You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-dev@ws.apache.org by Dobri Kitipov <kd...@gmail.com> on 2007/10/11 16:58:47 UTC
Rampat, and X509 and Asymetric Binding using WS-Policy and WS-SecurityPolicy
Hi everybody,
We want to test the following scenario using Rampart SNAPSHOT. We have a
service that defines Asymetric binding (I am applying the WSDL and the
services.xml). What we want to achieve is not to store the clients' public
keys (PK) at server side. We do not want to spend memory resources to save
all clients' PK which can be of great amount. That's why we want to use X509
in order clients to exchange public PKs with the service. My understanding
is that in this case we do not need to specify the <ramp:encryptionUser>
into the services.xml, because the client provides the X509 sent with the
SOAP. The problem is that we receive the following exception when there is
no <ramp:encryptionUser> specified:
com.mycompany.wsstack.client.api.WSClientException:
org.apache.axis2.AxisFault: Encryption user not specified (The context is
created by the initiating party)
at com.mycompany.wsstack.client.impl.WSStaxClientImpl.sendReceive(
WSStaxClientImpl.java:133)
at com.mycompany.wsstack.samples.SampleSymClient.invokeWebService(
SampleSymClient.java:67)
at com.mycompany.wsstack.samples.SampleSymClient.main(
SampleSymClient.java:29)
Caused by: org.apache.axis2.AxisFault: Encryption user not specified (The
context is created by the initiating party)
at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(
Utils.java:486)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(
OutInAxisOperation.java:343)
at org.apache.axis2.description.OutInAxisOperationClient.send(
OutInAxisOperation.java:389)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(
OutInAxisOperation.java:211)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java
:163)
at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java
:528)
at com.mycompany.wsstack.client.impl.WSStaxClientImpl.sendReceive(
WSStaxClientImpl.java:129)
... 2 more
The WSDL of the service is:
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:mime="
http://schemas.xmlsoap.org/wsdl/mime/" xmlns:ns0="
http://pojo.wsstack.mycompany.com" xmlns:soap12="
http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:http="
http://schemas.xmlsoap.org/wsdl/http/" xmlns:ns1="
http://org.apache.axis2/xsd" xmlns:wsaw="
http://www.w3.org/2006/05/addressing/wsdl" xmlns:xs="
http://www.w3.org/2001/XMLSchema" xmlns:soap="
http://schemas.xmlsoap.org/wsdl/soap/" targetNamespace="
http://pojo.wsstack.mycompany.com">
<wsdl:documentation>HelloPojo</wsdl:documentation>
<wsdl:types>
<xs:schema xmlns:ns="http://pojo.wsstack.mycompany.com"
attributeFormDefault="qualified" elementFormDefault="qualified"
targetNamespace="http://pojo.wsstack.mycompany.com">
<xs:element name="sayHello">
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" name="name"
nillable="true" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="sayHelloResponse">
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" name="return"
nillable="true" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
</wsdl:types>
<wsdl:message name="sayHelloRequest">
<wsdl:part name="parameters" element="ns0:sayHello"/>
</wsdl:message>
<wsdl:message name="sayHelloResponse">
<wsdl:part name="parameters" element="ns0:sayHelloResponse"/>
</wsdl:message>
<wsdl:portType name="HelloPojoPortType">
<wsdl:operation name="sayHello">
<wsdl:input message="ns0:sayHelloRequest"
wsaw:Action="urn:sayHello"/>
<wsdl:output message="ns0:sayHelloResponse"
wsaw:Action="urn:sayHelloResponse"/>
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="HelloPojoHttpBinding" type="ns0:HelloPojoPortType">
<http:binding verb="POST"/>
<wsdl:operation name="sayHello">
<http:operation location="HelloPojo/sayHello"/>
<wsdl:input>
<mime:content type="text/xml" part="sayHello"/>
</wsdl:input>
<wsdl:output>
<mime:content type="text/xml" part="sayHello"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="User defined">
<wsp:ExactlyOne>
<wsp:All>
<sp:SymmetricBinding xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
<sp:RequireDerivedKeys/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:Wss10 xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</sp:Policy>
</sp:Wss10>
<sp:SignedSupportingTokens xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"/>
</wsp:Policy>
</sp:SignedSupportingTokens>
<sp:SignedParts xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
<sp:EncryptedParts xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:EncryptedParts>
<sp:SignedElements xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
<sp:EncryptedElements xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsdl:service name="HelloPojo">
<wsdl:port name="HelloPojoSOAP11port_http"
binding="ns0:HelloPojoSOAP11Binding">
<soap:address location="
http://localhost:8082/wsstack/services/HelloPojo"/>
</wsdl:port>
<wsdl:port name="HelloPojoSOAP12port_http"
binding="ns0:HelloPojoSOAP12Binding">
<soap12:address location="
http://localhost:8082/wsstack/services/HelloPojo"/>
</wsdl:port>
<wsdl:port name="HelloPojoHttpport"
binding="ns0:HelloPojoHttpBinding">
<http:address location="
http://localhost:8082/wsstack/services/HelloPojo"/>
</wsdl:port>
</wsdl:service>
<wsdl:binding name="HelloPojoSOAP12Binding"
type="ns0:HelloPojoPortType">
<wsp:PolicyReference xmlns:wsp="
http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#User defined"/>
<soap:binding transport="http://schemas.xmlsoap.org/soap/http"
style="document"/>
<wsdl:operation name="sayHello">
<soap:operation soapAction="urn:sayHello" style="document"/>
<wsdl:input>
<soap:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:binding name="HelloPojoSOAP11Binding"
type="ns0:HelloPojoPortType">
<wsp:PolicyReference xmlns:wsp="
http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#User defined"/>
<soap:binding transport="http://schemas.xmlsoap.org/soap/http"
style="document"/>
<wsdl:operation name="sayHello">
<soap:operation soapAction="urn:sayHello" style="document"/>
<wsdl:input>
<soap:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
</wsdl:definitions>
The services.xml is:
