axis-java-user mailing list archives

From RonnieMJ <ronniemjo...@hotmail.com>
Subject Re: Rampart Username and signed certificate
Date Tue, 07 Oct 2008 02:40:16 GMT

I don't actually get an exception (well, I do get a SOAP fault from their server
for not having all of the right headers).

The message usually gets sent out simply without the UsernameToken. If I DO
get the UsernameToken to go out, it's as a SignedSupportingToken (which is not
what they want).



Samisa Abeysinghe-2 wrote:
> 
> What is the exception that you get?
> 
> Samisa...
> 
> RonnieMJ wrote:
>> I'm pretty new to WS, and especially the security piece, but I'm using
>> Rampart 1.4 with policy files to try to function as a client to an existing
>> (external to my company) web service.
>>
>> I know that I need to send both a UsernameToken and sign the header with a
>> certificate. I've been able to do EITHER, but so far haven't been able to
>> do both.
>>
>> I've tried it about 20 different ways, but my most recent attempt is:
>>
>>
>> <wsp:Policy wsu:Id="SigAndUName"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>> 	<wsp:All>
>> 		<sp:AsymmetricBinding
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> 			<wsp:Policy>
>> 				<sp:InitiatorToken>
>> 					<wsp:Policy>
>> 						<sp:X509Token
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>> 							<wsp:Policy>
>> 								<sp:WssX509V3Token10/>
>> 							</wsp:Policy>
>> 						</sp:X509Token>
>> 					</wsp:Policy>
>> 				</sp:InitiatorToken>
>> 				<sp:RecipientToken>
>> 					<wsp:Policy>
>> 						<sp:X509Token
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>> 							<wsp:Policy>
>> 								<sp:WssX509V3Token10/>
>> 							</wsp:Policy>
>> 						</sp:X509Token>
>> 					</wsp:Policy>
>> 				</sp:RecipientToken>
>> 				<sp:AlgorithmSuite>
>> 					<wsp:Policy>
>> 						<sp:Basic128Rsa15/>
>> 					</wsp:Policy>
>> 				</sp:AlgorithmSuite>
>> 				<sp:Layout>
>> 					<wsp:Policy>
>> 						<sp:Lax/>
>> 					</wsp:Policy>
>> 				</sp:Layout>
>> 				<sp:OnlySignEntireHeadersAndBody/>
>> 				<sp:SupportingTokens>
>> 					<wsp:Policy>
>> 						<sp:UsernameToken
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"
>> />
>> 					</wsp:Policy>
>> 				</sp:SupportingTokens>
>> 			</wsp:Policy>
>> 		</sp:AsymmetricBinding>
>>
>>
>> 		<sp:Wss10
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> 			<wsp:Policy>
>> 				<sp:MustSupportRefKeyIdentifier />
>> 				<sp:MustSupportRefIssuerSerial />
>> 			</wsp:Policy>
>> 		</sp:Wss10>
>>
>>
>> 		<sp:SignedParts
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> 			<sp:Body/>
>> 		</sp:SignedParts>
>>
>> 		<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>> 			<ramp:user>user</ramp:user>
>> 			<ramp:encryptionUser>user</ramp:encryptionUser>
>> 		
>> <ramp:passwordCallbackClass>com.xo.vzn_asr.business.util.PWCBHandler</ramp:passwordCallbackClass>
>>
>> 			<ramp:signatureCrypto>
>> 				<ramp:crypto
>> provider="org.apache.ws.security.components.crypto.Merlin">
>> 					<ramp:property
>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>> 					<ramp:property
>> name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>> 					<ramp:property
>> name="org.apache.ws.security.crypto.merlin.keystore.alias">user</ramp:property>
>> 					<ramp:property
>> name="org.apache.ws.security.crypto.merlin.keystore.password">keypassword</ramp:property>
>> 				</ramp:crypto>
>> 			</ramp:signatureCrypto>
>> 		</ramp:RampartConfig>
>>
>> 	</wsp:All>
>> </wsp:Policy>
>>
>>
>>
>> I expect the final header output to be something like:
>> <SOAP-ENV:Header >
>> 	<wsse:Security >
>> 		<wsse:UsernameToken >
>> 			<wsse:Username >XXX</wsse:Username>
>> 		</wsse:UsernameToken>
>> 		<wsse:BinarySecurityToken >binaryTokenHere</wsse:BinarySecurityToken>
>> 		<ds:Signature >
>> 			<ds:SignedInfo >
>> 				<ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> 				<ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>> 				<ds:Reference >
>> 					<ds:Transforms >
>> 						<ds:Transform />
>> 					</ds:Transforms>
>> 					<ds:DigestMethod />
>> 					<ds:DigestValue></ds:DigestValue>
>> 				</ds:Reference>
>> 				<ds:Reference >
>> 					<ds:Transforms >
>> 						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> 					</ds:Transforms>
>> 					<ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> 					<ds:DigestValue></ds:DigestValue>
>> 				</ds:Reference>
>> 			</ds:SignedInfo>
>> 			<ds:SignatureValue></ds:SignatureValue>
>> 			<ds:KeyInfo >
>> 				<wsse:SecurityTokenReference >
>> 					<wsse:Reference />
>> 				</wsse:SecurityTokenReference>
>> 			</ds:KeyInfo>
>> 		</ds:Signature>
>> 	</wsse:Security>
>> </SOAP-ENV:Header>
>>
>>
>> I'm fairly sure I've just got the policy file slightly off.  Any
>> suggestions?  Thanks for any reply.
>>   
> 
> 
> -- 
> Samisa Abeysinghe
> 
> http://people.apache.org/~samisa/
> 
> 

-- 
View this message in context: http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19850087.html
Sent from the Axis - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org

