You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-dev@ws.apache.org by Bryan Field-Elliot <br...@nextalarm.com> on 2009/09/02 18:43:23 UTC
Ws-Addressing
We are using Rampart 1.5 RC (downloaded yesterday).
We have built a client, which accesses a web service hosted by .Net.
This web service uses WS-SecureConversation and WS-Addressing.
The web service is hanging on the .Net end, and the service provider
is so far befuddled as to why this is occurring.
I am comparing a sample client document emanating from Rampart,
against a sample client document that their C# code is generating (to
kick off the WS-SecureConversation), and I am noticing the following:
Rampart 1.5 is using this schema for WS-Addressing: http://schemas.xmlsoap.org/ws/2004/08/addressing
The .Net server is using this schema: http://www.w3.org/2005/08/addressing
Finally, the original WSDL file (emanating from the .Net service) also
refers to the 2005 Addressing schema rather than the 2004.
I don't know whether or not this is "the problem", I'm just
speculating. Could it be a problem? Is there a way I could coax
Rampart 1.5 to use the 2005 WS-Addressing schema rather than the '04
(particularly since the '05 schema is referenced in the original WSDL)?
Thank you,
Bryan
Re: Turning off signature checking with WS-SecureConversation
Posted by Bryan Field-Elliot <br...@nextalarm.com>.
Thank you Nandana,
I am pasting the policy below. The web service provider (who is
using .Net) is telling me to refer to section 5.1.1 of the WS-
SecurityPolicy spec (July 2005), where it says "The SignedParts
assertion ... can be satisfied using WSS:SOAP Message Security, or by
mechanisms out of scope of SOAP message security, for example by
sending the message over a secure transport protocol like HTTPS". They
are implying that since we are already over HTTPS, our client
(Rampart) should relax the SignedParts assertion. They believe that
our implementation (Rampart) should already know that we are over
HTTPS and therefore should not be enforcing the SignedParts policy.
So it seems to be a valid question, is there a way to have Rampart not
check for signatures via some configuration option? i.e.
stub._getServiceClient().getOptions.setProperty(... some option
related to message signature checking ...)?
Now, below is the complete policy as you asked, from their WSDL:
<wsp:Policy wsu:Id="WSHttpBinding_IServices_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
">
<wsp:Policy>
<sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
">
<wsp:Policy>
<sp:BootstrapPolicy>
<wsp:Policy>
<sp:SignedParts>
<sp:Body/>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing
"/>
<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing
"/>
<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing
"/>
<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing
"/>
<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing
"/>
<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing
"/>
<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing
"/>
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken
RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedSupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust10>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
</wsp:Policy>
</sp:BootstrapPolicy>
</wsp:Policy>
</sp:SecureConversationToken>
<sp:SignedParts>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing
"/>
</sp:SignedParts>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
On Sep 2, 2009, at 1:34 PM, Nandana Mihindukulasooriya wrote:
Bryan,
Whether the message should be signed or not is defined in the
policy. All
security requirements are defined in the policy. Can you please post the
security policy of your service ? By modifying the policy, you can
remove
the requirement for signature.
regards,
Nandana
On Wed, Sep 2, 2009 at 9:41 PM, Bryan Field-Elliot
<br...@nextalarm.com>wrote:
> Using Rampart 1.5, we have implemented a client which communicates
> with a
> server using WS-SecureConversation. The transport layer is https
> (SSL), and
> thus is protected. The messages received from the web service, are not
> signed. Rampart is complaining that the message is not signed
> (AxisFault:
> Message is not signed). I am told that we should be able to relax this
> requirement in Rampart (since the transport layer is encrypted), but I
> cannot find the option to do so. Can someone please direct me?
>
> I am frankly not sure if this should be addressed at the Axis2 level
> or the
> Rampart level.
>
> Thank you,
>
> Bryan
>
>
>
>
Re: Turning off signature checking with WS-SecureConversation
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Bryan,
Whether the message should be signed or not is defined in the policy. All
security requirements are defined in the policy. Can you please post the
security policy of your service ? By modifying the policy, you can remove
the requirement for signature.
regards,
Nandana
On Wed, Sep 2, 2009 at 9:41 PM, Bryan Field-Elliot <br...@nextalarm.com>wrote:
> Using Rampart 1.5, we have implemented a client which communicates with a
> server using WS-SecureConversation. The transport layer is https (SSL), and
> thus is protected. The messages received from the web service, are not
> signed. Rampart is complaining that the message is not signed (AxisFault:
> Message is not signed). I am told that we should be able to relax this
> requirement in Rampart (since the transport layer is encrypted), but I
> cannot find the option to do so. Can someone please direct me?
>
> I am frankly not sure if this should be addressed at the Axis2 level or the
> Rampart level.
>
> Thank you,
>
> Bryan
>
>
>
>
Turning off signature checking with WS-SecureConversation
Posted by Bryan Field-Elliot <br...@nextalarm.com>.
Using Rampart 1.5, we have implemented a client which communicates
with a server using WS-SecureConversation. The transport layer is
https (SSL), and thus is protected. The messages received from the web
service, are not signed. Rampart is complaining that the message is
not signed (AxisFault: Message is not signed). I am told that we
should be able to relax this requirement in Rampart (since the
transport layer is encrypted), but I cannot find the option to do so.
