Posted to java-user@axis.apache.org by RonnieMJ <ro...@hotmail.com> on 2008/10/06 20:46:16 UTC

Rampart Username and signed certificate

I'm pretty new to WS, and especially the security piece, but I'm using
rampart 1.4 using policy files to try to function as a client to an existing
(external to my company) web service.

I know that I need to send both a usernameToken and sign the header with a
certificate.  I've been able to do EITHER, but so far haven't been able to
do both.

I've tried it about 20 different ways, but my most recent attempt is:


<wsp:Policy wsu:Id="SigAndUName"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
	<wsp:All>
		<sp:AsymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
			<wsp:Policy>
				<sp:InitiatorToken>
					<wsp:Policy>
						<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
							<wsp:Policy>
								<sp:WssX509V3Token10/>
							</wsp:Policy>
						</sp:X509Token>
					</wsp:Policy>
				</sp:InitiatorToken>
				<sp:RecipientToken>
					<wsp:Policy>
						<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
							<wsp:Policy>
								<sp:WssX509V3Token10/>
							</wsp:Policy>
						</sp:X509Token>
					</wsp:Policy>
				</sp:RecipientToken>
				<sp:AlgorithmSuite>
					<wsp:Policy>
						<sp:Basic128Rsa15/>
					</wsp:Policy>
				</sp:AlgorithmSuite>
				<sp:Layout>
					<wsp:Policy>
						<sp:Lax/>
					</wsp:Policy>
				</sp:Layout>
				<sp:OnlySignEntireHeadersAndBody/>
				<sp:SupportingTokens>
					<wsp:Policy>
						<sp:UsernameToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"
/>
					</wsp:Policy>
				</sp:SupportingTokens>
			</wsp:Policy>
		</sp:AsymmetricBinding>


		<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
			<wsp:Policy>
				<sp:MustSupportRefKeyIdentifier />
				<sp:MustSupportRefIssuerSerial />
			</wsp:Policy>
		</sp:Wss10>


		<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
			<sp:Body/>
		</sp:SignedParts>

		<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
			<ramp:user>user</ramp:user>
			<ramp:encryptionUser>user</ramp:encryptionUser>
		
<ramp:passwordCallbackClass>com.xo.vzn_asr.business.util.PWCBHandler</ramp:passwordCallbackClass>

			<ramp:signatureCrypto>
				<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
					<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
					<ramp:property
name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
					<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.alias">user</ramp:property>
					<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">keypassword</ramp:property>
				</ramp:crypto>
			</ramp:signatureCrypto>
		</ramp:RampartConfig>

	</wsp:All>
</wsp:Policy>



I expect the final header output to be something like:
<SOAP-ENV:Header>
	<wsse:Security>
		<wsse:UsernameToken>
			<wsse:Username>XXX</wsse:Username>
		</wsse:UsernameToken>
		<wsse:BinarySecurityToken>binaryTokenHere</wsse:BinarySecurityToken>
		<ds:Signature>
			<ds:SignedInfo>
				<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
				<ds:Reference>
					<ds:Transforms>
						<ds:Transform/>
					</ds:Transforms>
					<ds:DigestMethod/>
					<ds:DigestValue>...</ds:DigestValue>
				</ds:Reference>
				<ds:Reference>
					<ds:Transforms>
						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					</ds:Transforms>
					<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
					<ds:DigestValue>...</ds:DigestValue>
				</ds:Reference>
			</ds:SignedInfo>
			<ds:SignatureValue>...</ds:SignatureValue>
			<ds:KeyInfo>
				<wsse:SecurityTokenReference>
					<wsse:Reference/>
				</wsse:SecurityTokenReference>
			</ds:KeyInfo>
		</ds:Signature>
	</wsse:Security>
</SOAP-ENV:Header>


I'm fairly sure I've just got the policy file slightly off.  Any
suggestions?  Thanks for any reply.
-- 
View this message in context: http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19843845.html
Sent from the Axis - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


RE: Rampart Username and signed certificate

Posted by Martin Gainty <mg...@hotmail.com>.
take a look at Rampart configuration parameters available at
http://ws.apache.org/rampart/rampartconfig-guide.html
specifically these 2 attributes need to be specified

user           The user's name          Set username of UsernameToken to be used
               <user>bob</user>
userCertAlias  The user's cert alias    Set alias of the key to be used to sign
               <userCertAlias>bob</userCertAlias>

//then create the java keystores

         * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
           later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
         * Execute:
             %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
             $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA  (Unix)
           with a password value of "changeit" for both the certificate and
           the keystore itself.
          keytool -certreq     [-v] [-protected]
             [-alias <alias>] [-sigalg <sigalg>]
             [-file <csr_file>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providerName <name>]
             [-providerClass <provider_class_name> [-providerArg <arg>]] ...
(you'll want to specify the csr_file)

this is a sample Receiver defined in axis2.xml; notice the keystore filename and the keypassword
which you specified above
        <parameter name="keystore" locked="false">
            <KeyStore>
                <Location>identity.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
                <KeyPassword>password</KeyPassword>
            </KeyStore>
        </parameter>
        <parameter name="truststore" locked="false">
            <TrustStore>
                <Location>trust.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
            </TrustStore>
        </parameter>

HTH
Martin 


> Date: Tue, 7 Oct 2008 06:48:56 +0530
> From: samisa.abeysinghe@gmail.com
> To: axis-user@ws.apache.org
> Subject: Re: Rampart Username and signed certificate
> 
> What is the exception that you get?
> 
> Samisa...
> 
> RonnieMJ wrote:
> > [...]
> >   
> 
> 
> -- 
> Samisa Abeysinghe
> 
> http://people.apache.org/~samisa/
> 
> 
> 


Re: Rampart Username and signed certificate

Posted by Samisa Abeysinghe <sa...@gmail.com>.
1. What is your server side?
2. Did you author this policy, or did you get it from the service?
3. What is the fault that you get?

Thanks,
Samisa...

RonnieMJ wrote:
> I don't actually get an exception (well I do get a soap fault for not having
> all of the right headers from their server).
>
> The message usually gets sent out simply without the username token.  If I
> DO get the username token to go, it's as a signedsupportingtoken (which is
> not what they want).
>
>
>
> Samisa Abeysinghe-2 wrote:
>   
>> What is the exception that you get?
>>
>> Samisa...
>>
>> RonnieMJ wrote:
>>     
>>> [...]
>>>       
>> -- 
>> Samisa Abeysinghe
>>
>> http://people.apache.org/~samisa/
>>
>>
>>
>>
>>
>>     
>
>   


-- 
Samisa Abeysinghe

http://people.apache.org/~samisa/




Re: Rampart Username and signed certificate

Posted by RonnieMJ <ro...@hotmail.com>.
Thanks Nandana,

No the most recent message wasn't accepted (ASSUMEDLY due to the username
token being encrypted).  I'll check with the other side (other company) to
see if they have more detail as to why it wasn't accepted.



Nunny wrote:
> 
> Hi,
> 
> I've tried it with SignedSupportingTokens (or even just SupportingTokens)
>> below the binding (as a top level) a few times.  It ends up making the
>> token
>> still embedded and encrypted (not a plain old Username token).
> 
> 
> Yes, when a username token is used as supporting token with symmetric
> binding or an asymmetric binding it is encrypted due to security
> considerations. You can't control this using policy. If we want to control
> this we might need to introduce a custom flag into Rampart configuration.
> 
>  Using just
>> "SupportingTokens" (without the Signed) removes it entirely.
> 
> 
> This should be a bug if it removes it completely. Please create a JIRA for
> this under Apache Rampart [1].
> 
> 
>> Here's my most recent message:
> 
> 
> Was this most recent message a successful one? In that message, it seems
> the Username Token is encrypted.
> 
> thanks,
> nandana
> 
> [1] - http://issues.apache.org/jira/browse/Rampart
> 
> 
> 
>> On Tue, Oct 7, 2008 at 9:34 AM, keith chapman
>> <ke...@gmail.com>wrote:
>>
>> >
>> >
>> > On Tue, Oct 7, 2008 at 8:50 AM, Samisa Abeysinghe <
>> > samisa.abeysinghe@gmail.com> wrote:
>> >
>> >> Nandana Mihindukulasooriya wrote:
>> >>
>> >>> Hi Ronnie,
>> >>>       Please change the policy as given below.
>> >>>
>> >>
>> >> But should not this policy come from the service?
>> >
>> > Ideally yes. ;)
>> >
>>
>> I just assumed that the service doesn't have a policy and security
>> requirements are published out of band.
>>
>> " I know that I need to send both a usernameToken and sign the header
>> with
>> a
>> certificate. I'm fairly sure I've just got the policy file slightly off.
>>  Any suggestions ? "
>>
>> But if the WSDL publishes the security requirements via policy, there is
>> no
>> need for us to manually create policies and attach them. If you are using
>> the Axis2 code generator, it will do this for you. Please take a look at
>> this tutorial [1].
>>
>> thanks,
>> nandana
>>
>> [1] - http://wso2.org/library/3415
>>
>> Samisa...
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19859682.html
>> Sent from the Axis - User mailing list archive at Nabble.com.
>>
>>
>>
>>
> 
> 
> -- 
> Nandana Mihindukulasooriya
> WSO2 inc.
> 
> http://nandana83.blogspot.com/
> http://www.wso2.org
> 
> 

-- 
View this message in context: http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19872561.html
Sent from the Axis - User mailing list archive at Nabble.com.




Re: Rampart Username and signed certificate

Posted by RonnieMJ <ro...@hotmail.com>.
I finally figured it out.  I needed to use TransportBinding with an Endorsing
Supporting token of an X509 certificate and a SignedSupportingToken of the
username.  I didn't realize that it didn't need Asymmetric binding.



RonnieMJ wrote:
> 
> [...]
>  http://www.nabble.com/file/p19885833/testWPassword.xml testWPassword.xml 
> 

-- 
View this message in context: http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19908163.html
Sent from the Axis - User mailing list archive at Nabble.com.




Re: Rampart Username and signed certificate

Posted by RonnieMJ <ro...@hotmail.com>.
Ok the vendor has gotten back to me indicating that they don't see the
password.  Funny, I don't quite see it either.  I've tried setting
passwordType, but it doesn't seem to do it (although it's deprecated on 1.4,
which I'm using).  

I do see this in my own logs:

2008-10-08 14:09:47,014 [Timer-0   ] DEBUG EnvelopeIdResolver         -
enter engineResolve, look for: #UsernameToken-30587319
2008-10-08 14:09:47,015 [Timer-0   ] DEBUG StAXUtils                  -
XMLStreamWriter is com.sun.xml.internal.stream.writers.XMLStreamWriterImpl
2008-10-08 14:09:47,019 [Timer-0   ] DEBUG EnvelopeIdResolver         - exit
engineResolve, result: XMLSignatureInput/Element/<wsse:UsernameToken
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="UsernameToken-30587319">
	<wsse:Username>userNameWasHere</wsse:Username>
	<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">passwordWasHere</wsse:Password>
</wsse:UsernameToken> exclude null comments:false/null
2008-10-08 14:09:47,020 [Timer-0   ] DEBUG ElementProxy               -
setElement("ds:Transform", "null")


But I don't see anything like that in the message.  The username is
encrypted (guessing)?
IF the digestValue is the username:
<ds:Reference URI="#UsernameToken-30587319">
						<ds:Transforms>
							<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
						</ds:Transforms>
						<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
						<ds:DigestValue>T2XSh+9LCbwfDzbPzw=</ds:DigestValue>
					</ds:Reference>

I don't see the password...





RonnieMJ wrote:
> 
> It worked with SignedSupportingTokens or just SupportingTokens?  Mine
> works fine with SignedSupportingTokens, our end service just won't take
> it.
> 
> 
> 
> Mary Thompson wrote:
>> 
>> Nandana,
>>    Your example works correctly in my tomcat/axis environment. Now I 
>> just have to figure out why mine doesn't.  Maybe  there is something 
>> missing in our service skeleton class.
>> 
>> Mary
>> 
>> Nandana Mihindukulasooriya wrote:
>>> Hi,
>>> 
>>>     I've tried it with SignedSupportingTokens (or even just
>>>     SupportingTokens)
>>>     below the binding (as a top level) a few times.  It ends up making
>>>     the token
>>>     still embedded and encrypted (not a plain old Username token). 
>>> 
>>> 
>>> Yes, when a username token is used as supporting token with symmetric 
>>> binding or an asymmetric binding it is encrypted due to security 
>>> considerations. You can't control this using policy. If we want to 
>>> control this we might need to introduce a custom flag into Rampart 
>>> configuration.
>>> 
>>>      Using just
>>>     "SupportingTokens" (without the Signed) removes it entirely. 
>>> 
>>> 
>>> This should be a bug if it removes it completely. Please create a JIRA 
>>> for this under Apache Rampart [1]. 
>>>  
>>> 
>>>     Here's my most recent message:
>>> 
>>> 
>>> Was this most recent message a successful one? In that message, it 
>>> seems the Username Token is encrypted.
>>> 
>>> thanks,
>>> nandana
>>> 
>>> [1] - http://issues.apache.org/jira/browse/Rampart
>>> 
>>>  
>>> 
>>>     On Tue, Oct 7, 2008 at 9:34 AM, keith chapman
>>>     <keithgchapman@gmail.com <ma...@gmail.com>>wrote:
>>> 
>>>      >
>>>      >
>>>      > On Tue, Oct 7, 2008 at 8:50 AM, Samisa Abeysinghe <
>>>      > samisa.abeysinghe@gmail.com <ma...@gmail.com>>
>>>     wrote:
>>>      >
>>>      >> Nandana Mihindukulasooriya wrote:
>>>      >>
>>>      >>> Hi Ronnie,
>>>      >>>       Please change the policy as given below.
>>>      >>>
>>>      >>
>>>      >> But should not this policy come from the service?
>>>      >
>>>      > Ideally yes. ;)
>>>      >
>>> 
>>>     I just assumed that the service doesn't have a policy and security
>>>     requirements are published out of band.
>>> 
>>>     " I know that I need to send both a usernameToken and sign the
>>>     header with a
>>>     certificate. I'm fairly sure I've just got the policy file slightly
>>> off.
>>>      Any suggestions ? "
>>> 
>>>     But if the WSDL publishes the security requirements via policy,
>>>     there is no
>>>     need for us to manually create policies and attach them. If you are
>>>     using
>>>     the Axis2 code generator, it will do this for you. Please take a
>>> look at
>>>     this tutorial [1].
>>> 
>>>     thanks,
>>>     nandana
>>> 
>>>     [1] - http://wso2.org/library/3415
>>> 
>>>     Samisa...
>>> 
>>>     --
>>>     View this message in context:
>>>    
>>> http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19859682.html
>>>     Sent from the Axis - User mailing list archive at Nabble.com.
>>> 
>>> 
>>>    
>>> ---------------------------------------------------------------------
>>>     To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
>>>     <ma...@ws.apache.org>
>>>     For additional commands, e-mail: axis-user-help@ws.apache.org
>>>     <ma...@ws.apache.org>
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Nandana Mihindukulasooriya  
>>> WSO2 inc.
>>> 
>>> http://nandana83.blogspot.com/
>>> http://www.wso2.org
>> 
>> 
>> 
>> 
>> 
> 
> 
http://www.nabble.com/file/p19885833/testWPassword.xml testWPassword.xml 
-- 
View this message in context: http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19885833.html
Sent from the Axis - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: Rampart Username and signed certificate

Posted by RonnieMJ <ro...@hotmail.com>.
It worked with SignedSupportingTokens or just SupportingTokens?  Mine works
fine with SignedSupportingTokens, our end service just won't take it.



Mary Thompson wrote:
> 
> Nandana,
>    Your example works correctly in my tomcat/axis environment. Now I 
> just have to figure out why mine doesn't.  Maybe  there is something 
> missing in our service skeleton class.
> 
> Mary
> 
> Nandana Mihindukulasooriya wrote:
>> Hi,
>> 
>>     I've tried it with SignedSupportingTokens (or even just
>>     SupportingTokens)
>>     below the binding (as a top level) a few times.  It ends up making
>>     the token
>>     still embedded and encrypted (not a plain old Username token). 
>> 
>> 
>> Yes, when a username token is used as supporting token with symmetric 
>> binding or an asymmetric binding it is encrypted due to security
>> considerations. You can't control this using policy. If we want to
>> control this we might need to introduce a custom flag into Rampart
>> configuration.
>> 
>>      Using just
>>     "SupportingTokens" (without the Signed) removes it entirely. 
>> 
>> 
>> This should be a bug if it removes it completely. Please create a JIRA 
>> for this under Apache Rampart [1]. 
>>  
>> 
>>     Here's my most recent message:
>> 
>> 
>> Was this most recent message a successful one ? In that message, it 
>> seems the Username Token is encrypted.
>> 
>> thanks,
>> nandana
>> 
>> [1] - http://issues.apache.org/jira/browse/Rampart
>> 
>>  
>> 
>>     On Tue, Oct 7, 2008 at 9:34 AM, keith chapman
>>     <keithgchapman@gmail.com <ma...@gmail.com>>wrote:
>> 
>>      >
>>      >
>>      > On Tue, Oct 7, 2008 at 8:50 AM, Samisa Abeysinghe <
>>      > samisa.abeysinghe@gmail.com <ma...@gmail.com>>
>>     wrote:
>>      >
>>      >> Nandana Mihindukulasooriya wrote:
>>      >>
>>      >>> Hi Ronnie,
>>      >>>       Please change the policy as given below.
>>      >>>
>>      >>
>>      >> But should not this policy come from the service?
>>      >
>>      > Ideally yes. ;)
>>      >
>> 
>>     I just assumed that the service doesn't have a policy and security
>>     requirements are published out of band.
>> 
>>     " I know that I need to send both a usernameToken and sign the
>>     header with a
>>     certificate. I'm fairly sure I've just got the policy file slightly
>> off.
>>      Any suggestions ? "
>> 
>>     But if the WSDL publishes the security requirements via policy,
>>     there is no
>>     need for us to manually create policies and attach them. If you are
>>     using
>>     the Axis2 code generator, it will do this for you. Please take a look
>> at
>>     this tutorial [1].
>> 
>>     thanks,
>>     nandana
>> 
>>     [1] - http://wso2.org/library/3415
>> 
>>     Samisa...
>> 
>>     --
>>     View this message in context:
>>    
>> http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19859682.html
>>     Sent from the Axis - User mailing list archive at Nabble.com.
>> 
>> 
>> 
>> 
>> 
>> 
>> -- 
>> Nandana Mihindukulasooriya  
>> WSO2 inc.
>> 
>> http://nandana83.blogspot.com/
>> http://www.wso2.org
> 
> 
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19879575.html
Sent from the Axis - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: Rampart Username and signed certificate

Posted by Mary Thompson <mr...@lbl.gov>.
Nandana,
   Your example works correctly in my tomcat/axis environment. Now I 
just have to figure out why mine doesn't.  Maybe  there is something 
missing in our service skeleton class.

Mary

Nandana Mihindukulasooriya wrote:
> Hi,
> 
>     I've tried it with SignedSupportingTokens (or even just
>     SupportingTokens)
>     below the binding (as a top level) a few times.  It ends up making
>     the token
>     still embedded and encrypted (not a plain old Username token). 
> 
> 
> Yes, when a username token is used as supporting token with symmetric 
> binding or an asymmetric binding it is encrypted due to security
> considerations. You can't control this using policy. If we want to
> control this we might need to introduce a custom flag into Rampart
> configuration.
> 
>      Using just
>     "SupportingTokens" (without the Signed) removes it entirely. 
> 
> 
> This should be a bug if it removes it completely. Please create a JIRA 
> for this under Apache Rampart [1]. 
>  
> 
>     Here's my most recent message:
> 
> 
> Was this most recent message a successful one ? In that message, it 
> seems the Username Token is encrypted.
> 
> thanks,
> nandana
> 
> [1] - http://issues.apache.org/jira/browse/Rampart
> 
>  
> 
>     On Tue, Oct 7, 2008 at 9:34 AM, keith chapman
>     <keithgchapman@gmail.com <ma...@gmail.com>>wrote:
> 
>      >
>      >
>      > On Tue, Oct 7, 2008 at 8:50 AM, Samisa Abeysinghe <
>      > samisa.abeysinghe@gmail.com <ma...@gmail.com>>
>     wrote:
>      >
>      >> Nandana Mihindukulasooriya wrote:
>      >>
>      >>> Hi Ronnie,
>      >>>       Please change the policy as given below.
>      >>>
>      >>
>      >> But should not this policy come from the service?
>      >
>      > Ideally yes. ;)
>      >
> 
>     I just assumed that the service doesn't have a policy and security
>     requirements are published out of band.
> 
>     " I know that I need to send both a usernameToken and sign the
>     header with a
>     certificate. I'm fairly sure I've just got the policy file slightly off.
>      Any suggestions ? "
> 
>     But if the WSDL publishes the security requirements via policy,
>     there is no
>     need for us to manually create policies and attach them. If you are
>     using
>     the Axis2 code generator, it will do this for you. Please take a look at
>     this tutorial [1].
> 
>     thanks,
>     nandana
> 
>     [1] - http://wso2.org/library/3415
> 
>     Samisa...
> 
>     --
>     View this message in context:
>     http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19859682.html
>     Sent from the Axis - User mailing list archive at Nabble.com.
> 
> 
> 
> 
> 
> 
> -- 
> Nandana Mihindukulasooriya  
> WSO2 inc.
> 
> http://nandana83.blogspot.com/
> http://www.wso2.org


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: Rampart Username and signed certificate

Posted by RonnieMJ <ro...@hotmail.com>.
Shouldn't the password be viewable?  I put it in as passwordText (although
I'm not sure this should work with 1.4), but it doesn't show.  I'm guessing
the digest value is the username (encrypted).  See other post for full XML.



Nunny wrote:
> 
> Hi,
> 
> I've tried it with SignedSupportingTokens (or even just SupportingTokens)
>> below the binding (as a top level) a few times.  It ends up making the
>> token
>> still embedded and encrypted (not a plain old Username token).
> 
> 
> Yes, when a username token is used as supporting token with symmetric
> binding or an asymmetric binding it is encrypted due to security
> considerations. You can't control this using policy. If we want to control
> this we might need to introduce a custom flag into Rampart configuration.
> 
>  Using just
>> "SupportingTokens" (without the Signed) removes it entirely.
> 
> 
> This should be a bug if it removes it completely. Please create a JIRA for
> this under Apache Rampart [1].
> 
> 
>> Here's my most recent message:
> 
> 
> Was this most recent message a successful one ? In that message, it seems
> the Username Token is encrypted.
> 
> thanks,
> nandana
> 
> [1] - http://issues.apache.org/jira/browse/Rampart
> 
> 
> 
>> On Tue, Oct 7, 2008 at 9:34 AM, keith chapman
>> <ke...@gmail.com>wrote:
>>
>> >
>> >
>> > On Tue, Oct 7, 2008 at 8:50 AM, Samisa Abeysinghe <
>> > samisa.abeysinghe@gmail.com> wrote:
>> >
>> >> Nandana Mihindukulasooriya wrote:
>> >>
>> >>> Hi Ronnie,
>> >>>       Please change the policy as given below.
>> >>>
>> >>
>> >> But should not this policy come from the service?
>> >
>> > Ideally yes. ;)
>> >
>>
>> I just assumed that the service doesn't have a policy and security
>> requirements are published out of band.
>>
>> " I know that I need to send both a usernameToken and sign the header
>> with
>> a
>> certificate. I'm fairly sure I've just got the policy file slightly off.
>>  Any suggestions ? "
>>
>> But if the WSDL publishes the security requirements via policy, there is
>> no
>> need for us to manually create policies and attach them. If you are using
>> the Axis2 code generator, it will do this for you. Please take a look at
>> this tutorial [1].
>>
>> thanks,
>> nandana
>>
>> [1] - http://wso2.org/library/3415
>>
>> Samisa...
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19859682.html
>> Sent from the Axis - User mailing list archive at Nabble.com.
>>
>>
>>
>>
> 
> 
> -- 
> Nandana Mihindukulasooriya
> WSO2 inc.
> 
> http://nandana83.blogspot.com/
> http://www.wso2.org
> 
> 

-- 
View this message in context: http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19899774.html
Sent from the Axis - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org
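
The two questions raised in this post and in the one above (whether the password should be visible, and whether ds:DigestValue carries the username) come down to what the WS-Security UsernameToken Profile 1.0 actually puts on the wire. The following Python is an added example, not code from this thread, from Rampart or from Axis2: it builds a token in both profile forms (PasswordText, where the password is the literal element text, and PasswordDigest, where only Base64(SHA-1(nonce + created + password)) is sent) and shows the receiver-side check for each. The username, password, nonce and timestamp are constructed sample values. A ds:DigestValue inside a ds:Reference is a different thing altogether: it is the SHA-1 of the canonicalised referenced element, computed for the signature, and never a transformed username.

```python
"""
UsernameToken Profile 1.0 tokens: where the password is visible on the wire.

Added example, not code from this thread, from Rampart or from Axis2.
The element layout and the digest formula follow the OASIS WS-Security
UsernameToken Profile 1.0; the username, password, nonce and timestamp
used below are constructed sample values.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"
PASSWORD_DIGEST = UTP + "#PasswordDigest"
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")

ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile 1.0 digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username, password, digest=False, nonce=None,
                         created=None, token_id="UsernameToken-1"):
    """Return a wsse:UsernameToken element.

    digest=False -> PasswordText: the password itself is the element text.
    digest=True  -> PasswordDigest: only SHA-1(nonce+created+password) is sent,
                    together with the Nonce and Created needed to recompute it.
    """
    tok = ET.Element(f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": token_id})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    if not digest:
        pw.set("Type", PASSWORD_TEXT)
        pw.text = password          # cleartext: relies on TLS or message encryption
        return tok
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pw.set("Type", PASSWORD_DIGEST)
    pw.text = password_digest(nonce, created, password)
    nonce_el = ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": BASE64_BINARY})
    nonce_el.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return tok


def to_xml(tok) -> str:
    return ET.tostring(tok, encoding="unicode")


def verify_username_token(xml_text: str, password_lookup) -> bool:
    """Receiver-side check. password_lookup(username) returns the stored
    cleartext password or None; a digest token can only be verified against a
    cleartext credential. Nonce replay and Created freshness checks, which a
    real receiver also needs, are left out of this example."""
    tok = ET.fromstring(xml_text)
    username = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    expected = password_lookup(username)
    if expected is None or pw is None:
        return False
    ptype = pw.get("Type", PASSWORD_TEXT)      # the profile's default is PasswordText
    if ptype == PASSWORD_TEXT:
        return hmac.compare_digest((pw.text or "").encode(), expected.encode())
    if ptype == PASSWORD_DIGEST:
        nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce") or "")
        created = tok.findtext(f"{{{WSU}}}Created") or ""
        return hmac.compare_digest((pw.text or "").encode(),
                                   password_digest(nonce, created, expected).encode())
    return False


if __name__ == "__main__":
    creds = {"alice": "s3cret"}
    for use_digest in (False, True):
        token_xml = to_xml(build_username_token("alice", "s3cret", digest=use_digest))
        print(token_xml)
        print("verifies:", verify_username_token(token_xml, creds.get))
```

Run as a script it prints both token forms; in the PasswordText form the literal "s3cret" is visible in the output, in the PasswordDigest form it is not, yet both verify against the stored credential.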


Re: Rampart Username and signed certificate

Posted by RonnieMJ <ro...@hotmail.com>.
Nandana,

I don't think I processed your message fully last night.  You're saying that
it shouldn't matter if you say "SignedSupportingTokens" or
"SupportingTokens" if we're using symmetric or asymmetric binding because it
SHOULD encrypt both?

That would mean that I don't really have the capability to create the
attached header (which is my goal)?



Nunny wrote:
> 
> Hi,
> 
> I've tried it with SignedSupportingTokens (or even just SupportingTokens)
>> below the binding (as a top level) a few times.  It ends up making the
>> token
>> still embedded and encrypted (not a plain old Username token).
> 
> 
> Yes, when a username token is used as supporting token with symmetric
> binding or an asymmetric binding it is encrypted due to security
> considerations. You can't control this using policy. If we want to control
> this we might need to introduce a custom flag into Rampart configuration.
> 
>  Using just
>> "SupportingTokens" (without the Signed) removes it entirely.
> 
> 
> This should be a bug if it removes it completely. Please create a JIRA for
> this under Apache Rampart [1].
> 
> 
>> Here's my most recent message:
> 
> 
> Was this most recent message a successful one ? In that message, it seems
> the Username Token is encrypted.
> 
> thanks,
> nandana
> 
> [1] - http://issues.apache.org/jira/browse/Rampart
> 
> 
> 
>> On Tue, Oct 7, 2008 at 9:34 AM, keith chapman
>> <ke...@gmail.com>wrote:
>>
>> >
>> >
>> > On Tue, Oct 7, 2008 at 8:50 AM, Samisa Abeysinghe <
>> > samisa.abeysinghe@gmail.com> wrote:
>> >
>> >> Nandana Mihindukulasooriya wrote:
>> >>
>> >>> Hi Ronnie,
>> >>>       Please change the policy as given below.
>> >>>
>> >>
>> >> But should not this policy come from the service?
>> >
>> > Ideally yes. ;)
>> >
>>
>> I just assumed that the service doesn't have a policy and security
>> requirements are published out of band.
>>
>> " I know that I need to send both a usernameToken and sign the header
>> with
>> a
>> certificate. I'm fairly sure I've just got the policy file slightly off.
>>  Any suggestions ? "
>>
>> But if the WSDL publishes the security requirements via policy, there is
>> no
>> need for us to manually create policies and attach them. If you are using
>> the Axis2 code generator, it will do this for you. Please take a look at
>> this tutorial [1].
>>
>> thanks,
>> nandana
>>
>> [1] - http://wso2.org/library/3415
>>
>> Samisa...
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19859682.html
>> Sent from the Axis - User mailing list archive at Nabble.com.
>>
>>
>>
>>
> 
> 
> -- 
> Nandana Mihindukulasooriya
> WSO2 inc.
> 
> http://nandana83.blogspot.com/
> http://www.wso2.org
> 
> 
http://www.nabble.com/file/p19879853/exampleHeader.xml exampleHeader.xml 
-- 
View this message in context: http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19879853.html
Sent from the Axis - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: Rampart Username and signed certificate

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi,

I've tried it with SignedSupportingTokens (or even just SupportingTokens)
> below the binding (as a top level) a few times.  It ends up making the
> token
> still embedded and encrypted (not a plain old Username token).


Yes, when a username token is used as supporting token with symmetric
binding or an asymmetric binding it is encrypted due to security
considerations. You can't control this using policy. If we want to control
this we might need to introduce a custom flag into Rampart configuration.

 Using just
> "SupportingTokens" (without the Signed) removes it entirely.


This should be a bug if it removes it completely. Please create a JIRA for
this under Apache Rampart [1].


> Here's my most recent message:


Was this most recent message a successful one ? In that message, it seems
the Username Token is encrypted.

thanks,
nandana

[1] - http://issues.apache.org/jira/browse/Rampart



> On Tue, Oct 7, 2008 at 9:34 AM, keith chapman
> <ke...@gmail.com>wrote:
>
> >
> >
> > On Tue, Oct 7, 2008 at 8:50 AM, Samisa Abeysinghe <
> > samisa.abeysinghe@gmail.com> wrote:
> >
> >> Nandana Mihindukulasooriya wrote:
> >>
> >>> Hi Ronnie,
> >>>       Please change the policy as given below.
> >>>
> >>
> >> But should not this policy come from the service?
> >
> > Ideally yes. ;)
> >
>
> I just assumed that the service doesn't have a policy and security
> requirements are published out of band.
>
> " I know that I need to send both a usernameToken and sign the header with
> a
> certificate. I'm fairly sure I've just got the policy file slightly off.
>  Any suggestions ? "
>
> But if the WSDL publishes the security requirements via policy, there is no
> need for us to manually create policies and attach them. If you are using
> the Axis2 code generator, it will do this for you. Please take a look at
> this tutorial [1].
>
> thanks,
> nandana
>
> [1] - http://wso2.org/library/3415
>
> Samisa...
>
> --
> View this message in context:
> http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19859682.html
> Sent from the Axis - User mailing list archive at Nabble.com.
>
>
>
>


-- 
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/
http://www.wso2.org

Re: Rampart Username and signed certificate

Posted by RonnieMJ <ro...@hotmail.com>.
Unfortunately the WSDL does not have ANY security considerations in it.  I
don't have control over that WSDL either.  

I've tried it with SignedSupportingTokens (or even just SupportingTokens)
below the binding (as a top level) a few times.  It ends up making the token
still embedded and encrypted (not a plain old Username token).  Using just
"SupportingTokens" (without the Signed) removes it entirely.  I'm trying to
just put Usernametoken as the original example.  The error I receive from
them is:
<soap:Fault><faultcode>soap:Server.75612</faultcode><faultstring>An error
has occurred authenticating based on Credentials</faultstring></soap:Fault>

I am flying a little blind in that the WSDL doesn't indicate what should be
there security-wise, but I do have some examples to guide me (examples that
were sent to the service that were successful).
Here's my most recent message:


<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
	<soapenv:Header>
		<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
			<xenc:EncryptedKey
Id="EncKeyId-urn:uuid:747FA3881E25F93A8112233899930882">
				<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"></xenc:EncryptionMethod>
				<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
					<wsse:SecurityTokenReference>
						<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">7WzTz2ucSMRogbHUMQuxv7uOMHU=</wsse:KeyIdentifier>
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
				<xenc:CipherData>
				
<xenc:CipherValue>qRTX199B2f/nYZH072qnHpbNk9CaELavKRFIEC08FeJPBHMxT4MP8TUuBOF07GAbSCmV+x7R3fKKrXFlzsFogEkHMMN5MGIHm703TqgE01N6qXBkNCOgW66lll5lXIOjailqYcA4X+o9dKUL4GbazpXMSZ001zHMcZzDMYtxf/g=</xenc:CipherValue>
				</xenc:CipherData>
				<xenc:ReferenceList>
					<xenc:DataReference URI="#EncDataId-32644176"></xenc:DataReference>
				</xenc:ReferenceList>
			</xenc:EncryptedKey>
			<xenc:EncryptedData Id="EncDataId-32644176"
Type="http://www.w3.org/2001/04/xmlenc#Element">
				<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
				<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
					<wsse:SecurityTokenReference>
						<wsse:Reference
URI="#EncKeyId-urn:uuid:747FA3881E25F93A8112233899930882"></wsse:Reference>
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
				<xenc:CipherData>
				
<xenc:CipherValue>bhhmBf6B2eYvFKBWJWB6MtSo5IKw9z6KwDPV4XKU6UCchMBkNFlWJcSRK+I/h2MhTlLHRpK4cUII
					R8DxFshi</xenc:CipherValue>
				</xenc:CipherData>
			</xenc:EncryptedData>
			<wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-18314596">MIIERDCCAm1jXj9w==</wsse:BinarySecurityToken>
			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="Signature-30702379">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
					<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
					<ds:Reference URI="#Id-4519815">
						<ds:Transforms>
							<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
						</ds:Transforms>
						<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
						<ds:DigestValue>jwNsqR/y1GbSLbp/B8a9GCXLVLw=</ds:DigestValue>
					</ds:Reference>
					<ds:Reference URI="#UsernameToken-27184512">
						<ds:Transforms>
							<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
						</ds:Transforms>
						<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
						<ds:DigestValue>NyG+Wk5lnuvnO23ZYsfWeJFZWCY=</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>
				
ZJj1RorLDpEmZ8CHi8xaAuyt3XEo16ZZmUkylPJS4rWA71WpFPenuzfr+KfIFTW0Nlnwlo3lQh31
					pzYDi4ydyVXJAt24c6s=
				</ds:SignatureValue>
				<ds:KeyInfo Id="KeyId-25849454">
					<wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-3841429">
						<wsse:Reference URI="#CertId-18314596"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
			</ds:Signature>
		</wsse:Security>
	</soapenv:Header>
	<soapenv:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-4519815">
	</soapenv:Body>
</soapenv:Envelope>




On Tue, Oct 7, 2008 at 9:34 AM, keith chapman
<ke...@gmail.com>wrote:

>
>
> On Tue, Oct 7, 2008 at 8:50 AM, Samisa Abeysinghe <
> samisa.abeysinghe@gmail.com> wrote:
>
>> Nandana Mihindukulasooriya wrote:
>>
>>> Hi Ronnie,
>>>       Please change the policy as given below.
>>>
>>
>> But should not this policy come from the service?
>
> Ideally yes. ;)
>

I just assumed that the service doesn't have a policy and security
requirements are published out of band.

" I know that I need to send both a usernameToken and sign the header with a
certificate. I'm fairly sure I've just got the policy file slightly off.
 Any suggestions ? "

But if the WSDL publishes the security requirements via policy, there is no
need for us to manually create policies and attach them. If you are using
the Axis2 code generator, it will do this for you. Please take a look at
this tutorial [1].

thanks,
nandana

[1] - http://wso2.org/library/3415

Samisa...

-- 
View this message in context: http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19859682.html
Sent from the Axis - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org
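
To see in the message above exactly what Nandana describes (a UsernameToken used as a supporting token under an asymmetric binding leaves Rampart 1.4 encrypted), here is an added example, not code from this thread, from Rampart or from Axis2: a small Python inspector for a wsse:Security header. SAMPLE_ENVELOPE is abbreviated from the posted message (cipher text, certificate and signature value truncated, ds:Transforms dropped, every Id kept). The inspector resolves each ds:Reference URI against the wsu:Id and Id attributes visible in clear; a signed URI that does not resolve while an xenc:EncryptedData element is present is the token that was signed first and encrypted afterwards, which is why the UsernameToken and its password do not appear anywhere in plain text. It also reports a UsernameToken that is sent in clear, which goes beyond this particular message.

```python
"""
Inspect a wsse:Security header: what is encrypted, what is signed, and
whether each signed reference resolves to an element visible in clear.

Added example, not code from this thread, from Rampart or from Axis2.
SAMPLE_ENVELOPE is abbreviated from the message posted in the thread
(cipher text, certificate and signature value truncated; Ids kept).
"""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

SAMPLE_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        soapenv:mustUnderstand="1">
      <xenc:EncryptedKey Id="EncKeyId-urn:uuid:747FA3881E25F93A8112233899930882">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <xenc:CipherData><xenc:CipherValue>qRTX199B2f...(truncated)</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#EncDataId-32644176"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
      <xenc:EncryptedData Id="EncDataId-32644176" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <xenc:CipherData><xenc:CipherValue>bhhmBf6B2e...(truncated)</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="CertId-18314596">MIIERDCC...(truncated)</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-30702379">
        <ds:SignedInfo>
          <ds:Reference URI="#Id-4519815"><ds:DigestValue>jwNsqR/y1GbSLbp/B8a9GCXLVLw=</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#UsernameToken-27184512"><ds:DigestValue>NyG+Wk5lnuvnO23ZYsfWeJFZWCY=</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>ZJj1RorL...(truncated)</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="Id-4519815"/>
</soapenv:Envelope>"""


def _visible_ids(root):
    """Map every wsu:Id / Id value that is visible in clear to its element tag."""
    ids = {}
    for el in root.iter():
        for attr in (WSU_ID, "Id"):
            if el.get(attr):
                ids[el.get(attr)] = el.tag
    return ids


def inspect_security_header(envelope_xml: str) -> dict:
    root = ET.fromstring(envelope_xml)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        return {"has_security_header": False}
    ids = _visible_ids(root)
    signed = [r.get("URI", "").lstrip("#")
              for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)]
    ut = sec.find("wsse:UsernameToken", NS)
    pw = ut.find("wsse:Password", NS) if ut is not None else None
    return {
        "has_security_header": True,
        "encrypted_key_algorithms": [m.get("Algorithm") for m in
                                     sec.findall("xenc:EncryptedKey/xenc:EncryptionMethod", NS)],
        "encrypted_key_data_refs": [d.get("URI", "").lstrip("#") for d in
                                    sec.findall("xenc:EncryptedKey/xenc:ReferenceList/xenc:DataReference", NS)],
        "encrypted_data_ids": [e.get("Id") for e in sec.findall("xenc:EncryptedData", NS)],
        "binary_security_tokens": [b.get(WSU_ID) for b in sec.findall("wsse:BinarySecurityToken", NS)],
        "signed_uris": signed,
        "resolved_signed_uris": {u: ids[u] for u in signed if u in ids},
        "unresolved_signed_uris": [u for u in signed if u not in ids],
        "plaintext_username_token": ut is not None,
        "password_type": pw.get("Type") if pw is not None else None,
    }


def diagnose(report: dict) -> list:
    """Turn the report into the findings a reviewer of the message would want."""
    if not report["has_security_header"]:
        return ["no wsse:Security header present"]
    findings = []
    for u in report["unresolved_signed_uris"]:
        if report["encrypted_data_ids"]:
            findings.append(f"signed element #{u} is not visible in clear: it was encrypted after "
                            f"signing and travels inside EncryptedData {report['encrypted_data_ids']}; "
                            "the receiver must decrypt before it can verify the signature")
        else:
            findings.append(f"signed element #{u} is absent: the signature cannot be verified")
    if report["plaintext_username_token"]:
        findings.append(f"UsernameToken is in clear (Password Type={report['password_type']}); "
                        "with PasswordText the credential is readable by anyone who sees the message")
    elif not any(u.startswith("UsernameToken") for u in report["signed_uris"]):
        findings.append("no UsernameToken in this message, in clear or referenced by the signature")
    return findings


if __name__ == "__main__":
    rep = inspect_security_header(SAMPLE_ENVELOPE)
    for key, value in rep.items():
        print(f"{key}: {value}")
    for finding in diagnose(rep):
        print("finding:", finding)
```

On the sample, the Body reference resolves (wsu:Id="Id-4519815" is visible) while "#UsernameToken-27184512" does not, and the EncryptedKey's DataReference points at the one EncryptedData element, which is where that token now lives.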


Re: Rampart Username and signed certificate

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
On Tue, Oct 7, 2008 at 9:34 AM, keith chapman <ke...@gmail.com>wrote:

>
>
> On Tue, Oct 7, 2008 at 8:50 AM, Samisa Abeysinghe <
> samisa.abeysinghe@gmail.com> wrote:
>
>> Nandana Mihindukulasooriya wrote:
>>
>>> Hi Ronnie,
>>>       Please change the policy as given below.
>>>
>>
>> But should not this policy come from the service?
>
> Ideally yes. ;)
>

I just assumed that the service doesn't have a policy and security
requirements are published out of band.

" I know that I need to send both a usernameToken and sign the header with a
certificate. I'm fairly sure I've just got the policy file slightly off.
 Any suggestions ? "

But if the WSDL publishes the security requirements via policy, there is no
need for us to manually create policies and attach them. If you are using
the Axis2 code generator, it will do this for you. Please take a look at
this tutorial [1].

thanks,
nandana

[1] - http://wso2.org/library/3415

Samisa...
>
>>
>>
>>> <wsp:Policy ...>
>>>  <sp:AsymmetricBinding>
>>>   ...
>>>  </sp:AsymmetricBinding>
>>>  <sp:SupportingTokens>
>>>     <wsp:Policy>
>>>        <sp:UsernameToken/>
>>>     </wsp:Policy>
>>>  </sp:SupportingTokens>
>>>  <sp:Wss10  .../>
>>>  <sp:SignedParts .../>
>>>  <ramp:RampartConfig/>
>>> </wsp:Policy>
>>>
>>> Just the structure is shown above. The Supporting token assertion should
>>> be a top-level assertion. In your case, you have it as a nested assertion
>>> within Asymmetric Binding assertion.
>>>
>>> And if your username and private key alias is different, you need to use
>>> both "user" and "userCertAlias" parameters in the RampartConfig as mentioned
>>> by Martin. But if both of them are the same, you can just have the "user"
>>> parameter [1].
>>>
>>> And I don't understand why you have both user and encryptionUser set to
>>> "user".
>>>                       <ramp:user>user</ramp:user>
>>>                       <ramp:encryptionUser>user</ramp:encryptionUser>
>>>
>>> thanks,
>>> nandana
>>>
>>> [1] - http://wso2.org/library/3733
>>>
>>>
>>> On Tue, Oct 7, 2008 at 8:40 AM, RonnieMJ <ronniemjohns@hotmail.com<mailto:
>>> ronniemjohns@hotmail.com>> wrote:
>>>
>>>
>>>    I don't actually get an exception (well I do get a soap fault for
>>>    not having
>>>    all of the right headers from their server).
>>>
>>>    The message usually gets sent out simply without the username
>>>    token.  If I
>>>    DO get the username token to go, it's as a signedsupportingtoken
>>>    (which is
>>>    not what they want).
>>>
>>>
>>>
>>>    Samisa Abeysinghe-2 wrote:
>>>    >
>>>    > What is the exception that you get?
>>>    >
>>>    > Samisa...
>>>    >
>>>    > RonnieMJ wrote:
>>>    >> I'm pretty new to WS, and especially the security piece, but
>>>    I'm using
>>>    >> rampart 1.4 using policy files to try to function as a client to an
>>>    >> existing
>>>    >> (external to my company) web service.
>>>    >>
>>>    >> I know that I need to send both a usernameToken and sign the
>>>    header with
>>>    >> a
>>>    >> certificate.  I've been able to do EITHER, but so far haven't
>>>    been able
>>>    >> to
>>>    >> do both.
>>>    >>
>>>    >> I've tried it about 20 different ways, but my most recent
>>>    attempt is:
>>>    >>
>>>    >>
>>>    >> <wsp:Policy wsu:Id="SigAndUName"
>>>    >>
>>>    xmlns:wsu="
>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>>> "
>>>    >> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>>    >>      <wsp:All>
>>>    >>              <sp:AsymmetricBinding
>>>    >> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>    >>                      <wsp:Policy>
>>>    >>                              <sp:InitiatorToken>
>>>    >>                                      <wsp:Policy>
>>>    >>                                              <sp:X509Token
>>>    >>
>>>    sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
>>> ">
>>>    >>                                                      <wsp:Policy>
>>>    >>
>>> <sp:WssX509V3Token10/>
>>>    >>                                                      </wsp:Policy>
>>>    >>                                              </sp:X509Token>
>>>    >>                                      </wsp:Policy>
>>>    >>                              </sp:InitiatorToken>
>>>    >>                              <sp:RecipientToken>
>>>    >>                                      <wsp:Policy>
>>>    >>                                              <sp:X509Token
>>>    >>
>>>    sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never
>>> ">
>>>    >>                                                      <wsp:Policy>
>>>    >>
>>> <sp:WssX509V3Token10/>
>>>    >>                                                      </wsp:Policy>
>>>    >>                                              </sp:X509Token>
>>>    >>                                      </wsp:Policy>
>>>    >>                              </sp:RecipientToken>
>>>    >>                              <sp:AlgorithmSuite>
>>>    >>                                      <wsp:Policy>
>>>    >>                                              <sp:Basic128Rsa15/>
>>>    >>                                      </wsp:Policy>
>>>    >>                              </sp:AlgorithmSuite>
>>>    >>                              <sp:Layout>
>>>    >>                                      <wsp:Policy>
>>>    >>                                              <sp:Lax/>
>>>    >>                                      </wsp:Policy>
>>>    >>                              </sp:Layout>
>>>    >>                              <sp:OnlySignEntireHeadersAndBody/>
>>>    >>                              <sp:SupportingTokens>
>>>    >>                                      <wsp:Policy>
>>>    >>                                              <sp:UsernameToken
>>>    >> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
>>>    >>                                      </wsp:Policy>
>>>    >>                              </sp:SupportingTokens>
>>>    >>                      </wsp:Policy>
>>>    >>              </sp:AsymmetricBinding>
>>>    >>
>>>    >>
>>>    >>              <sp:Wss10
>>>    >> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>    >>                      <wsp:Policy>
>>>    >>                              <sp:MustSupportRefKeyIdentifier />
>>>    >>                              <sp:MustSupportRefIssuerSerial />
>>>    >>                      </wsp:Policy>
>>>    >>              </sp:Wss10>
>>>    >>
>>>    >>
>>>    >>              <sp:SignedParts
>>>    >> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>    >>                      <sp:Body/>
>>>    >>              </sp:SignedParts>
>>>    >>
>>>    >>              <ramp:RampartConfig
>>>    xmlns:ramp="http://ws.apache.org/rampart/policy">
>>>    >>                      <ramp:user>user</ramp:user>
>>>    >>                      <ramp:encryptionUser>user</ramp:encryptionUser>
>>>    >>                      <ramp:passwordCallbackClass>com.xo.vzn_asr.business.util.PWCBHandler</ramp:passwordCallbackClass>
>>>    >>                      <ramp:signatureCrypto>
>>>    >>                              <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>>    >>                                      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>>    >>                                      <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>>>    >>                                      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.alias">user</ramp:property>
>>>    >>                                      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">keypassword</ramp:property>
>>>    >>                              </ramp:crypto>
>>>    >>                      </ramp:signatureCrypto>
>>>    >>              </ramp:RampartConfig>
>>>    >>
>>>    >>      </wsp:All>
>>>    >> </wsp:Policy>
>>>    >>
>>>    >>
>>>    >>
>>>    >> I expect the final header output to be something like:
>>>    >> <SOAP-ENV:Header >
>>>    >>      <wsse:Security >
>>>    >>              <wsse:UsernameToken >
>>>    >>                      <wsse:Username >XXX</wsse:Username>
>>>    >>              </wsse:UsernameToken>
>>>    >>              <wsse:BinarySecurityToken >binaryTokenHere</wsse:BinarySecurityToken>
>>>    >>              <ds:Signature >
>>>    >>                      <ds:SignedInfo >
>>>    >>                              <ds:CanonicalizationMethod
>>>    >> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>    >>                              <ds:SignatureMethod
>>>    >> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>    >>                              <ds:Reference >
>>>    >>                                      <ds:Transforms >
>>>    >>                                              <ds:Transform />
>>>    >>                                      </ds:Transforms>
>>>    >>                                      <ds:DigestMethod />
>>>    >>                                      <ds:DigestValue </ds:DigestValue>
>>>    >>                              </ds:Reference>
>>>    >>                              <ds:Reference >
>>>    >>                                      <ds:Transforms >
>>>    >>                                              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>    >>                                      </ds:Transforms>
>>>    >>                                      <ds:DigestMethod
>>>    >> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>    >>                                      <ds:DigestValue </ds:DigestValue>
>>>    >>                              </ds:Reference>
>>>    >>                      </ds:SignedInfo>
>>>    >>                      <ds:SignatureValue </ds:SignatureValue>
>>>    >>                      <ds:KeyInfo >
>>>    >>                              <wsse:SecurityTokenReference >
>>>    >>                                      <wsse:Reference />
>>>    >>                              </wsse:SecurityTokenReference>
>>>    >>                      </ds:KeyInfo>
>>>    >>              </ds:Signature>
>>>    >>      </wsse:Security>
>>>    >> </SOAP-ENV:Header>
>>>    >>
>>>    >>
>>>    >> I'm fairly sure I've just got the policy file slightly off.  Any
>>>    >> suggestions?  Thanks for any reply.

-- 
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/
http://www.wso2.org

Re: Rampart Username and signed certificate

Posted by keith chapman <ke...@gmail.com>.
On Tue, Oct 7, 2008 at 8:50 AM, Samisa Abeysinghe <
samisa.abeysinghe@gmail.com> wrote:

> Nandana Mihindukulasooriya wrote:
>
>> Hi Ronnie,
>>       Please change the policy as given below.
>>
>
> But should not this policy come from the service?

Ideally yes. ;)

Thanks,
Keith.

>
>
> Samisa...
>
>

-- 
Keith Chapman
Senior Software Engineer
WSO2 Inc.
Oxygenating the Web Service Platform.
http://wso2.org/

blog: http://www.keith-chapman.org

Re: Rampart Username and signed certificate

Posted by Samisa Abeysinghe <sa...@gmail.com>.
Nandana Mihindukulasooriya wrote:
> Hi Ronnie,
>        Please change the policy as given below.

But should not this policy come from the service?

Samisa...

>
> <wsp:Policy ...>
>   <sp:AsymmetricBinding>
>    ...
>   </sp:AsymmetricBinding>
>   <sp:SupportingTokens>
>      <wsp:Policy>
>         <sp:UsernameToken/>
>      </wsp:Policy>
>   </sp:SupportingTokens>
>   <sp:Wss10  .../>
>   <sp:SignedParts .../>
>   <ramp:RampartConfig/>
> </wsp:Policy>
>
> Just the structure is shown above. The Supporting token assertion 
> should be a top-level assertion. In your case, you have it as a nested 
> assertion within the Asymmetric Binding assertion.
>
> And if your username and private key alias are different, you need to 
> use both "user" and "userCertAlias" parameters in the RampartConfig as 
> mentioned by Martin. But if both of them are the same, you can just 
> have the "user" parameter [1].
>
> And I don't understand why you have both user and encryptionUser set 
> to "user".
>                        <ramp:user>user</ramp:user>
>                        <ramp:encryptionUser>user</ramp:encryptionUser>
>
> thanks,
> nandana
>
> [1] - http://wso2.org/library/3733

-- 
Samisa Abeysinghe

http://people.apache.org/~samisa/


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: Rampart Username and signed certificate

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Ronnie,
       Please change the policy as given below.

<wsp:Policy ...>
  <sp:AsymmetricBinding>
   ...
  </sp:AsymmetricBinding>
  <sp:SupportingTokens>
     <wsp:Policy>
        <sp:UsernameToken/>
     </wsp:Policy>
  </sp:SupportingTokens>
  <sp:Wss10  .../>
  <sp:SignedParts .../>
  <ramp:RampartConfig/>
</wsp:Policy>

Just the structure is shown above. The Supporting token assertion should be
a top-level assertion. In your case, you have it as a nested assertion within
the Asymmetric Binding assertion.

And if your username and private key alias are different, you need to use
both "user" and "userCertAlias" parameters in the RampartConfig as mentioned
by Martin. But if both of them are the same, you can just have the "user"
parameter [1].

And I don't understand why you have both user and encryptionUser set to
"user".
                       <ramp:user>user</ramp:user>
                       <ramp:encryptionUser>user</ramp:encryptionUser>

thanks,
nandana

[1] - http://wso2.org/library/3733


On Tue, Oct 7, 2008 at 8:40 AM, RonnieMJ <ro...@hotmail.com> wrote:

>
> I don't actually get an exception (well I do get a soap fault for not
> having
> all of the right headers from their server).
>
> The message usually gets sent out simply without the username token.  If I
> DO get the username token to go, it's as a signedsupportingtoken (which is
> not what they want).
>
>
>
> Samisa Abeysinghe-2 wrote:
> >
> > What is the exception that you get?
> >
> > Samisa...
> >
> > RonnieMJ wrote:
> >> I'm pretty new to WS, and especially the security piece, but I'm using
> >> rampart 1.4 using policy files to try to function as a client to an
> >> existing
> >> (external to my company) web service.
> >>
> >> I know that I need to send both a usernameToken and sign the header with
> >> a
> >> certificate.  I've been able to do EITHER, but so far haven't been able
> >> to
> >> do both.
> >>
> >> I've tried it about 20 different ways, but my most recent attempt is:
> >>
> >>
> >> <wsp:Policy wsu:Id="SigAndUName"
> >> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >>      <wsp:All>
> >>              <sp:AsymmetricBinding
> >> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >>                      <wsp:Policy>
> >>                              <sp:InitiatorToken>
> >>                                      <wsp:Policy>
> >>                                              <sp:X509Token
> >> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >>                                                      <wsp:Policy>
> >>                                                              <sp:WssX509V3Token10/>
> >>                                                      </wsp:Policy>
> >>                                              </sp:X509Token>
> >>                                      </wsp:Policy>
> >>                              </sp:InitiatorToken>
> >>                              <sp:RecipientToken>
> >>                                      <wsp:Policy>
> >>                                              <sp:X509Token
> >> sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> >>                                                      <wsp:Policy>
> >>
>  <sp:WssX509V3Token10/>
> >>                                                      </wsp:Policy>
> >>                                              </sp:X509Token>
> >>                                      </wsp:Policy>
> >>                              </sp:RecipientToken>
> >>                              <sp:AlgorithmSuite>
> >>                                      <wsp:Policy>
> >>                                              <sp:Basic128Rsa15/>
> >>                                      </wsp:Policy>
> >>                              </sp:AlgorithmSuite>
> >>                              <sp:Layout>
> >>                                      <wsp:Policy>
> >>                                              <sp:Lax/>
> >>                                      </wsp:Policy>
> >>                              </sp:Layout>
> >>                              <sp:OnlySignEntireHeadersAndBody/>
> >>                              <sp:SupportingTokens>
> >>                                      <wsp:Policy>
> >>                                              <sp:UsernameToken
> >> sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> "
> >> />
> >>                                      </wsp:Policy>
> >>                              </sp:SupportingTokens>
> >>                      </wsp:Policy>
> >>              </sp:AsymmetricBinding>
> >>
> >>
> >>              <sp:Wss10
> >> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >>                      <wsp:Policy>
> >>                              <sp:MustSupportRefKeyIdentifier />
> >>                              <sp:MustSupportRefIssuerSerial />
> >>                      </wsp:Policy>
> >>              </sp:Wss10>
> >>
> >>
> >>              <sp:SignedParts
> >> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >>                      <sp:Body/>
> >>              </sp:SignedParts>
> >>
> >>              <ramp:RampartConfig xmlns:ramp="
> http://ws.apache.org/rampart/policy">
> >>                      <ramp:user>user</ramp:user>
> >>                      <ramp:encryptionUser>user</ramp:encryptionUser>
> >>
> >>
> <ramp:passwordCallbackClass>com.xo.vzn_asr.business.util.PWCBHandler</ramp:passwordCallbackClass>
> >>
> >>                      <ramp:signatureCrypto>
> >>                              <ramp:crypto
> >> provider="org.apache.ws.security.components.crypto.Merlin">
> >>                                      <ramp:property
> >>
> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
> >>                                      <ramp:property
> >>
> name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> >>                                      <ramp:property
> >>
> name="org.apache.ws.security.crypto.merlin.keystore.alias">user</ramp:property>
> >>                                      <ramp:property
> >>
> name="org.apache.ws.security.crypto.merlin.keystore.password">keypassword</ramp:property>
> >>                              </ramp:crypto>
> >>                      </ramp:signatureCrypto>
> >>              </ramp:RampartConfig>
> >>
> >>      </wsp:All>
> >> </wsp:Policy>
> >>
> >>
> >>
> >> I expect the final header output to be something like:
> >> <SOAP-ENV:Header >
> >>      <wsse:Security >
> >>              <wsse:UsernameToken >
> >>                      <wsse:Username >XXX</wsse:Username>
> >>              </wsse:UsernameToken>
> >>              <wsse:BinarySecurityToken
> >binaryTokenHere</wsse:BinarySecurityToken>
> >>              <ds:Signature >
> >>                      <ds:SignedInfo >
> >>                              <ds:CanonicalizationMethod
> >> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >>                              <ds:SignatureMethod
> >> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >>                              <ds:Reference >
> >>                                      <ds:Transforms >
> >>                                              <ds:Transform />
> >>                                      </ds:Transforms>
> >>                                      <ds:DigestMethod />
> >>                                      <ds:DigestValue </ds:DigestValue>
> >>                              </ds:Reference>
> >>                              <ds:Reference >
> >>                                      <ds:Transforms >
> >>                                              <ds:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >>                                      </ds:Transforms>
> >>                                      <ds:DigestMethod
> >> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >>                                      <ds:DigestValue </ds:DigestValue>
> >>                              </ds:Reference>
> >>                      </ds:SignedInfo>
> >>                      <ds:SignatureValue </ds:SignatureValue>
> >>                      <ds:KeyInfo >
> >>                              <wsse:SecurityTokenReference >
> >>                                      <wsse:Reference />
> >>                              </wsse:SecurityTokenReference>
> >>                      </ds:KeyInfo>
> >>              </ds:Signature>
> >>      </wsse:Security>
> >> </SOAP-ENV:Header>
> >>
> >>
> >> I'm fairly sure I've just got the policy file slightly off.  Any
> >> suggestions?  Thanks for any reply.
> >>
> >
> >
> > --
> > Samisa Abeysinghe
> >
> > http://people.apache.org/~samisa/
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> > For additional commands, e-mail: axis-user-help@ws.apache.org
> >
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19850087.html
> Sent from the Axis - User mailing list archive at Nabble.com.
>
>
>
>


-- 
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/
http://www.wso2.org

Re: Rampart Username and signed certificate

Posted by RonnieMJ <ro...@hotmail.com>.
I don't actually get an exception (well I do get a soap fault for not having
all of the right headers from their server).

The message usually gets sent out simply without the username token.  If I
DO get the username token to go, it's as a signedsupportingtoken (which is
not what they want).



Samisa Abeysinghe-2 wrote:
> 
> What is the exception that you get?
> 
> Samisa...
> 
> RonnieMJ wrote:
>> I'm pretty new to WS, and especially the security piece, but I'm using
>> rampart 1.4 using policy files to try to function as a client to an
>> existing
>> (external to my company) web service.
>>
>> I know that I need to send both a usernameToken and sign the header with
>> a
>> certificate.  I've been able to do EITHER, but so far haven't been able
>> to
>> do both.
>>
>> I've tried it about 20 different ways, but my most recent attempt is:
>>
>>
>> <wsp:Policy wsu:Id="SigAndUName"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>> 	<wsp:All>
>> 		<sp:AsymmetricBinding
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> 			<wsp:Policy>
>> 				<sp:InitiatorToken>
>> 					<wsp:Policy>
>> 						<sp:X509Token
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>> 							<wsp:Policy>
>> 								<sp:WssX509V3Token10/>
>> 							</wsp:Policy>
>> 						</sp:X509Token>
>> 					</wsp:Policy>
>> 				</sp:InitiatorToken>
>> 				<sp:RecipientToken>
>> 					<wsp:Policy>
>> 						<sp:X509Token
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>> 							<wsp:Policy>
>> 								<sp:WssX509V3Token10/>
>> 							</wsp:Policy>
>> 						</sp:X509Token>
>> 					</wsp:Policy>
>> 				</sp:RecipientToken>
>> 				<sp:AlgorithmSuite>
>> 					<wsp:Policy>
>> 						<sp:Basic128Rsa15/>
>> 					</wsp:Policy>
>> 				</sp:AlgorithmSuite>
>> 				<sp:Layout>
>> 					<wsp:Policy>
>> 						<sp:Lax/>
>> 					</wsp:Policy>
>> 				</sp:Layout>
>> 				<sp:OnlySignEntireHeadersAndBody/>
>> 				<sp:SupportingTokens>
>> 					<wsp:Policy>
>> 						<sp:UsernameToken
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"
>> />
>> 					</wsp:Policy>
>> 				</sp:SupportingTokens>
>> 			</wsp:Policy>
>> 		</sp:AsymmetricBinding>
>>
>>
>> 		<sp:Wss10
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> 			<wsp:Policy>
>> 				<sp:MustSupportRefKeyIdentifier />
>> 				<sp:MustSupportRefIssuerSerial />
>> 			</wsp:Policy>
>> 		</sp:Wss10>
>>
>>
>> 		<sp:SignedParts
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> 			<sp:Body/>
>> 		</sp:SignedParts>
>>
>> 		<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>> 			<ramp:user>user</ramp:user>
>> 			<ramp:encryptionUser>user</ramp:encryptionUser>
>> 		
>> <ramp:passwordCallbackClass>com.xo.vzn_asr.business.util.PWCBHandler</ramp:passwordCallbackClass>
>>
>> 			<ramp:signatureCrypto>
>> 				<ramp:crypto
>> provider="org.apache.ws.security.components.crypto.Merlin">
>> 					<ramp:property
>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>> 					<ramp:property
>> name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>> 					<ramp:property
>> name="org.apache.ws.security.crypto.merlin.keystore.alias">user</ramp:property>
>> 					<ramp:property
>> name="org.apache.ws.security.crypto.merlin.keystore.password">keypassword</ramp:property>
>> 				</ramp:crypto>
>> 			</ramp:signatureCrypto>
>> 		</ramp:RampartConfig>
>>
>> 	</wsp:All>
>> </wsp:Policy>
>>
>>
>>
>> I expect the final header output to be something like:
>> <SOAP-ENV:Header >
>> 	<wsse:Security >
>> 		<wsse:UsernameToken >
>> 			<wsse:Username >XXX</wsse:Username>
>> 		</wsse:UsernameToken>
>> 		<wsse:BinarySecurityToken >binaryTokenHere</wsse:BinarySecurityToken>
>> 		<ds:Signature >
>> 			<ds:SignedInfo >
>> 				<ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> 				<ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>> 				<ds:Reference >
>> 					<ds:Transforms >
>> 						<ds:Transform />
>> 					</ds:Transforms>
>> 					<ds:DigestMethod />
>> 					<ds:DigestValue </ds:DigestValue>
>> 				</ds:Reference>
>> 				<ds:Reference >
>> 					<ds:Transforms >
>> 						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> 					</ds:Transforms>
>> 					<ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> 					<ds:DigestValue </ds:DigestValue>
>> 				</ds:Reference>
>> 			</ds:SignedInfo>
>> 			<ds:SignatureValue </ds:SignatureValue>
>> 			<ds:KeyInfo >
>> 				<wsse:SecurityTokenReference >
>> 					<wsse:Reference />
>> 				</wsse:SecurityTokenReference>
>> 			</ds:KeyInfo>
>> 		</ds:Signature>
>> 	</wsse:Security>
>> </SOAP-ENV:Header>
>>
>>
>> I'm fairly sure I've just got the policy file slightly off.  Any
>> suggestions?  Thanks for any reply.
>>   
> 
> 
> -- 
> Samisa Abeysinghe
> 
> http://people.apache.org/~samisa/
> 
> 
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19850087.html
Sent from the Axis - User mailing list archive at Nabble.com.


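The post above describes two outcomes that look alike on the wire unless you read the ds:SignedInfo references: the UsernameToken is missing entirely, or it is present but emitted as a SignedSupportingToken (its wsu:Id is listed in a ds:Reference), where the remote service wants a plain, unsigned SupportingToken next to the X.509 signature. The script below is an added diagnostic, not code from this thread, from Rampart or from Axis2: it takes the SOAP envelope the client actually sent (from Axis2 message logging or a proxy capture) and reports which of the three cases it is. The namespace URIs are the standard WSS 1.0 and XML-DSig ones; the function names, the sample envelopes and the wsu:Id values in them are constructed for the example.

```python
"""Classify the UsernameToken in a WS-Security header (added example).

Answers the question the thread turns on: did the client emit a
UsernameToken at all, and if so is it a plain SupportingToken (not covered
by the signature) or a SignedSupportingToken (its wsu:Id appears in a
ds:Reference inside ds:SignedInfo)?
"""
import sys
import xml.etree.ElementTree as ET

# Standard WSS 1.0 / XML-DSig namespaces (these are real, not constructed).
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def classify_security_header(envelope_xml):
    """Return a dict describing wsse:Security; username_token is one of
    "absent", "supporting-token" (unsigned) or "signed-supporting-token"."""
    root = ET.fromstring(envelope_xml)
    sec = root.find(".//wsse:Security", NS)
    result = {"security_header": sec is not None, "username_token": "absent",
              "binary_security_token": False, "signature": False, "signed_ids": []}
    if sec is None:
        return result
    sig = sec.find("ds:Signature", NS)
    if sig is not None:
        result["signature"] = True
        # Same-document references ("#id") name exactly the parts the signature covers.
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                result["signed_ids"].append(uri[1:])
    result["signed_ids"].sort()
    result["binary_security_token"] = sec.find("wsse:BinarySecurityToken", NS) is not None
    unt = sec.find("wsse:UsernameToken", NS)
    if unt is not None:
        # Signed only if the token's own wsu:Id is among the signed references.
        if unt.get(WSU_ID) in result["signed_ids"]:
            result["username_token"] = "signed-supporting-token"
        else:
            result["username_token"] = "supporting-token"
    return result


def build_sample(include_unt=True, sign_unt=False):
    """Constructed envelope shaped like the header the poster expects (not captured traffic).
    Digest/signature values are placeholders; only the structure matters here."""
    unt = ('<wsse:UsernameToken wsu:Id="UsernameToken-1">'
           '<wsse:Username>XXX</wsse:Username></wsse:UsernameToken>') if include_unt else ""
    unt_ref = ('<ds:Reference URI="#UsernameToken-1">'
               '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
               '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>') if (include_unt and sign_unt) else ""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      {unt}
      <wsse:BinarySecurityToken wsu:Id="CertId-1">Y29uc3RydWN0ZWQ=</wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#Body-1">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>AAAA</ds:DigestValue>
          </ds:Reference>
          {unt_ref}
        </ds:SignedInfo>
        <ds:SignatureValue>AAAA</ds:SignatureValue>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#CertId-1"/>
        </wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Body-1"><ping/></soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python classify_wsse.py captured_request.xml
        with open(sys.argv[1], "rb") as fh:
            print(classify_security_header(fh.read()))
    else:
        for label, env in (("expected shape", build_sample(True, False)),
                           ("signed supporting token", build_sample(True, True)),
                           ("no username token", build_sample(False, False))):
            print(label, "->", classify_security_header(env))
```

Run it against the request Axis2 actually put on the wire rather than against the policy file: the classification of the sent message is what the remote service's fault is reacting to, and `username_token == "supporting-token"` together with a BinarySecurityToken and a signature over the Body is the shape the expected header in the post shows.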


Re: Rampart Username and signed certificate

Posted by Samisa Abeysinghe <sa...@gmail.com>.
What is the exception that you get?

Samisa...

RonnieMJ wrote:
> I'm pretty new to WS, and especially the security piece, but I'm using
> rampart 1.4 using policy files to try to function as a client to an existing
> (external to my company) web service.
>
> I know that I need to send both a usernameToken and sign the header with a
> certificate.  I've been able to do EITHER, but so far haven't been able to
> do both.
>
> I've tried it about 20 different ways, but my most recent attempt is:
>
>
> <wsp:Policy wsu:Id="SigAndUName"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> 	<wsp:All>
> 		<sp:AsymmetricBinding
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> 			<wsp:Policy>
> 				<sp:InitiatorToken>
> 					<wsp:Policy>
> 						<sp:X509Token
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> 							<wsp:Policy>
> 								<sp:WssX509V3Token10/>
> 							</wsp:Policy>
> 						</sp:X509Token>
> 					</wsp:Policy>
> 				</sp:InitiatorToken>
> 				<sp:RecipientToken>
> 					<wsp:Policy>
> 						<sp:X509Token
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> 							<wsp:Policy>
> 								<sp:WssX509V3Token10/>
> 							</wsp:Policy>
> 						</sp:X509Token>
> 					</wsp:Policy>
> 				</sp:RecipientToken>
> 				<sp:AlgorithmSuite>
> 					<wsp:Policy>
> 						<sp:Basic128Rsa15/>
> 					</wsp:Policy>
> 				</sp:AlgorithmSuite>
> 				<sp:Layout>
> 					<wsp:Policy>
> 						<sp:Lax/>
> 					</wsp:Policy>
> 				</sp:Layout>
> 				<sp:OnlySignEntireHeadersAndBody/>
> 				<sp:SupportingTokens>
> 					<wsp:Policy>
> 						<sp:UsernameToken
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"
> />
> 					</wsp:Policy>
> 				</sp:SupportingTokens>
> 			</wsp:Policy>
> 		</sp:AsymmetricBinding>
>
>
> 		<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> 			<wsp:Policy>
> 				<sp:MustSupportRefKeyIdentifier />
> 				<sp:MustSupportRefIssuerSerial />
> 			</wsp:Policy>
> 		</sp:Wss10>
>
>
> 		<sp:SignedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> 			<sp:Body/>
> 		</sp:SignedParts>
>
> 		<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> 			<ramp:user>user</ramp:user>
> 			<ramp:encryptionUser>user</ramp:encryptionUser>
> 		
> <ramp:passwordCallbackClass>com.xo.vzn_asr.business.util.PWCBHandler</ramp:passwordCallbackClass>
>
> 			<ramp:signatureCrypto>
> 				<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> 					<ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
> 					<ramp:property
> name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> 					<ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.alias">user</ramp:property>
> 					<ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.password">keypassword</ramp:property>
> 				</ramp:crypto>
> 			</ramp:signatureCrypto>
> 		</ramp:RampartConfig>
>
> 	</wsp:All>
> </wsp:Policy>
>
>
>
> I expect the final header output to be something like:
> <SOAP-ENV:Header >
> 	<wsse:Security >
> 		<wsse:UsernameToken >
> 			<wsse:Username >XXX</wsse:Username>
> 		</wsse:UsernameToken>
> 		<wsse:BinarySecurityToken >binaryTokenHere</wsse:BinarySecurityToken>
> 		<ds:Signature >
> 			<ds:SignedInfo >
> 				<ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> 				<ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> 				<ds:Reference >
> 					<ds:Transforms >
> 						<ds:Transform />
> 					</ds:Transforms>
> 					<ds:DigestMethod />
> 					<ds:DigestValue </ds:DigestValue>
> 				</ds:Reference>
> 				<ds:Reference >
> 					<ds:Transforms >
> 						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> 					</ds:Transforms>
> 					<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> 					<ds:DigestValue </ds:DigestValue>
> 				</ds:Reference>
> 			</ds:SignedInfo>
> 			<ds:SignatureValue </ds:SignatureValue>
> 			<ds:KeyInfo >
> 				<wsse:SecurityTokenReference >
> 					<wsse:Reference />
> 				</wsse:SecurityTokenReference>
> 			</ds:KeyInfo>
> 		</ds:Signature>
> 	</wsse:Security>
> </SOAP-ENV:Header>
>
>
> I'm fairly sure I've just got the policy file slightly off.  Any
> suggestions?  Thanks for any reply.
>   


-- 
Samisa Abeysinghe

http://people.apache.org/~samisa/