<?xml version="1.0" encoding="UTF-8"?>
<serviceGroup>
<service name="HelloPojoAsync">
<description>Web Service HelloPojoAsync</description>
<parameter name="ServiceClass">com.mycompany.wsstack.pojo.HelloPojoAsync
</parameter>
<messageReceivers>
<messageReceiver
class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" mep="
http://www.w3.org/2004/08/wsdl/in-out"/>
</messageReceivers>
<operation name="sayHello"/>
<wsp:Policy wsu:Id="User defined"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</sp:Policy>
</sp:Wss10>
<sp:SignedSupportingTokens xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy/>
</sp:SignedSupportingTokens>
<sp:SignedParts xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
<sp:EncryptedParts xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:EncryptedParts>
<sp:SignedElements xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
<sp:EncryptedElements xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
<ramp:RampartConfig xmlns:ramp="
http://ws.apache.org/rampart/policy">
<ramp:user>service</ramp:user>
<ramp:encryptionUser/>
<ramp:passwordCallbackClass>
com.mycompany.wsstack.pwcb.ServerPWCBHandler</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto provider="
org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="
org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="
org.apache.ws.security.crypto.merlin.file
">D:\Downloads\Rampart\wsstack\keystores\service.jks</ramp:property>
<ramp:property name="
org.apache.ws.security.crypto.merlin.keystore.password
">openssl</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
<ramp:crypto provider="
org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="
org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="
org.apache.ws.security.crypto.merlin.file
">D:\Downloads\Rampart\wsstack\keystores\service.jks</ramp:property>
<ramp:property name="
org.apache.ws.security.crypto.merlin.keystore.password
">openssl</ramp:property>
</ramp:crypto>
</ramp:encryptionCypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<module ref="addressing"/>
<module ref="rampart"/>
</service>
</serviceGroup>
Thank you in advance!
Dobri Kitipov
Re: Rampat, and X509 and Asymetric Binding using WS-Policy and WS-SecurityPolicy
Posted by Dobri Kitipov <kd...@gmail.com>.
Thank you very much for the answer!
I have another question related to Symmetric Binding. I have some problems
in this area. I have read the Thread called: "DerivedKeys in
SymmetricBinding" but it partly touches the problem.
Because it could be of someone's interest I will open a new thread.
Regards,
Dobri
On 10/12/07, Nandana Mihindukulasooriya <na...@gmail.com> wrote:
>
> Hi Dobri,
>
> Comments are interleaved.
>
> so why you are
> > saying the following:
> >
> > "In your case, you don't have any signed parts or signed elements
> > defined. But
> > the policy states to include the time stamp and the time stamp will be
> > signed using
> > the clients certificate. As the policy states IncludeToken="
> >
> >
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> > in the recipient token , the binary token will be included in the soap
> > request."
> > Why I need to have something signed in order to transfer the X509 cert?
>
>
> You really don't need to sign anything to transfer the certificate. You
> can
> set
> the IncludeToken attribute correctly and send the security token. But in
> the
> server side
> when we look for encryption user, if the property is set to
> "useReqSigCert"
> what we look
> for is the certificate that is used to sign the request.
>
>
> Can you explain it more precisely. Where I can read about that (e.g.
> > articles etc I have not found any good resources about that).
>
>
>
> I got the point exactly when I was going through the code. In RampartUtil
> class
> in getReqSigCert().
>
> Vector wsSecEngineResults = rResult.getResults();
> /*
> * Scan the results for the first Signature action. Use the
> * certificate of this Signature to set the certificate for the
> * encryption action :-).
> */
> for (int j = 0; j < wsSecEngineResults.size(); j++) {
> WSSecurityEngineResult wser =
> (WSSecurityEngineResult) wsSecEngineResults.get
> (j);
> Integer actInt = (Integer)wser.get(
> WSSecurityEngineResult.TAG_ACTION);
> if (actInt.intValue() == WSConstants.SIGN) {
> return (X509Certificate)wser.get(
> WSSecurityEngineResult.TAG_X509_CERTIFICATE);
> }
> }
>
> As you can see, actInt.intValue() == WSConstants.SIGN, we look for the
> signed
> parts of the message and get the certificate used to sign.
>
> IMHO, I think this is logical as user has to sign something and he
> authenticate him self
> by signing it with his private key. If what you really need is to deal
> with
> anonymous
> clients , you can use a symmetric binding with derived keys so you don't
> need client
> certificate and still can use servers X509 certificate to derive keys and
> use those derived
> keys to sign and encrypt both the request and the response message.
>
> Regards,
> Nandana
>
Re: Rampat, and X509 and Asymetric Binding using WS-Policy and WS-SecurityPolicy
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Dobri,
Comments are interleaved.
so why you are
> saying the following:
>
> "In your case, you don't have any signed parts or signed elements
> defined. But
> the policy states to include the time stamp and the time stamp will be
> signed using
> the clients certificate. As the policy states IncludeToken="
>
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> in the recipient token , the binary token will be included in the soap
> request."
> Why I need to have something signed in order to transfer the X509 cert?
You really don't need to sign anything to transfer the certificate. You can
set
the IncludeToken attribute correctly and send the security token. But in the
server side
when we look for encryption user, if the property is set to "useReqSigCert"
what we look
for is the certificate that is used to sign the request.
Can you explain it more precisely. Where I can read about that (e.g.
> articles etc I have not found any good resources about that).
I got the point exactly when I was going through the code. In RampartUtil
class
in getReqSigCert().
