Posted to rampart-dev@ws.apache.org by Bryan Field-Elliot <br...@nextalarm.com> on 2009/09/02 21:41:07 UTC

Turning off signature checking with WS-SecureConversation

Using Rampart 1.5, we have implemented a client which communicates with a
server using WS-SecureConversation. The transport layer is https (SSL), and
thus is protected. The messages received from the web service are not
signed. Rampart is complaining that the message is not signed (AxisFault:
Message is not signed). I am told that we should be able to relax this
requirement in Rampart (since the transport layer is encrypted), but I
cannot find the option to do so. Can someone please direct me?

I am frankly not sure if this should be addressed at the Axis2 level  
or the Rampart level.

Thank you,

Bryan
Re: Turning off signature checking with WS-SecureConversation

Posted by Bryan Field-Elliot <br...@nextalarm.com>.
Thank you, Nandana,

I am pasting the policy below. The web service provider (who is using .Net)
is telling me to refer to section 5.1.1 of the WS-SecurityPolicy spec (July
2005), where it says "The SignedParts assertion ... can be satisfied using
WSS:SOAP Message Security, or by mechanisms out of scope of SOAP message
security, for example by sending the message over a secure transport protocol
like HTTPS". They are implying that since we are already over HTTPS, our
client (Rampart) should relax the SignedParts assertion. They believe that
our implementation (Rampart) should already know that we are over HTTPS and
therefore should not be enforcing the SignedParts policy.

So it seems to be a valid question: is there a way to have Rampart not check
for signatures via some configuration option? i.e.
stub._getServiceClient().getOptions().setProperty(... some option related to
message signature checking ...)?

Now, below is the complete policy as you asked, from their WSDL:

   <wsp:Policy wsu:Id="WSHttpBinding_IServices_policy">
     <wsp:ExactlyOne>
       <wsp:All>
         <!-- Outer binding: messages travel over HTTPS (no client certificate);
              Basic256 suite, strict header layout, wsu:Timestamp required. -->
         <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
           <wsp:Policy>
             <sp:TransportToken>
               <wsp:Policy>
                 <sp:HttpsToken RequireClientCertificate="false"/>
               </wsp:Policy>
             </sp:TransportToken>
             <sp:AlgorithmSuite>
               <wsp:Policy>
                 <sp:Basic256/>
               </wsp:Policy>
             </sp:AlgorithmSuite>
             <sp:Layout>
               <wsp:Policy>
                 <sp:Strict/>
               </wsp:Policy>
             </sp:Layout>
             <sp:IncludeTimestamp/>
           </wsp:Policy>
         </sp:TransportBinding>
         <!-- Endorsing token: a WS-SecureConversation context token, established
              under the bootstrap policy below, must sign the wsa:To header. -->
         <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
           <wsp:Policy>
             <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
               <wsp:Policy>
                 <!-- Policy for the RequestSecurityToken exchange that creates the
                      context: signed and encrypted parts, again over HTTPS, with a
                      signed UsernameToken as the client credential. -->
                 <sp:BootstrapPolicy>
                   <wsp:Policy>
                     <sp:SignedParts>
                       <sp:Body/>
                       <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                       <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
                       <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                       <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                       <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                       <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                       <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
                     </sp:SignedParts>
                     <sp:EncryptedParts>
                       <sp:Body/>
                     </sp:EncryptedParts>
                     <sp:TransportBinding>
                       <wsp:Policy>
                         <sp:TransportToken>
                           <wsp:Policy>
                             <sp:HttpsToken RequireClientCertificate="false"/>
                           </wsp:Policy>
                         </sp:TransportToken>
                         <sp:AlgorithmSuite>
                           <wsp:Policy>
                             <sp:Basic256/>
                           </wsp:Policy>
                         </sp:AlgorithmSuite>
                         <sp:Layout>
                           <wsp:Policy>
                             <sp:Strict/>
                           </wsp:Policy>
                         </sp:Layout>
                         <sp:IncludeTimestamp/>
                       </wsp:Policy>
                     </sp:TransportBinding>
                     <sp:SignedSupportingTokens>
                       <wsp:Policy>
                         <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                           <wsp:Policy>
                             <sp:WssUsernameToken10/>
                           </wsp:Policy>
                         </sp:UsernameToken>
                       </wsp:Policy>
                     </sp:SignedSupportingTokens>
                     <sp:Wss11>
                       <wsp:Policy>
                         <sp:MustSupportRefKeyIdentifier/>
                         <sp:MustSupportRefIssuerSerial/>
                         <sp:MustSupportRefThumbprint/>
                         <sp:MustSupportRefEncryptedKey/>
                       </wsp:Policy>
                     </sp:Wss11>
                     <sp:Trust10>
                       <wsp:Policy>
                         <sp:MustSupportIssuedTokens/>
                         <sp:RequireClientEntropy/>
                         <sp:RequireServerEntropy/>
                       </wsp:Policy>
                     </sp:Trust10>
                   </wsp:Policy>
                 </sp:BootstrapPolicy>
               </wsp:Policy>
             </sp:SecureConversationToken>
             <!-- The only part the endorsing token has to sign at message level. -->
             <sp:SignedParts>
               <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
             </sp:SignedParts>
           </wsp:Policy>
         </sp:EndorsingSupportingTokens>
         <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
           <wsp:Policy>
             <sp:MustSupportRefKeyIdentifier/>
             <sp:MustSupportRefIssuerSerial/>
             <sp:MustSupportRefThumbprint/>
             <sp:MustSupportRefEncryptedKey/>
           </wsp:Policy>
         </sp:Wss11>
         <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
           <wsp:Policy>
             <sp:MustSupportIssuedTokens/>
             <sp:RequireClientEntropy/>
             <sp:RequireServerEntropy/>
           </wsp:Policy>
         </sp:Trust10>
         <wsaw:UsingAddressing/>
       </wsp:All>
     </wsp:ExactlyOne>
   </wsp:Policy>



On Sep 2, 2009, at 1:34 PM, Nandana Mihindukulasooriya wrote:

Bryan,
   Whether the message should be signed or not is defined in the policy. All
security requirements are defined in the policy. Can you please post the
security policy of your service? By modifying the policy, you can remove
the requirement for signature.

regards,
Nandana

On Wed, Sep 2, 2009 at 9:41 PM, Bryan Field-Elliot <br...@nextalarm.com> wrote:

> Using Rampart 1.5, we have implemented a client which communicates with a
> server using WS-SecureConversation. The transport layer is https (SSL), and
> thus is protected. The messages received from the web service are not
> signed. Rampart is complaining that the message is not signed (AxisFault:
> Message is not signed). I am told that we should be able to relax this
> requirement in Rampart (since the transport layer is encrypted), but I
> cannot find the option to do so. Can someone please direct me?
>
> I am frankly not sure if this should be addressed at the Axis2 level or the
> Rampart level.
>
> Thank you,
>
> Bryan
>
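The policy above, parsed rather than read by eye: an added example in Python (not Rampart, Axis2 or the poster's code) that walks the pasted WS-SecurityPolicy fragment and reports what it obliges the client to do, so the question "does this policy require a message-level signature on the response?" can be answered from the policy itself. The pasted fragment does not carry the wsp, wsu and wsaw namespace declarations (the WSDL declares them higher up); the example assumes the usual URIs for them, and the two repeated blocks (TransportBinding, Wss11/Trust10) are factored into shared strings so the whole policy fits in one file.

```python
"""Added example, not Axis2/Rampart code: parse the WS-SecurityPolicy 1.1
fragment from the service's WSDL and report what it asks of the client.
wsp/wsu/wsaw namespace URIs are not in the pasted fragment; the usual ones
are assumed below."""
import json
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSA = "http://www.w3.org/2005/08/addressing"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"  # assumed
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"  # assumed
WSAW = "http://www.w3.org/2006/05/addressing/wsdl"  # assumed
INCLUDE = SP + "/IncludeToken/AlwaysToRecipient"

# The pasted policy repeats these blocks verbatim at top level and inside the
# bootstrap policy; they are factored out here, not changed.
TRANSPORT = """<sp:TransportBinding><wsp:Policy>
  <sp:TransportToken><wsp:Policy><sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken>
  <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
  <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
  <sp:IncludeTimestamp/></wsp:Policy></sp:TransportBinding>"""
WSS11_TRUST10 = """<sp:Wss11><wsp:Policy><sp:MustSupportRefKeyIdentifier/><sp:MustSupportRefIssuerSerial/>
  <sp:MustSupportRefThumbprint/><sp:MustSupportRefEncryptedKey/></wsp:Policy></sp:Wss11>
<sp:Trust10><wsp:Policy><sp:MustSupportIssuedTokens/><sp:RequireClientEntropy/>
  <sp:RequireServerEntropy/></wsp:Policy></sp:Trust10>"""
HEADERS = "".join(f'<sp:Header Name="{h}" Namespace="{WSA}"/>' for h in
                  ("To", "From", "FaultTo", "ReplyTo", "MessageID", "RelatesTo", "Action"))
POLICY = f"""<wsp:Policy wsu:Id="WSHttpBinding_IServices_policy" xmlns:wsp="{WSP}"
    xmlns:wsu="{WSU}" xmlns:sp="{SP}" xmlns:wsaw="{WSAW}"><wsp:ExactlyOne><wsp:All>
{TRANSPORT}
<sp:EndorsingSupportingTokens><wsp:Policy>
 <sp:SecureConversationToken sp:IncludeToken="{INCLUDE}"><wsp:Policy><sp:BootstrapPolicy><wsp:Policy>
  <sp:SignedParts><sp:Body/>{HEADERS}</sp:SignedParts>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  {TRANSPORT}
  <sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken sp:IncludeToken="{INCLUDE}">
   <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken></wsp:Policy></sp:SignedSupportingTokens>
  {WSS11_TRUST10}
 </wsp:Policy></sp:BootstrapPolicy></wsp:Policy></sp:SecureConversationToken>
 <sp:SignedParts><sp:Header Name="To" Namespace="{WSA}"/></sp:SignedParts>
</wsp:Policy></sp:EndorsingSupportingTokens>
{WSS11_TRUST10}
<wsaw:UsingAddressing/>
</wsp:All></wsp:ExactlyOne></wsp:Policy>"""

WSP_POLICY = f"{{{WSP}}}Policy"


def sp(name): return f"{{{SP}}}{name}"            # Clark-notation tag for sp:name
def local(tag): return tag.rsplit("}", 1)[-1]   # '{uri}Name' -> 'Name'


def describe_binding(binding):
    """What carries the message, plus the message-level extras the binding adds."""
    inner = binding.find(WSP_POLICY)
    token = inner.find(f"{sp('TransportToken')}/{WSP_POLICY}/*")
    return {
        "binding": local(binding.tag),
        "transport_token": local(token.tag),
        "require_client_certificate": token.get("RequireClientCertificate") == "true",
        "algorithm_suite": local(inner.find(f"{sp('AlgorithmSuite')}/{WSP_POLICY}/*").tag),
        "layout": local(inner.find(f"{sp('Layout')}/{WSP_POLICY}/*").tag),
        "include_timestamp": inner.find(sp("IncludeTimestamp")) is not None,
    }


def parts(container, which):
    """Parts named by a direct sp:SignedParts/sp:EncryptedParts child: 'Body' or header names."""
    node = container.find(sp(which))
    return [] if node is None else [
        p.get("Name") if local(p.tag) == "Header" else local(p.tag) for p in node]


def analyse(policy_xml):
    """Summarise the single policy alternative as a nested dict."""
    root = ET.fromstring(policy_xml)
    alt = root.find(f"{{{WSP}}}ExactlyOne/{{{WSP}}}All")
    binding = alt.find(sp("TransportBinding"))
    endorsing = alt.find(f"{sp('EndorsingSupportingTokens')}/{WSP_POLICY}")
    sct = endorsing.find(sp("SecureConversationToken"))
    boot = sct.find(f"{WSP_POLICY}/{sp('BootstrapPolicy')}/{WSP_POLICY}")
    trust = boot.find(f"{sp('Trust10')}/{WSP_POLICY}")
    return {
        "binding": describe_binding(binding),
        # WS-SecurityPolicy 1.1 section 5.1.1 (quoted in the thread): under a
        # TransportBinding, SignedParts/EncryptedParts are met by HTTPS itself, so
        # the policy owes no ds:Signature over the Body in either direction.
        "parts_protected_by_transport": local(binding.tag) == "TransportBinding",
        "endorsing_token": local(sct.tag),
        # The message-level signature the client still owes on each request,
        # keyed by the established security context: over wsa:To only.
        "endorsing_token_signs": parts(endorsing, "SignedParts"),
        "bootstrap": {  # the RequestSecurityToken exchange that sets up the context
            "binding": describe_binding(boot.find(sp("TransportBinding"))),
            "signed_parts": parts(boot, "SignedParts"),
            "encrypted_parts": parts(boot, "EncryptedParts"),
            "signed_supporting_token": local(
                boot.find(f"{sp('SignedSupportingTokens')}/{WSP_POLICY}/*").tag),
            "require_client_entropy": trust.find(sp("RequireClientEntropy")) is not None,
            "require_server_entropy": trust.find(sp("RequireServerEntropy")) is not None,
        },
    }


if __name__ == "__main__":
    print(json.dumps(analyse(POLICY), indent=2))
```

Run as a script, the report shows an outer TransportBinding over an HttpsToken with no client certificate, an endorsing SecureConversationToken whose only message-level signing duty is wsa:To, and a bootstrap exchange that carries a UsernameToken over the same HTTPS binding. Two practical consequences for a client that relaxes the response-signature check: the password in that UsernameToken and every response are protected by nothing but TLS, so the HTTPS transport's server-certificate and hostname validation becomes the sole authentication of what the service sends back and must be known to be enforced (trust store, hostname check); and the endorsing signature over wsa:To on requests is still a message-level signature the client has to produce, whatever the transport.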

Re: Turning off signature checking with WS-SecureConversation

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Bryan,
   Whether the message should be signed or not is defined in the policy. All
security requirements are defined in the policy. Can you please post the
security policy of your service? By modifying the policy, you can remove
the requirement for signature.

regards,
Nandana

On Wed, Sep 2, 2009 at 9:41 PM, Bryan Field-Elliot <br...@nextalarm.com> wrote:

> Using Rampart 1.5, we have implemented a client which communicates with a
> server using WS-SecureConversation. The transport layer is https (SSL), and
> thus is protected. The messages received from the web service are not
> signed. Rampart is complaining that the message is not signed (AxisFault:
> Message is not signed). I am told that we should be able to relax this
> requirement in Rampart (since the transport layer is encrypted), but I
> cannot find the option to do so. Can someone please direct me?
>
> I am frankly not sure if this should be addressed at the Axis2 level or the
> Rampart level.
>
> Thank you,
>
> Bryan
>
