Posted to dev@synapse.apache.org by "Paul Anderson (JIRA)" <ji...@apache.org> on 2007/10/25 12:20:50 UTC

[jira] Commented: (SYNAPSE-161) Can't persuade Rampart to send certificate serial + issuer - only either BinaryToken or Identity

    [ https://issues.apache.org/jira/browse/SYNAPSE-161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12537560 ] 

Paul Anderson commented on SYNAPSE-161:
---------------------------------------

<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
    <ramp:encryptionKeyIdentifier value="IssuerSerial" />

...doesn't seem to help.

In the policy file:-

<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Body/>
</sp:SignedParts>

<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
        <sp:MustSupportRefIssuerSerial/>
    </wsp:Policy>
</sp:Wss10>
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
        <sp:MustSupportRefIssuerSerial/>
    </wsp:Policy>
</sp:Wss11>

If I don't put the above wss10/wss11, there's an error when I require anything to be signed. If I put it, it stops complaining. Now to try to get the required XML to be written:-

<sp:InitiatorToken>
    <wsp:Policy>
        <!-- IncludeToken: Always, or Never, or whatever -->
        <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
            <wsp:Policy>
                <sp:RequireIssuerSerialReference/>
                <!--<sp:RequireKeyIdentifierReference/>-->
                <sp:WssX509V3Token10/>
            </wsp:Policy>
        </sp:X509Token>
    </wsp:Policy>
</sp:InitiatorToken>

Whatever support I have required inside Wss11 and Wss10, it doesn't seem to matter. Only RequireKeyIdentifierReference does what it is supposed to. RequireIssuerSerialReference has the same effect as RequireKeyIdentifierReference!



> Can't persuade Rampart to send certificate serial + issuer - only either BinaryToken or Identity
> ------------------------------------------------------------------------------------------------
>
>                 Key: SYNAPSE-161
>                 URL: https://issues.apache.org/jira/browse/SYNAPSE-161
>             Project: Synapse
>          Issue Type: Bug
>         Environment: JDK6 on RHEL3
>            Reporter: Paul Anderson
>
> I tried playing with WS-Policy to set InitiatorToken Never, and got Rampart to send the cert identity for WS-Security signing.
> But setting ws10 and ws11 to require serial/issuer TokenReference support, and setting the InitiatorToken to use it, didn't work - still, the identity was sent.
> It's a problem for me because on the recipient side I have to be specific about what form the cert will come in, and I have 2 WS clients. I don't want to deploy the service twice just for that.
> Maybe it's just the version of Rampart and it's been fixed since Synapse snapshot 17th Oct - I'll see with the next binary.
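The recipient-side problem in the report (having to know in advance whether the signing certificate arrives as an inline BinarySecurityToken, a KeyIdentifier or an IssuerSerial reference) can be checked on the wire before trusting a message. The following is an added example, not code from the issue, from Synapse or from Rampart: it parses the WS-Security header of a SOAP message, reports which SecurityTokenReference form was used, and gates on the one form the service is configured for. The SOAP envelopes, the `MIIB...` certificate placeholder, the issuer name and the serial number are all constructed sample values.

```python
import xml.etree.ElementTree as ET
# WS-Security 1.0 / XML-DSig namespaces and the X.509 token profile URI prefix.
NS = {"wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"

def classify_token_reference(envelope_xml: str) -> dict:
    """Report the SecurityTokenReference form: BinarySecurityToken, KeyIdentifier, IssuerSerial or unknown."""
    root = ET.fromstring(envelope_xml)
    security = root.find(".//wsse:Security", NS)
    str_el = root.find(".//ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if security is None or str_el is None:
        return {"form": "unknown"}
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:  # direct reference: the URI must resolve to a token in this header
        target = ref.get("URI", "").lstrip("#")
        found = any(t.get("{%s}Id" % NS["wsu"]) == target
                    for t in security.findall("wsse:BinarySecurityToken", NS))
        return {"form": "BinarySecurityToken" if found else "unknown", "uri": target}
    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is not None:
        return {"form": "KeyIdentifier", "value_type": kid.get("ValueType", ""),
                "value": (kid.text or "").strip()}
    isr = str_el.find("ds:X509Data/ds:X509IssuerSerial", NS)
    if isr is not None:
        return {"form": "IssuerSerial", "issuer": isr.findtext("ds:X509IssuerName", "", NS).strip(),
                "serial": int(isr.findtext("ds:X509SerialNumber", "0", NS))}
    return {"form": "unknown"}

def accepts(envelope_xml: str, required_form: str, **expected) -> bool:
    """Recipient-side gate: only the configured form, plus any expected field values (e.g. serial=...)."""
    info = classify_token_reference(envelope_xml)
    return info["form"] == required_form and all(info.get(k) == v for k, v in expected.items())

def sample_envelope(str_body: str) -> str:
    """Constructed SOAP message with a minimal Security header (not real Rampart output)."""
    return (f'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
            f'xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}" xmlns:ds="{NS["ds"]}">'
            f'<soap:Header><wsse:Security><wsse:BinarySecurityToken wsu:Id="CertId-1" '
            f'ValueType="{X509_PROFILE}#X509v3">MIIB...</wsse:BinarySecurityToken>'
            f'<ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue><ds:KeyInfo>'
            f'<wsse:SecurityTokenReference>{str_body}</wsse:SecurityTokenReference></ds:KeyInfo>'
            f'</ds:Signature></wsse:Security></soap:Header><soap:Body/></soap:Envelope>')

# Constructed SecurityTokenReference bodies for the three forms discussed in the issue.
DIRECT_REF = f'<wsse:Reference URI="#CertId-1" ValueType="{X509_PROFILE}#X509v3"/>'
KEY_IDENTIFIER = f'<wsse:KeyIdentifier ValueType="{X509_PROFILE}#X509SubjectKeyIdentifier">YWJj</wsse:KeyIdentifier>'
ISSUER_SERIAL = ("<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Example CA,O=Example</ds:X509IssuerName>"
                 "<ds:X509SerialNumber>1193315250</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>")
```

A direct `wsse:Reference` whose URI does not resolve to a BinarySecurityToken in the same header is reported as unknown rather than trusted, so a dangling reference fails the gate along with the wrong form.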
