WS-Security -- Unwanted WS-Addressing elements being automatically added

[Jeff Davis <jd...@idalica.com>]

Hi Everyone,

I have an interesting problem. I'm trying to setup Synapse so that I can use
to add the appropriate WS-Security stuff to outbound requests going to
Amazon's services such as SimpleDB (most of their services accept SOAP with
WS-Security). I'm able to properly configure the policy file so that the
BinarySecurityToken is added to the outbound request. Problem I have now is
that WS-Security also adds a few WS-Addressing elements automatically (even
when enableAddressing is not specified). For example, it adds:

        <wsa:To>http://localhost:8086</wsa:To>

<wsa:MessageID>urn:uuid:CAB4C2774609414B961212810086922918001272489401</wsa:MessageID>
        <wsa:Action>CreateDomain</wsa:Action

This is a problem insofar as Amazon then returns a message: "WS-Addressing
is missing a required parameter (ReplyTo)".  Amazon does not require
WS-Addressing support, and when I remove those elements manually through
somethign like soapUI, I do get beyond this issue.

Any suggestions how I can get those WS-Addressing elements easily removed?
I'm wondering if I can put it through another sequence to remove it? I see
you can do some meta-data WS-Addressing stuff in WS-Policy, but I didn't see
a way of turning it off.

Thanks,

jeff

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Ruwan Linton <ru...@gmail.com>]

Hi Paul,

I agree, in this context yes. But just think of the following scenario;

Client sends a message to Synapse specifying a Reply-To header and the
Synapse admin wants to forward the response to the actual service asking it
to directly reply to the actual client without going through Synapse for the
response. This is possible if we (Synapse) can forward the Reply-To header
coming from the client to the actual server (provided that actual server
understands Addressing). Isn't this a valid scenario?

Thanks,
Ruwan

On Mon, Jun 9, 2008 at 12:05 AM, Paul Fremantle <pz...@gmail.com> wrote:

