You are viewing a plain text version of this content. The canonical link for it is here.
Posted to fx-dev@ws.apache.org by Steve Behrendt <st...@weg.com.br> on 2005/07/21 15:20:00 UTC
Add nonce and expiredate
All,
How can I add a nonce and a expire date for this configuration
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
<globalConfiguration >
<requestFlow >
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
<parameter name="action" value="UsernameToken"/>
<parameter name="passwordType" value="PasswordText"/>
</handler>
</requestFlow >
</globalConfiguration >
</deployment>
I have to transmit the password in plaintext!!!
Thanks to everyone!!!
STEVE
-----Mensagem original-----
De: Steve Behrendt
Enviada em: quinta-feira, 21 de julho de 2005 08:18
Para: Anne Thomas Manes
Cc: Dittmann, Werner; brian@sweetxml.org; Gürkan Vural; Granqvist, Hans;
fx-dev@ws.apache.org
Assunto: RES: RES: RES: AW: AW: order of sign and encr in .NET - .Net
interoperability
Anne,
I know it's the wrong forum to post that, but I think, we can talk
about the problems .NET have with the WS-Specs and the WS-I profile
for find a way to interoperate with them.
E.g. I yet found a deviations of .NET: [1]
- The problem with the InclusiveNamespaces child of the Transform element,
which was discussed not long ago.
Steve
[1] http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html#xmlSignatureAlgorithms
-----Mensagem original-----
De: Anne Thomas Manes [mailto:atmanes@gmail.com]
Enviada em: quarta-feira, 20 de julho de 2005 18:01
Para: Steve Behrendt
Cc: Dittmann, Werner; brian@sweetxml.org; Gürkan Vural; Granqvist, Hans;
fx-dev@ws.apache.org
Assunto: Re: RES: RES: AW: AW: order of sign and encr in .NET - .Net
interoperability
The WS-I Basic Security Profile is still a draft, so it's really not
appropriate to come down on anyone for not supporting it. What's more
appropriate is to talk about where WSE and/or Indigo deviates from the
WS-Security spec.
You can also talk about where .NET deviates from the WS-I Basic
Profile -- but note that Microsoft has already detailed all deviations
in excrutiating detail as part of the documentation on their web site.
See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsvcinter/html/WSI-BP_MSDN_LandingPage.asp
Anne
On 7/20/05, Steve Behrendt <st...@weg.com.br> wrote:
> Werner,
>
> I'm writing an articel about WSS4J, .NET and WS-I too.
>
> Do you have an example for that:
> - .Net does not yet support the WS-I specs with regard
> to security
>
> Thanks,
> STEVE
>
> -----Mensagem original-----
> De: Dittmann, Werner [mailto:werner.dittmann@siemens.com]
> Enviada em: quarta-feira, 13 de julho de 2005 03:05
> Para: Steve Behrendt
> Cc: brian@sweetxml.org; Gürkan Vural; Granqvist, Hans;
> fx-dev@ws.apache.org
> Assunto: AW: RES: AW: AW: order of sign and encr in .NET - .Net
> interoperability
>
>
> Steve,
>
> thanks for testing it. When we introduced the
> millisecond stuff I was pretty sure we will
> hit some interop problems with this :-).
>
> Thanks to Dims we can set it via deployment files
> now.
>
> Anyhow, currently we have 3 main issues with
> regard to .Net interoperability:
>
> - .Net does not yet support the WS-I specs with regard
> to security
> - .Net doesn't like the timestamps with the added
> millisecond precision
> - Need to set an Axis specific parameter
> (enableNamespacePrefixOptimization) to false
>
> > -----Ursprüngliche Nachricht-----
> > Von: Steve Behrendt [mailto:steve@weg.com.br]
> > Gesendet: Dienstag, 12. Juli 2005 18:53
> > An: Dittmann, Werner
> > Cc: brian@sweetxml.org; Gürkan Vural; Granqvist, Hans;
> > fx-dev@ws.apache.org
> > Betreff: RES: RES: AW: AW: order of sign and encr in .NET
> >
> >
> > Werner,
> >
> > I have found it. The attribute is in the WSConstants.java class.
> > I tried it with my .NET WS and it works fine.
> >
> > Is there a way to change the attribute in the WSConstants file without
> > change the file directly? Because that isn't a nice way to
> > configure the
> > client to work with a .net wse2.0 webserver in this way, I think.
> > E.g. for an interop scenario...
