Posted to user@synapse.apache.org by Jeff Davis <jd...@idalica.com> on 2008/06/11 21:16:25 UTC

Question on engaging security for UserNameToken style policy

Hi everyone,

Example 200 shows how to engage security on a proxy that uses an x509-style
policy. That works great. However, I am trying to instead use the UsernameToken
style with the following policy:

<wsp:Policy wsu:Id="UTOverTransport"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:passwordCallbackClass>samples.userguide.PWCallback</ramp:passwordCallbackClass>
        <ramp:user>alice</ramp:user>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

My inbound SOAP message looks like:

<soapenv:Envelope xmlns:hel="http://helloworld"
                  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1"
                     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-14134009"
                             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>alice</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <hel:getGreetings>
         <hel:name>Hi!</hel:name>
      </hel:getGreetings>
   </soapenv:Body>
</soapenv:Envelope>

However, I always get a SOAP fault with a description of: InvalidSecurity

I think my policy file is okay, because when I use it for engaging security on an
outbound message, it works fine (i.e., it adds the WS-Security header).

Any ideas?

jeff
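The policy above is named UTOverTransport, yet nothing in it pins the transport: there is no sp:TransportBinding, so the PasswordText token it produces is only protected if the deployment happens to terminate TLS in front of the proxy. The following is an added example (not code from the thread, Synapse or Rampart) that lints a WS-SecurityPolicy 1.2 document for exactly that gap. The namespace constants are the real ones from the policy; `lint_policy` is a hypothetical helper name; the hardened policy is constructed here to show what the lint accepts, and whether a given Rampart release honours sp:HashPassword must be checked against its own documentation.

```python
import xml.etree.ElementTree as ET

# Namespaces as used in the policy quoted in the thread.
WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
INCLUDE_ALWAYS = SP_NS + "/IncludeToken/AlwaysToRecipient"


def _q(ns, local):
    return "{%s}%s" % (ns, local)


def lint_policy(xml_text):
    """Return findings about how a UsernameToken policy protects the password
    on the wire (hypothetical helper, not Rampart's own validation)."""
    root = ET.fromstring(xml_text)
    policy_id = root.get(_q(WSU_NS, "Id"), "<no wsu:Id>")
    findings = []
    # Does any TransportBinding pin the transport to HTTPS?
    https_required = any(
        tb.find(".//" + _q(SP_NS, "HttpsToken")) is not None
        for tb in root.iter(_q(SP_NS, "TransportBinding")))
    for ut in root.iter(_q(SP_NS, "UsernameToken")):
        # WS-SecurityPolicy 1.2 nests sp:HashPassword inside the token's own
        # wsp:Policy to demand PasswordDigest; without it the token is clear text.
        hashed = ut.find(".//" + _q(SP_NS, "HashPassword")) is not None
        if https_required:
            continue
        if hashed:
            findings.append("%s: UsernameToken uses PasswordDigest but no "
                            "TransportBinding/HttpsToken is present; the digest "
                            "is exposed to offline guessing" % policy_id)
        else:
            findings.append("%s: UsernameToken sends the password in clear text "
                            "(PasswordText) and no TransportBinding/HttpsToken is "
                            "present, so nothing in the policy forces TLS" % policy_id)
    return findings


# The policy from the thread, verbatim apart from whitespace.
PAGE_POLICY = """<wsp:Policy wsu:Id="UTOverTransport" xmlns:wsu="%s" xmlns:wsp="%s">
  <wsp:ExactlyOne><wsp:All>
    <sp:SignedSupportingTokens xmlns:sp="%s">
      <wsp:Policy><sp:UsernameToken sp:IncludeToken="%s"/></wsp:Policy>
    </sp:SignedSupportingTokens>
    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
      <ramp:passwordCallbackClass>samples.userguide.PWCallback</ramp:passwordCallbackClass>
      <ramp:user>alice</ramp:user>
    </ramp:RampartConfig>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>""" % (WSU_NS, WSP_NS, SP_NS, INCLUDE_ALWAYS)

# Constructed variant: HTTPS transport binding plus a hashed password.
HARDENED_POLICY = """<wsp:Policy wsu:Id="UTOverHttps" xmlns:wsu="%s" xmlns:wsp="%s" xmlns:sp="%s">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy></sp:TransportBinding>
    <sp:SignedSupportingTokens><wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="%s">
        <wsp:Policy><sp:HashPassword/></wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy></sp:SignedSupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>""" % (WSU_NS, WSP_NS, SP_NS, INCLUDE_ALWAYS)

if __name__ == "__main__":
    for name, doc in (("thread policy", PAGE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(doc) or ["no findings"])
```

Run as a script it reports one finding for the thread's policy and none for the hardened one. The lint only reads the policy; it says nothing about whether the HTTP listener in front of Synapse actually speaks TLS, which is the other half of the check.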

Re: Question on engaging security for UserNameToken style policy

Posted by Jeff Davis <jd...@idalica.com>.
Thanks for looking into this!

Turns out my issue was related to that WS-Addressing matter we talked about
a few days back. Namely, the security implementation for Synapse requires
WS-Addressing, but the client tool I was using was not adding it. This
resulted in the InvalidSecurity error (not sure why that was the error
message). You can see this for yourself by trying the policy I referenced
earlier in this thread with example 200, then removing the wsa:MessageID and
wsa:Action headers.

Regards,

jeff

On Wed, Jun 11, 2008 at 10:26 PM, Nandana Mihindukulasooriya <
nandana.cse@gmail.com> wrote:


Re: Question on engaging security for UserNameToken style policy

Posted by Ruwan Linton <ru...@gmail.com>.
OK Nandana, thanks a lot.

Jeff,

Can you please attach the debug log of synapse, so that I can find what went
wrong.

BTW: I tried this policy with sample 200 and it worked just fine for me.

Thanks,
Ruwan

On Thu, Jun 12, 2008 at 10:56 AM, Nandana Mihindukulasooriya <
nandana.cse@gmail.com> wrote:




-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"

Re: Question on engaging security for UserNameToken style policy

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Ruwan,
          The policy looks okay. This policy is not recommended when we
consider the security aspects, as you can see the clear text password is
going over the wire in an unsecured transport, but this should work. I
checked this policy with Axis2 1.4 / Rampart 1.4 and it worked fine for me.

Jeff,
     What is the error you are getting at the server side ?

thanks,
nandana

On Thu, Jun 12, 2008 at 10:35 AM, Ruwan Linton <ru...@gmail.com>
wrote:




-- 
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/
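Two things in this thread are worth checking mechanically on the receiving side: Nandana's point that the token carries the password in clear text (PasswordText), and Jeff's finding that the security module faults when the wsa:Action and wsa:MessageID headers are absent. The following is an added example (not code from the thread, Synapse or Rampart) that parses an inbound envelope, reports both conditions, and verifies either a PasswordText or a PasswordDigest token against a credential store. The WS-Security namespaces and the sample message are the ones from the thread; the WS-Addressing namespaces, the `CREDENTIALS` dictionary, the nonce and the helper names are assumptions made for the example, and the digest computation follows the UsernameToken Profile 1.0 formula Base64(SHA-1(nonce + created + password)).

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespaces exactly as they appear in the message quoted in the thread.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
UTP_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-username-token-profile-1.0")
PASSWORD_TEXT = UTP_NS + "#PasswordText"
PASSWORD_DIGEST = UTP_NS + "#PasswordDigest"
# Assumption: accept the W3C final or the 2004/08 submission WS-Addressing namespace.
WSA_NAMESPACES = ("http://www.w3.org/2005/08/addressing",
                  "http://schemas.xmlsoap.org/ws/2004/08/addressing")
CREDENTIALS = {"alice": "password"}  # constructed stand-in for PWCallback
SAMPLE_NONCE = base64.b64encode(b"constructed-nonce-16").decode()  # constructed


def _q(ns, local):
    return "{%s}%s" % (ns, local)


def password_digest(nonce_b64, created, password):
    # UsernameToken Profile 1.0: Base64(SHA-1(nonce || created || password)),
    # where the nonce enters as its decoded bytes, not as base64 text.
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def inspect_envelope(xml_text, transport_is_tls):
    """Report what a gateway should know before honouring the UsernameToken
    (hypothetical helper; it does not reproduce Rampart's own processing)."""
    result = {"password_type": None, "credentials_verified": False, "findings": []}
    findings = result["findings"]
    header = ET.fromstring(xml_text).find(_q(SOAP_NS, "Header"))
    if header is None:
        findings.append("no SOAP Header present")
        return result
    # The thread's resolution: the security module expects WS-Addressing headers.
    for local in ("Action", "MessageID"):
        if all(header.find(_q(ns, local)) is None for ns in WSA_NAMESPACES):
            findings.append("missing wsa:%s header" % local)
    sec = header.find(_q(WSSE_NS, "Security"))
    ut = sec.find(_q(WSSE_NS, "UsernameToken")) if sec is not None else None
    pw = ut.find(_q(WSSE_NS, "Password")) if ut is not None else None
    if pw is None:
        findings.append("no wsse:Security/wsse:UsernameToken/wsse:Password")
        return result
    expected = CREDENTIALS.get(ut.findtext(_q(WSSE_NS, "Username"), ""))
    presented = pw.text or ""
    ptype = pw.get("Type", PASSWORD_TEXT)  # the profile defaults to PasswordText
    if ptype == PASSWORD_TEXT:
        result["password_type"] = "PasswordText"
        if not transport_is_tls:
            findings.append("PasswordText over a non-TLS transport exposes the password")
    elif ptype == PASSWORD_DIGEST:
        result["password_type"] = "PasswordDigest"
        nonce = ut.findtext(_q(WSSE_NS, "Nonce"))
        created = ut.findtext(_q(WSU_NS, "Created"))
        if not nonce or not created:
            findings.append("PasswordDigest without Nonce/Created cannot be verified")
            return result
        # A production check also rejects reused nonces and stale Created values.
        expected = password_digest(nonce, created, expected) if expected else None
    else:
        findings.append("unrecognised Password Type %s" % ptype)
        return result
    result["credentials_verified"] = bool(
        expected is not None
        and hmac.compare_digest(presented.encode(), expected.encode()))
    return result


def build_digest_envelope(username, password, nonce_b64, created):
    """Constructed sample: PasswordDigest token plus the WS-Addressing headers."""
    return """<soapenv:Envelope xmlns:soapenv="%s" xmlns:wsa="%s" xmlns:wsse="%s" xmlns:wsu="%s">
  <soapenv:Header>
    <wsa:Action>urn:getGreetings</wsa:Action>
    <wsa:MessageID>urn:uuid:constructed-message-id</wsa:MessageID>
    <wsse:Security soapenv:mustUnderstand="1"><wsse:UsernameToken>
      <wsse:Username>%s</wsse:Username>
      <wsse:Password Type="%s">%s</wsse:Password>
      <wsse:Nonce>%s</wsse:Nonce><wsu:Created>%s</wsu:Created>
    </wsse:UsernameToken></wsse:Security>
  </soapenv:Header>
  <soapenv:Body><getGreetings xmlns="http://helloworld"><name>Hi!</name></getGreetings></soapenv:Body>
</soapenv:Envelope>""" % (SOAP_NS, WSA_NAMESPACES[0], WSSE_NS, WSU_NS, username, PASSWORD_DIGEST,
                          password_digest(nonce_b64, created, password), nonce_b64, created)


# The inbound message from the thread: PasswordText and no WS-Addressing headers.
PAGE_ENVELOPE = """<soapenv:Envelope xmlns:hel="http://helloworld" xmlns:soapenv="%s">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="%s">
      <wsse:UsernameToken wsu:Id="UsernameToken-14134009" xmlns:wsu="%s">
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="%s">password</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><hel:getGreetings><hel:name>Hi!</hel:name></hel:getGreetings></soapenv:Body>
</soapenv:Envelope>""" % (SOAP_NS, WSSE_NS, WSU_NS, PASSWORD_TEXT)
```

For the thread's message `inspect_envelope(PAGE_ENVELOPE, transport_is_tls=False)` verifies alice's credentials but reports the two missing WS-Addressing headers and the clear-text password; a message from `build_digest_envelope` with the right password and the headers present verifies with no findings, and a wrong password fails the constant-time comparison.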

Re: Question on engaging security for UserNameToken style policy

Posted by Ruwan Linton <ru...@gmail.com>.
Hi Jeff,

Let's first get this policy validated by one of the security experts :-)

Nandana, can you please help us on this?

Thanks,
Ruwan

On Thu, Jun 12, 2008 at 12:46 AM, Jeff Davis <jd...@idalica.com> wrote:




-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"