Vector wsSecEngineResults = rResult.getResults();
/*
* Scan the results for the first Signature action. Use the
* certificate of this Signature to set the certificate for the
* encryption action :-).
*/
for (int j = 0; j < wsSecEngineResults.size(); j++) {
WSSecurityEngineResult wser =
(WSSecurityEngineResult) wsSecEngineResults.get(j);
Integer actInt = (Integer)wser.get(
WSSecurityEngineResult.TAG_ACTION);
if (actInt.intValue() == WSConstants.SIGN) {
return (X509Certificate)wser.get(
WSSecurityEngineResult.TAG_X509_CERTIFICATE);
}
}
As you can see, actInt.intValue() == WSConstants.SIGN, we look for the
signed
parts of the message and get the certificate used to sign.
IMHO, I think this is logical as user has to sign something and he
authenticate him self
by signing it with his private key. If what you really need is to deal with
anonymous
clients , you can use a symmetric binding with derived keys so you don't
need client
certificate and still can use servers X509 certificate to derive keys and
use those derived
keys to sign and encrypt both the request and the response message.
Regards,
Nandana
Re: Rampat, and X509 and Asymetric Binding using WS-Policy and WS-SecurityPolicy
Posted by Dobri Kitipov <kd...@gmail.com>.
Hi,
thank you! Now it works fine.
Yes you are right that the WSDL and the services.xml are different - it is
my fault. I will apply the write ones, but you are right that I mean the
services.xml.
Anyway I want to ask you about the following you have written:
"For this to work, the request must carry a signature signed using the
client's cert.
In your case, you don't have any signed parts or signed elements
defined. But
the policy states to include the time stamp and the time stamp will be
signed using
the clients certificate. As the policy states IncludeToken="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
in the recipient token , the binary token will be included in the soap
request."
About "For this to work, the request must carry a signature signed using the
client's cert." - I think this is the following observed into the client's
request header (clients X509):
<wsse:BinarySecurityToken xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-4672752">MIIDPjCCAqegAwIBAgIBATANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJCRzEOMAwGA1UECBMFU29maWExDjAMBgNVBAcTBVNvZmlhMRQwEgYDVQQKEwtTb2Z0d2FyZSBBRzEUMBIGA1UECxMLU29mdHdhcmUgQUcxEjAQBgNVBAMTCWRldmVsb3BlcjAeFw0wNzA5MTQwOTU5MDdaFw0wODA5MTMwOTU5MDdaMF0xCzAJBgNVBAYTAkJHMQ4wDAYDVQQIEwVTb2ZpYTEUMBIGA1UEChMLU29mdHdhcmUgQUcxFDASBgNVBAsTC1NvZnR3YXJlIEFHMRIwEAYDVQQDEwlkZXZlbG9wZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIoW2xLpLwTEpllTqxz+E3GNK5d5E+aUsr/7XdSFJEfl8Vh5WAPUXcLK1d3wDd5Ghu/ewv3B2FZjiUWyTXVdjVCu2uHU1HFcQZCd9k35kVvfQINao2FX9z7BW34cJp1LoKZkliukDMuYBqeHv0UFlT/b/ZL47CzkdeJaS0njFpPHAgMBAAGjgf0wgfowCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFBzENd237MVXz49n+yKabdCQ997qMIGfBgNVHSMEgZcwgZSAFAntZG/62Z6U1xSAUkMI33N+77BloXGkbzBtMQswCQYDVQQGEwJCRzEOMAwGA1UECBMFU29maWExDjAMBgNVBAcTBVNvZmlhMRQwEgYDVQQKEwtTb2Z0d2FyZSBBRzEUMBIGA1UECxMLU29mdHdhcmUgQUcxEjAQBgNVBAMTCWRldmVsb3BlcoIJAPxRLIMzR6wcMA0GCSqGSIb3DQEBBAUAA4GBAIMzOMNE9c+D093mvu6now0GpkGJmKn5EpT/w2U7jQKJv6k0eN85GMmiu8aXarYO57gaN/WIAyZTKzUhSHbcSDw/ZvU57BAkRKko8qlTjESXzbom6M/KhoeSAqZEWQOrAxTkNNsRgn8s5ZyWT5fKq/XiBguvtwUfZtfxU8dgjnHL</wsse:BinarySecurityToken>
IMHO this is the signed X509 cert that should be used, so why you are
saying the following:
"In your case, you don't have any signed parts or signed elements
defined. But
the policy states to include the time stamp and the time stamp will be
signed using
the clients certificate. As the policy states IncludeToken="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
in the recipient token , the binary token will be included in the soap
request."
Why I need to have something signed in order to transfer the X509 cert?
Can you explain it more precisely. Where I can read about that (e.g.
articles etc I have not found any good resources about that).
