Posted to wss4j-dev@ws.apache.org by Ric Emery <re...@us.axway.com> on 2007/03/29 20:09:21 UTC
WSS encryption using policy.xml
Could someone point me at an example policy.xml that configures WSS
Encryption only (no signature). Preferably a policy file that works with
Rampart. I have tried to build one myself, but I am not having much luck.
Thanks in advance,
ric
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: WSS encryption using policy.xml
Posted by Ric Emery <re...@us.axway.com>.
I tried using a policy.xml that did not contain any signed parts. Looking at
the Rampart code led me to believe that Rampart cannot perform
encryption-only using a policy file for configuration.
I opened a bug in jira - issue RAMPART-31 - and included a modification to
AsymmetricBindingBuilder.java that addresses the issue.
-ric
On 4/23/07 1:53 PM, "Dennis Sosnoski" <dm...@sosnoski.com> wrote:
> FWIW I had similar problems trying to do encryption-only with Rampart. I
> stripped out all <sp:SignedParts> from the policy.xml, along with
> <sp:IncludeTimestamp/> and <sp:OnlySignEntireHeadersAndBody/>, and the
> <ramp:signatureCrypto>, but Rampart apparently still tries to do signing
> (and throws an exception in the process). Here's the exception I get:
>
> [java] java.lang.NullPointerException
> [java]     at org.apache.rampart.util.RampartUtil.addWsuIdToElement(RampartUtil.java:463)
> [java]     at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:277)
> [java]     at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:85)
> [java]     at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:129)
> [java]     at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:59)
> [java]     at org.apache.axis2.engine.Phase.invoke(Phase.java:382)
> ...
>
> I'm attaching the actual policy file, based on the Rampart sample for
> signing+encryption+timestamps. This is using Rampart 1.1 with Axis2 1.1.1.
>
> - Dennis
>
> Dennis M. Sosnoski
> SOA and Web Services in Java
> Training and Consulting
> http://www.sosnoski.com - http://www.sosnoski.co.nz
> Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
>
>
> Ruchith Fernando wrote:
>> Please try specifying only the <EncryptedParts> assertion *without*
>> the <SignatureParts> assertion.
>>
>> Thanks,
>> Ruchith
>>
>> On 3/29/07, Ric Emery <re...@us.axway.com> wrote:
>>>
>>> Could someone point me at an example policy.xml that configures WSS
>>> Encryption only (no signature). Preferably a policy file that works with
>>> Rampart. I have tried to build one myself, but I am not having much
>>> luck.
>>>
>>> Thanks in advance,
>>> ric
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>>> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>>>
>>>
>>
>>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
> !
> ! Copyright 2006 The Apache Software Foundation.
> !
> ! Licensed under the Apache License, Version 2.0 (the "License");
> ! you may not use this file except in compliance with the License.
> ! You may obtain a copy of the License at
> !
> ! http://www.apache.org/licenses/LICENSE-2.0
> !
> ! Unless required by applicable law or agreed to in writing, software
> ! distributed under the License is distributed on an "AS IS" BASIS,
> ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> ! See the License for the specific language governing permissions and
> ! limitations under the License.
> !-->
> <wsp:Policy wsu:Id="Encr"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:TripleDesRsa15/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict/>
>             </wsp:Policy>
>           </sp:Layout>
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier/>
>           <sp:MustSupportRefIssuerSerial/>
>         </wsp:Policy>
>       </sp:Wss10>
>       <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body/>
>       </sp:EncryptedParts>
>
>       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>         <ramp:user>client</ramp:user>
>         <ramp:encryptionUser>service</ramp:encryptionUser>
>         <ramp:passwordCallbackClass>com.sosnoski.seismic.adb.PWCBHandler</ramp:passwordCallbackClass>
>
>         <ramp:encryptionCypto>
>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>           </ramp:crypto>
>         </ramp:encryptionCypto>
>       </ramp:RampartConfig>
>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
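The thread narrows an encryption-only Rampart policy down to one shape: an sp:EncryptedParts assertion, none of the signing assertions Dennis stripped (SignedParts, IncludeTimestamp, OnlySignEntireHeadersAndBody), and a RampartConfig with an encryptionUser and a keystore. The lint below checks a policy.xml for exactly that shape and also reports what the chosen algorithm suite implies; it is an added example, not code from the mail or from Rampart. The namespace URIs are the ones in the quoted policy, and SAMPLE_POLICY is a constructed abbreviation of it.

```python
import xml.etree.ElementTree as ET
# Namespace URIs exactly as used in the policy quoted in the thread.
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
RAMP = "http://ws.apache.org/rampart/policy"
# Assertions that only make sense when Rampart is expected to sign.
SIGNING = ("SignedParts", "SignedElements", "IncludeTimestamp", "OnlySignEntireHeadersAndBody")


def lint_encrypt_only(policy_xml):
    """Return findings for a policy that is meant to be encryption-only."""
    root = ET.fromstring(policy_xml)
    findings = []
    if root.find(f".//{{{SP}}}EncryptedParts") is None:
        findings.append("no sp:EncryptedParts: nothing will be encrypted")
    for name in SIGNING:
        if root.find(f".//{{{SP}}}{name}") is not None:
            findings.append(f"sp:{name} present: this asks Rampart to sign")
    cfg = root.find(f".//{{{RAMP}}}RampartConfig")
    if cfg is None:
        findings.append("no ramp:RampartConfig: no keystore or users configured")
    else:
        # Rampart spells this element 'encryptionCypto', as in the quoted policy.
        for child in ("encryptionUser", "encryptionCypto"):
            if cfg.find(f"{{{RAMP}}}{child}") is None:
                findings.append(f"ramp:{child} missing: encryption cannot be set up")
    # The suite is the single sp:* element nested under sp:AlgorithmSuite/wsp:Policy.
    alg = root.find(f".//{{{SP}}}AlgorithmSuite")
    leaves = [] if alg is None else [e.tag.split("}")[1] for e in alg.iter()
                                     if e is not alg and e.tag.startswith("{" + SP + "}")]
    if not leaves:
        findings.append("no sp:AlgorithmSuite: Rampart cannot pick algorithms")
    else:
        suite = leaves[0]
        if suite.endswith("Rsa15"):  # the suffix selects RSA PKCS#1 v1.5 key transport
            findings.append(f"{suite}: RSA-1.5 key transport; {suite[:-5]} uses RSA-OAEP")
        if suite.startswith("TripleDes"):
            findings.append(f"{suite}: 3DES body encryption; Basic128/Basic256 use AES")
    # Encryption without a signature gives confidentiality only: the service
    # cannot check who produced the request or whether it was altered in transit.
    if root.find(f".//{{{SP}}}SignedParts") is None:
        findings.append("no signature: integrity and sender authentication are absent")
    return findings


# Constructed sample: an abbreviated copy of the thread's encryption-only policy.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="{SP}" xmlns:ramp="{RAMP}"><wsp:ExactlyOne><wsp:All>
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:AlgorithmSuite><wsp:Policy><sp:TripleDesRsa15/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  <ramp:RampartConfig><ramp:encryptionUser>service</ramp:encryptionUser>
    <ramp:encryptionCypto><ramp:crypto provider="Merlin"/></ramp:encryptionCypto>
  </ramp:RampartConfig>
</wsp:All></wsp:ExactlyOne></wsp:Policy>"""
```

Run against the quoted policy, the lint reports nothing structural, only the legacy algorithm suite and the absence of message-level integrity that encryption-only implies.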
Re: WSS encryption using policy.xml
Posted by Dennis Sosnoski <dm...@sosnoski.com>.
FWIW I had similar problems trying to do encryption-only with Rampart. I
stripped out all <sp:SignedParts> from the policy.xml, along with
<sp:IncludeTimestamp/> and <sp:OnlySignEntireHeadersAndBody/>, and the
<ramp:signatureCrypto>, but Rampart apparently still tries to do signing
(and throws an exception in the process). Here's the exception I get:
[java] java.lang.NullPointerException
[java]     at org.apache.rampart.util.RampartUtil.addWsuIdToElement(RampartUtil.java:463)
[java]     at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:277)
[java]     at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:85)
[java]     at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:129)
[java]     at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:59)
[java]     at org.apache.axis2.engine.Phase.invoke(Phase.java:382)
...
I'm attaching the actual policy file, based on the Rampart sample for
signing+encryption+timestamps. This is using Rampart 1.1 with Axis2 1.1.1.
- Dennis
Dennis M. Sosnoski
SOA and Web Services in Java
Training and Consulting
http://www.sosnoski.com - http://www.sosnoski.co.nz
Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
Ruchith Fernando wrote:
> Please try specifying only the <EncryptedParts> assertion *without*
> the <SignatureParts> assertion.
>
> Thanks,
> Ruchith
>
> On 3/29/07, Ric Emery <re...@us.axway.com> wrote:
>>
>> Could someone point me at an example policy.xml that configures WSS
>> Encryption only (no signature). Preferably a policy file that works with
>> Rampart. I have tried to build one myself, but I am not having much
>> luck.
>>
>> Thanks in advance,
>> ric
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>>
>>
>
>
Re: WSS encryption using policy.xml
Posted by Ruchith Fernando <ru...@gmail.com>.
Please try specifying only the <EncryptedParts> assertion *without*
the <SignatureParts> assertion.
Thanks,
Ruchith
On 3/29/07, Ric Emery <re...@us.axway.com> wrote:
>
> Could someone point me at an example policy.xml that configures WSS
> Encryption only (no signature). Preferably a policy file that works with
> Rampart. I have tried to build one myself, but I am not having much luck.
>
> Thanks in advance,
> ric
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>
--
www.ruchith.org
www.wso2.org