> Ruwan
>
> I think its enough to set the anonymous one as long as we send it.
> That might just fix everything.
>
> Paul
>
> On Sun, Jun 8, 2008 at 2:22 PM, Ruwan Linton <ru...@gmail.com>
> wrote:
> > Hi Jeff and Paul,
> >
> > I was able to reproduce the issue, basically whatever we specify as the
> > ReplyTo header Addressing module changes it to anonymous for the outbound
> > message and neglects sending it. So setting the ReplyTo header is not
> > effective for the moment. Jeff, could you please file a JIRA for this. At
> > the same time I had a look at what Paul proposed and it seems to work but
> > still it is just the anonymous address but not the one we set. You could
> use
> > the property mediator at the axis2-client scope to set this property as
> > follows to include the anonymous header;
> >
> > <syn:property name="includeOptionalHeaders" value="true"
> > scope="axis2-client"/>
> >
> > Or if you use separateListener attribute to true with the
> enableAddressing
> > tag then you can see the non anonymous ReplyTo header is being sent to
> the
> > service.
> >
> > I will look for a solution to this issue ASAP. Thanks Jeff for pointing
> this
> > out.
> >
> > Thanks,
> > Ruwan
> >
> > On Sun, Jun 8, 2008 at 1:40 PM, Paul Fremantle <pz...@gmail.com> wrote:
> >
> >> Jeff
> >>
> >> Thanks for the feedback. Please can you submit your code as a sample?
> >> We will definitely try to fix the bug. I agree rampart should not be
> >> causing addressing headers to appear. The reason that the anonymous
> >> header is being stripped out is because the WS-A spec says that no
> >> reply-to is equivalent to anonymous, so there is a bug in Amazon.
> >> However, there is a way in Axis2 to turn this behaviour off.
> >>
> >> options.setProperty(AddressingConstants.INCLUDE_OPTIONAL_HEADERS,
> >> Boolean.TRUE);
> >>
> >> So another way to sort that out will be to set that property on the
> Axis2
> >> MC.
> >>
> >> Paul
> >>
> >> On Sun, Jun 8, 2008 at 6:24 AM, Jeff Davis <jd...@idalica.com> wrote:
> >> > Turns out my work-around really didn't solve the problem (because
> >> > Axis/Rampart is anticipating a WS-Addressing reply, and since I've
> >> stripped
> >> > it out downstream, I'd have to add it back manually).
> >> >
> >> > The crux of the issue is that I cannot figure out how to added this:
> >> >
> >> > <wsa:ReplyTo><wsa:Address>
> http://www.w3.org/2005/08/addressing/anonymous
> >> > </wsa:Address></wsa:ReplyTo>
> >> >
> >> > To my WS-Addressing part of my SOAP header.
> >> >
> >> > I believe it ought to be present, but it's not, as I've confirmed
> through
> >> > TCPMon. I've tried everything I can think of to get it to appear, but
> >> thus
> >> > far have had no luck.
> >> >
> >> > Thanks,
> >> >
> >> > jeff
> >> >
> >> > On Sat, Jun 7, 2008 at 9:23 PM, Jeff Davis <jd...@idalica.com>
> wrote:
> >> >
> >> >> Maybe it's not a bug but a feature request :-).
> >> >>
> >> >> I see two issues:
> >> >>
> >> >> 1) WS-Security automatically adds undesirable WS-Addressing elements
> >> (IMO,
> >> >> this should only happen when enableAddressing is specified). I don't
> see
> >> >> anything in the WS-Security spec that indicates WS-Addressing is
> >> required. I
> >> >> don't see a way to turn this behavior off in Synapse, without
> resorting
> >> to a
> >> >> workaround such as I demonstrated (i.e., chaining together 2
> sequences,
> >> >> within one removing the undesirable WS-Addressing elements).
> >> >>
> >> >> 2) I didn't see a a way to add the ReplyTo WS-Addressing element (and
> >> it's
> >> >> child node Address) using the header mechanism (or property, for that
> >> >> matter). This was the crux of my issue, as, for some reason, Amazon
> >> expected
> >> >> a ReplyTo. I suspect this is probably easily possible, but just
> wasn't
> >> able
> >> >> to figure it out.
> >> >>
> >> >> Btw, I was able to successfully interact with Amazon's SimpleDB now!
> I
> >> hope
> >> >> to writeup a blog entry on my findings (I am actually also writing
> the
> >> book
> >> >> called Open Source SOA from Manning, and I am including a big chapter
> on
> >> >> Synapse, which I am a huge fan of).
> >> >>
> >> >> To be honest, a lot of this WS-Security stuff is rather new to me, so
> >> I'm
> >> >> feverishly trying to get a handle on it (the Manning book SOA
> Security
> >> has
> >> >> been a big help). I have used PasswordDigest mechanism a lot, but not
> >> that
> >> >> signing with x509 certs as much.
> >> >>
> >> >> jeff
> >> >>
> >> >>
> >> >> On Sat, Jun 7, 2008 at 8:42 PM, Ruwan Linton <ruwan.linton@gmail.com
> >
> >> >> wrote:
> >> >>
> >> >>> Hi Jeff,
> >> >>>
> >> >>> What is the bug from your POV? I am sorry, I don't see a bug
> here.....
> >> >>>
> >> >>> Well you could go ahead and file a JIRA so that we can evaluate what
> is
> >> >>> the
> >> >>> issue that you have faced and see whether is there something wrong
> with
> >> >>> Synapse, but I assume this is rather a configuration error.
> >> >>>
> >> >>> Thanks,
> >> >>> Ruwan
> >> >>>
> >> >>>
> >> >>> On Sun, Jun 8, 2008 at 7:45 AM, Jeff Davis <jd...@idalica.com>
> wrote:
> >> >>>
> >> >>> > As a follow-up, I was running it through tcpmon, which is why it
> had
> >> the
> >> >>> > strange address.
> >> >>> >
> >> >>> > Yes, I am running the latest 1.2 build from the URL provided me
> last
> >> >>> > Thursday, I believe.
> >> >>> >
> >> >>> > Should I submit this is a bug?
> >> >>> >
> >> >>> > On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <
> ruwan.linton@gmail.com
> >> >
> >> >>> > wrote:
> >> >>> >
> >> >>> > > Hi Jeff,
> >> >>> > >
> >> >>> > > If you enable addressing to the outbound message then synapse
> >> should
> >> >>> be
> >> >>> > > sending the ReplyTo header as appropriate. May be amazon is not
> >> >>> accepting
> >> >>> > > anonymous ReplyTo headers, so assuming that you are using the
> 1.2
> >> >>> build
> >> >>> > > here
> >> >>> > > is the proposed solution to this;
> >> >>> > >
> >> >>> > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> >> >>> > >   <localEntry key="sec_policy"
> >> >>> > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> >> >>> > >
> >> >>> > >   <in>
> >> >>> > >        <send>
> >> >>> > >           <endpoint name="secure">
> >> >>> > >               <address uri="http://localhost:8086">
> >> >>> > >                   <enableSec policy="sec_policy"/>
> >> >>> > >                    <enableAddressing separateListener="true"/>
> >> >>> > >                </address>
> >> >>> > >           </endpoint>
> >> >>> > >       </send>
> >> >>> > >   </in>
