From: Thomas Fielenbach
Date: Thu, 24 Feb 2011 14:30:56 +0100
To: Thilina Mahesh Buddhika
CC: "java-user@axis.apache.org"
Subject: Re: Loading external WSS Policy by Rampart
Message-ID: <4D665D90.3070404@fb5.uni-siegen.de>
References: <4D6641F3.5000903@fb5.uni-siegen.de>
Mailing-List: java-user@axis.apache.org

On 24.02.2011 13:57, Thilina Mahesh Buddhika wrote:
Do you see any errors during the service deployment when an external policy reference is used?

I guess, the policy is not properly attached to the service which is the most probable reason for the Must Understand check failed error.

Thanks,
Thilina

On Thu, Feb 24, 2011 at 5:03 PM, Thomas Fielenbach <fielenbach@fb5.uni-siegen.de> wrote:
Hi all,

Currently I'm working on securing messages with rampart. Therefore I just add Username/Pass/Timestamp in a policy. This all works fine (at client and at server-side) using a code-first approach and defining the policy as well as the rampart-config in the services.xml.
services.xml (partially):
<service name="UserNameTokenService">
    <parameter name="ServiceClass" locked="false">unt.UserNameToken</parameter>
    <operation name="add">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" />
    </operation>
    <module ref="rampart" />
    <wsp:Policy wsu:Id="UsernameTokenOverHTTP"
    ...
                <sp:SignedSupportingTokens
                    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:UsernameToken
                            sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
                    </wsp:Policy>
                </sp:SignedSupportingTokens>
                <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                    <ramp:passwordCallbackClass>unt.PWCBHandler</ramp:passwordCallbackClass>
                </ramp:RampartConfig>
            </wsp:All>
    ...

When I want to use contract first and load a policy document from an external source (e.g. http://ip:port/axis2/external-policy.xml), the Axis2-framework responds with
"Exception in thread "main" org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
    at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:446)
..."

The (relevant) part of the WSDL:
<wsdl:portType name="UserNameTokenExternalPolicyServicePortType">
    <wsdl:operation name="add">
        <wsdl:input message="ns:addRequest" wsaw:Action="urn:add">
        </wsdl:input>
        <wsdl:output message="ns:addResponse" wsaw:Action="urn:addResponse">
        </wsdl:output>
    </wsdl:operation>
    <wsp:PolicyReference URI="http://localhost:7080/axis2/external-policy.xml#TS_AUTH-UNT-PASS" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>
</wsdl:portType>

The services.xml is the same as above, but the wss-policy is deleted. I have tried to define the rampart-config 1) in the services.xml 2) in the external-policy.xml, but both times the error stated above occurs.

Tracking the request with TCPMon shows that the client sends a valid request to the server.

Is it generally possible to use references to policies with rampart? If so, how do I have to change my code for that?

Thanks in advance & Best regards


--
Thilina Mahesh Buddhika
http://blog.thilinamb.com

Hi,

There is no error occurring during deployment. Web Service is available, rampart is engaged as module and there are no exceptions during deployment (AXIS2 as webapp in a tomcat).

That's the question. Is axis2/rampart capable of reading an external policy (here available in the tomcat)? In my wsdl the policy is bound to the portType with: <wsp:PolicyReference URI="http://localhost:7080/axis2/external-policy.xml#TS_AUTH-UNT-PASS" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>

Moreover there is the question where/how I have to define the rampart-configs? Normally this would be placed directly in the policy defined in the services.xml but maybe that's not a feasible approach if the policy is placed externally.

Best regards
Thomas

-- 
*************************
Universität Siegen
Institut: Wirtschaftsinformatik, Bereich: IT-Sicherheit
Hölderlinstr. 3
57068 Siegen

Raum: H-C 8329/3
Tel.: +49-271-740-3041
Fax: +49-271-740-3444
Mail: fielenbach@fb5.uni-siegen.de

Web: http://www.uni-siegen.de/fb5/itsec/index.html?lang=de
*************************
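
A deployment-time check for the setup described in this message, as an added example that is not part of the original thread or of Axis2/Rampart: it lists each wsp:PolicyReference in a WSDL and reports whether the referenced wsu:Id exists in the target document. The function names, the finding labels and the `documents` map (a stand-in for fetching the URL) are assumptions, and the sample XML is constructed around the URI quoted above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urldefrag, urlsplit

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"  # namespace used in the post
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed samples (not the poster's real files), built around the quoted URI.
REF_URI = "http://localhost:7080/axis2/external-policy.xml#TS_AUTH-UNT-PASS"
SAMPLE_WSDL = f"""<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="{WSP}">
  <wsdl:portType name="UserNameTokenExternalPolicyServicePortType">
    <wsp:PolicyReference URI="{REF_URI}"/>
  </wsdl:portType>
</wsdl:definitions>"""
SAMPLE_POLICY = (f'<wsp:Policy xmlns:wsp="{WSP}" xmlns:wsu="{WSU}" '
                 'wsu:Id="TS_AUTH-UNT-PASS"/>')


def policy_ids(xml_text):
    """Return the wsu:Id value of every wsp:Policy element in a document."""
    root = ET.fromstring(xml_text)
    return {p.get(f"{{{WSU}}}Id") for p in root.iter(f"{{{WSP}}}Policy")} - {None}


def audit_policy_references(wsdl_text, documents):
    """Return [(uri, findings)]; documents maps URL -> XML text (offline fetch)."""
    results = []
    local_ids = policy_ids(wsdl_text)
    for ref in ET.fromstring(wsdl_text).iter(f"{{{WSP}}}PolicyReference"):
        uri = ref.get("URI", "")
        doc_url, fragment = urldefrag(uri)
        findings = []
        if not doc_url:  # "#id": the policy must be embedded in the WSDL itself
            if fragment not in local_ids:
                findings.append("no-local-policy-with-this-id")
        else:
            findings.append("external-document")
            if urlsplit(doc_url).scheme != "https":
                findings.append("fetched-without-tls")
            body = documents.get(doc_url)
            if body is None:
                findings.append("document-unavailable")
            elif fragment not in policy_ids(body):
                findings.append("no-policy-with-this-id")
        results.append((uri, findings))
    return results


if __name__ == "__main__":
    docs = {REF_URI.split("#")[0]: SAMPLE_POLICY}
    print(audit_policy_references(SAMPLE_WSDL, docs))
```

A reference that ends in `document-unavailable` or `no-policy-with-this-id` names a policy that cannot be found at the stated location, which is worth ruling out before looking at where the rampart-config belongs.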