axis-java-user mailing list archives

From Samisa Abeysinghe <samisa.abeysin...@gmail.com>
Subject Re: Rampart Username and signed certificate
Date Tue, 07 Oct 2008 03:04:27 GMT
1. What is your server side?
2. Did you author this policy, or did you get it from the service?
3. What is the fault that you get?

Thanks,
Samisa...

RonnieMJ wrote:
> I don't actually get an exception (well I do get a soap fault for not having
> all of the right headers from their server).
>
> The message usually gets sent out simply without the username token.  If I
> DO get the username token to go, it's as a SignedSupportingToken (which is
> not what they want).
>
>
>
> Samisa Abeysinghe-2 wrote:
>   
>> What is the exception that you get?
>>
>> Samisa...
>>
>> RonnieMJ wrote:
>>     
>>> I'm pretty new to WS, and especially the security piece, but I'm using
>>> rampart 1.4 using policy files to try to function as a client to an
>>> existing
>>> (external to my company) web service.
>>>
>>> I know that I need to send both a usernameToken and sign the header with
>>> a
>>> certificate.  I've been able to do EITHER, but so far haven't been able
>>> to
>>> do both.
>>>
>>> I've tried it about 20 different ways, but my most recent attempt is:
>>>
>>>
>>> <wsp:Policy wsu:Id="SigAndUName"
>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>> 	<wsp:All>
>>> 		<sp:AsymmetricBinding
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> 			<wsp:Policy>
>>> 				<sp:InitiatorToken>
>>> 					<wsp:Policy>
>>> 						<sp:X509Token
>>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>> 							<wsp:Policy>
>>> 								<sp:WssX509V3Token10/>
>>> 							</wsp:Policy>
>>> 						</sp:X509Token>
>>> 					</wsp:Policy>
>>> 				</sp:InitiatorToken>
>>> 				<sp:RecipientToken>
>>> 					<wsp:Policy>
>>> 						<sp:X509Token
>>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>>> 							<wsp:Policy>
>>> 								<sp:WssX509V3Token10/>
>>> 							</wsp:Policy>
>>> 						</sp:X509Token>
>>> 					</wsp:Policy>
>>> 				</sp:RecipientToken>
>>> 				<sp:AlgorithmSuite>
>>> 					<wsp:Policy>
>>> 						<sp:Basic128Rsa15/>
>>> 					</wsp:Policy>
>>> 				</sp:AlgorithmSuite>
>>> 				<sp:Layout>
>>> 					<wsp:Policy>
>>> 						<sp:Lax/>
>>> 					</wsp:Policy>
>>> 				</sp:Layout>
>>> 				<sp:OnlySignEntireHeadersAndBody/>
>>> 				<sp:SupportingTokens>
>>> 					<wsp:Policy>
>>> 						<sp:UsernameToken
>>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"
>>> />
>>> 					</wsp:Policy>
>>> 				</sp:SupportingTokens>
>>> 			</wsp:Policy>
>>> 		</sp:AsymmetricBinding>
>>>
>>>
>>> 		<sp:Wss10
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> 			<wsp:Policy>
>>> 				<sp:MustSupportRefKeyIdentifier />
>>> 				<sp:MustSupportRefIssuerSerial />
>>> 			</wsp:Policy>
>>> 		</sp:Wss10>
>>>
>>>
>>> 		<sp:SignedParts
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> 			<sp:Body/>
>>> 		</sp:SignedParts>
>>>
>>> 		<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>>> 			<ramp:user>user</ramp:user>
>>> 			<ramp:encryptionUser>user</ramp:encryptionUser>
>>> 		
>>> <ramp:passwordCallbackClass>com.xo.vzn_asr.business.util.PWCBHandler</ramp:passwordCallbackClass>
>>>
>>> 			<ramp:signatureCrypto>
>>> 				<ramp:crypto
>>> provider="org.apache.ws.security.components.crypto.Merlin">
>>> 					<ramp:property
>>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>> 					<ramp:property
>>> name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>>> 					<ramp:property
>>> name="org.apache.ws.security.crypto.merlin.keystore.alias">user</ramp:property>
>>> 					<ramp:property
>>> name="org.apache.ws.security.crypto.merlin.keystore.password">keypassword</ramp:property>
>>> 				</ramp:crypto>
>>> 			</ramp:signatureCrypto>
>>> 		</ramp:RampartConfig>
>>>
>>> 	</wsp:All>
>>> </wsp:Policy>
>>>
>>>
>>>
>>> I expect the final header output to be something like:
>>> <SOAP-ENV:Header >
>>> 	<wsse:Security >
>>> 		<wsse:UsernameToken >
>>> 			<wsse:Username >XXX</wsse:Username>
>>> 		</wsse:UsernameToken>
>>> 		<wsse:BinarySecurityToken >binaryTokenHere</wsse:BinarySecurityToken>
>>> 		<ds:Signature >
>>> 			<ds:SignedInfo >
>>> 				<ds:CanonicalizationMethod
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>> 				<ds:SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>> 				<ds:Reference >
>>> 					<ds:Transforms >
>>> 						<ds:Transform />
>>> 					</ds:Transforms>
>>> 					<ds:DigestMethod />
>>> 					<ds:DigestValue></ds:DigestValue>
>>> 				</ds:Reference>
>>> 				<ds:Reference >
>>> 					<ds:Transforms >
>>> 						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>> 					</ds:Transforms>
>>> 					<ds:DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>> 					<ds:DigestValue></ds:DigestValue>
>>> 				</ds:Reference>
>>> 			</ds:SignedInfo>
>>> 			<ds:SignatureValue></ds:SignatureValue>
>>> 			<ds:KeyInfo >
>>> 				<wsse:SecurityTokenReference >
>>> 					<wsse:Reference />
>>> 				</wsse:SecurityTokenReference>
>>> 			</ds:KeyInfo>
>>> 		</ds:Signature>
>>> 	</wsse:Security>
>>> </SOAP-ENV:Header>
>>>
>>>
>>> I'm fairly sure I've just got the policy file slightly off.  Any
>>> suggestions?  Thanks for any reply.
>>>   
>>>       
>> -- 
>> Samisa Abeysinghe
>>
>> http://people.apache.org/~samisa/
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
>> For additional commands, e-mail: axis-user-help@ws.apache.org
>>
>>
>>
>>     
>
>   


-- 
Samisa Abeysinghe

http://people.apache.org/~samisa/

