLength( > algorithmSuite.getSignatureDerivedKeyLength() > ); > dkSign.prepare(doc); > /** > * Add .. to security > * header. We need to add this just after Encrypted Key and just before .. > * elements. 
(As a convention) > */ > dkSign.appendDKElementToHeader(rmd.getSecHeader()); > dkSign.setParts(sigParts); > List referenceList = > dkSign.addReferencesToSign(sigParts, rmd.getSecHeader()); > //Do signature > dkSign.computeSignature(referenceList, false, null); > // TODO verify before migration - dkSign.appendSigToHeader(rmd.getSecHeader()) > // this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement()); > return dkSign.getSignatureValue(); > } > catch (ConversationException e) > { > throw new RampartException( > "errorInDerivedKeyTokenSignature", e > ); > } > catch (WSSecurityException e) > { > throw new RampartException( > "errorInDerivedKeyTokenSignature", e > ); > } > } > else > { > try > { > WSSecSignature sig = new WSSecSignature(); > sig.setWsConfig(rmd.getConfig()); > String tokId = tok.getId(); > if (tokId.charAt(0) == '#') > { > tokId = tokId.substring(1); > } > sig.setCustomTokenId(tokId); > sig.setCustomTokenValueType( > RampartUtil.getSAML10AssertionNamespace() > ); > sig.setSecretKey(tok.getSecret()); > sig.setSignatureAlgorithm( > algorithmSuite.getAsymmetricSignature() > ); > sig.setSignatureAlgorithm( > algorithmSuite.getSymmetricSignature() > ); > sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING); > sig.prepare( > rmd.getDocument(), > RampartUtil.getSignatureCrypto( > rpd.getRampartConfig(), rmd.getCustomClassLoader() > ), rmd.getSecHeader() > ); > sig.setParts(sigParts); > //Added by MRL > sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest()); > List referenceList = > sig.addReferencesToSign(sigParts, rmd.getSecHeader()); > //Do signature > sig.computeSignature(referenceList); > //Add elements to header > this.setInsertionLocation( > RampartUtil.insertSiblingAfter( > rmd, this.getInsertionLocation(), > sig.getSignatureElement() > ) > ); > return sig.getSignatureValue(); > } > catch (WSSecurityException e) > { > throw new RampartException( > "errorInSignatureWithACustomToken", e > ); > } > } > } > /** > * DOCUMENT ME! 
> * > * @since 1.0 > * > * @param rmd DOCUMENT ME! > * @param token DOCUMENT ME! > * @param signdParts DOCUMENT ME! > * > * @return DOCUMENT ME! > * > * @throws RampartException DOCUMENT ME! > */ > private byte[] doSecureConversationSignature( > RampartMessageData rmd, Token token, SignedEncryptedParts signdParts > ) throws RampartException > { > RampartPolicyData rpd = rmd.getPolicyData(); > Document doc = rmd.getDocument(); > //Get the issued token > String id = rmd.getSecConvTokenId(); > int inclusion = token.getInclusion(); > org.apache.rahas.Token tok = null; > try > { > tok = rmd.getTokenStorage() > .getToken(id); > } > catch (TrustException e) > { > throw new RampartException( > "errorExtractingToken", new String[] {id}, e > ); > } > boolean tokenIncluded = false; > if ( > (inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS) || > ( > ( > ( > inclusion == > SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT > ) || (inclusion == SPConstants.INCLUDE_TOKEN_ONCE) > ) && rmd.isInitiator() > ) > ) > { > //Add the token > rmd.getSecHeader() > .getSecurityHeader() > .appendChild(doc.importNode((Element)tok.getToken(), true)); > tokenIncluded = true; > } > List sigParts = new ArrayList(); > if (this.timestampElement != null) > { > sigParts.add(new WSEncryptionPart(rmd.getTimestampId())); > } > if (rpd.isTokenProtection() && tokenIncluded) > { > sigParts.add(new WSEncryptionPart(id)); > } > if (signdParts != null) > { > if (signdParts.isBody()) > { > SOAPEnvelope env = rmd.getMsgContext() > .getEnvelope(); > sigParts.add( > new WSEncryptionPart( > RampartUtil.addWsuIdToElement(env.getBody()) > ) > ); > } > ArrayList headers = signdParts.getHeaders(); > for (Object objectHeader : headers) > { > Header header = (Header)objectHeader; > WSEncryptionPart wep = > new WSEncryptionPart( > header.getName(), header.getNamespace(), "Content" > ); > sigParts.add(wep); > } > } > //check for derived keys > AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite(); > if (token.isDerivedKeys()) > 