> >
> > Steve
> >
> >
> > -----Mensagem original-----
> > De: Steve Behrendt
> > Enviada em: terça-feira, 12 de julho de 2005 13:37
> > Para: 'Dittmann, Werner'
> > Cc: brian@sweetxml.org; Gürkan Vural; Granqvist, Hans;
> > fx-dev@ws.apache.org
> > Assunto: RES: RES: AW: AW: order of sign and encr in .NET
> >
> >
> > Werner,
> >
> > Sorry, but I can't find an atribute for that in the
> > WSSConfig.java file.
> > The only attributes are:
> > protected static WSSConfig defaultConfig = getNewInstance();
> > protected String wsse_ns = WSConstants.WSSE_NS_OASIS_1_0;
> > protected String wsu_ns = WSConstants.WSU_NS_OASIS_1_0;
> > protected boolean qualifyBSTAttributes = false;
> > protected boolean prefixBSTValues = false;
> > protected boolean targetIdQualified = true;
> > protected boolean wsiBSPCompliant = false;
> > protected boolean processNonCompliantMessages = true;
> > public static final int TIMESTAMP_IN_SECURITY_ELEMENT = 1;
> > public static final int TIMESTAMP_IN_HEADER_ELEMENT = 2;
> > protected int timestampLocation = TIMESTAMP_IN_SECURITY_ELEMENT;
> >
> > One of them is the correct one?
> >
> > Steve
> >
> > -----Mensagem original-----
> > De: Dittmann, Werner [mailto:werner.dittmann@siemens.com]
> > Enviada em: terça-feira, 12 de julho de 2005 03:16
> > Para: Steve Behrendt
> > Cc: brian@sweetxml.org; Gürkan Vural; Granqvist, Hans;
> > fx-dev@ws.apache.org
> > Assunto: AW: RES: AW: AW: order of sign and encr in .NET
> >
> >
> > Steve, all,
> >
> > about your first question: yes, that was the understanding
> > of a e-mail discussion we had some time ago: WSE does
> > not yet support WS-I (inclusivenamespace).
> >
> > Your other question: yes, there is a subtle difference
> > between the working request you sent last Friday. The
> > difference is in the Timestamp. The format of the date/time
> > of the new request now includes the milliseconds. We added
> > the milliseconds due to some other interop problems and
> > because the XML Schema requires the milliseconds AFAIK.
> >
> > But as usual you can switch off the milliseconds (in the
> > WSConfig file). Look for a boolean there.
> >
> > Regards,
> > Werner
> >
> >
> > > -----Ursprüngliche Nachricht-----
> > > Von: Steve Behrendt [mailto:steve@weg.com.br]
> > > Gesendet: Montag, 11. Juli 2005 14:58
> > > An: Werner Dittmann
> > > Cc: brian@sweetxml.org; Dittmann, Werner; Gürkan Vural;
> > > Granqvist, Hans; fx-dev@ws.apache.org
> > > Betreff: RES: RES: AW: AW: order of sign and encr in .NET
> > >
> > >
> > > Werner,
> > >
> > > Thanks. "InclusiveNamespace" is stuff of the WS-I, but WSE
> > > doesn't support this stuff (inclusivenamespace), therefore
> > > the WSE dosn't accept the signature. Have I understand it right?
> > >
> > > I have tried it and found 2 problems. When I use the wss4j.jar file
> > > (the newest version) the "inclusivenamespace"-stuff is added,
> > > but when
> > > I use the "src" files of the project folder the
> > > "inclusivenamepsace" isn't
> > > added - without any changes on the wssconfig.java file.