Here I am appling the right WSDL. The services.xml is ok as you know :)
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/" xmlns:ns0="
http://pojo.wsstack.softwareag.com" xmlns:soap12="
http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:http="
http://schemas.xmlsoap.org/wsdl/http/" xmlns:ns1="
http://org.apache.axis2/xsd" xmlns:wsaw="
http://www.w3.org/2006/05/addressing/wsdl" xmlns:xs="
http://www.w3.org/2001/XMLSchema" xmlns:soap="
http://schemas.xmlsoap.org/wsdl/soap/" targetNamespace="
http://pojo.wsstack.softwareag.com">
<wsdl:documentation>HelloPojoAsync</wsdl:documentation>
<wsdl:types>
<xs:schema xmlns:ns="http://pojo.wsstack.softwareag.com"
attributeFormDefault="qualified" elementFormDefault="qualified"
targetNamespace="http://pojo.wsstack.softwareag.com">
<xs:element name="sayHello">
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" name="name" nillable="true"
type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="sayHelloResponse">
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" name="return" nillable="true"
type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
</wsdl:types>
<wsdl:message name="sayHelloRequest">
<wsdl:part name="parameters" element="ns0:sayHello"/>
</wsdl:message>
<wsdl:message name="sayHelloResponse">
<wsdl:part name="parameters" element="ns0:sayHelloResponse"/>
</wsdl:message>
<wsdl:portType name="HelloPojoAsyncPortType">
<wsdl:operation name="sayHello">
<wsdl:input message="ns0:sayHelloRequest"
wsaw:Action="urn:sayHello"/>
<wsdl:output message="ns0:sayHelloResponse"
wsaw:Action="urn:sayHelloResponse"/>
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="HelloPojoAsyncHttpBinding"
type="ns0:HelloPojoAsyncPortType">
<http:binding verb="POST"/>
<wsdl:operation name="sayHello">
<http:operation location="HelloPojoAsync/sayHello"/>
<wsdl:input>
<mime:content type="text/xml" part="sayHello"/>
</wsdl:input>
<wsdl:output>
<mime:content type="text/xml" part="sayHello"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="User defined">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</sp:Policy>
</sp:Wss10>
<sp:SignedSupportingTokens xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"/>
</wsp:Policy>
</sp:SignedSupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsdl:service name="HelloPojoAsync">
<wsdl:port name="HelloPojoAsyncSOAP11port_http"
binding="ns0:HelloPojoAsyncSOAP11Binding">
<soap:address location="
http://127.0.0.1:8082/wsstack/services/HelloPojoAsync"/>
</wsdl:port>
<wsdl:port name="HelloPojoAsyncSOAP12port_http"
binding="ns0:HelloPojoAsyncSOAP12Binding">
<soap12:address location="
http://127.0.0.1:8082/wsstack/services/HelloPojoAsync"/>
</wsdl:port>
<wsdl:port name="HelloPojoAsyncHttpport"
binding="ns0:HelloPojoAsyncHttpBinding">
<http:address location="
http://127.0.0.1:8082/wsstack/services/HelloPojoAsync"/>
</wsdl:port>
</wsdl:service>
<wsdl:binding name="HelloPojoAsyncSOAP12Binding"
type="ns0:HelloPojoAsyncPortType">
<wsp:PolicyReference xmlns:wsp="
http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#User defined"/>
<soap:binding transport="http://schemas.xmlsoap.org/soap/http"
style="document"/>
<wsdl:operation name="sayHello">
<soap:operation soapAction="urn:sayHello"
style="document"/>
<wsdl:input>
<soap:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:binding name="HelloPojoAsyncSOAP11Binding"
type="ns0:HelloPojoAsyncPortType">
<wsp:PolicyReference xmlns:wsp="
http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#User defined"/>
<soap:binding transport="http://schemas.xmlsoap.org/soap/http"
style="document"/>
<wsdl:operation name="sayHello">
<soap:operation soapAction="urn:sayHello"
style="document"/>
<wsdl:input>
<soap:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
</wsdl:definitions>
Regards,
Dobri
On 10/12/07, Nandana Mihindukulasooriya <na...@gmail.com> wrote:
>
> Hi,
> IMHO, in Rampart when we want to use the certificate which was used to
> sign
> the request ( the client's X509 certificate in your case ) to do the
> encryption in
> the response, we specify the <ramp:encryptionUser> parameter as
>
> <encryptionUser>useReqSigCert</encryptionUser>.
>
> For this to work, the request must carry a signature signed using the
> client's cert.
> In your case, you don't have any signed parts or signed elements
> defined. But
> the policy states to include the time stamp and the time stamp will be
> signed using
> the clients certificate. As the policy states
> IncludeToken="
>
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> in the recipient token , the binary token will be included in the soap
> request.
> So I think your scenario should work when encryptionUser is set to
> useReqSigCert.
>
> Btw, two policies in the WSDL and the services.xml are quite different.
> WSDL
> contains
> a policy which is applied to two bindings and which is a symmetric
> binding.
> It also
> requires a UsernameToken as a signed supporting token.
>
> The policy defined in the services.xml is Asymmetric binding with no
> supporting tokens.
> Anyway I think you are talking about the policy in the services.xml.
