axis-java-user mailing list archives

From "Johan Roch" <jr...@hotmail.com>
Subject Re: Axis2: Checking signed SOAP requests with Rampart...
Date Fri, 16 Jun 2006 10:32:17 GMT

Thanks!
Now I just have one question left: if we want to customize verification to 
perform additional checks, what is the best way to do it? For example, if we 
want to check the signer certificate's validity dates and revocation 
status... Should we use an additional handler?

>From: "Ruchith Fernando" <ruchith.fernando@gmail.com>
>Reply-To: axis-user@ws.apache.org
>To: axis-user@ws.apache.org
>Subject: Re: Axis2: Checking signed SOAP requests with Rampart...
>Date: Wed, 14 Jun 2006 10:06:06 +0530
>
>Hi,
>
>You have a slight typo in the rampart configuration parameter.
>
>>  <parameter name="InFlowSecurity">
>
>The above should change to <parameter name="InflowSecurity">
>Note that the third letter of the parameter name is lower case 'f'.
>
>Also since you only expect Timestamp and Signature (and no encryption)
>the action/items should not have 'Encrypt' in it. Therefore it should
>change to:
><items>Timestamp Signature</items>
>
>Thanks,
>Ruchith
>
>---------- Forwarded message ----------
>From: Johan Roch <jroch@hotmail.com>
>Date: Jun 13, 2006 9:17 PM
>Subject: Axis2: Checking signed SOAP requests with Rampart...
>To: axis-user@ws.apache.org
>
>
>
>Hello,
>
>I would like to check security for incoming SOAP requests on the server side
>using the Rampart module (Axis2). I have an existing client that sends
>signed SOAP requests (no encryption).
>The problem is that the signature is never checked. I can see this in the
>log (debug level):
>
>DEBUG - Phase.invoke(372) | Invoking phase "Security"
>DEBUG - Phase.invoke(379) | Invoking Handler 'SecurityInHandler' in Phase 'Security'
>DEBUG - WSDoAllReceiver.processMessage(92) | WSDoAllReceiver: enter invoke()
>DEBUG - Phase.invoke(392) | Checking post-conditions for phase "Security"
>DEBUG - Phase.invoke(362) | Checking pre-condition for Phase "PreDispatch"
>DEBUG - Phase.invoke(372) | Invoking phase "PreDispatch"
>DEBUG - Phase.invoke(379) | Invoking Handler 'AddressingFinalInHandler' in Phase 'PreDispatch'
>DEBUG - AddressingInHandler.invoke(71) | Starting WS-Addressing Final IN handler ...
>DEBUG - AddressingInHandler.invoke(87) | No Headers present corresponding to WS-Addressing Final
>DEBUG - Phase.invoke(379) | Invoking Handler 'AddressingSubmissionInHandler' in Phase 'PreDispatch'
>DEBUG - AddressingInHandler.invoke(71) | Starting WS-Addressing Submission IN handler ...
>DEBUG - AddressingInHandler.invoke(87) | No Headers present corresponding to WS-Addressing Submission
>
>
>It seems that the handler is invoked but the security headers are not 
>found.
>Is there something wrong with my request below?
>
>Thx in advance.
>Johan.
>
><?xml version='1.0' encoding='utf-8'?><soapenv:Envelope
>xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>xmlns:xsd="http://www.w3.org/2001/XMLSchema">
><soapenv:Header>
><wsse:Security
>xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>mustUnderstand="1" soapenv:actor="">
><wsse:BinarySecurityToken
>xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>wsu:Id="Id-ref2VerifySignature"
>EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDjjCCAnagAwIBAgILAQAAAAABAxNSI6QwDQYJKoZIhvcNAQEFBQAwJTELMAkGA1UEBhMCQkUx
>FjAUBgNVBAMTDUdvdmVybm1lbnQgQ0EwHhcNMDUwNDA1MTcwNDM5WhcNMDYwNDA1MTcwNDM5WjBE
>MQswCQYDVQQGEwJCRTEQMA4GA1UEAxMHRlJOQi5CRTEUMBIGA1UEChMLNDA5LjM1Ny4zMjExDTAL
>BgNVBAsTBEZSTkIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp1VEDpvYhctJp+agiQdpzsWsC6zI
>nIUo7EkrIGQEbrI1COcvLIsQp3CN10sHAhOkFIu0A+H+onJ2XgTEt2FAhwIDAQABo4IBZjCCAWIw
>RAYDVR0gBD0wOzA5BgdgOAEBAQMDMC4wLAYIKwYBBQUHAgEWIGh0dHA6Ly9yZXBvc2l0b3J5LmVp
>ZC5iZWxnaXVtLmJlMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBT1Qdziis6XVgXoU2dG1/RP
>Z7J2DzAdBgNVHQ4EFgQUXiuc2/NDXnAqbnoTGE1JHzTX0VAwPQYDVR0fBDYwNDAyoDCgLoYsaHR0
>cDovL2NybC5laWQuYmVsZ2l1bS5iZS9nb3Zlcm5tZW50MjAwNS5jcmwwCQYDVR0TBAIwADARBglg
>hkgBhvhCAQEEBAMCBLAwbQYIKwYBBQUHAQEEYTBfMDUGCCsGAQUFBzAChilodHRwOi8vY2VydHMu
>ZWlkLmJlbGdpdW0uYmUvYmVsZ2l1bXJzLmNydDAmBggrBgEFBQcwAYYaaHR0cDovL29jc3AuZWlk
>LmJlbGdpdW0uYmUwDQYJKoZIhvcNAQEFBQADggEBABOqebsV63FaY1Ekf5TS9WufW4+zJRe3BOZs
>ZUGPMFUJs65nWsjlzMtOHS3wfyReq01uIG2HQkZ0XK+/NJ56Xh+xJNywgbo9mxRhCBgTUqSM/feT
>uYPrZAB1O7QHEH4PLoDNtJtZ8+Zz+GXfARLS5AMSfjqtxwvj4+Pgt6HAuxHb/4mDS1C4xFQNZhZR
>+XkFtFku1AjN9cXQMFN6vtmYKhwduPj6yxtE4wmnZ559V9DyFLi/feonoA1/H1vIwAGWbhYIjEDG
>yApoBEBoGkpHvoWeoQRWwiRf9WGIbLZ5Mcq1SFGPF06+4kkYmJUnPNtXT3yO2hHBP8c4ftXsrgHu
>iBo=</wsse:BinarySecurityToken><ds:Signature
>xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
><ds:SignedInfo>
><ds:CanonicalizationMethod
>Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
>/>
><ds:Reference URI="#id-21826773">
><ds:Transforms>
><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
></ds:Transforms>
><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
><ds:DigestValue>iLwjzNrDGK562cdtEMfDi0mALgM=</ds:DigestValue>
></ds:Reference>
></ds:SignedInfo>
><ds:SignatureValue>
>gLziQrLd7oAAxd67IChIDKgImRuPbKrLe0ZuyIa+fFesfrZFuCc643Q6lfTMs0rXXYEU3btQdEpQ
>CQObiTCH1A==
></ds:SignatureValue>
><ds:KeyInfo Id="KeyId-1899108">
><wsse:SecurityTokenReference
>xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>wsu:Id="STRId-8047015"><wsse:Reference URI="#Id-ref2VerifySignature"
>/></wsse:SecurityTokenReference>
></ds:KeyInfo>
></ds:Signature>
><wsu:Timestamp
>xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2006-06-13T15:31:03Z</wsu:Created><wsu:Expires>2006-06-13T15:31:03Z</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header><soapenv:Body
>xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>wsu:Id="id-21826773"><fphp100
>xmlns="http://fsb.belgium.be/prove"><ns1:fphp100
>xmlns:ns1="http://fsb.belgium.be/prove/fphp100"><ns2:notary
>xmlns:ns2="http://fsb.belgium.be/prove/notary"><ns2:office_id>217063</ns2:office_id><ns2:lang>fr</ns2:lang><ns2:nrn>60052301706</ns2:nrn><ns2:num_kbo_not>0477430931</ns2:num_kbo_not><ns2:num_kbo_fed>0409357321</ns2:num_kbo_fed></ns2:notary><ns1:person><ns1:last_name>r</ns1:last_name><ns1:birth_date_year>1977</ns1:birth_date_year></ns1:person></ns1:fphp100></fphp100></soapenv:Body></soapenv:Envelope>
>
>Services.xml:
>
><serviceGroup>
>        <service name="findPerson">
>        <messageReceivers>
>                <messageReceiver 
>mep="http://www.w3.org/2004/08/wsdl/in-out"
>class="com.notary.fphp.FindPersonMessageReceiverInOut"/>
>        </messageReceivers>
>        <parameter name="ServiceClass" locked="false">
>                com.notary.fphp.FindPersonSkeleton
>        </parameter>
>
>        <parameter name="InFlowSecurity">
>                <action>
>                        <items>Timestamp Signature Encrypt</items>
>
><signaturePropFile>interop.properties</signaturePropFile>
>                </action>
>        </parameter>
>
>        <operation name="fphp100" 
>mep="http://www.w3.org/2004/08/wsdl/in-out">
>
><actionMapping>http://fsb.belgium.be/prove/fphp100</actionMapping>
>        </operation>
>        <operation name="testSOAPFault"
>mep="http://www.w3.org/2004/08/wsdl/in-out">
>
><actionMapping>http://fsb.belgium.be/prove/testSOAPFault</actionMapping>
>        </operation>
>        <operation name="ping" mep="http://www.w3.org/2004/08/wsdl/in-out">
>                
><actionMapping>http://fsb.belgium.be/prove/ping</actionMapping>
>        </operation>
></service>
></serviceGroup>
>
>interop.properties:
>
>org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>org.apache.ws.security.crypto.merlin.keystore.type=jks
>org.apache.ws.security.crypto.merlin.keystore.password=changeit
>org.apache.ws.security.crypto.merlin.file=D:/WebServices/keystore/testKeystore
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
>For additional commands, e-mail: axis-user-help@ws.apache.org
>
>



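The extra checks asked about at the top of this message (validity dates and revocation status of the signer certificate), as an added example in plain JCE; it is not code from this thread, from Rampart or from WSS4J. It assumes the caller has already obtained the signer's X509Certificate from Rampart's verification results, that the JKS file named in interop.properties contains the issuing CA as a trusted entry, and the class name SignerCertChecker is hypothetical.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

// Hypothetical helper (not part of Rampart or WSS4J): runs the extra checks on the
// certificate that signed the request, after Rampart has verified the XML signature.
public class SignerCertChecker {

    private final KeyStore trustStore;

    // keystorePath / password: the values from interop.properties (assumed to hold
    // the issuing CA as a trusted certificate entry, which PKIX needs as trust anchor).
    public SignerCertChecker(String keystorePath, char[] password) throws Exception {
        trustStore = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(keystorePath);
        try {
            trustStore.load(in, password);
        } finally {
            in.close();
        }
    }

    // Throws if the signer certificate is outside its validity period, does not chain
    // to a trusted CA, or is reported revoked; the caller rejects the request on any exception.
    public void check(X509Certificate signer, Date now) throws Exception {
        // 1. notBefore / notAfter against the verification time passed in by the caller.
        signer.checkValidity(now);

        // 2. Chain building and revocation status through PKIX. The OCSP responder and
        //    CRL distribution point are read from the certificate's own extensions.
        Security.setProperty("ocsp.enable", "true");               // prefer OCSP ...
        System.setProperty("com.sun.security.enableCRLDP", "true"); // ... fall back to CRL DP

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Single-element path: add intermediate CA certificates to the list if the
        // signer is not issued directly by a certificate in the trust store.
        CertPath path = cf.generateCertPath(Collections.singletonList(signer));

        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true);
        params.setDate(now);
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }
}
```

A signature that verifies cryptographically says nothing about whether the key was still trustworthy at the time of the request; both checks above are what the signature verification itself does not cover.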

