Posted to rampart-c-dev@ws.apache.org by "Dave Meier (JIRA)" <ji...@apache.org> on 2008/02/29 00:11:55 UTC
[jira] Created: (RAMPARTC-76) Username token should default
inclusion to empty string, and treat an empty IncludeToken attribute to
mean the token is optional
Username token should default inclusion to empty string, and treat an empty IncludeToken attribute to mean the token is optional
--------------------------------------------------------------------------------------------------------------------------------
Key: RAMPARTC-76
URL: https://issues.apache.org/jira/browse/RAMPARTC-76
Project: Rampart/C
Issue Type: Bug
Components: Rampart-core
Affects Versions: Current
Environment: Windows XP
Reporter: Dave Meier
Assignee: Ruchith Udayanga Fernando
Priority: Critical
Attachments: rampart_sec_header_processor_diff.txt
I want to specify a policy that has no IncludeToken attribute. Since IncludeToken is optional, it must be allowed to be unspecified.
The following is how I specify UsernameToken in my services.xml file:
<sp:UsernameToken/>
I want that to indicate that the UsernameToken itself is optional. I have a use case where I want either a SAML assertion or a username token, so I have to handle the case where Username token is not there. Rampart does not complain when I leave out the SAML assertion and put in the username token, but it does complain when I have only the SAML assertion and no username token.
Here is the full policy I have defined in services.xml:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <sp:RequestSecurityTokenTemplate xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
              <wst:TokenType>oasis:names:tc:SAML:1.0:assertion</wst:TokenType>
              <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
            </sp:RequestSecurityTokenTemplate>
          </sp:IssuedToken>
          <sp:UsernameToken/>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
        <rampc:TimeToLive>360</rampc:TimeToLive>
        <rampc:PasswordType>plainText</rampc:PasswordType>
        <rampc:AuthnModuleName>F:/TeamTrack701/software/contrib/axis2c/Win32Debug/lib/aeaxisauth.dll</rampc:AuthnModuleName>
      </rampc:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (RAMPARTC-76) Username token should default
inclusion to empty string, and treat an empty IncludeToken attribute to
mean the token is optional
Posted by "Dave Meier (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPARTC-76?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dave Meier closed RAMPARTC-76.
------------------------------
Resolution: Fixed
Fix Version/s: Current
Original problem was incorrect. I opened AXIS2C-1024 to describe the spec-supported behaviour that does not currently work.
-Dave.
[jira] Commented: (RAMPARTC-76) Username token should default
inclusion to empty string, and treat an empty IncludeToken attribute to
mean the token is optional
Posted by "Dave Meier (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPARTC-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573534#action_12573534 ]
Dave Meier commented on RAMPARTC-76:
------------------------------------
According to the spec, if IncludeToken is not provided it should default to Always, so I'm wrong about that.
The spec also shows how to OR things together in the policy, but when I tried that in rampart/c it didn't work. Here's what I tried (showing just the SignedSupportingTokens):
<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy>
    <wsp:ExactlyOne>
      <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
      <sp:SamlToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
    </wsp:ExactlyOne>
  </wsp:Policy>
</sp:SignedSupportingTokens>
This should accept either UsernameToken or SamlToken.
Thanks,
-Dave.
[jira] Updated: (RAMPARTC-76) Username token should default
inclusion to empty string, and treat an empty IncludeToken attribute to
mean the token is optional
Posted by "Dave Meier (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPARTC-76?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dave Meier updated RAMPARTC-76:
-------------------------------
Attachment: ut_c_diff.txt
Diff files for c\src\util\rampart_sec_header_processor.c (rampart/c project) and c\neethi\src\secpolicy\model\ut.c (axis2/c project) are attached. With these changes UsernameToken is optional when no IncludeToken attribute is specified on UsernameToken in the policy.
[jira] Commented: (RAMPARTC-76) Username token should default
inclusion to empty string, and treat an empty IncludeToken attribute to
mean the token is optional
Posted by "Dave Meier (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPARTC-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573535#action_12573535 ]
Dave Meier commented on RAMPARTC-76:
------------------------------------
Also tried the following without success:
<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy>
    <wsp:All>
      <wsp:ExactlyOne>
        <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
        <sp:SamlToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
      </wsp:ExactlyOne>
    </wsp:All>
  </wsp:Policy>
</sp:SignedSupportingTokens>
The spec I'm looking at is http://specs.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.pdf in section 4.1.1.
-Dave.
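Added example, not part of the thread and not Rampart/C or Neethi/C code: a small model of the WS-Policy semantics discussed in the two comments, expanding wsp:Policy/wsp:All/wsp:ExactlyOne into alternatives and applying the Always default when sp:IncludeToken is absent. The function names are hypothetical, the three sample policies are constructed from the thread's snippets (namespace declarations added, the IssuedToken template omitted), and the acceptance rule (every required token of some alternative is present) is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
INCLUDE = SP + "/IncludeToken/"
# Default stated in the thread: an absent sp:IncludeToken means Always.
DEFAULT_INCLUSION = INCLUDE + "Always"
# Inclusion values that put the token in a request to the recipient.
# "Once" is not modelled in this example.
SENT_TO_RECIPIENT = {INCLUDE + "Always", INCLUDE + "AlwaysToRecipient"}


def alternatives(node):
    """Expand a policy subtree into its alternatives.

    Each alternative is a frozenset of (token name, inclusion URI) pairs.
    """
    if node.tag in (f"{{{WSP}}}Policy", f"{{{WSP}}}All"):
        # Every child must hold: cross product of the children's alternatives.
        alts = [frozenset()]
        for child in node:
            alts = [a | b for a in alts for b in alternatives(child)]
        return alts
    if node.tag == f"{{{WSP}}}ExactlyOne":
        # One child is chosen: concatenate the children's alternatives.
        return [alt for child in node for alt in alternatives(child)]
    # Anything else is treated as a token assertion; nested content is ignored.
    name = node.tag.rsplit("}", 1)[-1]
    inclusion = node.get(f"{{{SP}}}IncludeToken", DEFAULT_INCLUSION)
    return [frozenset({(name, inclusion)})]


def required_token_sets(supporting_tokens_xml):
    """Per alternative, the sorted token names a request must carry."""
    root = ET.fromstring(supporting_tokens_xml)
    policy = root.find(f"{{{WSP}}}Policy")
    return [sorted(name for name, inc in alt if inc in SENT_TO_RECIPIENT)
            for alt in alternatives(policy)]


def accepts(supporting_tokens_xml, presented):
    """True if the presented token names satisfy at least one alternative."""
    return any(set(required) <= set(presented)
               for required in required_token_sets(supporting_tokens_xml))


NS = f'xmlns:sp="{SP}" xmlns:wsp="{WSP}"'
AT = INCLUDE + "AlwaysToRecipient"

# Constructed from the original report: IssuedToken plus a bare UsernameToken.
ORIGINAL = f"""
<sp:SignedSupportingTokens {NS}>
  <wsp:Policy>
    <sp:IssuedToken sp:IncludeToken="{AT}"/>
    <sp:UsernameToken/>
  </wsp:Policy>
</sp:SignedSupportingTokens>"""

# Constructed from the first comment: ExactlyOne directly under Policy.
EITHER = f"""
<sp:SignedSupportingTokens {NS}>
  <wsp:Policy>
    <wsp:ExactlyOne>
      <sp:UsernameToken sp:IncludeToken="{AT}"/>
      <sp:SamlToken sp:IncludeToken="{AT}"/>
    </wsp:ExactlyOne>
  </wsp:Policy>
</sp:SignedSupportingTokens>"""

# Constructed from the second comment: the same choice wrapped in All.
EITHER_IN_ALL = EITHER.replace(
    "<wsp:ExactlyOne>", "<wsp:All><wsp:ExactlyOne>").replace(
    "</wsp:ExactlyOne>", "</wsp:ExactlyOne></wsp:All>")

if __name__ == "__main__":
    for label, doc in [("original", ORIGINAL), ("either", EITHER),
                       ("either-in-all", EITHER_IN_ALL)]:
        print(label, required_token_sets(doc),
              "accepted without UsernameToken:",
              accepts(doc, {"SamlToken", "IssuedToken"}))
```

Under this model the bare `<sp:UsernameToken/>` is a required token, so the original policy has a single alternative that needs both tokens, while both ExactlyOne forms expand to the same two single-token alternatives.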
[jira] Updated: (RAMPARTC-76) Username token should default
inclusion to empty string, and treat an empty IncludeToken attribute to
mean the token is optional
Posted by "Dave Meier (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPARTC-76?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dave Meier updated RAMPARTC-76:
-------------------------------
Attachment: rampart_sec_header_processor_diff.txt
[jira] Commented: (RAMPARTC-76) Username token should default
inclusion to empty string, and treat an empty IncludeToken attribute to
mean the token is optional
Posted by "Manjula Peiris (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPARTC-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573593#action_12573593 ]
Manjula Peiris commented on RAMPARTC-76:
----------------------------------------
Currently Neethi/C security policy extension does not support this. Please put a Jira issue regarding this.
[jira] Assigned: (RAMPARTC-76) Username token should default
inclusion to empty string, and treat an empty IncludeToken attribute to
mean the token is optional
Posted by "S.Uthaiyashankar (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPARTC-76?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
S.Uthaiyashankar reassigned RAMPARTC-76:
----------------------------------------
Assignee: S.Uthaiyashankar (was: Ruchith Udayanga Fernando)