>
> Regards,
> Nandana
>
>
> On 10/11/07, Dobri Kitipov <kd...@gmail.com> wrote:
> >
> > Hi everybody,
> > We want to test the following scenario using Rampart SNAPSHOT. We have a
> > service that defines Asymetric binding (I am applying the WSDL and the
> > services.xml). What we want to achieve is not to store the clients'
> public
> > keys (PK) at server side. We do not want to spend memory resources to
> save
> > all clients' PK which can be of great amount. That's why we want to use
> > X509
> > in order clients to exchange public PKs with the service. My
> understanding
> > is that in this case we do not need to specify the <ramp:encryptionUser>
> > into the services.xml, because the client provides the X509 sent with
> the
> > SOAP. The problem is that we receive the following exception when there
> is
> > no <ramp:encryptionUser> specified:
> >
> > com.mycompany.wsstack.client.api.WSClientException:
> > org.apache.axis2.AxisFault: Encryption user not specified (The context
> is
> > created by the initiating party)
> > at com.mycompany.wsstack.client.impl.WSStaxClientImpl.sendReceive(
> > WSStaxClientImpl.java:133)
> > at com.mycompany.wsstack.samples.SampleSymClient.invokeWebService(
> > SampleSymClient.java:67)
> > at com.mycompany.wsstack.samples.SampleSymClient.main(
> > SampleSymClient.java:29)
> > Caused by: org.apache.axis2.AxisFault: Encryption user not specified
> (The
> > context is created by the initiating party)
> > at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(
> > Utils.java:486)
> > at
> > org.apache.axis2.description.OutInAxisOperationClient.handleResponse(
> > OutInAxisOperation.java:343)
> > at org.apache.axis2.description.OutInAxisOperationClient.send(
> > OutInAxisOperation.java:389)
> > at org.apache.axis2.description.OutInAxisOperationClient.executeImpl
> (
> > OutInAxisOperation.java:211)
> > at org.apache.axis2.client.OperationClient.execute(
> > OperationClient.java
> > :163)
> > at org.apache.axis2.client.ServiceClient.sendReceive(
> > ServiceClient.java
> > :528)
> > at com.mycompany.wsstack.client.impl.WSStaxClientImpl.sendReceive(
> > WSStaxClientImpl.java:129)
> > ... 2 more
> >
> > The WSDL of the service is:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> > xmlns:mime="
> > http://schemas.xmlsoap.org/wsdl/mime/" xmlns:ns0="
> > http://pojo.wsstack.mycompany.com" xmlns:soap12="
> > http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:http="
> > http://schemas.xmlsoap.org/wsdl/http/" xmlns:ns1="
> > http://org.apache.axis2/xsd" xmlns:wsaw="
> > http://www.w3.org/2006/05/addressing/wsdl" xmlns:xs="
> > http://www.w3.org/2001/XMLSchema" xmlns:soap="
> > http://schemas.xmlsoap.org/wsdl/soap/" targetNamespace="
> > http://pojo.wsstack.mycompany.com">
> > <wsdl:documentation>HelloPojo</wsdl:documentation>
> > <wsdl:types>
> > <xs:schema xmlns:ns="http://pojo.wsstack.mycompany.com"
> > attributeFormDefault="qualified" elementFormDefault="qualified"
> > targetNamespace="http://pojo.wsstack.mycompany.com">
> > <xs:element name="sayHello">
> > <xs:complexType>
> > <xs:sequence>
> > <xs:element minOccurs="0" name="name"
> > nillable="true" type="xs:string"/>
> > </xs:sequence>
> > </xs:complexType>
> > </xs:element>
> > <xs:element name="sayHelloResponse">
> > <xs:complexType>
> > <xs:sequence>
> > <xs:element minOccurs="0" name="return"
> > nillable="true" type="xs:string"/>
> > </xs:sequence>
> > </xs:complexType>
> > </xs:element>
> > </xs:schema>
> > </wsdl:types>
> > <wsdl:message name="sayHelloRequest">
> > <wsdl:part name="parameters" element="ns0:sayHello"/>
> > </wsdl:message>
> > <wsdl:message name="sayHelloResponse">
> > <wsdl:part name="parameters" element="ns0:sayHelloResponse"/>
> > </wsdl:message>
> > <wsdl:portType name="HelloPojoPortType">
> > <wsdl:operation name="sayHello">
> > <wsdl:input message="ns0:sayHelloRequest"
> > wsaw:Action="urn:sayHello"/>
> > <wsdl:output message="ns0:sayHelloResponse"
> > wsaw:Action="urn:sayHelloResponse"/>
> > </wsdl:operation>
> > </wsdl:portType>
> > <wsdl:binding name="HelloPojoHttpBinding"
> > type="ns0:HelloPojoPortType">
> > <http:binding verb="POST"/>
> > <wsdl:operation name="sayHello">
> > <http:operation location="HelloPojo/sayHello"/>
> > <wsdl:input>
> > <mime:content type="text/xml" part="sayHello"/>
> > </wsdl:input>
> > <wsdl:output>
> > <mime:content type="text/xml" part="sayHello"/>
> > </wsdl:output>
> > </wsdl:operation>
> > </wsdl:binding>
> > <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > xmlns:wsu="
> >
> >
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> > "
> > wsu:Id="User defined">
> > <wsp:ExactlyOne>
> > <wsp:All>
> > <sp:SymmetricBinding xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > <wsp:Policy>
> > <sp:ProtectionToken>
> > <wsp:Policy>
> > <sp:X509Token sp:IncludeToken="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never
> ">
> > <wsp:Policy>
> > <sp:WssX509V3Token10/>
> > <sp:RequireDerivedKeys/>
> > </wsp:Policy>
> > </sp:X509Token>
> > </wsp:Policy>
> > </sp:ProtectionToken>
> > <sp:AlgorithmSuite>
> > <wsp:Policy>
> > <sp:Basic128/>
> > </wsp:Policy>
> > </sp:AlgorithmSuite>
> > <sp:Layout>
> > <wsp:Policy>
> > <sp:Strict/>
> > </wsp:Policy>
> > </sp:Layout>
> > <sp:IncludeTimestamp/>
> > </wsp:Policy>
> > </sp:SymmetricBinding>
> > <sp:Wss10 xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > <sp:Policy>
> > <sp:MustSupportRefKeyIdentifier/>
> > <sp:MustSupportRefIssuerSerial/>
> > </sp:Policy>
> > </sp:Wss10>
> > <sp:SignedSupportingTokens xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > <wsp:Policy>
> > <sp:UsernameToken sp:IncludeToken="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
> > "/>
> > </wsp:Policy>
> > </sp:SignedSupportingTokens>
> > <sp:SignedParts xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
> > <sp:EncryptedParts xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > <sp:Body/>