> > >
> > > Now the java-client send a soap-message without the
> > > "inclusivenamespace"=stuff,
> > > due to the WS-I, but the WSE still dowsn't accept the
> > > signature. The exception is
> > > still the same:
> > >
> > > AxisFault
> > > faultCode:
> > > {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
> > > urity-secext-1.0.xsd}FailedCheck
> > > faultSubcode:
> > > faultString: Microsoft.Web.Services2.Security.SecurityFault:
> > > The signature or decryption was invalid
> > > at
> > >
> > Microsoft.Web.Services2.Security.Security.LoadXml(XmlElement element)
> > > at
> > > Microsoft.Web.Services2.Security.SecurityInputFilter.ProcessMe
> > > ssage(SoapEnvelope envelope)
> > > at
> > > Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvel
> > > ope envelope)
> > > at
> > > Microsoft.Web.Services2.WebServicesExtension.BeforeDeserialize
> > > Server(SoapServerMessage message)
> > > faultActor: http://localhost/WebServiceGMC/webservicegmc.asmx
> > >
> > > The message is now:
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <soapenv:Envelope
> > > xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> > > xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
> > > xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> > > <soapenv:Header>
> > > <wsse:Security
> > > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-20040
> > > 1-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
> > > <wsse:UsernameToken
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="usernameTokenId-5862378">
> > > <wsse:Username>usuario3</wsse:Username>
> > > <wsse:Password
> > > Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
> > > username-token-profile-1.0#PasswordText">senha3</wsse:Password>
> > > <wsu:Created>2005-07-11T12:43:38.552Z</wsu:Created>
> > > <wsse:Nonce>85DpuTBD4f14uJhdklt2hA==</wsse:Nonce>
> > > </wsse:UsernameToken>
> > > <ds:Signature
> > > xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> > > <ds:SignedInfo>
> > > <ds:CanonicalizationMethod
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Canon
> > > icalizationMethod>
> > > <ds:SignatureMethod
> > > Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></ds:S
> > > ignatureMethod>
> > > <ds:Reference URI="#id-8706595">
> > > <ds:Transforms>
> > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> > > </ds:Transforms>
> > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > >
> > > <ds:DigestValue>6m7QGOVJoQGzFpxEIHqFISlwvOg=</ds:DigestValue>
> > > </ds:Reference>
> > > <ds:Reference URI="#id-15606519">
> > > <ds:Transforms>
> > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> > > </ds:Transforms>
> > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > >
> > > <ds:DigestValue>OrbC+oWPDqjF8d22jSIM+Z7mUf0=</ds:DigestValue>
> > > </ds:Reference>
> > > <ds:Reference URI="#id-3779465">
> > > <ds:Transforms>
> > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> > > </ds:Transforms>
> > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > >
> > > <ds:DigestValue>lr2fB700eMiCriQD7hrukW13eLk=</ds:DigestValue>
> > > </ds:Reference>
> > > <ds:Reference URI="#id-2929821">
> > > <ds:Transforms>
> > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> > > </ds:Transforms>
> > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > >
> > > <ds:DigestValue>aX77bRqKYnP9W1LZnXYy42DNhDI=</ds:DigestValue>
> > > </ds:Reference>
> > > <ds:Reference URI="#id-17160330">
> > > <ds:Transforms>
> > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> > > </ds:Transforms>
> > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > >
> > > <ds:DigestValue>hyPLuTIjh/hATPYWwwHxqiqU8ko=</ds:DigestValue>
> > > </ds:Reference>
> > > <ds:Reference URI="#id-13328393">
> > > <ds:Transforms>
> > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> > > </ds:Transforms>
> > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > >
> > > <ds:DigestValue>FAiQvuh29IyJoZTvOZl7MbHwFgU=</ds:DigestValue>
> > > </ds:Reference>
> > > <ds:Reference URI="#id-927929">
> > > <ds:Transforms>
> > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> > > </ds:Transforms>
> > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > >
> > > <ds:DigestValue>zI1HezB6OwqrvwlhMDbvpKX3Bag=</ds:DigestValue>
> > > </ds:Reference>
> > > </ds:SignedInfo>
> > >
> > > <ds:SignatureValue>TplVnW4j2/FeIgZVI2PRctbAgHc=</ds:SignatureValue>
> > > <ds:KeyInfo Id="KeyId-2780950">
> > > <wsse:SecurityTokenReference
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-25197736">
> > > <wsse:Reference
> > > URI="#usernameTokenId-5862378"
> > > ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-username-token-profile-1.0#UsernameToken"></wsse:Reference>
> > > </wsse:SecurityTokenReference>
> > > </ds:KeyInfo>
> > > </ds:Signature>
> > > <wsu:Timestamp
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-3779465">
> > > <wsu:Created>2005-07-11T12:43:38.536Z</wsu:Created>
> > > <wsu:Expires>2005-07-11T12:48:38.536Z</wsu:Expires>
> > > </wsu:Timestamp>
> > > </wsse:Security>
> > > <wsa:MessageID
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2929821"
> > > soapenv:mustUnderstand="0">uuid:672b03c0-f209-11d9-9218-cb301b
> > > 6f3efb</wsa:MessageID>
> > > <wsa:To
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-927929"
> > > soapenv:mustUnderstand="0">http://localhost:8080/WebServiceGMC
> > > /webservicegmc.asmx</wsa:To>
> > > <wsa:Action
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-15606519"
> > > soapenv:mustUnderstand="0">http://localhost/WebServiceGMC/webs
> > > ervicegmc.asmx?op=getClientes</wsa:Action>
> > > <wsa:From
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-13328393"
> > > soapenv:mustUnderstand="0">
> > >
> > > <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/
> > > role/anonymous</wsa:Address>
> > > </wsa:From>
> > > <wsa:ReplyTo
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-17160330"
> > > soapenv:mustUnderstand="0">
> > >
> > > <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/
> > > role/anonymous</wsa:Address>
> > > </wsa:ReplyTo>
> > > </soapenv:Header>
> > > <soapenv:Body
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-8706595">
> > > <anunciar xmlns="http://weg.net/service">
> > > <ns1:usuario
> > > xmlns:ns1="http://weg.net/service/">usuario1</ns1:usuario>
> > > </anunciar>
> > > </soapenv:Body>
> > > </soapenv:Envelope>
> > >
> > >
> > >
> > > Any body see a difference between the working message sent by
> > > the old wss4
> > > and this from the up-to-date wss4j?
