axis-java-user mailing list archives

From "Tony Dean" <Tony.D...@sas.com>
Subject RE: [Rampart] Ignore Timestamp and Addressing from client
Date Tue, 10 Jul 2007 15:08:03 GMT
Rampart does not do any processing with the Timestamp information, does it?  However, you do
make a valid point.  The client should not send a Timestamp if the service is not expecting it.
Unfortunately, WSSE 3.0 sends one by default with a UsernameToken. ;-(

> -----Original Message-----
> From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com] 
> Sent: Tuesday, July 10, 2007 10:59 AM
> To: axis-user@ws.apache.org
> Subject: Re: [Rampart] Ignore Timestamp and Addressing from client
> 
> Hmm ... this is not possible with Rampart-1.0 style configuration!
> (Using configuration parameters). IMHO we must validate all 
> elements in the wsse:Security header of the incoming message 
> and I don't think it is correct to let random unknown 
> elements in. We express exactly what we expect in the 
> security header in the security policy of the service and the 
> client MUST send exactly as expected by the service.
> Otherwise it is the client's problem.
> 
> Thanks,
> Ruchith
> 
> On 7/10/07, stlecho <stlecho@gmail.com> wrote:
> >
> > I completely agree with you Tony. If the client sends on top of the 
> > required UsernameToken some additional and unwanted information 
> > (timestamp, addressing, ...), Rampart should still be happy that it 
> > finds the UsernameToken information.
> >
> > Regards, Stefan.
> >
> >
> > Tony Dean wrote:
> > >
> > > > As an example suppose you want Rampart to expect and always process
> > > > a UsernameToken.  You would set
> > > > <action><items>UsernameToken</items></action>.  However, by default
> > > > .net clients always send a Timestamp.  So even though the .net
> > > > client sends a UsernameToken, a mismatch occurs because it sends a
> > > > Timestamp as well.  Is there a way to configure Rampart to just
> > > > ignore a Timestamp since it is not expected?  I think this is what
> > > > Stefan is saying also.  Maybe this is against ws-security guidelines.  I don't know.  Thanks.
> > >
> > >> -----Original Message-----
> > >> From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com]
> > >> Sent: Tuesday, July 10, 2007 5:37 AM
> > >> To: axis-user@ws.apache.org
> > > >> Subject: Re: [Rampart] Ignore Timestamp and Addressing from client
> > >>
> > > >> The actions mismatch error occurs when you configure rampart to
> > > >> expect security actions different to what the incoming message
> > > >> contains. When you configure Rampart to process all security
> > > >> operations performed on the message you will be able to get rid of
> > > >> this error.
> > >>
> > >> Thanks,
> > >> Ruchith
> > >>
> > >> On 7/2/07, stlecho <stlecho@gmail.com> wrote:
> > >> >
> > >> > All,
> > >> >
> > >> > Is there a solution or workaround for this issue ?
> > >> >
> > >> > Regards, Stefan Lecho.
> > >> >
> > >> >
> > >> > stlecho wrote:
> > >> > >
> > >> > > Hi,
> > >> > >
> > > >> > > I have configured the InflowSecurity parameter (extract
> > > >> > > included underneath) on the server side with the "Signature" item.
> > > >> > >
> > > >> > > One of our clients is using a C# client. The SOAP request that
> > > >> > > is received from this client contains Timestamp and Addressing related
> > > >> > > elements. This results in a "WSDoAllReceiver: security processing
> > > >> > > failed (actions mismatch)" AxisFault.
> > > >> > >
> > > >> > > Is there a way to "ignore" the Timestamp and Addressing related
> > > >> > > elements on the server ?
> > > >> > >
> > > >> > > Extract axis2.xml:
> > > >> > > <parameter name="InflowSecurity">
> > > >> > >   <action>
> > > >> > >     <items>Signature</items>
> > > >> > >     <signaturePropFile>interopin.properties</signaturePropFile>
> > > >> > >     <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
> > > >> > >     <signatureParts>{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body</signatureParts>
> > > >> > >   </action>
> > > >> > > </parameter>
> > >> > >
> > >> > >
> > >> > > Regards, Stefan Lecho.
> > >> > >
> > >> >
> > >> > --
> > >> > View this message in context:
> > >> >
> > >> 
> http://www.nabble.com/-Rampart--Ignore-Timestamp-and-Addressing-fro
> > >> m-c
> > >> > lient-tf3882252.html#a11392800 Sent from the Axis - User
> > >> mailing list
> > >> > archive at Nabble.com.
> > >> >
> > >> >
> > >> >
> > >> 
> -------------------------------------------------------------------
> > >> --
> > >> > To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> > >> > For additional commands, e-mail: axis-user-help@ws.apache.org
> > >> >
> > >> >
> > >>
> > >>
> > >> --
> > >> www.ruchith.org
> > >> www.wso2.org
> > >>
> > >> 
> -------------------------------------------------------------------
> > >> -- To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> > >> For additional commands, e-mail: axis-user-help@ws.apache.org
> > >>
> > >>
> > >
> > > 
> --------------------------------------------------------------------
> > > - To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> > > For additional commands, e-mail: axis-user-help@ws.apache.org
> > >
> > >
> > >
> >
> > --
> > View this message in context: 
> > 
> http://www.nabble.com/-Rampart--Ignore-Timestamp-and-Addressing-from-c
> > lient-tf3882252.html#a11521124 Sent from the Axis - User 
> mailing list 
> > archive at Nabble.com.
> >
> >
> > 
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> > For additional commands, e-mail: axis-user-help@ws.apache.org
> >
> >
> 
> 
> --
> www.ruchith.org
> www.wso2.org
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org