Can someone please direct me?
I am frankly not sure if this should be addressed at the Axis2 level
or the Rampart level.
Thank you,
Bryan
Turning off signature checking with WS-SecureConversation
Posted by Bryan Field-Elliot <br...@nextalarm.com>.
Using Rampart 1.5, we have implemented a client which communicates
with a server using WS-SecureConversation. The transport layer is
https (SSL), and thus is protected. The messages received from the web
service, are not signed. Rampart is complaining that the message is
not signed (AxisFault: Message is not signed). I am told that we
should be able to relax this requirement in Rampart (since the
transport layer is encrypted), but I cannot find the option to do so.
Can someone please direct me?
I am frankly not sure if this should be addressed at the Axis2 level
or the Rampart level.
Thank you,
Bryan
Re: Ws-Addressing
Posted by Bryan Field-Elliot <br...@nextalarm.com>.
That did it, thank you.
For future reference, it appears that a .Net web service server (or at
least this particular installation of .Net) really doesn't like it
when clients use the 2004 WS-A schema.
On Sep 2, 2009, at 10:01 AM, Nandana Mihindukulasooriya wrote:
Hi Bryan,
You can use the client options to change the addressing version.
options
.setProperty
(org.apache.axis2.addressing.AddressingConstants.WS_ADDRESSING_VERSION,
org.apache.axis2.addressing.AddressingConstants.Final.WSA_NAMESPACE);
org
.apache.axis2.addressing.AddressingConstants.Submission.WSA_NAMESPACE -
http://schemas.xmlsoap.org/ws/2004/08/addressing
org.apache.axis2.addressing.AddressingConstants.Final.WSA_NAMESPACE -
http://www.w3.org/2005/08/addressing
regards,
Nandana
On Wed, Sep 2, 2009 at 6:43 PM, Bryan Field-Elliot <
bryan+rampart@nextalarm.com <br...@nextalarm.com>> wrote:
> We are using Rampart 1.5 RC (downloaded yesterday).
>
> We have built a client, which accesses a web service hosted by .Net.
> This
> web service uses WS-SecureConversation and WS-Addressing.
>
> The web service is hanging on the .Net end, and the service provider
> is so
> far befuddled as to why this is occurring.
>
> I am comparing a sample client document emanating from Rampart,
> against a
> sample client document that their C# code is generating (to kick off
> the
> WS-SecureConversation), and I am noticing the following:
>
> Rampart 1.5 is using this schema for WS-Addressing:
> http://schemas.xmlsoap.org/ws/2004/08/addressing
>
> The .Net server is using this schema: http://www.w3.org/2005/08/addressing
>
> Finally, the original WSDL file (emanating from the .Net service) also
> refers to the 2005 Addressing schema rather than the 2004.
>
> I don't know whether or not this is "the problem", I'm just
> speculating.
> Could it be a problem? Is there a way I could coax Rampart 1.5 to
> use the
> 2005 WS-Addressing schema rather than the '04 (particularly since
> the '05
> schema is referenced in the original WSDL)?
>
> Thank you,
>
> Bryan
>
>
Re: Ws-Addressing
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Bryan,
You can use the client options to change the addressing version.
options.setProperty(org.apache.axis2.addressing.AddressingConstants.WS_ADDRESSING_VERSION,
org.apache.axis2.addressing.AddressingConstants.Final.WSA_NAMESPACE);
org.apache.axis2.addressing.AddressingConstants.Submission.WSA_NAMESPACE -
http://schemas.xmlsoap.org/ws/2004/08/addressing
org.apache.axis2.addressing.AddressingConstants.Final.WSA_NAMESPACE -
http://www.w3.org/2005/08/addressing
regards,
Nandana
On Wed, Sep 2, 2009 at 6:43 PM, Bryan Field-Elliot <
bryan+rampart@nextalarm.com <br...@nextalarm.com>> wrote:
> We are using Rampart 1.5 RC (downloaded yesterday).
>
> We have built a client, which accesses a web service hosted by .Net. This
> web service uses WS-SecureConversation and WS-Addressing.
>
> The web service is hanging on the .Net end, and the service provider is so
> far befuddled as to why this is occurring.
>
> I am comparing a sample client document emanating from Rampart, against a
> sample client document that their C# code is generating (to kick off the
> WS-SecureConversation), and I am noticing the following:
>
> Rampart 1.5 is using this schema for WS-Addressing:
> http://schemas.xmlsoap.org/ws/2004/08/addressing
>
> The .Net server is using this schema: http://www.w3.org/2005/08/addressing
>
> Finally, the original WSDL file (emanating from the .Net service) also
> refers to the 2005 Addressing schema rather than the 2004.
>
> I don't know whether or not this is "the problem", I'm just speculating.
> Could it be a problem? Is there a way I could coax Rampart 1.5 to use the
> 2005 WS-Addressing schema rather than the '04 (particularly since the '05
> schema is referenced in the original WSDL)?
>
> Thank you,
>
> Bryan
>
>