> > >
> > > STEVE
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > -----Mensagem original-----
> > > De: Werner Dittmann [mailto:Werner.Dittmann@t-online.de]
> > > Enviada em: sábado, 9 de julho de 2005 04:19
> > > Para: Steve Behrendt
> > > Cc: brian@sweetxml.org; Dittmann, Werner; Gürkan Vural;
> > > Granqvist, Hans;
> > > fx-dev@ws.apache.org
> > > Assunto: Re: RES: AW: AW: order of sign and encr in .NET
> > >
> > >
> > > Brian, Steve, all,
> > >
> > > looking at it I see the difference. Soemtime ago one of the
> > > contributers implemented some additons to be WS-I compliant.
> > > This "InclusiveNamespace" stuff is due to this, and as it turned
> > > out WSE is not yet ready to handle this. Due to this there is
> > > a boolean in WSSConfig.java (wsiBSPCompliant). If this boolean
> > > is true WSS4J works in BS-I compliant mode, setting it to false
> > > WSS4J works as before.
> > >
> > > Can you crosscheck and give it a try?
> > >
> > > Thanks,
> > > Werner
> > >
> > > Steve Behrendt schrieb:
> > > > Brian,
> > > >
> > > > You are right. I have tested the attached wss4j.jar file
> > > too and I had
> > > > success. My client now can produce a message that the .net
> > > client understand.
> > > > The signature should be right, because the .NET WebService
> > > now don't respond
> > > > with the Exception (Signature invalid).
> > > >
> > > > I have build 2 Messsages, one with the new and one with the
> > > "old" wss4j.jar
> > > > and attached.
> > > >
> > > > The old one, which don't works:
> > > >
> > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > <soapenv:Envelope
> > > xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> > > xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
> > > xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> > > > <soapenv:Header>
> > > > <wsse:Security
> > > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-20040
> > > 1-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
> > > > <wsse:UsernameToken
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="usernameTokenId-12455463">
> > > > <wsse:Username>usuario3</wsse:Username>
> > > > <wsse:Password
> > > Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
> > > username-token-profile-1.0#PasswordText">senha3</wsse:Password>
> > > > <wsu:Created>2005-07-05T14:10:26Z</wsu:Created>
> > > > <wsse:Nonce>yOBObBQ+sbevlt2XM0Xukg==</wsse:Nonce>
> > > > </wsse:UsernameToken>
> > > > <ds:Signature
> > > xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> > > > <ds:SignedInfo>
> > > > <ds:CanonicalizationMethod
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> > > > <ec:InclusiveNamespaces
> > > xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> > > PrefixList="soapenv wsa xsd xsi"></ec:InclusiveNamespaces>
> > > > </ds:CanonicalizationMethod>
> > > > <ds:SignatureMethod
> > > Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></ds:S
> > > ignatureMethod>
> > > > <ds:Reference URI="#id-7866553">
> > > > <ds:Transforms>
> > > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> > > > <ec:InclusiveNamespaces
> > > xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> > > PrefixList="wsa xsd xsi"></ec:InclusiveNamespaces>
> > > > </ds:Transform>
> > > > </ds:Transforms>
> > > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > > >
> > > <ds:DigestValue>PmQSgFYbhiZciP5F6CRT5MZOPPk=</ds:DigestValue>
> > > > </ds:Reference>
> > > > <ds:Reference URI="#id-3874052">
> > > > <ds:Transforms>
> > > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> > > > <ec:InclusiveNamespaces
> > > xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> > > PrefixList="soapenv wsa wsse xsd xsi"></ec:InclusiveNamespaces>
> > > > </ds:Transform>
> > > > </ds:Transforms>
> > > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > > >
> > > <ds:DigestValue>jcRns/iJ1hxPJZEqUt1DIG0iDdo=</ds:DigestValue>
> > > > </ds:Reference>
> > > > <ds:Reference URI="#id-15606519">
> > > > <ds:Transforms>
> > > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> > > > <ec:InclusiveNamespaces
> > > xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> > > PrefixList="xsd xsi"></ec:InclusiveNamespaces>
> > > > </ds:Transform>
> > > > </ds:Transforms>
> > > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > > >
> > > <ds:DigestValue>TB1t5JzPv1WQ4uMX05qKqIl2s9o=</ds:DigestValue>
> > > > </ds:Reference>
> > > > <ds:Reference URI="#id-3779465">
> > > > <ds:Transforms>
> > > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> > > > <ec:InclusiveNamespaces
> > > xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> > > PrefixList="xsd xsi"></ec:InclusiveNamespaces>
> > > > </ds:Transform>
> > > > </ds:Transforms>
> > > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > > >
> > > <ds:DigestValue>erDZuYXo9WJn29GSh6Kood6guzw=</ds:DigestValue>
> > > > </ds:Reference>
> > > > <ds:Reference URI="#id-2929821">
> > > > <ds:Transforms>
> > > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> > > > <ec:InclusiveNamespaces
> > > xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> > > PrefixList="xsd xsi"></ec:InclusiveNamespaces>
> > > > </ds:Transform>
> > > > </ds:Transforms>
> > > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > > >
> > > <ds:DigestValue>QbIGZGq03FxN6tA2aE9d11/hvh0=</ds:DigestValue>
> > > > </ds:Reference>
> > > > <ds:Reference URI="#id-17160330">
> > > > <ds:Transforms>
> > > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> > > > <ec:InclusiveNamespaces
> > > xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> > > PrefixList="xsd xsi"></ec:InclusiveNamespaces>
> > > > </ds:Transform>
> > > > </ds:Transforms>
> > > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > > >
> > > <ds:DigestValue>Y4vVT5KZ9FKbXLumKcaqvHaWhHM=</ds:DigestValue>
> > > > </ds:Reference>
> > > > </ds:SignedInfo>
> > > >
> > > <ds:SignatureValue>aLSM1mbqLMfNLKPVoi7dRqeVMT4=</ds:SignatureValue>
> > > > <ds:KeyInfo Id="KeyId-26956311">
> > > > <wsse:SecurityTokenReference
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-9734221">
> > > > <wsse:Reference
> > > URI="#usernameTokenId-12455463"
> > > ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-username-token-profile-1.0#UsernameToken"></wsse:Reference>
> > > > </wsse:SecurityTokenReference>
> > > > </ds:KeyInfo>
> > > > </ds:Signature>
> > > > <wsu:Timestamp
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-3874052">
> > > > <wsu:Created>2005-07-05T14:10:26Z</wsu:Created>
> > > > <wsu:Expires>2005-07-05T14:15:26Z</wsu:Expires>
> > > > </wsu:Timestamp>
> > > > </wsse:Security>
> > > > <wsa:MessageID
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-3779465"
> > > soapenv:mustUnderstand="0">uuid:8912a6f0-ed5e-11d9-8c80-a1e409
> > > 7e4740</wsa:MessageID>
> > > > <wsa:To
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-17160330"
> > > soapenv:mustUnderstand="0">http://localhost:8080/WebServiceGMC
> > > /webservicegmc.asmx</wsa:To>
> > > > <wsa:Action
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-15606519"
> > > soapenv:mustUnderstand="0">http://localhost/WebServiceGMC/webs
> > > ervicegmc.asmx?op=getClientes</wsa:Action>
> > > > <wsa:From
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2929821"
> > > soapenv:mustUnderstand="0">
> > > >
> > > <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/
> > > role/anonymous</wsa:Address>
> > > > </wsa:From>
> > > > </soapenv:Header>
> > > > <soapenv:Body
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-7866553">
> > > > <anunciar xmlns="http://weg.net/service">
> > > > <ns1:usuario
> > > xmlns:ns1="http://weg.net/service/">1234</ns1:usuario>
> > > > </anunciar>
> > > > </soapenv:Body>
> > > > </soapenv:Envelope>
> > > >
> > > > ------------------------------------------------------
> > > >
> > > > and the new one working:
> > > >
> > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > <soapenv:Envelope
> > > xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> > > xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
> > > xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> > > > <soapenv:Header>
> > > > <wsse:Security
> > > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-20040
> > > 1-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
> > > > <wsse:UsernameToken
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="usernameTokenId-32956236">
> > > > <wsse:Username>usuario3</wsse:Username>
> > > > <wsse:Password
> > > Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
> > > username-token-profile-1.0#PasswordText">senha3</wsse:Password>
> > > > <wsu:Created>2005-07-08T18:21:20Z</wsu:Created>
> > > > <wsse:Nonce>RKPwh5ELWCBqUa0FhZtP9A==</wsse:Nonce>
> > > > </wsse:UsernameToken>
> > > > <ds:Signature
> > > xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> > > > <ds:SignedInfo>
> > > > <ds:CanonicalizationMethod
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Canon
> > > icalizationMethod>
> > > > <ds:SignatureMethod
> > > Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></ds:S
> > > ignatureMethod>
> > > > <ds:Reference URI="#id-9734221">