{ > //Create a derived key and add > try > { > //Do Signature with derived keys > WSSecDKSign dkSign = new WSSecDKSign(); > // Setting the AttachedReference or the UnattachedReference according to the flag > OMElement ref; > if (tokenIncluded) > { > ref = tok.getAttachedReference(); > } > else > { > ref = tok.getUnattachedReference(); > } > if (ref != null) > { > dkSign.setExternalKey( > tok.getSecret(), > (Element)doc.importNode((Element)ref, true) > ); > } > else > { > dkSign.setExternalKey(tok.getSecret(), tok.getId()); > } > //Set the algo info > dkSign.setSignatureAlgorithm( > algorithmSuite.getSymmetricSignature() > ); > dkSign.setDerivedKeyLength( > algorithmSuite.getSignatureDerivedKeyLength() > ); > dkSign.prepare(doc); > /** > * Add .. to security > * header. We need to add this just after Encrypted Key and just before .. > * elements. (As a convention) > */ > dkSign.appendDKElementToHeader(rmd.getSecHeader()); > dkSign.setParts(sigParts); > List referenceList = > dkSign.addReferencesToSign(sigParts, rmd.getSecHeader()); > //Do signature > dkSign.computeSignature(referenceList, false, null); > //this.appendToHeader(rmd.getSecHeader(), dkSign.getSignatureElement()); > return dkSign.getSignatureValue(); > } > catch (ConversationException e) > { > throw new RampartException( > "errorInDerivedKeyTokenSignature", e > ); > } > catch (WSSecurityException e) > { > throw new RampartException( > "errorInDerivedKeyTokenSignature", e > ); > } > } > else > { > try > { > WSSecSignature sig = new WSSecSignature(); > sig.setWsConfig(rmd.getConfig()); > sig.setCustomTokenId(tok.getId().substring(1)); > sig.setCustomTokenValueType( > RampartUtil.getSAML10AssertionNamespace() > ); > sig.setSecretKey(tok.getSecret()); > sig.setSignatureAlgorithm( > algorithmSuite.getAsymmetricSignature() > ); > sig.setSignatureAlgorithm( > algorithmSuite.getSymmetricSignature() > ); > sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING); > sig.prepare( > rmd.getDocument(), > 
RampartUtil.getSignatureCrypto(
                    rpd.getRampartConfig(), rmd.getCustomClassLoader()
                ), rmd.getSecHeader()
            );
            sig.setParts(sigParts);
            //Added by MRL
            // Take the reference digest algorithm from the policy's AlgorithmSuite
            // (the point of RAMPART-437) rather than whatever the builder would use
            // on its own; without this the produced digests do not follow the
            // policy. This only affects what we emit — whether an incoming
            // signature's digest algorithm is checked against the policy is not
            // visible here.
            sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
            List referenceList =
                sig.addReferencesToSign(sigParts, rmd.getSecHeader());
            //Do signature
            sig.computeSignature(
                referenceList, false, this.getInsertionLocation()
            );
            //Add elements to header
            this.setInsertionLocation(sig.getSignatureElement());
            return sig.getSignatureValue();
        }
        catch (WSSecurityException e)
        {
            throw new RampartException(
                "errorInSignatureWithACustomToken", e
            );
        }
    }
}
/**
 * X.509 signature: signs the message with an X.509 token, either directly
 * with a WSSecSignature or, when the token assertion uses derived keys, with
 * a WSSecDKSign whose parent key is an ephemeral key that is first encrypted
 * for the other party (EncryptedKey) and then referenced from the derived key.
