axis-java-user mailing list archives

From amiteshksingh <amiteshksi...@live.com>
Subject Re: AXIS2 - Security Policy Problem (Is this a bug?)
Date Thu, 09 Jul 2009 22:38:01 GMT

Hi Nandana,

Thanks for your reply.
I will try the alternative way you have suggested. However, will
Axis2/Rampart support this feature in future?

Thanks,
Amitesh

Nunny wrote:
> 
> Hi Amitesh,
> Axis2/Rampart doesn't support policy alternatives, which is the
> feature you are referring to. When multiple policy alternatives are present,
> it will only honor the first alternative. That is why you're experiencing this
> behavior. One workaround would be to have multiple bindings with these
> alternative policies, and clients can choose which binding to talk to.
> 
> thanks,
> Nandana
> 
> On Mon, Jul 6, 2009 at 9:53 PM, amiteshksingh
> <amiteshksingh@live.com>wrote:
> 
>>
>> Has anyone done this before? It seems a bug to me; however, I am not sure
>> because I am new to AXIS2.
>>
>>
>>
>> amiteshksingh wrote:
>> >
>> > Hi,
>> >
>> > I have one service which contains two separate policies for two different
>> > clients, using the <sp:ExactlyOne> policy operator as given below.
>> > Service policy:
>> > <wsp:Policy wsu:Id="SgnOnlyAnonymous"
>> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> >     xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>> >     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> >   <wsp:ExactlyOne>
>> >     <wsp:All>
>> >       <wsp:ExactlyOne>
>> >         <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> >           <wsp:Policy>
>> >             <sp:InitiatorToken>
>> >               <wsp:Policy>
>> >                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>> >                   <wsp:Policy>
>> >                     <sp:RequireThumbprintReference/>
>> >                     <sp:WssX509V3Token10/>
>> >                   </wsp:Policy>
>> >                 </sp:X509Token>
>> >               </wsp:Policy>
>> >             </sp:InitiatorToken>
>> >             <sp:RecipientToken>
>> >               <wsp:Policy>
>> >                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>> >                   <wsp:Policy>
>> >                     <sp:RequireThumbprintReference/>
>> >                     <sp:WssX509V3Token10/>
>> >                   </wsp:Policy>
>> >                 </sp:X509Token>
>> >               </wsp:Policy>
>> >             </sp:RecipientToken>
>> >             <sp:AlgorithmSuite>
>> >               <wsp:Policy>
>> >                 <sp:TripleDesRsa15/>
>> >               </wsp:Policy>
>> >             </sp:AlgorithmSuite>
>> >             <sp:Layout>
>> >               <wsp:Policy>
>> >                 <sp:Strict/>
>> >               </wsp:Policy>
>> >             </sp:Layout>
>> >             <sp:IncludeTimestamp/>
>> >             <sp:OnlySignEntireHeadersAndBody/>
>> >           </wsp:Policy>
>> >         </sp:AsymmetricBinding>
>> >         <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> >           <wsp:Policy>
>> >             <sp:TransportToken>
>> >               <wsp:Policy>
>> >                 <!-- <sp:HttpsToken RequireClientCertificate="false"/> -->
>> >               </wsp:Policy>
>> >             </sp:TransportToken>
>> >             <sp:AlgorithmSuite>
>> >               <wsp:Policy>
>> >                 <sp:Basic256/>
>> >               </wsp:Policy>
>> >             </sp:AlgorithmSuite>
>> >             <sp:Layout>
>> >               <wsp:Policy>
>> >                 <sp:Lax/>
>> >               </wsp:Policy>
>> >             </sp:Layout>
>> >             <sp:IncludeTimestamp/>
>> >           </wsp:Policy>
>> >         </sp:TransportBinding>
>> >       </wsp:ExactlyOne>
>> >       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>> >         <ramp:user>service</ramp:user>
>> >         <ramp:encryptionUser>client</ramp:encryptionUser>
>> >         <ramp:passwordCallbackClass>com.accenture.apsp.security.PWCBHandler</ramp:passwordCallbackClass>
>> >         <ramp:signatureCrypto>
>> >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>> >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
>> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>> >           </ramp:crypto>
>> >         </ramp:signatureCrypto>
>> >       </ramp:RampartConfig>
>> >     </wsp:All>
>> >   </wsp:ExactlyOne>
>> > </wsp:Policy>
>> >
>> > 1st client policy:
>> >
>> > <wsp:Policy wsu:Id="UTOverTransport"
>> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> >     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> >   <wsp:ExactlyOne>
>> >     <wsp:All>
>> >       <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> >         <wsp:Policy>
>> >           <sp:TransportToken>
>> >             <wsp:Policy>
>> >               <!-- <sp:HttpsToken RequireClientCertificate="false"/> -->
>> >             </wsp:Policy>
>> >           </sp:TransportToken>
>> >           <sp:AlgorithmSuite>
>> >             <wsp:Policy>
>> >               <sp:Basic256/>
>> >             </wsp:Policy>
>> >           </sp:AlgorithmSuite>
>> >           <sp:Layout>
>> >             <wsp:Policy>
>> >               <sp:Lax/>
>> >             </wsp:Policy>
>> >           </sp:Layout>
>> >           <sp:IncludeTimestamp/>
>> >         </wsp:Policy>
>> >       </sp:TransportBinding>
>> >       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>> >         <ramp:user>client</ramp:user>
>> >         <ramp:encryptionUser>service</ramp:encryptionUser>
>> >         <ramp:passwordCallbackClass>com.accenture.apsp.security.PWCBHandler</ramp:passwordCallbackClass>
>> >         <ramp:signatureCrypto>
>> >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>> >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>> >           </ramp:crypto>
>> >         </ramp:signatureCrypto>
>> >       </ramp:RampartConfig>
>> >     </wsp:All>
>> >   </wsp:ExactlyOne>
>> > </wsp:Policy>
>> >
>> > 2nd Client policy:
>> >
>> > <wsp:Policy wsu:Id="SigOnly"
>> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>> >   <wsp:ExactlyOne>
>> >     <wsp:All>
>> >       <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> >         <wsp:Policy>
>> >           <sp:InitiatorToken>
>> >             <wsp:Policy>
>> >               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>> >                 <wsp:Policy>
>> >                   <sp:RequireThumbprintReference/>
>> >                   <sp:WssX509V3Token10/>
>> >                 </wsp:Policy>
>> >               </sp:X509Token>
>> >             </wsp:Policy>
>> >           </sp:InitiatorToken>
>> >           <sp:RecipientToken>
>> >             <wsp:Policy>
>> >               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>> >                 <wsp:Policy>
>> >                   <sp:RequireThumbprintReference/>
>> >                   <sp:WssX509V3Token10/>
>> >                 </wsp:Policy>
>> >               </sp:X509Token>
>> >             </wsp:Policy>
>> >           </sp:RecipientToken>
>> >           <sp:AlgorithmSuite>
>> >             <wsp:Policy>
>> >               <sp:TripleDesRsa15/>
>> >             </wsp:Policy>
>> >           </sp:AlgorithmSuite>
>> >           <sp:Layout>
>> >             <wsp:Policy>
>> >               <sp:Strict/>
>> >             </wsp:Policy>
>> >           </sp:Layout>
>> >           <sp:IncludeTimestamp/>
>> >           <sp:OnlySignEntireHeadersAndBody/>
>> >         </wsp:Policy>
>> >       </sp:AsymmetricBinding>
>> >       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>> >         <ramp:user>client</ramp:user>
>> >         <ramp:encryptionUser>service</ramp:encryptionUser>
>> >         <ramp:passwordCallbackClass>com.accenture.apsp.security.PWCBHandler</ramp:passwordCallbackClass>
>> >         <ramp:signatureCrypto>
>> >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>> >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>> >           </ramp:crypto>
>> >         </ramp:signatureCrypto>
>> >       </ramp:RampartConfig>
>> >     </wsp:All>
>> >   </wsp:ExactlyOne>
>> > </wsp:Policy>
>> >
>> > When I am running the 2nd client it's working fine, since the second
>> > client's policy matches the service's <ExactlyOne>'s first element, and if I
>> > am running the 1st client I am getting the error
>> > "org.apache.axis2.AxisFault: Message is not signed".
>> >
>> > In the service, if I switch the policy sequence, then the 1st client
>> > works fine and the second client gives the error.
>> >
>> > As per the specification it should work for both clients. Can anybody tell
>> > me what I am doing wrong?
>> >
>> > Thanks in advance,
>> > Amitesh
>> >
>>
>> --
>> View this message in context:
>> http://www.nabble.com/AXIS2---Security-Policy-Problem-tp24314266p24358644.html
>> Sent from the Axis - User mailing list archive at Nabble.com.
>>
>>
> 
> 

-- 
View this message in context: http://www.nabble.com/AXIS2---Security-Policy-Problem-tp24314266p24418988.html
Sent from the Axis - User mailing list archive at Nabble.com.
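The thread turns on what the WS-Policy normal form of the service policy actually is, and what an engine that enforces only the first alternative does with it. The following is an added example, not code from Axis2, Rampart or the posters: it normalizes a policy into its alternatives (wsp:Policy and wsp:All merge, wsp:ExactlyOne chooses), compares a client's single alternative with the service's alternatives by top-level assertion vocabulary, and models both spec behaviour (any matching alternative is accepted) and the first-alternative-only behaviour Nandana describes. The policies it builds are constructed, trimmed versions of the three in the thread (same operator structure, minimal binding contents); the helper names are this example's own, and full WS-Policy intersection would also recurse into nested wsp:Policy elements, which this check does not.

```python
"""WS-Policy normalization and alternative matching (added example, not Axis2/Rampart code).

The policies built here are constructed, trimmed versions of the thread's policies:
the service policy nests a second wsp:ExactlyOne holding two bindings inside wsp:All,
and each client policy carries one binding.
"""
import xml.etree.ElementTree as ET
from itertools import product

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
RAMP = "http://ws.apache.org/rampart/policy"


def qn(ns, local_name):
    return "{%s}%s" % (ns, local_name)


def local(tag):
    return tag.rsplit("}", 1)[-1]


def binding(name):
    # Minimal binding assertion; the thread's real bindings also carry tokens,
    # an algorithm suite and a layout, none of which changes the alternative count.
    return "<sp:%s><wsp:Policy><sp:IncludeTimestamp/></wsp:Policy></sp:%s>" % (name, name)


def service_policy(*bindings):
    """Constructed service policy: Policy/ExactlyOne/All/[ExactlyOne(bindings), RampartConfig]."""
    return (
        '<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s" xmlns:ramp="%s">'
        "<wsp:ExactlyOne><wsp:All>"
        "<wsp:ExactlyOne>%s</wsp:ExactlyOne>"
        "<ramp:RampartConfig><ramp:user>service</ramp:user></ramp:RampartConfig>"
        "</wsp:All></wsp:ExactlyOne></wsp:Policy>"
    ) % (WSP, SP, RAMP, "".join(binding(b) for b in bindings))


def client_policy(binding_name):
    """Constructed client policy with a single binding, like the thread's client policies."""
    return (
        '<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s" xmlns:ramp="%s">'
        "<wsp:ExactlyOne><wsp:All>%s"
        "<ramp:RampartConfig><ramp:user>client</ramp:user></ramp:RampartConfig>"
        "</wsp:All></wsp:ExactlyOne></wsp:Policy>"
    ) % (WSP, SP, RAMP, binding(binding_name))


def alternatives(elem):
    """WS-Policy normal form. wsp:Policy and wsp:All merge their children's
    alternatives (cross product); wsp:ExactlyOne is the union of its children's
    alternatives; any other element is an assertion, i.e. one alternative
    containing just that element."""
    if elem.tag in (qn(WSP, "Policy"), qn(WSP, "All")):
        alts = [[]]
        for child in elem:
            alts = [a + b for a, b in product(alts, alternatives(child))]
        return alts
    if elem.tag == qn(WSP, "ExactlyOne"):
        return [alt for child in elem for alt in alternatives(child)]
    return [[elem]]


def vocabulary(alt):
    """Assertion types in one alternative. Full WS-Policy intersection also recurses
    into nested wsp:Policy elements; the top-level vocabulary is enough to tell
    which service alternative a client is aiming at."""
    return frozenset(local(a.tag) for a in alt)


def alternative_vocabularies(policy_xml):
    return [tuple(sorted(vocabulary(alt))) for alt in alternatives(ET.fromstring(policy_xml))]


def compatible_alternatives(service_xml, client_xml):
    """Indices of the service alternatives whose vocabulary equals the client's
    (the client policies in the thread have exactly one alternative)."""
    client_alts = alternatives(ET.fromstring(client_xml))
    if len(client_alts) != 1:
        raise ValueError("expected a client policy with exactly one alternative")
    want = vocabulary(client_alts[0])
    service_alts = alternatives(ET.fromstring(service_xml))
    return [i for i, alt in enumerate(service_alts) if vocabulary(alt) == want]


def accepted(service_xml, client_xml, first_alternative_only):
    """first_alternative_only=True models the behaviour described in the thread:
    only the first service alternative is enforced, so a client that targets a
    later alternative is rejected. False is the spec behaviour (any match)."""
    matches = compatible_alternatives(service_xml, client_xml)
    return (0 in matches) if first_alternative_only else bool(matches)


if __name__ == "__main__":
    svc = service_policy("AsymmetricBinding", "TransportBinding")
    print("service alternatives:", alternative_vocabularies(svc))
    for name in ("AsymmetricBinding", "TransportBinding"):
        c = client_policy(name)
        print(name, "matches", compatible_alternatives(svc, c),
              "first-only:", accepted(svc, c, True), "spec:", accepted(svc, c, False))
```

Running it shows the service policy normalizes to two alternatives, {AsymmetricBinding, RampartConfig} and {TransportBinding, RampartConfig}; the transport client matches only the second, which is exactly the one a first-alternative-only engine never consults, and swapping the binding order in the service policy moves the failure to the other client, as reported in the thread. The workaround in Nandana's reply, one binding per alternative, amounts to giving each client a service policy with a single alternative, so this ordering dependence disappears.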