> > > > <ds:Transforms>
> > > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> > > > </ds:Transforms>
> > > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > > >
> > > <ds:DigestValue>FaQ7O3MS6a3e82I/jsfOhoDL+2M=</ds:DigestValue>
> > > > </ds:Reference>
> > > > <ds:Reference URI="#id-867695">
> > > > <ds:Transforms>
> > > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> > > > </ds:Transforms>
> > > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > > >
> > > <ds:DigestValue>HinR+8MaMcU59CYiC25On0mv67U=</ds:DigestValue>
> > > > </ds:Reference>
> > > > <ds:Reference URI="#id-20727434">
> > > > <ds:Transforms>
> > > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> > > > </ds:Transforms>
> > > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > > >
> > > <ds:DigestValue>YmbgnQ/0F+mxw9s3NrOibFvRj8w=</ds:DigestValue>
> > > > </ds:Reference>
> > > > <ds:Reference URI="#id-3874052">
> > > > <ds:Transforms>
> > > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> > > > </ds:Transforms>
> > > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > > >
> > > <ds:DigestValue>iGemJhTiJd71u03JJWG22tLwfQ4=</ds:DigestValue>
> > > > </ds:Reference>
> > > > <ds:Reference URI="#id-15606519">
> > > > <ds:Transforms>
> > > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> > > > </ds:Transforms>
> > > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > > >
> > > <ds:DigestValue>3m17MdDRPyAuUKi93W08Xdh2XQg=</ds:DigestValue>
> > > > </ds:Reference>
> > > > <ds:Reference URI="#id-3779465">
> > > > <ds:Transforms>
> > > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> > > > </ds:Transforms>
> > > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > > >
> > > <ds:DigestValue>4Tb0yMaDPpAwiQXVpXdfJYWmvR0=</ds:DigestValue>
> > > > </ds:Reference>
> > > > <ds:Reference URI="#id-2929821">
> > > > <ds:Transforms>
> > > > <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> > > > </ds:Transforms>
> > > > <ds:DigestMethod
> > >
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> > > >
> > > <ds:DigestValue>t0XvlW4iqR3Qo2SirI+6sqkG4gk=</ds:DigestValue>
> > > > </ds:Reference>
> > > > </ds:SignedInfo>
> > > >
> > > <ds:SignatureValue>Q1NqxNLzcBL4wIjc6UToVyJ6+Kc=</ds:SignatureValue>
> > > > <ds:KeyInfo Id="KeyId-19583390">
> > > > <wsse:SecurityTokenReference
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-2780950">
> > > > <wsse:Reference
> > > URI="#usernameTokenId-32956236"
> > > ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-username-token-profile-1.0#UsernameToken"></wsse:Reference>
> > > > </wsse:SecurityTokenReference>
> > > > </ds:KeyInfo>
> > > > </ds:Signature>
> > > > <wsu:Timestamp
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-20727434">
> > > > <wsu:Created>2005-07-08T18:21:20Z</wsu:Created>
> > > > <wsu:Expires>2005-07-08T18:26:20Z</wsu:Expires>
> > > > </wsu:Timestamp>
> > > > </wsse:Security>
> > > > <wsa:MessageID
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-3874052"
> > > soapenv:mustUnderstand="0">uuid:14e28260-efdd-11d9-a841-a743b9
> > > d3b3f7</wsa:MessageID>
> > > > <wsa:To
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2929821"
> > > soapenv:mustUnderstand="0">http://localhost:8080/WebServiceGMC
> > > /webservicegmc.asmx</wsa:To>
> > > > <wsa:Action
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-867695"
> > > soapenv:mustUnderstand="0">http://localhost/WebServiceGMC/webs
> > > ervicegmc.asmx?op=getClientes</wsa:Action>
> > > > <wsa:From
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-3779465"
> > > soapenv:mustUnderstand="0">
> > > >
> > > <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/
> > > role/anonymous</wsa:Address>
> > > > </wsa:From>
> > > > <wsa:ReplyTo
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-15606519"
> > > soapenv:mustUnderstand="0">
> > > >
> > > <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/
> > > role/anonymous</wsa:Address>
> > > > </wsa:ReplyTo>
> > > > </soapenv:Header>
> > > > <soapenv:Body
> > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401
> > > -wss-wssecurity-utility-1.0.xsd" wsu:Id="id-9734221">
> > > > <anunciar xmlns="http://weg.net/service">
> > > > <ns1:usuario
> > > xmlns:ns1="http://weg.net/service/">1234</ns1:usuario>
> > > > </anunciar>
> > > > </soapenv:Body>
> > > > </soapenv:Envelope>
> > > >
> > > >
> > > --------------------------------------------------------------
> > > ---------
> > > >
> > > > Now we have an example to work on it. I have already
> > > compared each other.
