Posted to java-dev@axis.apache.org by Andrew Janke <ap...@gmail.com> on 2014/04/03 20:53:06 UTC

Rampart support for WS-SecurityPolicy 1.0

Hello, Axis2 and Rampart folks,

Does Rampart support security policies defined using the 
WS-SecurityPolicy 1.0 standard instead of 1.1 or 1.2?

I am getting errors when trying to use Rampart in a client with a 
security policy that uses elements defined in the 1.0 standard.

I am writing a client for a web service that defines a policy like the 
following. Note the namespace 
xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext", which looks like 
it's referring to the WS-SecurityPolicy 1.0 standard.

<wsp:Policy wsu:Id="SecurityTokens"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SecurityToken xmlns:_ns1="http://www.actional.com"
          xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <sp:TokenType>_ns1:SSLClientCertificate</sp:TokenType>
      </sp:SecurityToken>
    </wsp:All>
    <wsp:All>
      <sp:SecurityToken
          xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <sp:TokenType>sp:X509v3</sp:TokenType>
      </sp:SecurityToken>
    </wsp:All>
    <wsp:All>
      <sp:SecurityToken xmlns:_ns1="http://www.actional.com"
          xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <sp:TokenType>_ns1:SSLClientCertificate</sp:TokenType>
      </sp:SecurityToken>
      <sp:SecurityToken
          xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <sp:TokenType>sp:X509v3</sp:TokenType>
      </sp:SecurityToken>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="SignedBody"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <sp:Integrity xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
    <sp:TokenInfo>
      <sp:SecurityToken>
        <sp:TokenType>sp:X509v3</sp:TokenType>
      </sp:SecurityToken>
    </sp:TokenInfo>
    <sp:MessageParts>wsp:GetBody(.)</sp:MessageParts>
  </sp:Integrity>
</wsp:Policy>


I have a client that I generated using wsdl2java with the -d ADB 
databinding, and then customized. When I call one of the SOAP methods 
using the generated stub after engaging Rampart, it throws this error.


java.lang.RuntimeException: Undefined 'Security policy namespace cannot be null.' resource property
	at org.apache.rampart.RampartException.getMessage(RampartException.java:81)
	at org.apache.rampart.RampartException.<init>(RampartException.java:41)
	at org.apache.rampart.RampartException.<init>(RampartException.java:57)
	at org.apache.rampart.RampartMessageData.setWSSecurityVersions(RampartMessageData.java:387)
	at org.apache.rampart.RampartMessageData.<init>(RampartMessageData.java:261)
	at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:61)
	at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
	at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
	at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
	at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
	at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:427)
	at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:406)
	at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
	at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
	at egcna.ercotawards.wsdisc.NodalServiceStubFromCodegen.marketInfo(NodalServiceStubFromCodegen.java:250)
	at egcna.ercotawards.wsdisc.NodalServiceTestClient.pingServiceStatus(NodalServiceTestClient.java:116)
	at egcna.ercotawards.wsdisc.NodalServiceTestClient.main(NodalServiceTestClient.java:42)


I spent some time tracking this down in the debugger, and it looks like 
the Neethi policy engine is not recognizing the elements in the "sp" 
namespace, and just wrapping them in XmlPrimitiveAssertion objects 
during the getPolicy() processing when the service is being initialized 
by the generated client stub. Then, when RampartPolicyBuilder.build() is 
initializing the RampartPolicyData for the RampartMessageData, it 
doesn't recognize the XmlPrimitiveAssertions and ignores them. (If the 
org.apache.rampart log level is set to DEBUG, it outputs
"[DEBUG] Unknown top level PED found: org.apache.neethi.builders.xml.XmlPrimitiveAssertion"
but is otherwise silent.)

I looked through the registeredBuilders in the 
AssertionBuilderFactoryImpl that the PolicyBuilder was using. There were 
entries for lots of names in the namespaces 
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy (for 
WS-SecurityPolicy 1.1) and 
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 (for 
WS-SecurityPolicy 1.2), both pointing to objects in the 
org.apache.ws.secpolicy11.builders and 
org.apache.ws.secpolicy12.builders packages respectively. But no entries 
for names in the http://schemas.xmlsoap.org/ws/2002/12/secext namespace. 
So the sp:SecurityToken element does not map to a registered builder, 
and the AssertionBuilderFactoryImpl uses the default builder, which 
wraps it in a plain XmlPrimitiveAssertion.

Is this expected behavior? Is Rampart supposed to support policies with 
elements in the WS-SecurityPolicy 1.0 namespace?

Cheers,
Andrew
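
An added example, not part of the original post and not Rampart or Neethi code: a pre-flight check that walks a policy's wsp operators and lists top-level assertions whose namespace is outside the two WS-SecurityPolicy namespaces the post found registered builders for, so that an assertion that would be silently dropped is reported before any message is sent. The class name, the allow-list contents and the reduced sample policy are assumptions made for this illustration; it uses only JDK XML APIs.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class PolicyNamespaceCheck {   // hypothetical helper, not a Rampart class
    static final String WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy";
    // Assumed allow-list: the namespaces the post saw in registeredBuilders (1.1 and 1.2).
    static final Set<String> KNOWN = Set.of(
        "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
        "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702");

    // Descend through wsp:Policy / ExactlyOne / All; record assertions outside KNOWN.
    static void collect(Element e, List<String> out) {
        for (Node n = e.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (!(n instanceof Element)) continue;
            Element c = (Element) n;
            if (WSP.equals(c.getNamespaceURI())) collect(c, out);
            else if (!KNOWN.contains(c.getNamespaceURI()))
                out.add("{" + c.getNamespaceURI() + "}" + c.getLocalName());
        }
    }

    static List<String> unrecognized(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);   // required, or getNamespaceURI() returns null
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        List<String> out = new ArrayList<>();
        collect(root, out);
        return out;
    }

    public static void main(String[] args) throws Exception {
        String sp10 = "http://schemas.xmlsoap.org/ws/2002/12/secext";
        // Constructed sample, reduced from the SignedBody policy in the post.
        String policy = "<wsp:Policy xmlns:wsp='" + WSP + "'>"
            + "<sp:Integrity xmlns:sp='" + sp10 + "'>"
            + "<sp:MessageParts>wsp:GetBody(.)</sp:MessageParts>"
            + "</sp:Integrity></wsp:Policy>";
        System.err.println("No registered builder for: " + unrecognized(policy));
    }
}
```

For the sample, the list contains the sp:Integrity assertion in the 2002/12/secext namespace; a client can refuse to engage Rampart when the list is non-empty instead of relying on the DEBUG log line.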