> >> >>> > >   <out>
> >> >>> > >        <header name="wsse:Security" action="remove" xmlns:wsse="
> >> >>> > > http://www.w3.org/2005/08/addressing"/>
> >> >>> > >        <send/>
> >> >>> > >   </out>
> >> >>> > > </definitions>
> >> >>> > >
> >> >>> > > The above configuration should work, but please note that you
> need
> >> to
> >> >>> > > change
> >> >>> > > the address uri of the endpoint in the above configuration from
> "
> >> >>> > > http://localhost:8086" to "AMAZON_URL"
> >> >>> > >
> >> >>> > > If this is not working could you please attach the TCPMon out
> put
> >> of
> >> >>> the
> >> >>> > > outbound message which is going to AMAZON (after changing
> important
> >> >>> > > information) and the message received from AMAZON. If you don't
> >> want
> >> >>> to
> >> >>> > > post
> >> >>> > > it publicly you may send it to me (mailto:ruwan@wso2.com <
> >> >>> ruwan@wso2.com
> >> >>> > >)
> >> >>> > >
> >> >>> > > Thanks,
> >> >>> > > Ruwan
> >> >>> > >
> >> >>> > > On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <jd...@idalica.com>
> >> >>> wrote:
> >> >>> > >
> >> >>> > > > I did a little research, and I haven't seen anything in the
> >> standard
> >> >>> > that
> >> >>> > > > indicates WS-Security requires WS-Addressing.  Unfortunately,
> it
> >> >>> > doesn't
> >> >>> > > > appear as though setting the header has any impact (further,
> if
> >> it
> >> >>> did,
> >> >>> > > the
> >> >>> > > > ReplyTo has a child element for the Address, so not sure how
> that
> >> >>> would
> >> >>> > > be
> >> >>> > > > added). Here's my configuration:
> >> >>> > > >
> >> >>> > > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> >> >>> > > >    <localEntry key="sec_policy"
> >> >>> > > >
> src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> >> >>> > > >
> >> >>> > > >    <in>
> >> >>> > > >        <header name="ReplyTo" action="set" value=""/>
> >> >>> > > >        <send>
> >> >>> > > >            <endpoint name="secure">
> >> >>> > > >                <address uri="http://localhost:8086">
> >> >>> > > >                    <enableSec policy="sec_policy"/>
> >> >>> > > >                    <enableAddressing/>
> >> >>> > > >                </address>
> >> >>> > > >            </endpoint>
> >> >>> > > >        </send>
> >> >>> > > >    </in>
> >> >>> > > >    <out>
> >> >>> > > >        <send/>
> >> >>> > > >    </out>
> >> >>> > > > </definitions>
> >> >>> > > >
> >> >>> > > > In lieu of the above header, I also tried:
> >> >>> > > >
> >> >>> > > > <header name="wsse:Security" action="remove"
> >> >>> > > >       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
> >> >>> > > >
> >> >>> > > > (I also tried removing the <enableAddressing/> node for each
> >> test).
> >> >>> > > >
> >> >>> > > > To recap my issue, it seems as though Amazon AWS (at least for
> >> >>> SimpleDB
> >> >>> > > > service) requires the ReplyTo WS-Addressing element, if
> >> >>> WS-Addressing
> >> >>> > is
> >> >>> > > > used. I haven't found a way to remove WS-Addressing generated
> >> >>> > > automatically
> >> >>> > > > by Synapse when WS-Security is used, and I haven't figure out
> how
> >> to
> >> >>> > add
> >> >>> > > > ReplyTo (and it's child Address node) to the outbound message.
> >> >>> > > >
> >> >>> > > > Anyone have any work-arounds? Maybe I'll try chaining together
> >> some
> >> >>> > > things
> >> >>> > > > to see if I can devise something.
> >> >>> > > >
> >> >>> > > > Thanks,
> >> >>> > > >
> >> >>> > > > jeff
> >> >>> > > >
> >> >>> > > >
> >> >>> > > > On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <
> >> asankha@wso2.com
> >> >>> >
> >> >>> > > > wrote:
> >> >>> > > >
> >> >>> > > > > Hi Jeff
> >> >>> > > > >
> >> >>> > > > >> To be honest, I'm not entirely certain how to add it in the
> >> >>> Header
> >> >>> > > > >> mediator,
> >> >>> > > > >> as you allude to. I did try various permutations of using
> the
> >> >>> > property
> >> >>> > > > and
> >> >>> > > > >> header nodes within the <in>, but nothing ever appeared.
> >> >>> > > > >>
> >> >>> > > > >>
> >> >>> > > > > I am sorry.. I had made a mistake in my reply earlier.. to
> set
> >> the
> >> >>> > > > ReplyTo
> >> >>> > > > > header to something, you will use "<header name="ReplyTo"
> >> >>> > value="..."/>
> >> >>> > > > > format.. If you are familiar with using TCPMon, you can
> place
> >> it
> >> >>> > > between
> >> >>> > > > > your service and Amazon and route the message through it to
> get
> >> a
> >> >>> > trace
> >> >>> > > > of
> >> >>> > > > > the messages. This will help you and us to solve any
> problems.
> >> >>> > > > >
> >> >>> > > > >> Obviously, Amazon's service is not entirely compliant with
> the
> >> >>> > > > WS-Security
> >> >>> > > > >> standards. Even in their section under WS-Security SOAP,
> they
> >> >>> state
> >> >>> > > that
> >> >>> > > > >> "if
> >> >>> > > > >> you're using WS-Addressing, we recommend you also sign the
> >> Action
> >> >>> > and
> >> >>> > > To
> >> >>> > > > >> header elements" (I haven't figured out how to do that yet,
> >> but
> >> >>> I'll
> >> >>> > > dig
> >> >>> > > > >> into that).
> >> >>> > > > >>
> >> >>> > > > >>
> >> >>> > > > > If you are ok to share your configuration/scenario with us
> or
> >> let
> >> >>> us
> >> >>> > > try
> >> >>> > > > > some simple sample to reproduce the issue you are facing,
> one
> >> of
> >> >>> the
> >> >>> > > > > developers would be able to tell you exactly whats wrong,
> and
> >> what
> >> >>> > you
> >> >>> > > > could
> >> >>> > > > > do to get past the problem
> >> >>> > > > >
> >> >>> > > > > asankha
> >> >>> > > > >
> >> >>> > > >
> >> >>> > >
> >> >>> > >
> >> >>> > >
> >> >>> > > --
> >> >>> > > Ruwan Linton
> >> >>> > > http://www.wso2.org - "Oxygenating the Web Services Platform"
> >> >>> > >
> >> >>> >
> >> >>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>> Ruwan Linton
> >> >>> http://www.wso2.org - "Oxygenating the Web Services Platform"
> >> >>>
> >> >>
> >> >>
> >> >
> >>
> >>
> >>
> >> --
> >> Paul Fremantle
> >> Co-Founder and CTO, WSO2
> >> Apache Synapse PMC Chair
> >> OASIS WS-RX TC Co-chair
> >>
> >> blog: http://pzf.fremantle.org
> >> paul@wso2.com
> >>
> >> "Oxygenating the Web Service Platform", www.wso2.com
> >>
> >
> >
> >
> > --
> > Ruwan Linton
> > http://www.wso2.org - "Oxygenating the Web Services Platform"
> >
>
>
>
> --
> Paul Fremantle
> Co-Founder and CTO, WSO2
> Apache Synapse PMC Chair
> OASIS WS-RX TC Co-chair
>
> blog: http://pzf.fremantle.org
> paul@wso2.com
>
> "Oxygenating the Web Service Platform", www.wso2.com
>