> > > > The main difference I had found was the
> > > "CanonicalizationMethod" - Tag and the
> > > > "Transform" Tag of the "Transforms" tags.
> > > > Perhaps there are the problems?!?!?
> > > >
> > > > Steve
> > > >
> > > >
> > > > -----Mensagem original-----
> > > > De: brian@sweetxml.org [mailto:brian@sweetxml.org]
> > > > Enviada em: sexta-feira, 8 de julho de 2005 07:59
> > > > Para: Dittmann, Werner; Steve Behrendt
> > > > Cc: Gürkan Vural; Granqvist, Hans; fx-dev@ws.apache.org
> > > > Assunto: Re: AW: AW: order of sign and encr in .NET
> > > >
> > > >
> > > > Werner, Gürkan and David,
> > > >
> > > > Since Steve's post to the list concerning his problems
> > > using wss4j with
> > > > UsernameToken Signature I've look at it again. My personal
> > > conclusion is
> > > > that it once worked, but that in the meantime it's become
> > > broken. At the
> > > > present time I can't say when exactly. I've tried various
> > version of
> > > > wss4j, axis and bouncycastle and the only way I can get it
> > > working is by
> > > > using an older version of wss4j that I build. I've attached
> > > it, so you can
> > > > try it out and hopefully have a request come through.
> > > >
> > > > Regards Brian
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >>Gürkan,
> > > >>
> > > >>is this a real log of the request? If I save the file and try
> > > >>to open it with an XML editor it fails because of non-well
> > > >>formed document. Looking at it with emacs I see some linebreaks
> > > >>at unusual points, e.g. in the middle of an element name.
> > > >>
> > > >>I'm not sure if this is due to e-mail transport or similar.
> > > >>But because you sent it as an attachement I would suspect that is
> > > >>not the case.
> > > >>
> > > >>Can you verify this?
> > > >>
> > > >>Regards,
> > > >>Werner
> > > >>
> > > >>
> > > >>>-----Ursprüngliche Nachricht-----
> > > >>>Von: Gürkan Vural [mailto:gurkan.vural@tcmb.gov.tr]
> > > >>>Gesendet: Freitag, 8. Juli 2005 11:06
> > > >>>An: Dittmann, Werner
> > > >>>Cc: Granqvist, Hans; fx-dev@ws.apache.org
> > > >>>Betreff: Re: AW: order of sign and encr in .NET
> > > >>>
> > > >>>
> > > >>>sorry wss4j can verify all elements but not final
> > > signature value. it
> > > >>>processes all elements in the correct order. I am
> > trying to verify
> > > >>>username token signature with
> > > >>>http://www.w3.org/2000/09/xmldsig#hmac-sha1 algorithm. I can
> > > >>>verify what
> > > >>>i send to biztalk but not from biztalk. In the attachment
> > > there is a
> > > >>>sample soap message. Can anyone try to verify this?
> > > >>>
> > > >>>--
> > > >>>gurkan
> > > >>>
> > > >>>Dittmann, Werner wrote:
> > > >>>
> > > >>>
> > > >>>>Gürkan,
> > > >>>>
> > > >>>>to me it seems a problem of BizTalk and/or the .Net WSE
> > > >>>>implementation. According to the OASIS WSS specification,
> > > >>>>chapter 5:
> > > >>>>
> > > >>>><quote>
> > > >>>>As elements are added to a <wsse:Security> header block,
> > > >>>>they SHOULD be prepended to the existing elements. As such,
> > > >>>>the <wsse:Security> header block represents the signing and
> > > >>>>encryption steps the message producer took to create
> > the message.
