Posted to java-user@axis.apache.org by Maik Hassel <ha...@simplyefficient.ca> on 2008/12/02 01:53:24 UTC
Message encryption works but fault messages are sent in plain text
Hello everyone,
I have a web service using the security policy below (signed and
encrypted message body), which works fine, except that my fault
messages do not get encrypted. I get the "missing security header"
exception at the client - using TCPMon I can see that indeed the fault
message is sent without any security-related info and in plain text.
Am I missing something? Do I have to add additional configuration
parameters for the signing and encryption of fault messages?
Thanks for any hints,
Maik
---- snip ---
<serviceGroup>
  <service name="SearchServices">
    <messageReceivers>
      <messageReceiver mep="http://www.w3.org/ns/wsdl/in-out"
                       class="ca.bc.xyz.SearchServicesMessageReceiverInOut"/>
    </messageReceivers>
    <parameter name="ServiceClass"
               locked="false">ca.bc.xyz.SearchServiceImplementation</parameter>
    <!--
    <parameter name="useOriginalwsdl">true</parameter>
    <parameter name="modifyUserWSDLPortAddress">true</parameter>
    -->
    <operation name="SSearch"
               mep="http://www.w3.org/ns/wsdl/in-out" namespace="....">
      <actionMapping>SyncSearch</actionMapping>
      <outputActionMapping>....</outputActionMapping>
      <faultActionMapping
          faultName="DPSearchFault">...</faultActionMapping>
      <faultActionMapping
          faultName="XYZFault">urn:....</faultActionMapping>
    </operation>

    <module ref="rampart" />

    <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="mypolicy">
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:TripleDesRsa15 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:AsymmetricBinding>

      <sp:Wss10>
        <wsp:Policy>
          <sp:MustSupportRefEmbeddedToken />
          <sp:MustSupportRefIssuerSerial />
        </wsp:Policy>
      </sp:Wss10>

      <sp:SignedParts>
        <sp:Body />
      </sp:SignedParts>

      <sp:EncryptedParts>
        <sp:Body />
      </sp:EncryptedParts>

      <RampartConfig xmlns="http://ws.apache.org/rampart/policy">
        <user>s1</user>
        <encryptionUser>useReqSigCert</encryptionUser>
        <passwordCallbackClass>ca.....webservice.server.search.PasswordCallbackHandler</passwordCallbackClass>

        <signatureCrypto>
          <crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
            <property name="org.apache.ws.security.crypto.merlin.file">keystore.ks</property>
            <property name="org.apache.ws.security.crypto.merlin.keystore.password">....</property>
          </crypto>
        </signatureCrypto>

        <encryptionCrypto>
          <crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
            <property name="org.apache.ws.security.crypto.merlin.file">keystore.ks</property>
            <property name="org.apache.ws.security.crypto.merlin.keystore.password">....</property>
          </crypto>
        </encryptionCrypto>
      </RampartConfig>
    </wsp:Policy>
  </service>
</serviceGroup>
--
Simply Efficient - IT Services, Consulting, Training Inc.
"We Keep Our Promises"
Vancouver, BC
Phone: +1 604.315.8446
Fax : +1 604.731.1147
http://www.simplyefficient.ca
---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org
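
Added example (not part of the original thread, and not Rampart or Axis2 code): a structural check that a client-side test could run over captured responses, such as the ones viewed in TCPMon above, to flag replies that do not meet the posted policy (Body signed and encrypted). The function name check_envelope and both sample envelopes are constructed for illustration; nothing is cryptographically verified.

```python
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",
           "http://www.w3.org/2003/05/soap-envelope")
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"


def check_envelope(xml_text):
    """Structural check of one captured SOAP message against the posted policy
    (SignedParts Body, EncryptedParts Body). No cryptography is verified."""
    if "<!DOCTYPE" in xml_text:  # SOAP messages must not carry a DTD
        return ["DTD present"]
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].partition("}")[0]
    if ns not in SOAP_NS or root.tag != f"{{{ns}}}Envelope":
        return ["not a SOAP envelope"]
    body = root.find(f"{{{ns}}}Body")
    if body is None:
        return ["no soap:Body"]
    problems = []
    security = root.find(f"{{{ns}}}Header/{{{WSSE}}}Security")
    if security is None:
        problems.append("missing wsse:Security header")
    else:
        # A signed Body is referenced from ds:SignedInfo by its wsu:Id.
        body_id = body.get(f"{{{WSU}}}Id")
        refs = {r.get("URI") for r in security.iter(f"{{{DSIG}}}Reference")}
        if not body_id or "#" + body_id not in refs:
            problems.append("Body not referenced by a ds:Signature")
    # An encrypted Body holds only xenc:EncryptedData elements.
    if any(child.tag != f"{{{XENC}}}EncryptedData" for child in body):
        problems.append("Body content is not xenc:EncryptedData")
    if body.find(f"{{{ns}}}Fault") is not None:
        problems.append("plaintext soap:Fault on the wire")
    return problems

# Constructed samples (not captured from the poster's service): a secured
# reply, and a bare fault of the kind the thread describes.
SECURED = f"""<s:Envelope xmlns:s="{SOAP_NS[0]}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"
 xmlns:ds="{DSIG}" xmlns:xenc="{XENC}"><s:Header><wsse:Security>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#Id-1"/></ds:SignedInfo></ds:Signature>
 </wsse:Security></s:Header>
 <s:Body wsu:Id="Id-1"><xenc:EncryptedData/></s:Body></s:Envelope>"""
PLAIN_FAULT = f"""<s:Envelope xmlns:s="{SOAP_NS[0]}"><s:Body><s:Fault>
 <faultcode>s:Server</faultcode><faultstring>XYZFault</faultstring>
 </s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    for name, msg in (("secured reply", SECURED), ("fault reply", PLAIN_FAULT)):
        print(name, "->", check_envelope(msg) or "ok")
```

Running such a check on both the success path and every declared fault path in integration tests catches a regression of this kind before it reaches production traffic.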
Re: Message encryption works but fault messages are sent in plain text
Posted by Maik Hassel <ha...@simplyefficient.ca>.
Since quite a few folks contacted me off list with the same issue,
here is a quick follow-up: it turns out this is a solid bug in Rampart which
- after some digging around in JIRA - has been known for quite a
while. Thanks to Bob Jakobi for pointing me in the right direction on
how to patch the Rampart code to fix it.
Please see https://issues.apache.org/jira/browse/RAMPART-193 for details
Re: Message encryption works but fault messages are sent in plain text
Posted by Maik Hassel <ha...@simplyefficient.ca>.
Unfortunately not, as my problem is different from the one described:
My encryption/decryption works fine across multiple machines and
normal SOAP requests do get both de- and encrypted fine on both ends!
It's the fault messages only that pose a problem: The server does
NOT encrypt/sign fault messages (it DOES, however, encrypt the regular
messages). Fault messages only are sent by the server without any
security headers whatsoever...
Quoting Prabath Siriwardena <pr...@wso2.com>:
> Hi Mark;
>
> You may find the answer here[1].
>
> Thanks & regards.
> -Prabath
> [1]:http://wso2.org/forum/thread/4340#comment-7247
Re: Message encryption works but fault messages are sent in plain text
Posted by Prabath Siriwardena <pr...@wso2.com>.
Hi Mark;
You may find the answer here[1].
Thanks & regards.
-Prabath
[1]:http://wso2.org/forum/thread/4340#comment-7247