-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Ruwan Linton <ru...@gmail.com>]

Hi Jeff,

On Mon, Jun 9, 2008 at 8:05 AM, Jeff Davis <jd...@idalica.com> wrote:

> Thanks for another timely response!
>
> Sounds like the message level policies for endpoints is the best solution.
> I
> can hold off further work on this until that becomes available.


Can you please file a JIRA for this, so that I can start on this soon.


>
>
> If I need something sooner, I guess one approach would be to use a custom
> mediator to add the SOAP header, WS-Security stuff, and then not to
> enableSec when sending the message? That way, I don't presume Rampart would
> have any expectations about expecting wsse in the response.


Exactly correct. But from the point of time line for the message level
policy fix, it will take at most two more days with all the other work. If
we look at the 1.2.1 release it will take about 3 weeks.

Thanks,
Ruwan


>
>
> jeff
>
> On Sun, Jun 8, 2008 at 6:26 PM, Ruwan Linton <ru...@gmail.com>
> wrote:
>
> > Hi Jeff,
> >
> > Nice to hear that you got it to work :-) ; See my comments in-line...
> >
> > On Mon, Jun 9, 2008 at 3:59 AM, Jeff Davis <jd...@idalica.com> wrote:
> >
> > > I'm sure you guys are sick of hearing from me by now :-).
> > >
> > > That change you guys had suggested corrected the issue with the ReplyTo
> > > being generated. That's the good news! I do have one last issue (I am
> so
> > > close to getting everything entirely working). I believe this is also
> do
> > to
> > > a buggy Amazon WS implementation. That is, there response doesn't
> contain
> > > any WSSE security stuff in their response. Here's an example of what I
> > > receive from them:
> >
> >
> > Jeff, I guess this is accepted and known as *message level policies*, so
> > the
> > in-message contains a security policy and the out-message does not.
> >
> >
> > >
> > >
> > > <soapenv:Envelope xmlns:soapenv="
> > http://schemas.xmlsoap.org/soap/envelope/
> > > ">
> > >    <soapenv:Header>
> > >        <wsa:RelatesTo xmlns:wsa="http://www.w3.org/2005/08/addressing"
> > >
> > >
> >
> >urn:uuid:A25F54392EB2D8B86E1212962691230477001-1880534923</wsa:RelatesTo>
> > >        <wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
> > >            >http://www.w3.org/2005/08/addressing/anonymous</wsa:To>
> > >        <wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing
> > > ">ListDomains:Response</wsa:Action>
> > >        <wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
> > >
>  >urn:uuid:337570bf-2dd7-4e5d-a578-3a57800ec5e4</wsa:MessageID>
> > >    </soapenv:Header>
> > >    <soapenv:Body>
> > >        <ListDomainsResponse xmlns="
> > > http://sdb.amazonaws.com/doc/2007-11-07/
> > > ">
> > >            <ListDomainsResult>
> > >                <DomainName>test</DomainName>
> > >            </ListDomainsResult>
> > >            <ResponseMetadata>
> > >
> >  <RequestId>337570bf-2dd7-4e5d-a578-3a57800ec5e4</RequestId>
> > >                <BoxUsage>0.0000071759</BoxUsage>
> > >            </ResponseMetadata>
> > >        </ListDomainsResponse>
> > >    </soapenv:Body>
> > > </soapenv:Envelope>
> > >
> > >
> > > Apparently Rampart anticipates a WS-Security in the response, but as
> you
> > > can
> > > see, it's not present. I've tried identifying where in the WS-Policy
> > > configuration I can have that turned off, but I don't see anything.
> > >
> > > I could probably add it myself, but not sure how to do this without
> > > resorting to a custom mediator of some sort, since I don't believe XSTL
> > or
> > > Script mediators have access to the SOAP header in the response?
> >
> >
> > Actually both the Script mediator and the XSLT mediator has the access to
> > SOAP headers, but I don't see none of these to be fitting to your problem
> > because Rampart is going to throw an error upon receiving this message if
> > you engage security to the outbound message. By the way, what is your new
> > configuration. Are you forwarding the message from the client without
> > modifying the security headers? Or do you engage security on the outbound
> > message on the endpoint?
> >
> > If it is the former, we should be able to use a custom mediator, but if
> > that
> > is the later we need a small improvement on the Synapse side, which
> Asankha
> > has pointed. (Message level policies for the outbound messages on
> endpoint
> > level)
> >
> >
> > >
> > >
> > > Upon conclusion of this whole exercise, I will get something written up
> > for
> > > others who wish to use Synapse in conjunction with Amazon's web
> services.
> >
> >
> > This is perfect. I will help you through to get this working. If we need
> to
> > implement message level policies for endpoints I can work on that soon so
> > that we can include that on the point release that we are planing soon
> > after
> > the 1.2 with AXIOM improvements.
> >
> > Thanks,
> > Ruwan
> >
> >
> > > As
> > > you know, AWS is becoming very popular, especially EC2 and S3.  My hope
> > is
> > > to use Synapse as proxy/mediator that will receive outbound, non
> > > WS-Security
> > > calls to AWS add on the appropriate WS-Security, then forward to AWS.
> > >
> > > jeff
> > >
> > > On Sun, Jun 8, 2008 at 12:35 PM, Paul Fremantle <pz...@gmail.com>
> > wrote:
> > >
> > > > Ruwan
> > > >
> > > > I think its enough to set the anonymous one as long as we send it.
> > > > That might just fix everything.
> > > >
> > > > Paul
> > > >
> > > > On Sun, Jun 8, 2008 at 2:22 PM, Ruwan Linton <ruwan.linton@gmail.com
> >
> > > > wrote:
> > > > > Hi Jeff and Paul,
> > > > >
> > > > > I was able to reproduce the issue, basically whatever we specify as
> > the
> > > > > ReplyTo header Addressing module changes it to anonymous for the
> > > outbound
> > > > > message and neglects sending it. So setting the ReplyTo header is
> not
> > > > > effective for the moment. Jeff, could you please file a JIRA for
> > this.
> > > At
> > > > > the same time I had a look at what Paul proposed and it seems to
> work
> > > but
> > > > > still it is just the anonymous address but not the one we set. You
> > > could
> > > > use
> > > > > the property mediator at the axis2-client scope to set this
> property
> > as
> > > > > follows to include the anonymous header;
> > > > >
> > > > > <syn:property name="includeOptionalHeaders" value="true"
> > > > > scope="axis2-client"/>
> > > > >
> > > > > Or if you use separateListener attribute to true with the
> > > > enableAddressing
> > > > > tag then you can see the non anonymous ReplyTo header is being sent
> > to
> > > > the
> > > > > service.
> > > > >
> > > > > I will look for a solution to this issue ASAP. Thanks Jeff for
> > pointing
> > > > this
> > > > > out.
> > > > >
> > > > > Thanks,
> > > > > Ruwan
> > > > >
> > > > > On Sun, Jun 8, 2008 at 1:40 PM, Paul Fremantle <pz...@gmail.com>
> > > wrote:
> > > > >
> > > > >> Jeff
> > > > >>
> > > > >> Thanks for the feedback. Please can you submit your code as a
> > sample?
> > > > >> We will definitely try to fix the bug. I agree rampart should not
> be
> > > > >> causing addressing headers to appear. The reason that the
> anonymous
