Return-Path: 
 <axis-user-return-46000-apmail-ws-axis-user-archive=ws.apache.org@ws.apache.org>
Delivered-To: apmail-ws-axis-user-archive@www.apache.org
Received: (qmail 35579 invoked from network); 16 Jun 2006 10:32:53 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 16 Jun 2006 10:32:53 -0000
Received: (qmail 76879 invoked by uid 500); 16 Jun 2006 10:32:42 -0000
Delivered-To: apmail-ws-axis-user-archive@ws.apache.org
Received: (qmail 76864 invoked by uid 500); 16 Jun 2006 10:32:42 -0000
Mailing-List: contact axis-user-help@ws.apache.org; run by ezmlm
Precedence: bulk
Reply-To: axis-user@ws.apache.org
list-help: <mailto:axis-user-help@ws.apache.org>
list-unsubscribe: <mailto:axis-user-unsubscribe@ws.apache.org>
List-Post: <mailto:axis-user@ws.apache.org>
List-Id: <axis-user.ws.apache.org>
Delivered-To: mailing list axis-user@ws.apache.org
Received: (qmail 76853 invoked by uid 99); 16 Jun 2006 10:32:42 -0000
Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 16 Jun 2006 03:32:42 -0700
X-ASF-Spam-Status: No, hits=1.9 required=10.0
	tests=DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,MSGID_FROM_MTA_HEADER,SPF_HELO_PASS,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (asf.osuosl.org: domain of jroch@hotmail.com designates
 65.54.229.26 as permitted sender)
Received: from [65.54.229.26] (HELO hotmail.com) (65.54.229.26)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 16 Jun 2006 03:32:41 -0700
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Fri, 16 Jun 2006 03:32:20 -0700
Message-ID: <BAY110-F16CDD6E4C2DADCD3C6840CB3830@phx.gbl>
Received: from 65.54.229.220 by by110fd.bay110.hotmail.msn.com with HTTP;
	Fri, 16 Jun 2006 10:32:17 GMT
X-Originating-IP: [81.246.31.164]
X-Originating-Email: [jroch@hotmail.com]
X-Sender: jroch@hotmail.com
In-Reply-To: <559c463d0606132136r64abdf96x752185343448888b@mail.gmail.com>
From: "Johan Roch" <jroch@hotmail.com>
To: axis-user@ws.apache.org
Subject: Re: Axis2: Checking signed SOAP requests with Rampart...
Date: Fri, 16 Jun 2006 12:32:17 +0200
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
X-OriginalArrivalTime: 16 Jun 2006 10:32:20.0675 (UTC)
 FILETIME=[25E35130:01C69130]
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N


Thanks!
Now I just have one question left: if we want to customize verification to 
perform additional checks, what is the best way to do it? For example, if we 
want to check the signer certificate's validity dates and revocation 
status... Should we use an additional handler ?

>From: "Ruchith Fernando" <ruchith.fernando@gmail.com>
>Reply-To: axis-user@ws.apache.org
>To: axis-user@ws.apache.org
>Subject: Re: Axis2: Checking signed SOAP requests with Rampart...
>Date: Wed, 14 Jun 2006 10:06:06 +0530
>
>Hi,
>
>You have a slight typo in the rampart configuration parameter.
>
>>  <parameter name="InFlowSecurity">
>
>The above should change to <parameter name="InflowSecurity">
>Note that the third letter of the parameter name is lower case 'f'.
>
>Also since you only expect Timestamp and Signature (and no encryption)
>the action/items should not have 'Encrypt' in it. Therefore it should
>change to:
><items>Timestamp Signature</items>
>
>Thanks,
>Ruchith
>
>---------- Forwarded message ----------
>From: Johan Roch <jroch@hotmail.com>
>Date: Jun 13, 2006 9:17 PM
>Subject: Axis2: Checking signed SOAP requests with Rampart...
>To: axis-user@ws.apache.org
>
>
>
>Hello,
>
>I would like to check security for incoming soap requests at server side
>using the Rampart module(Axis 2). I have an existing client that sends
>signed SOAP requests(no encryption).
