axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Philippe A." <futhar...@gmail.com>
Subject Re: [rampart 1.5.2] SignedEncryptedSupportingTokens -> Unexpected signature
Date Wed, 25 Apr 2012 14:17:17 GMT
I have been able to put sp:UsernameToken inside
sp:SignedEncryptedSupportingTokens. I do not know what I did wrong
initially.

Here's what I have now.

          <sp:SignedEncryptedSupportingTokens>
            <wsp:Policy>
              <sp:UsernameToken sp:IncludeToken="
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
"/>
            </wsp:Policy>
          </sp:SignedEncryptedSupportingTokens>

This is with Axis 1.5.6 + Rampart 1.5.2.

2012/4/18 Philippe A. <futhark77@gmail.com>

>
>
> 2012/4/17 Philippe A. <futhark77@gmail.com>
>
> Hello,
>>
>> I am writing a web service and a corresponding client. If I put my
>> username token inside a SignedEncryptedSupportingTokens assertion, the
>> server will systematically produce an exception upon receiving requests.:
>>
>> org.apache.axis2.AxisFault: Unexpected signature
>>         at
>> org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
>>         at
>> org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
>>         at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
>>         at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:254)
>>         at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)
>>         at
>> org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:173)
>>         at
>> org.apache.axis2.transport.http.HTTPWorker.service(HTTPWorker.java:266)
>>         at
>> org.apache.axis2.transport.http.server.AxisHttpService.doService(AxisHttpService.java:281)
>>         at
>> org.apache.axis2.transport.http.server.AxisHttpService.handleRequest(AxisHttpService.java:187)
>>         at
>> org.apache.axis2.transport.http.server.HttpServiceProcessor.run(HttpServiceProcessor.java:82)
>>         at
>> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>>         at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>>         at java.lang.Thread.run(Thread.java:662)
>> Caused by: org.apache.rampart.RampartException: Unexpected signature
>>         at
>> org.apache.rampart.PolicyBasedResultsValidator.validateEncrSig(PolicyBasedResultsValidator.java:226)
>>         at
>> org.apache.rampart.PolicyBasedResultsValidator.validate(PolicyBasedResultsValidator.java:132)
>>         at
>> org.apache.rampart.RampartEngine.process(RampartEngine.java:308)
>>         at
>> org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>>         ... 11 more
>>
>> Since Rampart seems to be always encrypting the username token, I decided
>> to use SignedSupportingTokens for now. But I don't really like doing that
>> as I feel my policy risks not producing the desired result if I change
>> client technology.
>>
>> This is with rampart 1.5.2 + axis 1.5.6.
>>
>
> The ws-securitypolicy 1.2 standard seem to allow the username token to be
> encrypted even if it is listed as a sp:SupportingToken.
>
> 760 When the UsernameToken is to be encrypted it SHOULD be listed as a
> 761 SignedEncryptedSupportingToken (Section 8.5),
> EndorsingEncryptedSupportingToken (Section 8.6) or
> 762 SignedEndorsingEncryptedSupportingToken (Section 8.7).
>
> 3807 3. A wsse:UsernameToken may be encrypted when a transport binding is
> not being used
> 3808 (Section 5.3.1).
>
> However, I strongly believe that listing the username token under
> sp:SignedEncryptedSupportingToken should not fault.
>
> --
> Philippe
>
>


-- 
Philippe

Mime
View raw message