> > </sp:EncryptedParts>
> > <sp:SignedElements xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
> > <sp:EncryptedElements xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
> > </wsp:All>
> > </wsp:ExactlyOne>
> > </wsp:Policy>
> > <wsdl:service name="HelloPojo">
> > <wsdl:port name="HelloPojoSOAP11port_http"
> > binding="ns0:HelloPojoSOAP11Binding">
> > <soap:address location="
> > http://localhost:8082/wsstack/services/HelloPojo"/>
> > </wsdl:port>
> > <wsdl:port name="HelloPojoSOAP12port_http"
> > binding="ns0:HelloPojoSOAP12Binding">
> > <soap12:address location="
> > http://localhost:8082/wsstack/services/HelloPojo"/>
> > </wsdl:port>
> > <wsdl:port name="HelloPojoHttpport"
> > binding="ns0:HelloPojoHttpBinding">
> > <http:address location="
> > http://localhost:8082/wsstack/services/HelloPojo"/>
> > </wsdl:port>
> > </wsdl:service>
> > <wsdl:binding name="HelloPojoSOAP12Binding"
> > type="ns0:HelloPojoPortType">
> > <wsp:PolicyReference xmlns:wsp="
> > http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#User defined"/>
> > <soap:binding transport="http://schemas.xmlsoap.org/soap/http"
> > style="document"/>
> > <wsdl:operation name="sayHello">
> > <soap:operation soapAction="urn:sayHello" style="document"/>
> > <wsdl:input>
> > <soap:body use="literal"/>
> > </wsdl:input>
> > <wsdl:output>
> > <soap:body use="literal"/>
> > </wsdl:output>
> > </wsdl:operation>
> > </wsdl:binding>
> > <wsdl:binding name="HelloPojoSOAP11Binding"
> > type="ns0:HelloPojoPortType">
> > <wsp:PolicyReference xmlns:wsp="
> > http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#User defined"/>
> > <soap:binding transport="http://schemas.xmlsoap.org/soap/http"
> > style="document"/>
> > <wsdl:operation name="sayHello">
> > <soap:operation soapAction="urn:sayHello" style="document"/>
> > <wsdl:input>
> > <soap:body use="literal"/>
> > </wsdl:input>
> > <wsdl:output>
> > <soap:body use="literal"/>
> > </wsdl:output>
> > </wsdl:operation>
> > </wsdl:binding>
> > </wsdl:definitions>
> >
> >
> > The services.xml is:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <serviceGroup>
> > <service name="HelloPojoAsync">
> > <description>Web Service HelloPojoAsync</description>
> > <parameter name="ServiceClass">
> > com.mycompany.wsstack.pojo.HelloPojoAsync
> > </parameter>
> > <messageReceivers>
> > <messageReceiver
> > class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" mep="
> > http://www.w3.org/2004/08/wsdl/in-out"/>
> > </messageReceivers>
> > <operation name="sayHello"/>
> > <wsp:Policy wsu:Id="User defined"
> > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:wsu="
> >
> >
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> > ">
> > <wsp:ExactlyOne>
> > <wsp:All>
> > <sp:AsymmetricBinding xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > <wsp:Policy>
> > <sp:InitiatorToken>
> > <wsp:Policy>
> > <sp:X509Token sp:IncludeToken="
> >
> >
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> > ">
> > <wsp:Policy>
> > <sp:WssX509V3Token10/>
> > </wsp:Policy>
> > </sp:X509Token>
> > </wsp:Policy>
> > </sp:InitiatorToken>
> > <sp:RecipientToken>
> > <wsp:Policy>
> > <sp:X509Token sp:IncludeToken="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never
> ">
> > <wsp:Policy>
> > <sp:WssX509V3Token10/>
> > </wsp:Policy>
> > </sp:X509Token>
> > </wsp:Policy>
> > </sp:RecipientToken>
> > <sp:AlgorithmSuite xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > <wsp:Policy>
> > <sp:TripleDesRsa15/>
> > </wsp:Policy>
> > </sp:AlgorithmSuite>
> > <sp:Layout>
> > <wsp:Policy>
> > <sp:Strict/>
> > </wsp:Policy>
> > </sp:Layout>
> > <sp:IncludeTimestamp/>
> > <sp:OnlySignEntireHeadersAndBody/>
> > </wsp:Policy>
> > </sp:AsymmetricBinding>
> > <sp:Wss10 xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > <sp:Policy>
> > <sp:MustSupportRefKeyIdentifier/>
> > <sp:MustSupportRefIssuerSerial/>
> > </sp:Policy>
> > </sp:Wss10>
> > <sp:SignedSupportingTokens xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > <wsp:Policy/>
> > </sp:SignedSupportingTokens>
> > <sp:SignedParts xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
> > <sp:EncryptedParts xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > <sp:Body/>
> > </sp:EncryptedParts>
> > <sp:SignedElements xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
> > <sp:EncryptedElements xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
> > <ramp:RampartConfig xmlns:ramp="
> > http://ws.apache.org/rampart/policy">
> > <ramp:user>service</ramp:user>
> > <ramp:encryptionUser/>
> > <ramp:passwordCallbackClass>
> > com.mycompany.wsstack.pwcb.ServerPWCBHandler
> </ramp:passwordCallbackClass>
> > <ramp:signatureCrypto>
> > <ramp:crypto provider="
> > org.apache.ws.security.components.crypto.Merlin">
> > <ramp:property name="
> > org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > <ramp:property name="
> > org.apache.ws.security.crypto.merlin.file
> > ">D:\Downloads\Rampart\wsstack\keystores\service.jks</ramp:property>
> > <ramp:property name="
> > org.apache.ws.security.crypto.merlin.keystore.password
> > ">openssl</ramp:property>
> > </ramp:crypto>
> > </ramp:signatureCrypto>
> > <ramp:encryptionCypto>
> > <ramp:crypto provider="
> > org.apache.ws.security.components.crypto.Merlin">
> > <ramp:property name="
> > org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > <ramp:property name="
> > org.apache.ws.security.crypto.merlin.file
> > ">D:\Downloads\Rampart\wsstack\keystores\service.jks</ramp:property>
> > <ramp:property name="
> > org.apache.ws.security.crypto.merlin.keystore.password
> > ">openssl</ramp:property>
> > </ramp:crypto>
> > </ramp:encryptionCypto>
> > </ramp:RampartConfig>
> > </wsp:All>
> > </wsp:ExactlyOne>
> > </wsp:Policy>
> > <module ref="addressing"/>
> > <module ref="rampart"/>
> > </service>
> > </serviceGroup>
> >
> >
> > Thank you in advance!
