Posted to java-user@axis.apache.org by stlecho <st...@gmail.com> on 2007/06/07 09:25:12 UTC

[Rampart] Ignore Timestamp and Addressing from client

Hi,

I have configured the InflowSecurity parameter (extract included
underneath) on the server side with the "Signature" item.

One of our clients is using a C# client. The SOAP request that is received
from this client contains Timestamp and Addressing related elements. This
results in a "WSDoAllReceiver: security processing failed (actions
mismatch)" AxisFault.

Is there a way to "ignore" the Timestamp and Addressing related elements on
the server ?

Extract axis2.xml:
<parameter name="InflowSecurity">
  <action>
    <items>Signature</items>
    <signaturePropFile>interopin.properties</signaturePropFile>
    <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
    <signatureParts>{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body</signatureParts>
  </action>
</parameter>


Regards, Stefan Lecho.
-- 
View this message in context: http://www.nabble.com/-Rampart--Ignore-Timestamp-and-Addressing-from-client-tf3882252.html#a11003191
Sent from the Axis - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: [Rampart] Ignore Timestamp and Addressing from client

Posted by Ruchith Fernando <ru...@gmail.com>.
There's no way to ignore the Timestamp if it is sent. In that case you
should update Rampart configuration to expect the timestamp or fix the
client to behave correctly according to the policy expressed by the service.

Thanks,
Ruchith

On 7/10/07, Tony Dean <To...@sas.com> wrote:
> As an example suppose you want Rampart to expect and always process a UsernameToken.  You would set <action><items>UsernameToken</items></action>.  However, by default .net clients always send a Timestamp.  So even though the .net client sends a UsernameToken, a mismatch occurs because it sends a Timestamp as well.  Is there a way to configure Rampart to just ignore a Timestamp since it is not expected?  I think this is what Stefan is saying also.  Maybe this is against ws-security guidelines.  I don't know.  Thanks.


-- 
www.ruchith.org
www.wso2.org
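
Added example (not part of the original thread, and not Rampart or WSS4J code): a small Python check that lists which children of a captured request's wsse:Security header are not covered by the <items> list of the InflowSecurity parameter discussed above. The request skeleton, the element-to-action table and the function names are constructed for illustration; the comparison is by membership only and does not model any ordering rule the receiver may apply.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"

# Illustrative table: Security-header child -> action name written in <items>.
ELEMENT_TO_ACTION = {
    "{%s}Timestamp" % WSU: "Timestamp",
    "{%s}Signature" % DS: "Signature",
    "{%s}UsernameToken" % WSSE: "UsernameToken",
    "{%s}EncryptedKey" % XENC: "Encrypt",
}
# Carries key material for another element; not counted as an action here.
NOT_AN_ACTION = {"{%s}BinarySecurityToken" % WSSE}

# InflowSecurity parameter as posted in the thread.
AXIS2_PARAM = """<parameter name="InflowSecurity">
  <action>
    <items>Signature</items>
    <signaturePropFile>interopin.properties</signaturePropFile>
    <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
    <signatureParts>{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body</signatureParts>
  </action>
</parameter>"""

# Constructed request skeleton (no real signature data). The wsa:* headers
# are siblings of wsse:Security, not children, so they are never counted.
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}"
    xmlns:wsu="{WSU}" xmlns:ds="{DS}" xmlns:wsa="{WSA}">
  <soap:Header>
    <wsa:Action>urn:example:echo</wsa:Action>
    <wsa:To>http://localhost:8080/axis2/services/Example</wsa:To>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>2007-07-10T09:00:00Z</wsu:Created>
        <wsu:Expires>2007-07-10T09:05:00Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken wsu:Id="SecurityToken-1"/>
      <ds:Signature/>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body-1"/>
</soap:Envelope>"""


def configured_items(param_xml):
    """Return the action names listed in <action><items>...</items>."""
    root = ET.fromstring(param_xml)
    return (root.findtext("action/items") or "").split()


def header_actions(envelope_xml):
    """Return (actions present, unrecognised tags) for wsse:Security."""
    # Parse only captures you trust; ElementTree is not a hardened parser.
    envelope = ET.fromstring(envelope_xml)
    header = envelope.find("{%s}Header" % SOAP)
    security = None if header is None else header.find("{%s}Security" % WSSE)
    actions, unrecognised = [], []
    if security is None:
        return actions, unrecognised
    for child in security:
        if child.tag in NOT_AN_ACTION:
            continue
        name = ELEMENT_TO_ACTION.get(child.tag)
        if name is None:
            unrecognised.append(child.tag)
        elif name not in actions:
            actions.append(name)
    return actions, unrecognised


def compare(param_xml, envelope_xml):
    """Report which header actions the configuration does not expect."""
    expected = configured_items(param_xml)
    present, unrecognised = header_actions(envelope_xml)
    return {
        "expected": expected,
        "present": present,
        "unexpected": [a for a in present if a not in expected],
        "missing": [a for a in expected if a not in present],
        "unrecognised": unrecognised,
    }


if __name__ == "__main__":
    for key, value in compare(AXIS2_PARAM, SAMPLE_REQUEST).items():
        print(f"{key:13} {value}")
```

For the posted configuration and the constructed request it reports Timestamp as unexpected; with <items>Timestamp Signature</items> neither list has leftovers.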



Re: [Rampart] Ignore Timestamp and Addressing from client

Posted by Ruchith Fernando <ru...@gmail.com>.
Rampart certainly does process timestamp at
org.apache.rampart.PolicyBasedResultsValidator#verifyTimestamp()

Also WSS4J org.apache.ws.security.processor.TimestampProcessor#handleTimestamp()
verifies the timestamp before control reaches Rampart level validation.

Thanks,
Ruchith

On 7/10/07, Tony Dean <To...@sas.com> wrote:
> Rampart does not do any processing with the Timestamp information, does it?  However, you do make a valid point.  The client should not send a Timestamp if service is not expecting it.  Unfortunately, WSSE 3.0 sends one by default with a UsernameToken. ;-(


-- 
www.ruchith.org
www.wso2.org



RE: [Rampart] Ignore Timestamp and Addressing from client

Posted by Tony Dean <To...@sas.com>.
Rampart does not do any processing with the Timestamp information, does it?  However, you do make a valid point.  The client should not send a Timestamp if service is not expecting it.  Unfortunately, WSSE 3.0 sends one by default with a UsernameToken. ;-(

> -----Original Message-----
> From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com] 
> Sent: Tuesday, July 10, 2007 10:59 AM
> To: axis-user@ws.apache.org
> Subject: Re: [Rampart] Ignore Timestamp and Addressing from client
> 
> Hmm ... this is not possible with Rampart-1.0 style configuration!
> (Using configuration parameters). IMHO we must validate all 
> elements in the wsse:Security header of the incoming message 
> and I don't think it is correct to let random unknown 
> elements in. We express exactly what we expect in the 
> security header in the security policy of the service and the 
> client MUST send exactly as expected by the service.
> Otherwise it is the client's problem.
> 
> Thanks,
> Ruchith


Re: [Rampart] Ignore Timestamp and Addressing from client

Posted by Ruchith Fernando <ru...@gmail.com>.
Hmm ... this is not possible with Rampart-1.0 style configuration!
(Using configuration parameters). IMHO we must validate all elements
in the wsse:Security header of the incoming message and I don't think
it is correct to let random unknown elements in. We express exactly
what we expect in the security header in the security policy of the
service and the client MUST send exactly as expected by the service.
Otherwise it is the client's problem.

Thanks,
Ruchith

On 7/10/07, stlecho <st...@gmail.com> wrote:
>
> I completely agree with you Tony. If the client sends on top of the required
> UsernameToken some additional and unwanted information (timestamp,
> addressing, ...), Rampart should still be happy that it finds the
> UsernameToken information.
>
> Regards, Stefan.


-- 
www.ruchith.org
www.wso2.org



RE: [Rampart] Ignore Timestamp and Addressing from client

Posted by stlecho <st...@gmail.com>.
I completely agree with you Tony. If the client sends on top of the required
UsernameToken some additional and unwanted information (timestamp,
addressing, ...), Rampart should still be happy that it finds the
UsernameToken information.

Regards, Stefan.


Tony Dean wrote:
> 
> As an example suppose you want Rampart to expect and always process a
> UsernameToken.  You would set
> <action><items>UsernameToken</items></action>.  However, by default .net
> clients always send a Timestamp.  So even though the .net client sends a
> UsernameToken, a mismatch occurs because it sends a Timestamp as well.  Is
> there a way to configure Rampart to just ignore a Timestamp since it is
> not expected?  I think this is what Stefan is saying also.  Maybe this is
> against ws-security guidelines.  I don't know.  Thanks.


RE: [Rampart] Ignore Timestamp and Addressing from client

Posted by Tony Dean <To...@sas.com>.
As an example suppose you want Rampart to expect and always process a UsernameToken.  You would set <action><items>UsernameToken</items></action>.  However, by default .net clients always send a Timestamp.  So even though the .net client sends a UsernameToken, a mismatch occurs because it sends a Timestamp as well.  Is there a way to configure Rampart to just ignore a Timestamp since it is not expected?  I think this is what Stefan is saying also.  Maybe this is against ws-security guidelines.  I don't know.  Thanks.

> -----Original Message-----
> From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com] 
> Sent: Tuesday, July 10, 2007 5:37 AM
> To: axis-user@ws.apache.org
> Subject: Re: [Rampart] Ignore Timestamp and Addressing from client
> 
> The actions mismatch error occurs when you configure rampart 
> to expect security actions different to what the incoming 
> message contains. When you configure Rampart to process all 
> security operations performed on the message you will be able to
> get rid of this error.
> 
> Thanks,
> Ruchith


Re: [Rampart] Ignore Timestamp and Addressing from client

Posted by Ruchith Fernando <ru...@gmail.com>.
The actions mismatch error occurs when you configure rampart to expect
security actions different to what the incoming message contains. When
you configure Rampart to process all security operations performed on
the message you will be able to get rid of this error.

Thanks,
Ruchith

On 7/2/07, stlecho <st...@gmail.com> wrote:
>
> All,
>
> Is there a solution or workaround for this issue ?
>
> Regards, Stefan Lecho.
>


-- 
www.ruchith.org
www.wso2.org



Re: [Rampart] Ignore Timestamp and Addressing from client

Posted by stlecho <st...@gmail.com>.
All,

Is there a solution or workaround for this issue ?

Regards, Stefan Lecho.


stlecho wrote:
> 
> Hi,
> 
> I have configured the InflowSecurity parameter (extract included
> underneath) on the server side with the "Signature" item.
>
> One of our clients is using a C# client. The SOAP request that is received
> from this client contains Timestamp and Addressing related elements. This
> results in a "WSDoAllReceiver: security processing failed (actions
> mismatch)" AxisFault.
> 
> Is there a way to "ignore" the Timestamp and Addressing related elements
> on the server ?
> 
> Extract axis2.xml:
> <parameter name="InflowSecurity">
>   <action>
>     <items>Signature</items>
>     <signaturePropFile>interopin.properties</signaturePropFile>
>     <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
>     <signatureParts>{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body</signatureParts>
>   </action>
> </parameter>
> 
> 
> Regards, Stefan Lecho.
> 
