You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-dev@ws.apache.org by shams jawaid <sh...@hotmail.com> on 2007/09/14 04:26:12 UTC
[RAMPART / WSF PHP ]
Hi ,
i am curenlty trying to encrypt and sign messages from my php client using
WSF PHP extension and the rampart policy assertion, but get no output at all
.. if anyone can identify flaws in my policy.xml linked into my php client
and the services.xml file in my axis2/java webservice META-INF folder please
let me know:
services.xml:
<service name="HealthCareServiceTest1" scope="application">
<description>
Health Care Service test
</description>
<messageReceivers>
<messageReceiver
mep="http://www.w3.org/2004/08/wsdl/in-out"
class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
<messageReceiver
mep="http://www.w3.org/2004/08/wsdl/in-only"
class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver"/>
<messageReceiver
mep="http://www.w3.org/2004/08/wsdl/in-out"
class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
</messageReceivers>
<parameter name="ServiceClass" locked="false">org.health</parameter>
<module ref="rampart" />
<module ref="addressing" />
<wsp:Policy wsu:Id="SigEncr"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:EncryptBeforeSigning/>
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
<sp:EncryptedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:EncryptedParts>
<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>service</ramp:user>
<ramp:encryptionUser>client</ramp:encryptionUser>
<ramp:passwordCallbackClass>org.PWCBHandler</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
</ramp:crypto>
</ramp:encryptionCypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</service>
policy.xml:
<wsp:Policy xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy'>
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding
xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:EncryptBeforeSigning />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
<sp:EncryptedParts
xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
<sp:Body/>
</sp:EncryptedParts>
<sp:SignedParts
xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
<sp:Body/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
with this setting i get no output at all..
however, if i remove the
<sp:EncryptedParts
xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
<sp:Body/>
</sp:EncryptedParts>
<sp:SignedParts
xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
<sp:Body/>
</sp:SignedParts>
part in the policy.xml, i get output, with a timestamp but no encryption or
signature..
and the timestamp has the error:
WSSecurityEngine: Invalid timestamp The security semantics of message have
expired
<wsu:Created>2007-09-14T03:16:30.046Z</wsu:Created>
<wsu:Expires>2007-09-14T03:16:30.046Z</wsu:Expires>
WSSecurityEngine: Invalid timestamp The security semantics of message have
expired
the time 3:16 is the same as my windows clock, although i had to uncheck the
"autoamcically adjust the clock for daylight saving changes" setting in the
windows time settings. if that was on, my windows time would always be one
hour ahead of the timestamp created. i am using a php client, so just
thought id mention that, if i use the php date and time functions,
echo date();
it always gives me the time one hour ahead.. i know a mismatch in time in
the client and server can cause an invalid timestamp error, but for now my
windows time does match the time stated in the timestamp soap messages. is
there any idea why im getting this error? or is there any faults in my
services/policy.xml files?
please help!
thanks alot!
_________________________________________________________________
Can you see your house from the sky? Try Live Search Maps
http://maps.live.com
Re: [RAMPART / WSF PHP ]
Posted by Kaushalye Kapuruge <ka...@wso2.com>.
Hi Shams,
Could you please send us followings, we will try to run it in our end
see if there are errors. 'Coz sometimes the information you are giving
is not sufficient to locate the error.
1. PHP Client
2. Client's private key and the certificate
3. Server's keystore+aliases+passwords, certificate(exported)
4. Client's policy file
5. Server's service.xml file
6. Log files and the SOAP message trace of your last attempt(when you
enable encryption and signing).