> > > > >> header is being stripped out is because the WS-A spec says that no
> > > > >> reply-to is equivalent to anonymous, so there is a bug in Amazon.
> > > > >> However, there is a way in Axis2 to turn this behaviour off.
> > > > >>
> > > > >> options.setProperty(AddressingConstants.INCLUDE_OPTIONAL_HEADERS,
> > > > >> Boolean.TRUE);
> > > > >>
> > > > >> So another way to sort that out will be to set that property on
> the
> > > > Axis2
> > > > >> MC.
> > > > >>
> > > > >> Paul
> > > > >>
> > > > >> On Sun, Jun 8, 2008 at 6:24 AM, Jeff Davis <jd...@idalica.com>
> > > wrote:
> > > > >> > Turns out my work-around really didn't solve the problem
> (because
> > > > >> > Axis/Rampart is anticipating a WS-Addressing reply, and since
> I've
> > > > >> stripped
> > > > >> > it out downstream, I'd have to add it back manually).
> > > > >> >
> > > > >> > The crux of the issue is that I cannot figure out how to added
> > this:
> > > > >> >
> > > > >> > <wsa:ReplyTo><wsa:Address>
> > > > http://www.w3.org/2005/08/addressing/anonymous
> > > > >> > </wsa:Address></wsa:ReplyTo>
> > > > >> >
> > > > >> > To my WS-Addressing part of my SOAP header.
> > > > >> >
> > > > >> > I believe it ought to be present, but it's not, as I've
> confirmed
> > > > through
> > > > >> > TCPMon. I've tried everything I can think of to get it to
> appear,
> > > but
> > > > >> thus
> > > > >> > far have had no luck.
> > > > >> >
> > > > >> > Thanks,
> > > > >> >
> > > > >> > jeff
> > > > >> >
> > > > >> > On Sat, Jun 7, 2008 at 9:23 PM, Jeff Davis <jd...@idalica.com>
> > > > wrote:
> > > > >> >
> > > > >> >> Maybe it's not a bug but a feature request :-).
> > > > >> >>
> > > > >> >> I see two issues:
> > > > >> >>
> > > > >> >> 1) WS-Security automatically adds undesirable WS-Addressing
> > > elements
> > > > >> (IMO,
> > > > >> >> this should only happen when enableAddressing is specified). I
> > > don't
> > > > see
> > > > >> >> anything in the WS-Security spec that indicates WS-Addressing
> is
> > > > >> required. I
> > > > >> >> don't see a way to turn this behavior off in Synapse, without
> > > > resorting
> > > > >> to a
> > > > >> >> workaround such as I demonstrated (i.e., chaining together 2
> > > > sequences,
> > > > >> >> within one removing the undesirable WS-Addressing elements).
> > > > >> >>
> > > > >> >> 2) I didn't see a a way to add the ReplyTo WS-Addressing
> element
> > > (and
> > > > >> it's
> > > > >> >> child node Address) using the header mechanism (or property,
> for
> > > that
> > > > >> >> matter). This was the crux of my issue, as, for some reason,
> > Amazon
> > > > >> expected
> > > > >> >> a ReplyTo. I suspect this is probably easily possible, but just
> > > > wasn't
> > > > >> able
> > > > >> >> to figure it out.
> > > > >> >>
> > > > >> >> Btw, I was able to successfully interact with Amazon's SimpleDB
> > > now!
> > > > I
> > > > >> hope
> > > > >> >> to writeup a blog entry on my findings (I am actually also
> > writing
> > > > the
> > > > >> book
> > > > >> >> called Open Source SOA from Manning, and I am including a big
> > > chapter
> > > > on
> > > > >> >> Synapse, which I am a huge fan of).
> > > > >> >>
> > > > >> >> To be honest, a lot of this WS-Security stuff is rather new to
> > me,
> > > so
> > > > >> I'm
> > > > >> >> feverishly trying to get a handle on it (the Manning book SOA
> > > > Security
> > > > >> has
> > > > >> >> been a big help). I have used PasswordDigest mechanism a lot,
> but
> > > not
> > > > >> that
> > > > >> >> signing with x509 certs as much.
> > > > >> >>
> > > > >> >> jeff
> > > > >> >>
> > > > >> >>
> > > > >> >> On Sat, Jun 7, 2008 at 8:42 PM, Ruwan Linton <
> > > ruwan.linton@gmail.com
> > > > >
> > > > >> >> wrote:
> > > > >> >>
> > > > >> >>> Hi Jeff,
> > > > >> >>>
> > > > >> >>> What is the bug from your POV? I am sorry, I don't see a bug
> > > > here.....
> > > > >> >>>
> > > > >> >>> Well you could go ahead and file a JIRA so that we can
> evaluate
> > > what
> > > > is
> > > > >> >>> the
> > > > >> >>> issue that you have faced and see whether is there something
> > wrong
> > > > with
> > > > >> >>> Synapse, but I assume this is rather a configuration error.
> > > > >> >>>
> > > > >> >>> Thanks,
> > > > >> >>> Ruwan
> > > > >> >>>
> > > > >> >>>
> > > > >> >>> On Sun, Jun 8, 2008 at 7:45 AM, Jeff Davis <
> jdavis@idalica.com>
> > > > wrote:
> > > > >> >>>
> > > > >> >>> > As a follow-up, I was running it through tcpmon, which is
> why
> > it
> > > > had
> > > > >> the
> > > > >> >>> > strange address.
> > > > >> >>> >
> > > > >> >>> > Yes, I am running the latest 1.2 build from the URL provided
> > me
> > > > last
> > > > >> >>> > Thursday, I believe.
> > > > >> >>> >
> > > > >> >>> > Should I submit this is a bug?
> > > > >> >>> >
> > > > >> >>> > On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <
> > > > ruwan.linton@gmail.com
> > > > >> >
> > > > >> >>> > wrote:
> > > > >> >>> >
> > > > >> >>> > > Hi Jeff,
> > > > >> >>> > >
> > > > >> >>> > > If you enable addressing to the outbound message then
> > synapse
> > > > >> should
> > > > >> >>> be
> > > > >> >>> > > sending the ReplyTo header as appropriate. May be amazon
> is
> > > not
> > > > >> >>> accepting
> > > > >> >>> > > anonymous ReplyTo headers, so assuming that you are using
> > the
> > > > 1.2
> > > > >> >>> build
> > > > >> >>> > > here
> > > > >> >>> > > is the proposed solution to this;
> > > > >> >>> > >
> > > > >> >>> > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> > > > >> >>> > >   <localEntry key="sec_policy"
> > > > >> >>> > >
> > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> > > > >> >>> > >
> > > > >> >>> > >   <in>
> > > > >> >>> > >        <send>
> > > > >> >>> > >           <endpoint name="secure">
> > > > >> >>> > >               <address uri="http://localhost:8086">
> > > > >> >>> > >                   <enableSec policy="sec_policy"/>
> > > > >> >>> > >                    <enableAddressing
> > separateListener="true"/>
> > > > >> >>> > >                </address>
> > > > >> >>> > >           </endpoint>
> > > > >> >>> > >       </send>
> > > > >> >>> > >   </in>
> > > > >> >>> > >   <out>
> > > > >> >>> > >        <header name="wsse:Security" action="remove"
> > > xmlns:wsse="
> > > > >> >>> > > http://www.w3.org/2005/08/addressing"/>
> > > > >> >>> > >        <send/>
> > > > >> >>> > >   </out>
> > > > >> >>> > > </definitions>
> > > > >> >>> > >
> > > > >> >>> > > The above configuration should work, but please note that
> > you
> > > > need
> > > > >> to
> > > > >> >>> > > change
> > > > >> >>> > > the address uri of the endpoint in the above configuration
> > > from
> > > > "
> > > > >> >>> > > http://localhost:8086" to "AMAZON_URL"
> > > > >> >>> > >
> > > > >> >>> > > If this is not working could you please attach the TCPMon
> > out
> > > > put
> > > > >> of
> > > > >> >>> the
> > > > >> >>> > > outbound message which is going to AMAZON (after changing
> > > > important
> > > > >> >>> > > information) and the message received from AMAZON. If you
> > > don't
> > > > >> want
> > > > >> >>> to
> > > > >> >>> > > post
> > > > >> >>> > > it publicly you may send it to me (mailto:ruwan@wso2.com<
