Posted to rampart-c-dev@ws.apache.org by "Dave Meier (JIRA)" <ji...@apache.org> on 2008/02/29 01:45:52 UTC

[jira] Commented: (RAMPARTC-76) Username token should default inclusion to empty string, and treat an empty IncludeToken attribute to mean the token is optional

    [ https://issues.apache.org/jira/browse/RAMPARTC-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573534#action_12573534 ] 

Dave Meier commented on RAMPARTC-76:
------------------------------------

According to the spec, if IncludeToken is not provided it should default to Always, so I'm wrong about that.

The spec also shows how to OR things together in the policy, but when I tried that in rampart/c it didn't work.  Here's what I tried (showing just the SignedSupportingTokens):

        <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <wsp:ExactlyOne>
              <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
              <sp:SamlToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
            </wsp:ExactlyOne>
          </wsp:Policy>
        </sp:SignedSupportingTokens>

This should accept either UsernameToken or SamlToken.

Thanks,

-Dave.

> Username token should default inclusion to empty string, and treat an empty IncludeToken attribute to mean the token is optional
> --------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RAMPARTC-76
>                 URL: https://issues.apache.org/jira/browse/RAMPARTC-76
>             Project: Rampart/C
>          Issue Type: Bug
>          Components: Rampart-core
>    Affects Versions: Current
>         Environment: Windows XP
>            Reporter: Dave Meier
>            Assignee: Ruchith Udayanga Fernando
>            Priority: Critical
>         Attachments: rampart_sec_header_processor_diff.txt, ut_c_diff.txt
>
>
> I want to specify a policy that has no IncludeToken attribute.  Since IncludeToken is optional, it must be allowed to be unspecified.
> The following is how I specify UsernameToken in my services.xml file:
> <sp:UsernameToken/>
> I want that to indicate that the UsernameToken itself is optional.  I have a use case where I want either a saml assertion or a username token, so I have to handle the case where Username token is not there.  Rampart does not complain when I leave out the saml assertion and put in the username token, but it does complain when I have only the saml assertion and no username token.
> Here is the full policy I have defined in services.xml:
>   <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:InitiatorToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                   <wsp:Policy>
>                     <sp:WssX509V3Token10/>
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:InitiatorToken>
>             <sp:RecipientToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                   <wsp:Policy>
>                     <sp:WssX509V3Token10/>
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:RecipientToken>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict/>
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp/>
>           </wsp:Policy>
>         </sp:AsymmetricBinding>
>         <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>             <sp:RequestSecurityTokenTemplate xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
>               <wst:TokenType>oasis:names:tc:SAML:1.0:assertion</wst:TokenType>
>               <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
>             </sp:RequestSecurityTokenTemplate>
>           </sp:IssuedToken>
>           <sp:UsernameToken/>
>         </wsp:Policy>
>         </sp:SignedSupportingTokens>
>         <rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
>             <rampc:TimeToLive>360</rampc:TimeToLive>
>             <rampc:PasswordType>plainText</rampc:PasswordType>
>             <rampc:AuthnModuleName>F:/TeamTrack701/software/contrib/axis2c/Win32Debug/lib/aeaxisauth.dll</rampc:AuthnModuleName>
>         </rampc:RampartConfig>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
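
A sketch of the policy semantics discussed in this thread, added here as an example and not taken from Rampart/C or from the poster: it normalizes a SignedSupportingTokens policy into alternatives, applies the Always default when IncludeToken is absent, and shows that a bare `<sp:UsernameToken/>` listed beside another token still makes both required, while `wsp:ExactlyOne` yields two alternatives. The function names, the "presented tokens" model and the two sample policies are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from itertools import product

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
INCLUDE_ATTR = f"{{{SP}}}IncludeToken"
DEFAULT_INCLUDE = SP + "/IncludeToken/Always"  # applied when the attribute is absent

def alternatives(node):
    """Normalize a policy subtree into a list of alternatives,
    each a frozenset of (token name, IncludeToken value)."""
    if node.tag == f"{{{WSP}}}ExactlyOne":  # OR: every child adds its own alternatives
        return [alt for child in node for alt in alternatives(child)]
    if node.tag in (f"{{{WSP}}}Policy", f"{{{WSP}}}All"):  # AND: combine the children
        return [frozenset().union(*combo)
                for combo in product(*(alternatives(c) for c in node))]
    # Any other element is treated as a token assertion; nested content is ignored.
    return [frozenset({(node.tag.split("}")[1], node.get(INCLUDE_ATTR, DEFAULT_INCLUDE))})]

def supporting_alternatives(xml_text):
    root = ET.fromstring(xml_text)  # expects an sp:SignedSupportingTokens element
    return alternatives(root.find(f"{{{WSP}}}Policy"))

def accepts(xml_text, presented):
    """True if some alternative has all of its non-Never tokens in `presented`."""
    for alt in supporting_alternatives(xml_text):
        required = {name for name, inc in alt if not inc.endswith("/IncludeToken/Never")}
        if required <= set(presented):
            return True
    return False

# Constructed inputs modelled on the two policies in this thread; xmlns:wsp is
# declared locally because the fragments are parsed on their own.
NS = f'xmlns:sp="{SP}" xmlns:wsp="{WSP}"'
TO_RECIPIENT = SP + "/IncludeToken/AlwaysToRecipient"
BOTH_REQUIRED = f"""<sp:SignedSupportingTokens {NS}><wsp:Policy>
  <sp:IssuedToken sp:IncludeToken="{TO_RECIPIENT}"/>
  <sp:UsernameToken/>
</wsp:Policy></sp:SignedSupportingTokens>"""
EITHER = f"""<sp:SignedSupportingTokens {NS}><wsp:Policy><wsp:ExactlyOne>
  <sp:UsernameToken sp:IncludeToken="{TO_RECIPIENT}"/>
  <sp:SamlToken sp:IncludeToken="{TO_RECIPIENT}"/>
</wsp:ExactlyOne></wsp:Policy></sp:SignedSupportingTokens>"""

if __name__ == "__main__":
    for label, policy in (("both required", BOTH_REQUIRED), ("either", EITHER)):
        for tokens in ({"UsernameToken"}, {"IssuedToken"}, {"SamlToken"}):
            print(label, sorted(tokens), accepts(policy, tokens))
```
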