>The problem is that the signature is never checked. I can see this in the
>log(debug level):
>
>DEBUG - Phase.invoke(372) | Invoking phase "Security"
>DEBUG - Phase.invoke(379) | Invoking Handler 'SecurityInHandler' in Phase
>'Security'
>DEBUG - WSDoAllReceiver.processMessage(92) | WSDoAllReceiver: enter 
>invoke()
>DEBUG - Phase.invoke(392) | Checking post-conditions for phase "Security"
>DEBUG - Phase.invoke(362) | Checking pre-condition for Phase "PreDispatch"
>DEBUG - Phase.invoke(372) | Invoking phase "PreDispatch"
>DEBUG - Phase.invoke(379) | Invoking Handler 'AddressingFinalInHandler' in
>Phase 'PreDispatch'
>DEBUG - AddressingInHandler.invoke(71) | Starting WS-Addressing Final IN
>handler ...
>DEBUG - AddressingInHandler.invoke(87) | No Headers present corresponding 
>to
>WS-Addressing Final
>DEBUG - Phase.invoke(379) | Invoking Handler 
>'AddressingSubmissionInHandler'
>in Phase 'PreDispatch'
>DEBUG - AddressingInHandler.invoke(71) | Starting WS-Addressing Submission
>IN handler ...
>DEBUG - AddressingInHandler.invoke(87) | No Headers present corresponding 
>to
>WS-Addressing Submission
>
>
>It seems that the handler is invoked but the security headers are not 
>found.
>Is there something wrong with my request below?
>
>Thx in advance.
>Johan.
>
><?xml version='1.0' encoding='utf-8'?><soapenv:Envelope
>xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>xmlns:xsd="http://www.w3.org/2001/XMLSchema">
><soapenv:Header>
><wsse:Security
>xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>mustUnderstand="1" soapenv:actor="">
><wsse:BinarySecurityToken
>xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>wsu:Id="Id-ref2VerifySignature"
>EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDjjCCAnagAwIBAgILAQAAAAABAxNSI6QwDQYJKoZIhvcNAQEFBQAwJTELMAkGA1UEBhMCQkUx
>FjAUBgNVBAMTDUdvdmVybm1lbnQgQ0EwHhcNMDUwNDA1MTcwNDM5WhcNMDYwNDA1MTcwNDM5WjBE
>MQswCQYDVQQGEwJCRTEQMA4GA1UEAxMHRlJOQi5CRTEUMBIGA1UEChMLNDA5LjM1Ny4zMjExDTAL
>BgNVBAsTBEZSTkIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp1VEDpvYhctJp+agiQdpzsWsC6zI
>nIUo7EkrIGQEbrI1COcvLIsQp3CN10sHAhOkFIu0A+H+onJ2XgTEt2FAhwIDAQABo4IBZjCCAWIw
>RAYDVR0gBD0wOzA5BgdgOAEBAQMDMC4wLAYIKwYBBQUHAgEWIGh0dHA6Ly9yZXBvc2l0b3J5LmVp
>ZC5iZWxnaXVtLmJlMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBT1Qdziis6XVgXoU2dG1/RP
>Z7J2DzAdBgNVHQ4EFgQUXiuc2/NDXnAqbnoTGE1JHzTX0VAwPQYDVR0fBDYwNDAyoDCgLoYsaHR0
>cDovL2NybC5laWQuYmVsZ2l1bS5iZS9nb3Zlcm5tZW50MjAwNS5jcmwwCQYDVR0TBAIwADARBglg
>hkgBhvhCAQEEBAMCBLAwbQYIKwYBBQUHAQEEYTBfMDUGCCsGAQUFBzAChilodHRwOi8vY2VydHMu
>ZWlkLmJlbGdpdW0uYmUvYmVsZ2l1bXJzLmNydDAmBggrBgEFBQcwAYYaaHR0cDovL29jc3AuZWlk
>LmJlbGdpdW0uYmUwDQYJKoZIhvcNAQEFBQADggEBABOqebsV63FaY1Ekf5TS9WufW4+zJRe3BOZs
>ZUGPMFUJs65nWsjlzMtOHS3wfyReq01uIG2HQkZ0XK+/NJ56Xh+xJNywgbo9mxRhCBgTUqSM/feT
>uYPrZAB1O7QHEH4PLoDNtJtZ8+Zz+GXfARLS5AMSfjqtxwvj4+Pgt6HAuxHb/4mDS1C4xFQNZhZR
>+XkFtFku1AjN9cXQMFN6vtmYKhwduPj6yxtE4wmnZ559V9DyFLi/feonoA1/H1vIwAGWbhYIjEDG
>yApoBEBoGkpHvoWeoQRWwiRf9WGIbLZ5Mcq1SFGPF06+4kkYmJUnPNtXT3yO2hHBP8c4ftXsrgHu
>iBo=</wsse:BinarySecurityToken><ds:Signature
>xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
><ds:SignedInfo>
><ds:CanonicalizationMethod
>Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
>/>
><ds:Reference URI="#id-21826773">