> > > > >> >>> ruwan@wso2.com
> > > > >> >>> > >)
> > > > >> >>> > >
> > > > >> >>> > > Thanks,
> > > > >> >>> > > Ruwan
> > > > >> >>> > >
> > > > >> >>> > > On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <
> > > jdavis@idalica.com>
> > > > >> >>> wrote:
> > > > >> >>> > >
> > > > >> >>> > > > I did a little research, and I haven't seen anything in
> > the
> > > > >> standard
> > > > >> >>> > that
> > > > >> >>> > > > indicates WS-Security requires WS-Addressing.
> > >  Unfortunately,
> > > > it
> > > > >> >>> > doesn't
> > > > >> >>> > > > appear as though setting the header has any impact
> > (further,
> > > > if
> > > > >> it
> > > > >> >>> did,
> > > > >> >>> > > the
> > > > >> >>> > > > ReplyTo has a child element for the Address, so not sure
> > how
> > > > that
> > > > >> >>> would
> > > > >> >>> > > be
> > > > >> >>> > > > added). Here's my configuration:
> > > > >> >>> > > >
> > > > >> >>> > > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> > > > >> >>> > > >    <localEntry key="sec_policy"
> > > > >> >>> > > >
> > > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> > > > >> >>> > > >
> > > > >> >>> > > >    <in>
> > > > >> >>> > > >        <header name="ReplyTo" action="set" value=""/>
> > > > >> >>> > > >        <send>
> > > > >> >>> > > >            <endpoint name="secure">
> > > > >> >>> > > >                <address uri="http://localhost:8086">
> > > > >> >>> > > >                    <enableSec policy="sec_policy"/>
> > > > >> >>> > > >                    <enableAddressing/>
> > > > >> >>> > > >                </address>
> > > > >> >>> > > >            </endpoint>
> > > > >> >>> > > >        </send>
> > > > >> >>> > > >    </in>
> > > > >> >>> > > >    <out>
> > > > >> >>> > > >        <send/>
> > > > >> >>> > > >    </out>
> > > > >> >>> > > > </definitions>
> > > > >> >>> > > >
> > > > >> >>> > > > In lieu of the above header, I also tried:
> > > > >> >>> > > >
> > > > >> >>> > > > <header name="wsse:Security" action="remove"
> > > > >> >>> > > >       xmlns:wsse="http://www.w3.org/2005/08/addressing
> "/>
> > > > >> >>> > > >
> > > > >> >>> > > > (I also tried removing the <enableAddressing/> node for
> > each
> > > > >> test).
> > > > >> >>> > > >
> > > > >> >>> > > > To recap my issue, it seems as though Amazon AWS (at
> least
> > > for
> > > > >> >>> SimpleDB
> > > > >> >>> > > > service) requires the ReplyTo WS-Addressing element, if
> > > > >> >>> WS-Addressing
> > > > >> >>> > is
> > > > >> >>> > > > used. I haven't found a way to remove WS-Addressing
> > > generated
> > > > >> >>> > > automatically
> > > > >> >>> > > > by Synapse when WS-Security is used, and I haven't
> figure
> > > out
> > > > how
> > > > >> to
> > > > >> >>> > add
> > > > >> >>> > > > ReplyTo (and it's child Address node) to the outbound
> > > message.
> > > > >> >>> > > >
> > > > >> >>> > > > Anyone have any work-arounds? Maybe I'll try chaining
> > > together
> > > > >> some
> > > > >> >>> > > things
> > > > >> >>> > > > to see if I can devise something.
> > > > >> >>> > > >
> > > > >> >>> > > > Thanks,
> > > > >> >>> > > >
> > > > >> >>> > > > jeff
> > > > >> >>> > > >
> > > > >> >>> > > >
> > > > >> >>> > > > On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <
> > > > >> asankha@wso2.com
> > > > >> >>> >
> > > > >> >>> > > > wrote:
> > > > >> >>> > > >
> > > > >> >>> > > > > Hi Jeff
> > > > >> >>> > > > >
> > > > >> >>> > > > >> To be honest, I'm not entirely certain how to add it
> in
> > > the
> > > > >> >>> Header
> > > > >> >>> > > > >> mediator,
> > > > >> >>> > > > >> as you allude to. I did try various permutations of
> > using
> > > > the
> > > > >> >>> > property
> > > > >> >>> > > > and
> > > > >> >>> > > > >> header nodes within the <in>, but nothing ever
> > appeared.
> > > > >> >>> > > > >>
> > > > >> >>> > > > >>
> > > > >> >>> > > > > I am sorry.. I had made a mistake in my reply
> earlier..
> > to
> > > > set
> > > > >> the
> > > > >> >>> > > > ReplyTo
> > > > >> >>> > > > > header to something, you will use "<header
> > name="ReplyTo"
> > > > >> >>> > value="..."/>
> > > > >> >>> > > > > format.. If you are familiar with using TCPMon, you
> can
> > > > place
> > > > >> it
> > > > >> >>> > > between
> > > > >> >>> > > > > your service and Amazon and route the message through
> it
> > > to
> > > > get
> > > > >> a
> > > > >> >>> > trace
> > > > >> >>> > > > of
> > > > >> >>> > > > > the messages. This will help you and us to solve any
> > > > problems.
> > > > >> >>> > > > >
> > > > >> >>> > > > >> Obviously, Amazon's service is not entirely compliant
> > > with
> > > > the
> > > > >> >>> > > > WS-Security
> > > > >> >>> > > > >> standards. Even in their section under WS-Security
> > SOAP,
> > > > they
> > > > >> >>> state
> > > > >> >>> > > that
> > > > >> >>> > > > >> "if
> > > > >> >>> > > > >> you're using WS-Addressing, we recommend you also
> sign
> > > the
> > > > >> Action
> > > > >> >>> > and
> > > > >> >>> > > To
> > > > >> >>> > > > >> header elements" (I haven't figured out how to do
> that
> > > yet,
> > > > >> but
> > > > >> >>> I'll
> > > > >> >>> > > dig
> > > > >> >>> > > > >> into that).
> > > > >> >>> > > > >>
> > > > >> >>> > > > >>
> > > > >> >>> > > > > If you are ok to share your configuration/scenario
> with
> > us
> > > > or
> > > > >> let
> > > > >> >>> us
> > > > >> >>> > > try
> > > > >> >>> > > > > some simple sample to reproduce the issue you are
> > facing,
> > > > one
> > > > >> of
> > > > >> >>> the
> > > > >> >>> > > > > developers would be able to tell you exactly whats
> > wrong,
> > > > and
> > > > >> what
> > > > >> >>> > you
> > > > >> >>> > > > could
> > > > >> >>> > > > > do to get past the problem
> > > > >> >>> > > > >
> > > > >> >>> > > > > asankha
> > > > >> >>> > > > >
> > > > >> >>> > > >
> > > > >> >>> > >
> > > > >> >>> > >
> > > > >> >>> > >
> > > > >> >>> > > --
> > > > >> >>> > > Ruwan Linton
> > > > >> >>> > > http://www.wso2.org - "Oxygenating the Web Services
> > Platform"
> > > > >> >>> > >
> > > > >> >>> >
> > > > >> >>>
> > > > >> >>>
> > > > >> >>>
> > > > >> >>> --
> > > > >> >>> Ruwan Linton
> > > > >> >>> http://www.wso2.org - "Oxygenating the Web Services Platform"
> > > > >> >>>
> > > > >> >>
> > > > >> >>
> > > > >> >
> > > > >>
> > > > >>
> > > > >>
> > > > >> --
> > > > >> Paul Fremantle
> > > > >> Co-Founder and CTO, WSO2
> > > > >> Apache Synapse PMC Chair
> > > > >> OASIS WS-RX TC Co-chair
> > > > >>
> > > > >> blog: http://pzf.fremantle.org
> > > > >> paul@wso2.com
> > > > >>
> > > > >> "Oxygenating the Web Service Platform", www.wso2.com
> > > > >>
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Ruwan Linton
> > > > > http://www.wso2.org - "Oxygenating the Web Services Platform"
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Paul Fremantle
> > > > Co-Founder and CTO, WSO2
> > > > Apache Synapse PMC Chair
> > > > OASIS WS-RX TC Co-chair
> > > >
> > > > blog: http://pzf.fremantle.org
> > > > paul@wso2.com
> > > >
> > > > "Oxygenating the Web Service Platform", www.wso2.com
> > > >
> > >
> >
> >
> >
> > --
> > Ruwan Linton
> > http://www.wso2.org - "Oxygenating the Web Services Platform"
> >
>