 *
 * Parts that get signed: the Timestamp (when this.timestampElement is set),
 * the SOAP Body (when signdParts.isBody()), every header listed in signdParts
 * (signed in "Content" mode) and, when the policy asks for token protection,
 * the BinarySecurityToken itself. The digest algorithm of every reference is
 * taken from the policy's AlgorithmSuite in both branches.
 *
 * @param rmd message data: policy, DOM document, message context and the
 *            security header the signature is written into
 * @param token the X.509 token assertion; token.isDerivedKeys() selects the branch
 * @param signdParts the SignedParts assertion; may be null (then only the
 *            Timestamp / protected token are signed)
 *
 * @return the raw signature value bytes
 *
 * @throws RampartException wrapping the WSSecurityException (or, in the
 *         derived-key branch, ConversationException) raised while building
 *         the signature
 */
private byte[] doX509TokenSignature(
    RampartMessageData rmd, Token token, SignedEncryptedParts signdParts
) throws RampartException
{
    RampartPolicyData rpd = rmd.getPolicyData();
    Document doc = rmd.getDocument();
    List sigParts = new ArrayList();
    if (this.timestampElement != null)
    {
        sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
    }
    if (signdParts != null)
    {
        if (signdParts.isBody())
        {
            SOAPEnvelope env = rmd.getMsgContext()
                .getEnvelope();
            // The Body gets a wsu:Id so the signature reference can point at it.
            sigParts.add(
                new WSEncryptionPart(
                    RampartUtil.addWsuIdToElement(env.getBody())
                )
            );
        }
        ArrayList headers = signdParts.getHeaders();
        for (Iterator iterator = headers.iterator(); iterator.hasNext();)
        {
            Header header = (Header)iterator.next();
            WSEncryptionPart wep =
                new WSEncryptionPart(
                    header.getName(), header.getNamespace(), "Content"
                );
            sigParts.add(wep);
        }
    }
    if (token.isDerivedKeys())
    {
        //In this case we will have to encrypt the ephmeral key with the
        //other party's key and then use it as the parent key of the
        // derived keys
        try
        {
            WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(rmd, token);
            Element bstElem = encrKey.getBinarySecurityTokenElement();
            if (bstElem != null)
            {
                RampartUtil.appendChildToSecHeader(rmd, bstElem);
            }
            // Add the BinarySecurityToken (above, if there is one) and the
            // EncryptedKey to the security header.
            encrKey.appendToHeader(rmd.getSecHeader());
            WSSecDKSign dkSig = new WSSecDKSign();
            dkSig.setWsConfig(rmd.getConfig());
            dkSig.setSigCanonicalization(
                rpd.getAlgorithmSuite().getInclusiveC14n()
            );
            dkSig.setSignatureAlgorithm(
                rpd.getAlgorithmSuite().getSymmetricSignature()
            );
            // The suite's derived-key length is presumably in bits; the builder
            // is given bytes — confirm against AlgorithmSuite.
            dkSig.setDerivedKeyLength(
                rpd.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8
            );
            /**
             * Add a reference to encrypted key in the derived key
             */
            dkSig.setExternalKey(
                encrKey.getEphemeralKey(), encrKey.getId()
            );
            dkSig.prepare(doc, rmd.getSecHeader());
            // Token protection: the BST that carries the key material is signed too.
            if (rpd.isTokenProtection())
            {
                sigParts.add(new WSEncryptionPart(encrKey.getBSTTokenId()));
            }
            dkSig.setParts(sigParts);
            //Added by MRL
            // Same fix as in the other branches: use the policy's digest
            // algorithm for the references instead of the builder's own default.
            dkSig.setDigestAlgorithm(rpd.getAlgorithmSuite().getDigest());
            List referenceList =
                dkSig.addReferencesToSign(sigParts, rmd.getSecHeader());
            /**
             * Add the DK (derived key) element to the security header.