Cheers,
Kaushalye
shams jawaid wrote:
> Hi ,
>
> i am curenlty trying to encrypt and sign messages from my php client
> using WSF PHP extension and the rampart policy assertion, but get no
> output at all .. if anyone can identify flaws in my policy.xml linked
> into my php client and the services.xml file in my axis2/java
> webservice META-INF folder please let me know:
>
> services.xml:
>
> <service name="HealthCareServiceTest1" scope="application">
> <description>
> Health Care Service test
> </description>
>
>
>
> <messageReceivers>
> <messageReceiver
> mep="http://www.w3.org/2004/08/wsdl/in-out"
> class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
>
>
> <messageReceiver
> mep="http://www.w3.org/2004/08/wsdl/in-only"
> class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver"/>
>
>
>
> <messageReceiver
> mep="http://www.w3.org/2004/08/wsdl/in-out"
> class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
> </messageReceivers>
>
> <parameter name="ServiceClass" locked="false">org.health</parameter>
>
>
> <module ref="rampart" />
> <module ref="addressing" />
> <wsp:Policy wsu:Id="SigEncr"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:AsymmetricBinding
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>
> <wsp:Policy>
> <sp:WssX509V3Token10 />
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>
> <wsp:Policy>
> <sp:WssX509V3Token10 />
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:TripleDesRsa15 />
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict />
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp />
> <sp:EncryptBeforeSigning/>
> <sp:OnlySignEntireHeadersAndBody />
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:Wss10
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier />
> <sp:MustSupportRefIssuerSerial />
> </wsp:Policy>
> </sp:Wss10>
> <sp:EncryptedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> </sp:EncryptedParts>
> <sp:SignedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> </sp:SignedParts>
> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> <ramp:user>service</ramp:user>
>
> <ramp:encryptionUser>client</ramp:encryptionUser>
> <ramp:passwordCallbackClass>org.PWCBHandler</ramp:passwordCallbackClass>
> <ramp:signatureCrypto>
> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>
> </ramp:crypto>
> </ramp:signatureCrypto>
> <ramp:encryptionCypto>
> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>
> </ramp:crypto>
> </ramp:encryptionCypto>
> </ramp:RampartConfig>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> </service>
>
> policy.xml:
>
> <wsp:Policy xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy'>
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:AsymmetricBinding
> xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
>
> <wsp:Policy>
> <sp:WssX509V3Token10 />
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
>
> <wsp:Policy>
> <sp:WssX509V3Token10 />
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256Rsa15 />
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict />
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp />
> <sp:EncryptBeforeSigning />
> <sp:OnlySignEntireHeadersAndBody />
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:Wss10
> xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> <wsp:Policy>
> <sp:MustSupportRefIssuerSerial />
> </wsp:Policy>
> </sp:Wss10>
> <sp:EncryptedParts
> xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> <sp:Body/>
> </sp:EncryptedParts>
> <sp:SignedParts
> xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> <sp:Body/>
> </sp:SignedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
>
>
> with this setting i get no output at all..
> however, if i remove the
>
> <sp:EncryptedParts
> xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> <sp:Body/>
> </sp:EncryptedParts>
> <sp:SignedParts
> xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> <sp:Body/>
> </sp:SignedParts>
>
> part in the policy.xml, i get output, with a timestamp but no
> encryption or signature..
> and the timestamp has the error:
>
> WSSecurityEngine: Invalid timestamp The security semantics of message
> have expired
>
> <wsu:Created>2007-09-14T03:16:30.046Z</wsu:Created>
> <wsu:Expires>2007-09-14T03:16:30.046Z</wsu:Expires>
>
> WSSecurityEngine: Invalid timestamp The security semantics of message
> have expired
>
> the time 3:16 is the same as my windows clock, although i had to
> uncheck the "autoamcically adjust the clock for daylight saving
> changes" setting in the windows time settings. if that was on, my
> windows time would always be one hour ahead of the timestamp created.
> i am using a php client, so just thought id mention that, if i use the
> php date and time functions,
>
> echo date();
>
> it always gives me the time one hour ahead.. i know a mismatch in time
> in the client and server can cause an invalid timestamp error, but for
> now my windows time does match the time stated in the timestamp soap
> messages. is there any idea why im getting this error? or is there any
> faults in my services/policy.xml files?
>
> please help!
>
> thanks alot!
>
> _________________________________________________________________
> Can you see your house from the sky? Try Live Search Maps
> http://maps.live.com
>
>
--
http://kaushalye.blogspot.com/
http://wso2.org/