axis-java-user mailing list archives

From "Ruchith Fernando" <ruchith.ferna...@gmail.com>
Subject Re: Rampart module
Date Wed, 25 Oct 2006 12:22:48 GMT
Hi Sriram,

We cannot specify service-specific parameters in the axis2.xml file.
Therefore we have an alternative way to configure the clients when
talking to multiple services. You can use two helper classes to
generate the parameters dynamically and set them in the options object
of the client before invoking the service.

Please have a look at "sample11" of this [1] presentation.

Thanks,
Ruchith

[1] http://www.wso2.net/presentations/rampart/java/2006/08/04/secure-ws

On 10/25/06, Sriram Vaidyanathan <Sriram.Vaidyanathan@copart.com> wrote:
> Hi Ruchith,
>     Thanks a lot for the response. That solved the issue.
>
>     I have another question regarding using a single client to send secure messages to
> different services, and each service expects the incoming message to be encrypted.
>
> But in my client's axis2.xml for the OutflowSecurity parameter the <encryptionUser>
> can specify the alias for any one of the service's public certificate. Is there any way this
> alias can be supplied dynamically based on a condition instead of having it hardcoded in the
> axis2.xml? Any insight on this would be appreciated.
>
> Thanks
> Sriram
>
>
> ________________________________
>
> From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com]
> Sent: Wed 10/18/2006 9:51 PM
> To: axis-user@ws.apache.org
> Subject: Re: Rampart module
>
>
>
> Hi Sriram,
>
> Seems like the body is encrypted twice! That's why you cannot find
> the second DataReference
> (EncryptedContent-35c3b4c0-4192-48b3-ab5d-629c7abcc6e2) in the message
> - since it's encrypted.
>
> Therefore please try changing the "items" in the inflow configuration to :
> <items>Signature Encrypt Encrypt Timestamp</items>
>
> Thanks,
> Ruchith
>
> On 10/19/06, Sriram Vaidyanathan <Sriram.Vaidyanathan@copart.com> wrote:
> > Hi Ruchith,
> >         Pasted below is the generated message from the .NET client with the extra
> > encryptedKey element and on the server side, the axis2 xml is configured for InflowSecurity
> > as "<items>Signature Encrypt Timestamp</items>"
> >
> > Thanks
> > Sriram
> >
> > <?xml version="1.0" encoding="utf-8"?>
> >   <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >       xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
> >       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >     <soap:Header>
> >       <wsa:Action wsu:Id="Id-392264f7-703f-4ac0-b84d-810f91fe8f86">http://abc.testservice.com/echo</wsa:Action>
> >       <wsa:MessageID wsu:Id="Id-5d8a4918-a4f4-46d6-b275-66a3bba829c5">uuid:a9d09b03-8924-4bdb-b29b-2a88d4c9d457</wsa:MessageID>
> >       <wsa:ReplyTo wsu:Id="Id-9579ae46-5658-4e12-9119-64e2d440e89e">
> >         <wsa:Address>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:Address>
> >       </wsa:ReplyTo>
> >       <wsa:To wsu:Id="Id-e0ea75ce-232b-45c7-a069-475e602b6f49">https://abc.testservice.com/services/SampleService</wsa:To>
> >       <wsse:Security soap:mustUnderstand="1">
> >         <wsu:Timestamp wsu:Id="Timestamp-3655fce3-efaa-4ee4-8143-2d9bb5b0ccb6">
> >           <wsu:Created>2006-10-18T13:36:56Z</wsu:Created>
> >           <wsu:Expires>2006-10-18T13:41:56Z</wsu:Expires>
> >         </wsu:Timestamp>
> >         <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> >             EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> >             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >             wsu:Id="SecurityToken-d51b1d39-71ff-46d8-9e13-64bd8b3ff398">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</wsse:BinarySecurityToken>
> >         <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> >           <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
> >           <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> >             <wsse:SecurityTokenReference>
> >               <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
> >                   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">6+TG/qjIwXgY6PC0uB9PEV+DEfE=</wsse:KeyIdentifier>
> >             </wsse:SecurityTokenReference>
> >           </KeyInfo>
> >           <xenc:CipherData>
> >             <xenc:CipherValue>NQ5JNFqRvllJ00dhS9pQ1Ux+n+on1dwSayYMFZ7JK9whQYC8ZXiiw3IwXXdrGYRtyuKqvdoPn1rZyBh+KWMguISsTz2SclRhsBmg2UpBuzUKabedVxdY2nU6wsI55i2JX0qLZhGURdVYZ0B/hKsQMWunYGjncEcJGuO1GAyFFFI=</xenc:CipherValue>
> >           </xenc:CipherData>
> >           <xenc:ReferenceList>
> >             <xenc:DataReference URI="#EncryptedContent-8b343733-6984-4b42-9b35-83bb20fa5f0f" />
> >           </xenc:ReferenceList>
> >         </xenc:EncryptedKey>
> >         <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> >           <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
> >           <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> >             <wsse:SecurityTokenReference>
> >               <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
> >                   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">6+TG/qjIwXgY6PC0uB9PEV+DEfE=</wsse:KeyIdentifier>
> >             </wsse:SecurityTokenReference>
> >           </KeyInfo>
> >           <xenc:CipherData>
> >             <xenc:CipherValue>a1PVPSkrjtjVf4R+4U5UODOSCqBaENKvXCIl+/jJyTilsTAUyasv5Iy/tay5oMzgVQvrgYhsOnETLrjx7MJXwFIL0stKhOIOeQLmP94MMnrNim6+KujylObPdMh/hTtSesJFGg0A9lZ79gWmNLH/vCagP5HZPSQ/9+BiOfkPWfE=</xenc:CipherValue>
> >           </xenc:CipherData>
> >           <xenc:ReferenceList>
> >             <xenc:DataReference URI="#EncryptedContent-35c3b4c0-4192-48b3-ab5d-629c7abcc6e2" />
> >           </xenc:ReferenceList>
> >         </xenc:EncryptedKey>
> >         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> >           <SignedInfo>
> >             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
> >             <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> >             <Reference URI="#Id-392264f7-703f-4ac0-b84d-810f91fe8f86">
> >               <Transforms>
> >                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> >               </Transforms>
> >               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> >               <DigestValue>XPsgAkRid9zqbvBCCcRAtfuDdvc=</DigestValue>
> >             </Reference>
> >             <Reference URI="#Id-5d8a4918-a4f4-46d6-b275-66a3bba829c5">
> >               <Transforms>
> >                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> >               </Transforms>
> >               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> >               <DigestValue>4oqh/ZBIeqGO8aZBizjab2nA1Do=</DigestValue>
> >             </Reference>
> >             <Reference URI="#Id-9579ae46-5658-4e12-9119-64e2d440e89e">
> >               <Transforms>
> >                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> >               </Transforms>
> >               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> >               <DigestValue>HAK41b2OHRKQ32hMS/jf0Mz0Gp4=</DigestValue>
> >             </Reference>
> >             <Reference URI="#Id-e0ea75ce-232b-45c7-a069-475e602b6f49">
> >               <Transforms>
> >                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> >               </Transforms>
> >               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> >               <DigestValue>cwCmR+Yko4zoBey8wOVizE6zPTw=</DigestValue>
> >             </Reference>
> >             <Reference URI="#Timestamp-3655fce3-efaa-4ee4-8143-2d9bb5b0ccb6">
> >               <Transforms>
> >                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> >               </Transforms>
> >               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> >               <DigestValue>veIjhp8Ubw/V2Sa6kdArohMD6nw=</DigestValue>
> >             </Reference>
> >             <Reference URI="#Id-89cc079d-6dea-406e-ad20-5b7c7a925767">
> >               <Transforms>
> >                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> >               </Transforms>
> >               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> >               <DigestValue>jeT3j5JGalurE0pODG0gS1qmeCw=</DigestValue>
> >             </Reference>
> >           </SignedInfo>
> >           <SignatureValue>vGgQHG8/MvSsM8xXaahSyGZ408ji8LfbX7yfxcnJ40c7CDCDYwoj75ZmZD7T7u1Igzmn7CmM7rzFCcb+MM34bj7HVChMTAuw8bluKEHksTzJItqwSYxWmPb2QHyuGaea8ahy3CFmr+FNCujZ/kfEZQ98CmtXmj9idtMvTzJkBbQ=</SignatureValue>
> >           <KeyInfo>
> >             <wsse:SecurityTokenReference>
> >               <wsse:Reference URI="#SecurityToken-d51b1d39-71ff-46d8-9e13-64bd8b3ff398"
> >                   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
> >             </wsse:SecurityTokenReference>
> >           </KeyInfo>
> >         </Signature>
> >       </wsse:Security>
> >     </soap:Header>
> >     <soap:Body wsu:Id="Id-89cc079d-6dea-406e-ad20-5b7c7a925767">
> >       <xenc:EncryptedData Id="EncryptedContent-8b343733-6984-4b42-9b35-83bb20fa5f0f"
> >           Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> >         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
> >         <xenc:CipherData>
> >           <xenc:CipherValue>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</xenc:CipherValue>
> >         </xenc:CipherData>
> >       </xenc:EncryptedData>
> >     </soap:Body>
> >   </soap:Envelope>
> >
> > -----Original Message-----
> > From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com]
> > Sent: Wednesday, October 18, 2006 6:57 PM
> > To: axis-user@ws.apache.org
> > Subject: Re: Rampart module
> >
> > Hi Sriram,
> >
> > Yes, the extra EncryptedKey with a RefList (meaning there's content
> > that is encrypted with that key) can be causing the action mismatch.
> > Can you please post the message generated by the .NET client?
> >
> > Thanks,
> > Ruchith
> >
> > On 10/18/06, Sriram Vaidyanathan <Sriram.Vaidyanathan@copart.com> wrote:
> > >     Thanks for the response, Ruchith.
> > >
> > >       I had a question with the WSDoAllReceiver. There is a check for matching
> > > the Actions in the right order, which throws a "WSDoAllReceiver: security processing failed
> > > (actions mismatch)" in case the actions don't match with the actual results and the configured
> > > actions.
> > > We are having a .NET client trying to send the message but it always fails
> > > for the actions mismatch check. On looking at it they have an extra <xenc:encryptedKey>
> > > element, which is having a referenceData URI, but the URI doesn't match to any particular
> > > element in the document. We have the Server axis2.xml configured as
> > > "<items>Signature Encrypt Timestamp</items>"
> > >
> > > Could the extra encrypted element in the request be causing this "Actions Mismatch"
> > > error? Any help on this would be appreciated.
> > >
> > > Thanks
> > > Sriram
> > >
> > >
> > > -----Original Message-----
> > > From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com]
> > > Sent: Wednesday, October 18, 2006 12:47 AM
> > > To: axis-user@ws.apache.org
> > > Subject: Re: Rampart module
> > >
> > > Hi Sriram,
> > >
> > > On 10/18/06, Sriram Vaidyanathan <Sriram.Vaidyanathan@copart.com> wrote:
> > > > Hi,
> > > >    Where can I get the source files for the Rampart Module?
> > >
> > > Trunk:
> > > https://svn.apache.org/repos/asf/webservices/axis2/trunk/java/modules/security
> > >
> > > 1.1 Branch:
> > > https://svn.apache.org/repos/asf/webservices/axis2/branches/java/1_1/modules/security
> > >
> > > >    Also, any idea when the Rampart 1.1 version will be coming out?
> > > I think we can release rampart a week or two after the Axis2 1.1 release.
> > >
> > > Thanks,
> > > Ruchith
> > >
> > > >
> > > > Thanks
> > > > Sriram
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com]
> > > > Sent: Monday, October 16, 2006 10:45 PM
> > > > To: axis-user@ws.apache.org
> > > > Subject: Re: Rampart module
> > > >
> > > > Please try this :
> > > >
> > > > http://people.apache.org/repository/org.apache.axis2/mars/rampart-1.1-SNAPSHOT.mar
> > > >
> > > > Thanks,
> > > > Ruchith
> > > >
> > > > On 10/17/06, Marcel Casado <marcel@ucar.edu> wrote:
> > > > > Hi,
> > > > >
> > > > > Where can I find a snapshot of the Rampart module that works fine with
> > > > > a snapshot of Axis2 1.1?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > -Marcel
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> > > > > For additional commands, e-mail: axis-user-help@ws.apache.org
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > www.ruchith.org
> > > >
> > > >
> > > >
> > >
> > >
> > > --
> > > www.ruchith.org
> > >
> > >
> > >
> >
> >
> > --
> > www.ruchith.org
> >
> >
> >
>
>
> --
> www.ruchith.org
>
>
>


-- 
www.ruchith.org

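The approach Ruchith describes above (building the OutflowSecurity and InflowSecurity parameters in code and setting them on the client's Options per target service, instead of hardcoding one encryptionUser in axis2.xml) as an added example. This is not code from the thread, from the linked presentation or from the Rampart samples. The class and method names are those of Rampart 1.1's org.apache.rampart.handler.config.OutflowConfiguration / InflowConfiguration and org.apache.rampart.handler.WSSHandlerConstants as I understand them; the service endpoints, keystore aliases, the client.properties file name and the PWCBHandler password callback class are constructed placeholders that a reader would replace with their own.

```java
import java.util.HashMap;
import java.util.Map;
import javax.xml.namespace.QName;

import org.apache.axis2.AxisFault;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.rampart.handler.WSSHandlerConstants;
import org.apache.rampart.handler.config.InflowConfiguration;
import org.apache.rampart.handler.config.OutflowConfiguration;

/**
 * Per-service WS-Security settings for a single Axis2/Rampart client.
 * Added example; the registry below is constructed, not taken from the thread.
 */
public final class PerServiceSecurity {

    /** What differs between two target services: its address, whose certificate
     *  to encrypt to, and which actions its responses are expected to carry. */
    static final class ServiceProfile {
        final String endpoint;
        final String encryptionAlias; // keystore alias of the service's public certificate
        final String inflowItems;     // expected order of actions in the response
        ServiceProfile(String endpoint, String encryptionAlias, String inflowItems) {
            this.endpoint = endpoint;
            this.encryptionAlias = encryptionAlias;
            this.inflowItems = inflowItems;
        }
    }

    // Hypothetical registry: placeholder endpoints and aliases.
    private static final Map<String, ServiceProfile> PROFILES = new HashMap<String, ServiceProfile>();
    static {
        PROFILES.put("orders", new ServiceProfile(
                "https://orders.example.invalid/services/Orders", "orders-svc",
                "Signature Encrypt Timestamp"));
        // A peer that encrypts the body twice needs "Encrypt" listed twice on the inflow side.
        PROFILES.put("billing", new ServiceProfile(
                "https://billing.example.invalid/services/Billing", "billing-svc",
                "Signature Encrypt Encrypt Timestamp"));
    }

    // Hypothetical javax.security.auth.callback.CallbackHandler supplied by the reader.
    private static final String PWCB_HANDLER = "org.example.PWCBHandler";

    /** Outgoing messages: sign with the client's key, encrypt to this service's certificate. */
    static OutflowConfiguration outflowFor(ServiceProfile p) {
        OutflowConfiguration ofc = new OutflowConfiguration();
        ofc.setActionItems("Signature Encrypt Timestamp");
        ofc.setUser("client");                   // alias of the client's own signing key
        ofc.setEncryptionUser(p.encryptionAlias); // the per-service value the thread asks about
        ofc.setSignaturePropFile("client.properties");
        ofc.setEncryptionPropFile("client.properties");
        ofc.setPasswordCallbackClass(PWCB_HANDLER);
        return ofc;
    }

    /** Incoming responses: the actions that must be present, in order. */
    static InflowConfiguration inflowFor(ServiceProfile p) {
        InflowConfiguration ifc = new InflowConfiguration();
        ifc.setActionItems(p.inflowItems);
        ifc.setPasswordCallbackClass(PWCB_HANDLER);
        ifc.setSignaturePropFile("client.properties");
        ifc.setDecryptionPropFile("client.properties");
        return ifc;
    }

    /** Builds the Options object for one service; fails closed on an unknown key so a
     *  message is never encrypted to an unintended alias by falling back to a default. */
    static Options optionsFor(String serviceKey) {
        ServiceProfile p = PROFILES.get(serviceKey);
        if (p == null) {
            throw new IllegalArgumentException("no security profile for service: " + serviceKey);
        }
        Options options = new Options();
        options.setTo(new EndpointReference(p.endpoint));
        options.setProperty(WSSHandlerConstants.OUTFLOW_SECURITY, outflowFor(p).getProperty());
        options.setProperty(WSSHandlerConstants.INFLOW_SECURITY, inflowFor(p).getProperty());
        return options;
    }

    public static void main(String[] args) throws AxisFault {
        ServiceClient client = new ServiceClient();
        client.engageModule(new QName("rampart"));
        for (String key : new String[] {"orders", "billing"}) {
            client.setOptions(optionsFor(key)); // swap the whole security profile per call
            // client.sendReceive(payload) would follow; each call encrypts to its own alias
        }
    }
}
```

Keeping the encryption alias next to the endpoint it belongs to is the point: the Options object is rebuilt for every call, so the message for one service can never be encrypted under the other service's certificate, and an unknown service key raises instead of silently reusing whichever alias was set last.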

