Posted to java-dev@axis.apache.org by Andrew Janke <ap...@gmail.com> on 2014/04/03 20:53:06 UTC
Rampart support for WS-SecurityPolicy 1.0

Hello, Axis2 and Rampart folks,

Does Rampart support security policies defined using the
WS-SecurityPolicy 1.0 standard instead of 1.1 or 1.2?

I am getting errors when trying to use Rampart in a client with a
security policy that uses elements defined in the 1.0 standard.

I am writing a client for a web service that defines a policy like the
following. Note the namespace
xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext", which looks like
it's referring to the WS-SecurityPolicy 1.0 standard.

    <wsp:Policy wsu:Id="SecurityTokens"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SecurityToken xmlns:_ns1="http://www.actional.com"
              xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
            <sp:TokenType>_ns1:SSLClientCertificate</sp:TokenType>
          </sp:SecurityToken>
        </wsp:All>
        <wsp:All>
          <sp:SecurityToken
              xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
            <sp:TokenType>sp:X509v3</sp:TokenType>
          </sp:SecurityToken>
        </wsp:All>
        <wsp:All>
          <sp:SecurityToken xmlns:_ns1="http://www.actional.com"
              xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
            <sp:TokenType>_ns1:SSLClientCertificate</sp:TokenType>
          </sp:SecurityToken>
          <sp:SecurityToken
              xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
            <sp:TokenType>sp:X509v3</sp:TokenType>
          </sp:SecurityToken>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
    <wsp:Policy wsu:Id="SignedBody"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <sp:Integrity xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <sp:TokenInfo>
          <sp:SecurityToken>
            <sp:TokenType>sp:X509v3</sp:TokenType>
          </sp:SecurityToken>
        </sp:TokenInfo>
        <sp:MessageParts>wsp:GetBody(.)</sp:MessageParts>
      </sp:Integrity>
    </wsp:Policy>

I have a client that I generated using wsdl2java with the -d ADB
databinding, and then customized. When I call one of the SOAP methods
using the generated stub after engaging Rampart, it throws this error.

java.lang.RuntimeException: Undefined 'Security policy namespace cannot be null.' resource property
    at org.apache.rampart.RampartException.getMessage(RampartException.java:81)
    at org.apache.rampart.RampartException.<init>(RampartException.java:41)
    at org.apache.rampart.RampartException.<init>(RampartException.java:57)
    at org.apache.rampart.RampartMessageData.setWSSecurityVersions(RampartMessageData.java:387)
    at org.apache.rampart.RampartMessageData.<init>(RampartMessageData.java:261)
    at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:61)
    at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:427)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:406)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
    at egcna.ercotawards.wsdisc.NodalServiceStubFromCodegen.marketInfo(NodalServiceStubFromCodegen.java:250)
    at egcna.ercotawards.wsdisc.NodalServiceTestClient.pingServiceStatus(NodalServiceTestClient.java:116)
    at egcna.ercotawards.wsdisc.NodalServiceTestClient.main(NodalServiceTestClient.java:42)

I spent some time tracking this down in the debugger, and it looks like
the Neethi policy engine is not recognizing the elements in the "sp"
namespace, and just wrapping them in XmlPrimitiveAssertion objects
during the getPolicy() processing when the service is being initialized
by the generated client stub. Then, when RampartPolicyBuilder.build() is
initializing the RampartPolicyData for the RampartMessageData, it
doesn't recognize the XmlPrimitiveAssertions and ignores them. (If the
org.apache.rampart log level is set to DEBUG it outputs
"[DEBUG] Unknown top level PED found:
org.apache.neethi.builders.xml.XmlPrimitiveAssertion" but is otherwise
silent.)

I looked through the registeredBuilders in the
AssertionBuilderFactoryImpl that the PolicyBuilder was using. There were
entries for lots of names in the namespaces
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy (for
WS-SecurityPolicy 1.1) and
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 (for
WS-SecurityPolicy 1.2), both pointing to objects in the
org.apache.ws.secpolicy11.builders and
org.apache.ws.secpolicy12.builders packages respectively. But no entries
for names in the http://schemas.xmlsoap.org/ws/2002/12/secext namespace.
So the sp:SecurityToken element does not map to a registered builder,
and the AssertionBuilderFactoryImpl uses the default builder, which
wraps it in a plain XmlPrimitiveAssertion.

Is this expected behavior? Is Rampart supposed to support policies with
elements in the WS-SecurityPolicy 1.0 namespace?

Cheers,
Andrew
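
The gap described in the post, as an added pre-flight check that is not part of the original message and is not Rampart or Neethi code: it walks a policy document and reports every top-level assertion whose namespace has no registered builder, so a client can refuse to start instead of sending with that assertion ignored. The HANDLED set assumes only the two namespaces the post found builders for; the function names, the <policies> wrapper, the sp10/sp12 prefixes and the Constructed12 policy are constructed for the example.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# Assumption: only the two namespaces the post found builders for; extend as needed.
HANDLED = {
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",       # WS-SecurityPolicy 1.1
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",  # WS-SecurityPolicy 1.2
}

def _walk(node, policy_id, found):
    """Collect assertions under one wsp:Policy whose namespace is not in HANDLED."""
    for child in node:
        ns, _, local = child.tag[1:].partition("}") if child.tag[0] == "{" else ("", "", child.tag)
        if ns == WSP:
            if local in ("Policy", "ExactlyOne", "All"):
                _walk(child, policy_id, found)  # policy operator: keep descending
        elif ns not in HANDLED:
            found.append((policy_id, ns, local))  # would fall to the default builder

def unhandled_assertions(xml_text):
    """Return (policy id, namespace, local name) for each assertion with no builder."""
    root = ET.fromstring(xml_text)
    top = "{%s}Policy" % WSP
    found = []
    for policy in ([root] if root.tag == top else root.findall(top)):
        _walk(policy, policy.get("{%s}Id" % WSU, "?"), found)
    return found

def require_handled(xml_text):
    """Fail closed: raise instead of letting an assertion be silently ignored."""
    missing = unhandled_assertions(xml_text)
    if missing:
        raise ValueError("no assertion builder for: %r" % (missing,))

# Constructed sample: the post's two policies, abridged, plus one constructed 1.2 policy.
SAMPLE = """<policies xmlns:wsp="%s" xmlns:wsu="%s"
    xmlns:sp10="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:sp12="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:Policy wsu:Id="SecurityTokens"><wsp:ExactlyOne><wsp:All>
    <sp10:SecurityToken><sp10:TokenType>sp10:X509v3</sp10:TokenType></sp10:SecurityToken>
  </wsp:All></wsp:ExactlyOne></wsp:Policy>
  <wsp:Policy wsu:Id="SignedBody"><sp10:Integrity>
    <sp10:MessageParts>wsp:GetBody(.)</sp10:MessageParts></sp10:Integrity></wsp:Policy>
  <wsp:Policy wsu:Id="Constructed12"><sp12:TransportBinding/></wsp:Policy>
</policies>""" % (WSP, WSU)

if __name__ == "__main__":
    print(unhandled_assertions(SAMPLE))
```

Running require_handled() on the policy text before engaging Rampart turns the DEBUG-only "Unknown top level PED" case into a hard failure at startup.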