><ds:Transforms>
><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
></ds:Transforms>
><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
><ds:DigestValue>iLwjzNrDGK562cdtEMfDi0mALgM=</ds:DigestValue>
></ds:Reference>
></ds:SignedInfo>
><ds:SignatureValue>
>gLziQrLd7oAAxd67IChIDKgImRuPbKrLe0ZuyIa+fFesfrZFuCc643Q6lfTMs0rXXYEU3btQdEpQ
>CQObiTCH1A==
></ds:SignatureValue>
><ds:KeyInfo Id="KeyId-1899108">
><wsse:SecurityTokenReference
>xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>wsu:Id="STRId-8047015"><wsse:Reference URI="#Id-ref2VerifySignature"
>/></wsse:SecurityTokenReference>
></ds:KeyInfo>
></ds:Signature>
><wsu:Timestamp
>xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2006-06-13T15:31:03Z</wsu:Created><wsu:Expires>2006-06-13T15:31:03Z</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header><soapenv:Body
>xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>wsu:Id="id-21826773"><fphp100
>xmlns="http://fsb.belgium.be/prove"><ns1:fphp100
>xmlns:ns1="http://fsb.belgium.be/prove/fphp100"><ns2:notary
>xmlns:ns2="http://fsb.belgium.be/prove/notary"><ns2:office_id>217063</ns2:office_id><ns2:lang>fr</ns2:lang><ns2:nrn>60052301706</ns2:nrn><ns2:num_kbo_not>0477430931</ns2:num_kbo_not><ns2:num_kbo_fed>0409357321</ns2:num_kbo_fed></ns2:notary><ns1:person><ns1:last_name>r</ns1:last_name><ns1:birth_date_year>1977</ns1:birth_date_year></ns1:person></ns1:fphp100></fphp100></soapenv:Body></soapenv:Envelope>
>
>Services.xml:
>
><serviceGroup>
>        <service name="findPerson">
>        <messageReceivers>
>                <messageReceiver 
>mep="http://www.w3.org/2004/08/wsdl/in-out"
>class="com.notary.fphp.FindPersonMessageReceiverInOut"/>
>        </messageReceivers>
>        <parameter name="ServiceClass" locked="false">
>                com.notary.fphp.FindPersonSkeleton
>        </parameter>
>
>        <parameter name="InFlowSecurity">
>                <action>
>                        <items>Timestamp Signature Encrypt</items>
>
><signaturePropFile>interop.properties</signaturePropFile>
>                </action>
>        </parameter>
>
>        <operation name="fphp100" 
>mep="http://www.w3.org/2004/08/wsdl/in-out">
>
><actionMapping>http://fsb.belgium.be/prove/fphp100</actionMapping>
>        </operation>
>        <operation name="testSOAPFault"
>mep="http://www.w3.org/2004/08/wsdl/in-out">
>
><actionMapping>http://fsb.belgium.be/prove/testSOAPFault</actionMapping>
>        </operation>
>        <operation name="ping" mep="http://www.w3.org/2004/08/wsdl/in-out">
>                
><actionMapping>http://fsb.belgium.be/prove/ping</actionMapping>
>        </operation>
></service>
></serviceGroup>
>
>interop.properties:
>
>org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>org.apache.ws.security.crypto.merlin.keystore.type=jks
>org.apache.ws.security.crypto.merlin.keystore.password=changeit
>org.apache.ws.security.crypto.merlin.file=D:/WebServices/keystore/testKeystore
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
>For additional commands, e-mail: axis-user-help@ws.apache.org
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
>For additional commands, e-mail: axis-user-help@ws.apache.org
>



---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org