-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Jeff Davis <jd...@idalica.com>]

Thanks for another timely response!

Sounds like the message level policies for endpoints is the best solution. I
can hold off further work on this until that becomes available.

If I need something sooner, I guess one approach would be to use a custom
mediator to add the SOAP header, WS-Security stuff, and then not to
enableSec when sending the message? That way, I don't presume Rampart would
have any expectations about expecting wsse in the response.

jeff

On Sun, Jun 8, 2008 at 6:26 PM, Ruwan Linton <ru...@gmail.com> wrote:

> Hi Jeff,
>
> Nice to hear that you got it to work :-) ; See my comments in-line...
>
> On Mon, Jun 9, 2008 at 3:59 AM, Jeff Davis <jd...@idalica.com> wrote:
>
> > I'm sure you guys are sick of hearing from me by now :-).
> >
> > That change you guys had suggested corrected the issue with the ReplyTo
> > being generated. That's the good news! I do have one last issue (I am so
> > close to getting everything entirely working). I believe this is also do
> to
> > a buggy Amazon WS implementation. That is, there response doesn't contain
> > any WSSE security stuff in their response. Here's an example of what I
> > receive from them:
>
>
> Jeff, I guess this is accepted and known as *message level policies*, so
> the
> in-message contains a security policy and the out-message does not.
>
>
> >
> >
> > <soapenv:Envelope xmlns:soapenv="
> http://schemas.xmlsoap.org/soap/envelope/
> > ">
> >    <soapenv:Header>
> >        <wsa:RelatesTo xmlns:wsa="http://www.w3.org/2005/08/addressing"
> >
> >
> >urn:uuid:A25F54392EB2D8B86E1212962691230477001-1880534923</wsa:RelatesTo>
> >        <wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
> >            >http://www.w3.org/2005/08/addressing/anonymous</wsa:To>
> >        <wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing
> > ">ListDomains:Response</wsa:Action>
> >        <wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
> >            >urn:uuid:337570bf-2dd7-4e5d-a578-3a57800ec5e4</wsa:MessageID>
> >    </soapenv:Header>
> >    <soapenv:Body>
> >        <ListDomainsResponse xmlns="
> > http://sdb.amazonaws.com/doc/2007-11-07/
> > ">
> >            <ListDomainsResult>
> >                <DomainName>test</DomainName>
> >            </ListDomainsResult>
> >            <ResponseMetadata>
> >
>  <RequestId>337570bf-2dd7-4e5d-a578-3a57800ec5e4</RequestId>
> >                <BoxUsage>0.0000071759</BoxUsage>
> >            </ResponseMetadata>
> >        </ListDomainsResponse>
> >    </soapenv:Body>
> > </soapenv:Envelope>
> >
> >
> > Apparently Rampart anticipates a WS-Security in the response, but as you
> > can
> > see, it's not present. I've tried identifying where in the WS-Policy
> > configuration I can have that turned off, but I don't see anything.
> >
> > I could probably add it myself, but not sure how to do this without
> > resorting to a custom mediator of some sort, since I don't believe XSTL
> or
> > Script mediators have access to the SOAP header in the response?
>
>
> Actually both the Script mediator and the XSLT mediator has the access to
> SOAP headers, but I don't see none of these to be fitting to your problem
> because Rampart is going to throw an error upon receiving this message if
> you engage security to the outbound message. By the way, what is your new
> configuration. Are you forwarding the message from the client without
> modifying the security headers? Or do you engage security on the outbound
> message on the endpoint?
>
> If it is the former, we should be able to use a custom mediator, but if
> that
> is the later we need a small improvement on the Synapse side, which Asankha
> has pointed. (Message level policies for the outbound messages on endpoint
> level)
>
>
> >
> >
> > Upon conclusion of this whole exercise, I will get something written up
> for
> > others who wish to use Synapse in conjunction with Amazon's web services.
>
>
> This is perfect. I will help you through to get this working. If we need to
> implement message level policies for endpoints I can work on that soon so
> that we can include that on the point release that we are planing soon
> after
> the 1.2 with AXIOM improvements.
>
> Thanks,
> Ruwan
>
>
> > As
> > you know, AWS is becoming very popular, especially EC2 and S3.  My hope
> is
> > to use Synapse as proxy/mediator that will receive outbound, non
> > WS-Security
> > calls to AWS add on the appropriate WS-Security, then forward to AWS.
> >
> > jeff
> >
> > On Sun, Jun 8, 2008 at 12:35 PM, Paul Fremantle <pz...@gmail.com>
> wrote:
> >
> > > Ruwan
> > >
> > > I think its enough to set the anonymous one as long as we send it.
> > > That might just fix everything.
> > >
> > > Paul
> > >
> > > On Sun, Jun 8, 2008 at 2:22 PM, Ruwan Linton <ru...@gmail.com>
> > > wrote:
> > > > Hi Jeff and Paul,
> > > >
> > > > I was able to reproduce the issue, basically whatever we specify as
> the
> > > > ReplyTo header Addressing module changes it to anonymous for the
> > outbound
> > > > message and neglects sending it. So setting the ReplyTo header is not
> > > > effective for the moment. Jeff, could you please file a JIRA for
> this.
> > At
> > > > the same time I had a look at what Paul proposed and it seems to work
> > but
> > > > still it is just the anonymous address but not the one we set. You
> > could
> > > use
> > > > the property mediator at the axis2-client scope to set this property
> as
> > > > follows to include the anonymous header;
> > > >
> > > > <syn:property name="includeOptionalHeaders" value="true"
> > > > scope="axis2-client"/>
> > > >
> > > > Or if you use separateListener attribute to true with the
> > > enableAddressing
> > > > tag then you can see the non anonymous ReplyTo header is being sent
> to
> > > the
> > > > service.
> > > >
> > > > I will look for a solution to this issue ASAP. Thanks Jeff for
> pointing
> > > this
> > > > out.
> > > >
> > > > Thanks,
> > > > Ruwan
> > > >
> > > > On Sun, Jun 8, 2008 at 1:40 PM, Paul Fremantle <pz...@gmail.com>
> > wrote:
> > > >
> > > >> Jeff
> > > >>
> > > >> Thanks for the feedback. Please can you submit your code as a
> sample?
> > > >> We will definitely try to fix the bug. I agree rampart should not be
> > > >> causing addressing headers to appear. The reason that the anonymous
> > > >> header is being stripped out is because the WS-A spec says that no
> > > >> reply-to is equivalent to anonymous, so there is a bug in Amazon.
> > > >> However, there is a way in Axis2 to turn this behaviour off.
> > > >>
> > > >> options.setProperty(AddressingConstants.INCLUDE_OPTIONAL_HEADERS,
> > > >> Boolean.TRUE);
> > > >>
> > > >> So another way to sort that out will be to set that property on the
> > > Axis2
> > > >> MC.
> > > >>
> > > >> Paul
> > > >>
> > > >> On Sun, Jun 8, 2008 at 6:24 AM, Jeff Davis <jd...@idalica.com>
> > wrote:
> > > >> > Turns out my work-around really didn't solve the problem (because
> > > >> > Axis/Rampart is anticipating a WS-Addressing reply, and since I've
> > > >> stripped
> > > >> > it out downstream, I'd have to add it back manually).
> > > >> >
> > > >> > The crux of the issue is that I cannot figure out how to added
> this:
> > > >> >
> > > >> > <wsa:ReplyTo><wsa:Address>
> > > http://www.w3.org/2005/08/addressing/anonymous
> > > >> > </wsa:Address></wsa:ReplyTo>
> > > >> >
> > > >> > To my WS-Addressing part of my SOAP header.
> > > >> >
> > > >> > I believe it ought to be present, but it's not, as I've confirmed
> > > through
> > > >> > TCPMon. I've tried everything I can think of to get it to appear,
> > but
> > > >> thus
> > > >> > far have had no luck.
> > > >> >
> > > >> > Thanks,
> > > >> >
> > > >> > jeff
> > > >> >
> > > >> > On Sat, Jun 7, 2008 at 9:23 PM, Jeff Davis <jd...@idalica.com>
> > > wrote:
> > > >> >
> > > >> >> Maybe it's not a bug but a feature request :-).
> > > >> >>
> > > >> >> I see two issues:
> > > >> >>
> > > >> >> 1) WS-Security automatically adds undesirable WS-Addressing
> > elements
> > > >> (IMO,
> > > >> >> this should only happen when enableAddressing is specified). I
> > don't
> > > see
> > > >> >> anything in the WS-Security spec that indicates WS-Addressing is
> > > >> required. I
> > > >> >> don't see a way to turn this behavior off in Synapse, without
> > > resorting
> > > >> to a
> > > >> >> workaround such as I demonstrated (i.e., chaining together 2
> > > sequences,
> > > >> >> within one removing the undesirable WS-Addressing elements).
> > > >> >>
> > > >> >> 2) I didn't see a a way to add the ReplyTo WS-Addressing element
> > (and
> > > >> it's
> > > >> >> child node Address) using the header mechanism (or property, for
> > that
> > > >> >> matter). This was the crux of my issue, as, for some reason,
> Amazon