> > Dobri Kitipov
> >
>
Re: Rampat, and X509 and Asymetric Binding using WS-Policy and WS-SecurityPolicy
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi,
IMHO, in Rampart when we want to use the certificate which was used to
sign
the request ( the client's X509 certificate in your case ) to do the
encryption in
the response, we specify the <ramp:encryptionUser> parameter as
<encryptionUser>useReqSigCert</encryptionUser>.
For this to work, the request must carry a signature signed using the
client's cert.
In your case, you don't have any signed parts or signed elements
defined. But
the policy states to include the time stamp and the time stamp will be
signed using
the clients certificate. As the policy states
IncludeToken="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
in the recipient token , the binary token will be included in the soap
request.
So I think your scenario should work when encryptionUser is set to
useReqSigCert.
Btw, two policies in the WSDL and the services.xml are quite different. WSDL
contains
a policy which is applied to two bindings and which is a symmetric binding.
It also
requires a UsernameToken as a signed supporting token.
The policy defined in the services.xml is Asymmetric binding with no
supporting tokens.
Anyway I think you are talking about the policy in the services.xml.
Regards,
Nandana
On 10/11/07, Dobri Kitipov <kd...@gmail.com> wrote:
>
> Hi everybody,
> We want to test the following scenario using Rampart SNAPSHOT. We have a
> service that defines Asymetric binding (I am applying the WSDL and the
> services.xml). What we want to achieve is not to store the clients' public
> keys (PK) at server side. We do not want to spend memory resources to save
> all clients' PK which can be of great amount. That's why we want to use
> X509
> in order clients to exchange public PKs with the service. My understanding
> is that in this case we do not need to specify the <ramp:encryptionUser>
> into the services.xml, because the client provides the X509 sent with the
> SOAP. The problem is that we receive the following exception when there is
> no <ramp:encryptionUser> specified:
>
> com.mycompany.wsstack.client.api.WSClientException:
> org.apache.axis2.AxisFault: Encryption user not specified (The context is
> created by the initiating party)
> at com.mycompany.wsstack.client.impl.WSStaxClientImpl.sendReceive(
> WSStaxClientImpl.java:133)
> at com.mycompany.wsstack.samples.SampleSymClient.invokeWebService(
> SampleSymClient.java:67)
> at com.mycompany.wsstack.samples.SampleSymClient.main(
> SampleSymClient.java:29)
> Caused by: org.apache.axis2.AxisFault: Encryption user not specified (The
> context is created by the initiating party)
> at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(
> Utils.java:486)
> at
> org.apache.axis2.description.OutInAxisOperationClient.handleResponse(
> OutInAxisOperation.java:343)
> at org.apache.axis2.description.OutInAxisOperationClient.send(
> OutInAxisOperation.java:389)
> at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(
> OutInAxisOperation.java:211)
> at org.apache.axis2.client.OperationClient.execute(
> OperationClient.java
> :163)
> at org.apache.axis2.client.ServiceClient.sendReceive(
> ServiceClient.java
> :528)
> at com.mycompany.wsstack.client.impl.WSStaxClientImpl.sendReceive(
> WSStaxClientImpl.java:129)
> ... 2 more
>
> The WSDL of the service is:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:mime="
> http://schemas.xmlsoap.org/wsdl/mime/" xmlns:ns0="
> http://pojo.wsstack.mycompany.com" xmlns:soap12="
> http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:http="
> http://schemas.xmlsoap.org/wsdl/http/" xmlns:ns1="
> http://org.apache.axis2/xsd" xmlns:wsaw="
> http://www.w3.org/2006/05/addressing/wsdl" xmlns:xs="
> http://www.w3.org/2001/XMLSchema" xmlns:soap="
> http://schemas.xmlsoap.org/wsdl/soap/" targetNamespace="
> http://pojo.wsstack.mycompany.com">
> <wsdl:documentation>HelloPojo</wsdl:documentation>
> <wsdl:types>
> <xs:schema xmlns:ns="http://pojo.wsstack.mycompany.com"
> attributeFormDefault="qualified" elementFormDefault="qualified"
> targetNamespace="http://pojo.wsstack.mycompany.com">
> <xs:element name="sayHello">
> <xs:complexType>
> <xs:sequence>
> <xs:element minOccurs="0" name="name"
> nillable="true" type="xs:string"/>
> </xs:sequence>
> </xs:complexType>
> </xs:element>
> <xs:element name="sayHelloResponse">
> <xs:complexType>
> <xs:sequence>
> <xs:element minOccurs="0" name="return"
> nillable="true" type="xs:string"/>
> </xs:sequence>
> </xs:complexType>
> </xs:element>
> </xs:schema>
> </wsdl:types>
> <wsdl:message name="sayHelloRequest">
> <wsdl:part name="parameters" element="ns0:sayHello"/>
> </wsdl:message>
> <wsdl:message name="sayHelloResponse">
> <wsdl:part name="parameters" element="ns0:sayHelloResponse"/>
> </wsdl:message>
> <wsdl:portType name="HelloPojoPortType">
> <wsdl:operation name="sayHello">
> <wsdl:input message="ns0:sayHelloRequest"
> wsaw:Action="urn:sayHello"/>
> <wsdl:output message="ns0:sayHelloResponse"
> wsaw:Action="urn:sayHelloResponse"/>
> </wsdl:operation>
> </wsdl:portType>
> <wsdl:binding name="HelloPojoHttpBinding"
> type="ns0:HelloPojoPortType">
> <http:binding verb="POST"/>
> <wsdl:operation name="sayHello">
> <http:operation location="HelloPojo/sayHello"/>
> <wsdl:input>
> <mime:content type="text/xml" part="sayHello"/>
> </wsdl:input>
> <wsdl:output>
> <mime:content type="text/xml" part="sayHello"/>
> </wsdl:output>
> </wsdl:operation>
> </wsdl:binding>
> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:wsu="
>
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