> > > >>>>This prepending rule ensures that the receiving application can
> > > >>>>process sub-elements in the order they appear in the
> > > >>>><wsse:Security> header block, because there will be no forward
> > > >>>>dependency among the sub-elements. Note that this specification
> > > >>>>does not impose any specific order of processing the
> > > >>>>sub-elements. The receiving application can use whatever order
> > > >>>>is required.
> > > >>>></quote>
> > > >>>>
> > > >>>>This means, if the receiver sees an encryption sub-element
> > > >>>>before a Signature sub-element if processes encryption first.
> > > >>>>The ordering of elements is the _only_ information about the
> > > >>>>processing sequence. How could the receiver otherweise
> > > >>>>determine that it should first check Signature, then decrypt?
> > > >>>>
> > > >>>>Maybe you may crosscheck with the MS folks to clarfiy that?
> > > >>>>Are there known problems with BizTalk / .Net WSE? In general
> > > >>>>we tested interop with .Net WSE.
> > > >>>>
> > > >>>>Regards,
> > > >>>>Werner
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>>>-----Ursprüngliche Nachricht-----
> > > >>>>>Von: Gürkan Vural [mailto:gurkan.vural@tcmb.gov.tr]
> > > >>>>>Gesendet: Freitag, 8. Juli 2005 07:59
> > > >>>>>An: Granqvist, Hans
> > > >>>>>Cc: fx-dev@ws.apache.org
> > > >>>>>Betreff: Re: order of sign and encr in .NET
> > > >>>>>
> > > >>>>>
> > > >>>>>Granqvist, Hans wrote:
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>>>>... biztalk outputs
> > > >>>>>>>DataReference above Signature element and this causes
> > > >>>>>>>decryption before signature and sign validation fails because
> > > >>>>>>>decryption changes the value of body element.
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>
> > > >>>>>>Is it you or biztalk that implies processing order from
> > > >>>>>>the element order?
> > > >>>>>>
> > > >>>>>>Hans
> > > >>>>>>
> > > >>>>>>
> > > >>>>>>
> > > >>>>>>
> > > >>>>>
> > > >>>>>Whatever order I send data to Biztalk it processes correctly.
> > > >>>>>Because my
> > > >>>>>java client (wss4j) puts the headers of last operation above
> > > >>>>>the others.
> > > >>>>>However Biztalk always sends DataReference above Signature
> > > >>>
> > > >>>element and
> > > >>>
> > > >>>>>my java client (wss4j) first processes the encrypted body
> > > >>>
> > > >>>so signature
> > > >>>
> > > >>>>>validation fails.
> > > >>>>>
> > > >>>>>--
> > > >>>>>gurkan
> > > >>>>>
> > > >>>>>==========================================================-
> > > >>>>>Bu e-posta sadece yukarida isimleri belirtilen kisiler
> > > >>>>>arasinda özel haberlesme amacini tasimaktadir. Size
> > > >>>>>yanlislikla ulasmissa lütfen gönderen kisiyi bilgilendiriniz
> > > >>>>>ve mesaji sisteminizden siliniz. Turkiye Cumhuriyet Merkez
> > > >>>>>Bankasi A.S. bu mesajin icerigi ile ilgili olarak hicbir
> > > >>>>>hukuksal sorumlulugu kabul etmez.
> > > >>>>>
> > > >>>>>This e-mail communication is intended for the private use of
> > > >>>>>the people named above. If you received this message in
> > > >>>>>error, please immediately notify the sender and delete it
> > > >>>>
> > > >>>>>from your system. The Central Bank of The Republic of Turkey
> > > >>>>
> > > >>>>>does not accept legal responsibility for the contents of
> > > >>>
> > > >>>this message.
> > > >>>
> > > >>>>>
> > > >>>>>
> > > >>>
> > > >>>
> > > >>>==========================================================-
> > > >>>Bu e-posta sadece yukarida isimleri belirtilen kisiler
> > > >>>arasinda özel haberlesme amacini tasimaktadir. Size
> > > >>>yanlislikla ulasmissa lütfen gönderen kisiyi bilgilendiriniz
> > > >>>ve mesaji sisteminizden siliniz. Turkiye Cumhuriyet Merkez
> > > >>>Bankasi A.S. bu mesajin icerigi ile ilgili olarak hicbir
> > > >>>hukuksal sorumlulugu kabul etmez.
> > > >>>
> > > >>>This e-mail communication is intended for the private use of
> > > >>>the people named above. If you received this message in
> > > >>>error, please immediately notify the sender and delete it
> > > >>>from your system. The Central Bank of The Republic of Turkey
> > > >>>does not accept legal responsibility for the contents of
> > > this message.
> > > >>>
> > > >>
> > > >
> > >
> > >
> >
>