             * We need to add this just after Encrypted Key and just before the
             * signature element(s) — the tag name was lost in archiving.
             * (As a convention)
             */
            dkSig.appendDKElementToHeader(rmd.getSecHeader());
            //Do signature and append to the security header
            dkSig.computeSignature(referenceList, false, null);
            // TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
            // but WSS4J has remove append methods. Need to find why ?
            // NOTE(review): nothing in this method visibly places the Signature
            // element into the header after computeSignature(..., null), and unlike
            // the branch at the top of this chunk the insertion location is not
            // updated. Confirm that the WSS4J builder appends it itself; otherwise
            // the signature is computed but never sent.
            //this.appendToHeader(rmd.getSecHeader(), dkSig.getSignatureElement());
            return dkSig.getSignatureValue();
        }
        catch (WSSecurityException e)
        {
            throw new RampartException(
                "errorInDerivedKeyTokenSignature", e
            );
        }
        catch (ConversationException e)
        {
            throw new RampartException(
                "errorInDerivedKeyTokenSignature", e
            );
        }
    }
    else
    {
        try
        {
            WSSecSignature sig = this.getSignatureBuilder(rmd, token);
            sig.appendBSTElementToHeader(rmd.getSecHeader());
            // Token protection: also sign the BST carrying the signing
            // certificate, unless the policy says the token is never included in
            // the message (then there is nothing in the message to sign).
            if (
                rpd.isTokenProtection() &&
                !(
                    SPConstants.INCLUDE_TOKEN_NEVER ==
                    token.getInclusion()
                )
            )
            {
                sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
            }
            //Added by MRL
            // Use the policy's digest algorithm (e.g. SHA-256) for the references
            // rather than the builder's default; without this the signature
            // silently ignores the AlgorithmSuite.
            sig.setDigestAlgo(rpd.getAlgorithmSuite().getDigest());
            List referenceList =
                sig.addReferencesToSign(sigParts, rmd.getSecHeader());
            // TODO changed the order - verify
            // Compute signature and append to the header
            // NOTE(review): no insertion location is passed here (null) and
            // this.setInsertionLocation() is not updated, unlike the custom-token
            // branch at the top of this chunk — verify the Signature element ends
            // up in the header where the policy expects it.
            sig.computeSignature(referenceList, false, null);
            return sig.getSignatureValue();
        }
        catch (WSSecurityException e)
        {
            throw new RampartException("errorInSignatureWithX509Token", e);
        }
    }
}
/**
 * Resolves the SecureConversationToken (SCT) to secure this message with:
 * on a WS-Trust cancel request/response the stored SCT is marked CANCELLED
 * and dropped from the local context map; when no SCT id is stored, or the
 * stored token is no longer valid and this is not a cancel exchange, a new
 * SCT is requested and its id stored in rmd.
 *
 * @since 1.0
 *
 * @param rmd message data; the resolved SCT id is written back via
 *            rmd.setSecConvTokenId()
 * @param secConvTok the SecureConversationToken assertion used when a new
 *            SCT has to be requested
 *
 * @throws RampartException wrapping a TrustException from token storage
 *         ("errorExtractingToken") or from the SCT request ("errorInObtainingSct")
 */
private void handleSecureConversationTokens(
    RampartMessageData rmd, SecureConversationToken secConvTok
) throws RampartException
{
    MessageContext msgContext = rmd.getMsgContext();
    String secConvTokenId = rmd.getSecConvTokenId();
    //The RSTR has to be secured with the cancelled token
    String action = msgContext.getOptions()
        .getAction();
    // NOTE(review): the four comparisons below are two identical pairs
    // (RSTR_ACTION_CANCEL_SCT twice, RST_ACTION_CANCEL_SCT twice), all under
    // WST_NS_05_02. Presumably the second of each pair was meant to use a
    // different WS-Trust namespace constant — confirm against RahasConstants.