> wsu:Id="User defined">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:SymmetricBinding xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:ProtectionToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> <wsp:Policy>
> <sp:WssX509V3Token10/>
> <sp:RequireDerivedKeys/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:ProtectionToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> </wsp:Policy>
> </sp:SymmetricBinding>
> <sp:Wss10 xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefIssuerSerial/>
> </sp:Policy>
> </sp:Wss10>
> <sp:SignedSupportingTokens xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:UsernameToken sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
> "/>
> </wsp:Policy>
> </sp:SignedSupportingTokens>
> <sp:SignedParts xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
> <sp:EncryptedParts xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> </sp:EncryptedParts>
> <sp:SignedElements xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
> <sp:EncryptedElements xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> <wsdl:service name="HelloPojo">
> <wsdl:port name="HelloPojoSOAP11port_http"
> binding="ns0:HelloPojoSOAP11Binding">
> <soap:address location="
> http://localhost:8082/wsstack/services/HelloPojo"/>
> </wsdl:port>
> <wsdl:port name="HelloPojoSOAP12port_http"
> binding="ns0:HelloPojoSOAP12Binding">
> <soap12:address location="
> http://localhost:8082/wsstack/services/HelloPojo"/>
> </wsdl:port>
> <wsdl:port name="HelloPojoHttpport"
> binding="ns0:HelloPojoHttpBinding">
> <http:address location="
> http://localhost:8082/wsstack/services/HelloPojo"/>
> </wsdl:port>
> </wsdl:service>
> <wsdl:binding name="HelloPojoSOAP12Binding"
> type="ns0:HelloPojoPortType">
> <wsp:PolicyReference xmlns:wsp="
> http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#User defined"/>
> <soap:binding transport="http://schemas.xmlsoap.org/soap/http"
> style="document"/>
> <wsdl:operation name="sayHello">
> <soap:operation soapAction="urn:sayHello" style="document"/>
> <wsdl:input>
> <soap:body use="literal"/>
> </wsdl:input>
> <wsdl:output>
> <soap:body use="literal"/>
> </wsdl:output>
> </wsdl:operation>
> </wsdl:binding>
> <wsdl:binding name="HelloPojoSOAP11Binding"
> type="ns0:HelloPojoPortType">
> <wsp:PolicyReference xmlns:wsp="
> http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#User defined"/>
> <soap:binding transport="http://schemas.xmlsoap.org/soap/http"
> style="document"/>
> <wsdl:operation name="sayHello">
> <soap:operation soapAction="urn:sayHello" style="document"/>
> <wsdl:input>
> <soap:body use="literal"/>
> </wsdl:input>
> <wsdl:output>
> <soap:body use="literal"/>
> </wsdl:output>
> </wsdl:operation>
> </wsdl:binding>
> </wsdl:definitions>
>
>
> The services.xml is:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <serviceGroup>
> <service name="HelloPojoAsync">
> <description>Web Service HelloPojoAsync</description>
> <parameter name="ServiceClass">
> com.mycompany.wsstack.pojo.HelloPojoAsync
> </parameter>
> <messageReceivers>
> <messageReceiver
> class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" mep="
> http://www.w3.org/2004/08/wsdl/in-out"/>
> </messageReceivers>
> <operation name="sayHello"/>
> <wsp:Policy wsu:Id="User defined"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="
>
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> ">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:AsymmetricBinding xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="
>
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> ">
> <wsp:Policy>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> <wsp:Policy>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:TripleDesRsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:Wss10 xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefIssuerSerial/>
> </sp:Policy>
> </sp:Wss10>
> <sp:SignedSupportingTokens xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy/>
> </sp:SignedSupportingTokens>
> <sp:SignedParts xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
> <sp:EncryptedParts xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> </sp:EncryptedParts>
> <sp:SignedElements xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
> <sp:EncryptedElements xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
> <ramp:RampartConfig xmlns:ramp="
> http://ws.apache.org/rampart/policy">
> <ramp:user>service</ramp:user>
> <ramp:encryptionUser/>
> <ramp:passwordCallbackClass>
> com.mycompany.wsstack.pwcb.ServerPWCBHandler</ramp:passwordCallbackClass>
> <ramp:signatureCrypto>
> <ramp:crypto provider="
> org.apache.ws.security.components.crypto.Merlin">
> <ramp:property name="
> org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> <ramp:property name="
> org.apache.ws.security.crypto.merlin.file
> ">D:\Downloads\Rampart\wsstack\keystores\service.jks</ramp:property>
> <ramp:property name="
> org.apache.ws.security.crypto.merlin.keystore.password
> ">openssl</ramp:property>
> </ramp:crypto>
> </ramp:signatureCrypto>
> <ramp:encryptionCypto>
> <ramp:crypto provider="
> org.apache.ws.security.components.crypto.Merlin">
> <ramp:property name="
> org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> <ramp:property name="
> org.apache.ws.security.crypto.merlin.file
> ">D:\Downloads\Rampart\wsstack\keystores\service.jks</ramp:property>
> <ramp:property name="
> org.apache.ws.security.crypto.merlin.keystore.password
> ">openssl</ramp:property>
> </ramp:crypto>
> </ramp:encryptionCypto>
> </ramp:RampartConfig>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> <module ref="addressing"/>
> <module ref="rampart"/>
> </service>
> </serviceGroup>
>
>
> Thank you in advance!
> Dobri Kitipov
>