    // As written, a cancel request/response under any other WS-Trust namespace
    // is not recognised as a cancellation: the token is not marked CANCELLED,
    // and if it is no longer valid a new one is requested instead.
    boolean cancelReqResp =
        action.equals(
            RahasConstants.WST_NS_05_02 +
            RahasConstants.RSTR_ACTION_CANCEL_SCT
        ) ||
        action.equals(
            RahasConstants.WST_NS_05_02 +
            RahasConstants.RSTR_ACTION_CANCEL_SCT
        ) ||
        action.equals(
            RahasConstants.WST_NS_05_02 +
            RahasConstants.RST_ACTION_CANCEL_SCT
        ) ||
        action.equals(
            RahasConstants.WST_NS_05_02 +
            RahasConstants.RST_ACTION_CANCEL_SCT
        );
    //In the case of the cancel req or resp we should mark the token as cancelled
    if ((secConvTokenId != null) && cancelReqResp)
    {
        try
        {
            // Mark the stored token as cancelled and record its id on the message
            // context (the cancel message itself is still secured with it, see above).
            rmd.getTokenStorage()
                .getToken(secConvTokenId)
                .setState(org.apache.rahas.Token.CANCELLED);
            msgContext.setProperty(
                RampartMessageData.SCT_ID, secConvTokenId
            );
            //remove from the local map of contexts
            String contextIdentifierKey =
                RampartUtil.getContextIdentifierKey(msgContext);
            RampartUtil.getContextMap(msgContext)
                .remove(contextIdentifierKey);
        }
        catch (TrustException e)
        {
            throw new RampartException("errorExtractingToken", e);
        }
    }
    // Request a fresh SCT when none is stored, or when the stored one is no
    // longer valid and this is not a cancel exchange (a cancel must still be
    // secured with the token being cancelled). The inner
    // "secConvTokenId != null" is redundant: that operand is only evaluated
    // when the first operand of the || is false.
    if (
        (secConvTokenId == null) ||
        (
            (secConvTokenId != null) &&
            (
                !RampartUtil.isTokenValid(rmd, secConvTokenId) &&
                !cancelReqResp
            )
        )
    )
    {
        log.debug(
            "No SecureConversationToken found, requesting a new token"
        );
        try
        {
            secConvTokenId = RampartUtil.getSecConvToken(rmd, secConvTok);
            rmd.setSecConvTokenId(secConvTokenId);
        }
        catch (TrustException e)
        {
            throw new RampartException("errorInObtainingSct", e);
        }
    }
    // Disabled code (continues on the next line of the listing): the token
    // element is no longer inserted into the header here.
    /* org.apache.rahas.Token token;
    try {
        token = rmd.getTokenStorage().getToken(secConvTokenId);
    } catch (TrustException e) {
        throw new
RampartException("errorExtractingToken", e);
    }
    //Add the token to the header
    Element siblingElem = RampartUtil
        .insertSiblingAfter(rmd, this.getInsertionLocation(),
            (Element) token.getToken());
    this.setInsertionLocation(siblingElem);*/
}
}
This is the policy.xml being used. (Note: the XML element tags of the policy were stripped when this issue was archived, so only the text values below survive — the keystore alias, the password-callback class, the keystore type and the keystore path. The WS-SecurityPolicy assertions themselves are not visible here, including the AlgorithmSuite assertion from which the code above reads the digest algorithm via rpd.getAlgorithmSuite().getDigest(), so this page alone cannot confirm which algorithm suite was configured.)
aliasName
com.test.hro.benefits.fndt.security.ClientPasswordCallback
JKS
keys/KeyStore
-- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org For additional commands, e-mail: java-dev-help@axis.apache.org