> > > >> expected
> > > >> >> a ReplyTo. I suspect this is probably easily possible, but just
> > > wasn't
> > > >> able
> > > >> >> to figure it out.
> > > >> >>
> > > >> >> Btw, I was able to successfully interact with Amazon's SimpleDB
> > now!
> > > I
> > > >> hope
> > > >> >> to writeup a blog entry on my findings (I am actually also
> writing
> > > the
> > > >> book
> > > >> >> called Open Source SOA from Manning, and I am including a big
> > chapter
> > > on
> > > >> >> Synapse, which I am a huge fan of).
> > > >> >>
> > > >> >> To be honest, a lot of this WS-Security stuff is rather new to
> me,
> > so
> > > >> I'm
> > > >> >> feverishly trying to get a handle on it (the Manning book SOA
> > > Security
> > > >> has
> > > >> >> been a big help). I have used PasswordDigest mechanism a lot, but
> > not
> > > >> that
> > > >> >> signing with x509 certs as much.
> > > >> >>
> > > >> >> jeff
> > > >> >>
> > > >> >>
> > > >> >> On Sat, Jun 7, 2008 at 8:42 PM, Ruwan Linton <
> > ruwan.linton@gmail.com
> > > >
> > > >> >> wrote:
> > > >> >>
> > > >> >>> Hi Jeff,
> > > >> >>>
> > > >> >>> What is the bug from your POV? I am sorry, I don't see a bug
> > > here.....
> > > >> >>>
> > > >> >>> Well you could go ahead and file a JIRA so that we can evaluate
> > what
> > > is
> > > >> >>> the
> > > >> >>> issue that you have faced and see whether is there something
> wrong
> > > with
> > > >> >>> Synapse, but I assume this is rather a configuration error.
> > > >> >>>
> > > >> >>> Thanks,
> > > >> >>> Ruwan
> > > >> >>>
> > > >> >>>
> > > >> >>> On Sun, Jun 8, 2008 at 7:45 AM, Jeff Davis <jd...@idalica.com>
> > > wrote:
> > > >> >>>
> > > >> >>> > As a follow-up, I was running it through tcpmon, which is why
> it
> > > had
> > > >> the
> > > >> >>> > strange address.
> > > >> >>> >
> > > >> >>> > Yes, I am running the latest 1.2 build from the URL provided
> me
> > > last
> > > >> >>> > Thursday, I believe.
> > > >> >>> >
> > > >> >>> > Should I submit this is a bug?
> > > >> >>> >
> > > >> >>> > On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <
> > > ruwan.linton@gmail.com
> > > >> >
> > > >> >>> > wrote:
> > > >> >>> >
> > > >> >>> > > Hi Jeff,
> > > >> >>> > >
> > > >> >>> > > If you enable addressing to the outbound message then
> synapse
> > > >> should
> > > >> >>> be
> > > >> >>> > > sending the ReplyTo header as appropriate. May be amazon is
> > not
> > > >> >>> accepting
> > > >> >>> > > anonymous ReplyTo headers, so assuming that you are using
> the
> > > 1.2
> > > >> >>> build
> > > >> >>> > > here
> > > >> >>> > > is the proposed solution to this;
> > > >> >>> > >
> > > >> >>> > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> > > >> >>> > >   <localEntry key="sec_policy"
> > > >> >>> > >
> > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> > > >> >>> > >
> > > >> >>> > >   <in>
> > > >> >>> > >        <send>
> > > >> >>> > >           <endpoint name="secure">
> > > >> >>> > >               <address uri="http://localhost:8086">
> > > >> >>> > >                   <enableSec policy="sec_policy"/>
> > > >> >>> > >                    <enableAddressing
> separateListener="true"/>
> > > >> >>> > >                </address>
> > > >> >>> > >           </endpoint>
> > > >> >>> > >       </send>
> > > >> >>> > >   </in>
> > > >> >>> > >   <out>
> > > >> >>> > >        <header name="wsse:Security" action="remove"
> > xmlns:wsse="
> > > >> >>> > > http://www.w3.org/2005/08/addressing"/>
> > > >> >>> > >        <send/>
> > > >> >>> > >   </out>
> > > >> >>> > > </definitions>
> > > >> >>> > >
> > > >> >>> > > The above configuration should work, but please note that
> you
> > > need
> > > >> to
> > > >> >>> > > change
> > > >> >>> > > the address uri of the endpoint in the above configuration
> > from
> > > "
> > > >> >>> > > http://localhost:8086" to "AMAZON_URL"
> > > >> >>> > >
> > > >> >>> > > If this is not working could you please attach the TCPMon
> out
> > > put
> > > >> of
> > > >> >>> the
> > > >> >>> > > outbound message which is going to AMAZON (after changing
> > > important
> > > >> >>> > > information) and the message received from AMAZON. If you
> > don't
> > > >> want
> > > >> >>> to
> > > >> >>> > > post
> > > >> >>> > > it publicly you may send it to me (mailto:ruwan@wso2.com <
> > > >> >>> ruwan@wso2.com
> > > >> >>> > >)
> > > >> >>> > >
> > > >> >>> > > Thanks,
> > > >> >>> > > Ruwan
> > > >> >>> > >
> > > >> >>> > > On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <
> > jdavis@idalica.com>
> > > >> >>> wrote:
> > > >> >>> > >
> > > >> >>> > > > I did a little research, and I haven't seen anything in
> the
> > > >> standard
> > > >> >>> > that
> > > >> >>> > > > indicates WS-Security requires WS-Addressing.
> >  Unfortunately,
> > > it
> > > >> >>> > doesn't
> > > >> >>> > > > appear as though setting the header has any impact
> (further,
> > > if
> > > >> it
> > > >> >>> did,
> > > >> >>> > > the
> > > >> >>> > > > ReplyTo has a child element for the Address, so not sure
> how
> > > that
> > > >> >>> would
> > > >> >>> > > be
> > > >> >>> > > > added). Here's my configuration:
> > > >> >>> > > >
> > > >> >>> > > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> > > >> >>> > > >    <localEntry key="sec_policy"
> > > >> >>> > > >
> > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> > > >> >>> > > >
> > > >> >>> > > >    <in>
> > > >> >>> > > >        <header name="ReplyTo" action="set" value=""/>
> > > >> >>> > > >        <send>
> > > >> >>> > > >            <endpoint name="secure">
> > > >> >>> > > >                <address uri="http://localhost:8086">
> > > >> >>> > > >                    <enableSec policy="sec_policy"/>
> > > >> >>> > > >                    <enableAddressing/>
> > > >> >>> > > >                </address>
> > > >> >>> > > >            </endpoint>
> > > >> >>> > > >        </send>
> > > >> >>> > > >    </in>
> > > >> >>> > > >    <out>
> > > >> >>> > > >        <send/>
> > > >> >>> > > >    </out>
> > > >> >>> > > > </definitions>
> > > >> >>> > > >
> > > >> >>> > > > In lieu of the above header, I also tried:
> > > >> >>> > > >
> > > >> >>> > > > <header name="wsse:Security" action="remove"
> > > >> >>> > > >       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
> > > >> >>> > > >
> > > >> >>> > > > (I also tried removing the <enableAddressing/> node for
> each
> > > >> test).
> > > >> >>> > > >
> > > >> >>> > > > To recap my issue, it seems as though Amazon AWS (at least
> > for
> > > >> >>> SimpleDB
> > > >> >>> > > > service) requires the ReplyTo WS-Addressing element, if
> > > >> >>> WS-Addressing
> > > >> >>> > is
> > > >> >>> > > > used. I haven't found a way to remove WS-Addressing
> > generated
> > > >> >>> > > automatically
> > > >> >>> > > > by Synapse when WS-Security is used, and I haven't figure
> > out
> > > how
> > > >> to
> > > >> >>> > add
> > > >> >>> > > > ReplyTo (and it's child Address node) to the outbound
> > message.
> > > >> >>> > > >
> > > >> >>> > > > Anyone have any work-arounds? Maybe I'll try chaining
> > together
> > > >> some
> > > >> >>> > > things
> > > >> >>> > > > to see if I can devise something.
> > > >> >>> > > >
> > > >> >>> > > > Thanks,
> > > >> >>> > > >
> > > >> >>> > > > jeff
> > > >> >>> > > >
> > > >> >>> > > >
> > > >> >>> > > > On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <
> > > >> asankha@wso2.com
> > > >> >>> >
> > > >> >>> > > > wrote:
> > > >> >>> > > >
> > > >> >>> > > > > Hi Jeff
> > > >> >>> > > > >
> > > >> >>> > > > >> To be honest, I'm not entirely certain how to add it in
> > the
> > > >> >>> Header
> > > >> >>> > > > >> mediator,
> > > >> >>> > > > >> as you allude to. I did try various permutations of
> using
> > > the
> > > >> >>> > property
> > > >> >>> > > > and
> > > >> >>> > > > >> header nodes within the <in>, but nothing ever
> appeared.
> > > >> >>> > > > >>
> > > >> >>> > > > >>
> > > >> >>> > > > > I am sorry.. I had made a mistake in my reply earlier..
> to
> > > set
> > > >> the
> > > >> >>> > > > ReplyTo
> > > >> >>> > > > > header to something, you will use "<header
> name="ReplyTo"
> > > >> >>> > value="..."/>
> > > >> >>> > > > > format.. If you are familiar with using TCPMon, you can
> > > place
> > > >> it
> > > >> >>> > > between
> > > >> >>> > > > > your service and Amazon and route the message through it
> > to
> > > get
> > > >> a
> > > >> >>> > trace
> > > >> >>> > > > of
> > > >> >>> > > > > the messages. This will help you and us to solve any
> > > problems.
> > > >> >>> > > > >
> > > >> >>> > > > >> Obviously, Amazon's service is not entirely compliant
> > with
> > > the
> > > >> >>> > > > WS-Security
> > > >> >>> > > > >> standards. Even in their section under WS-Security
> SOAP,
> > > they
> > > >> >>> state
> > > >> >>> > > that
> > > >> >>> > > > >> "if
> > > >> >>> > > > >> you're using WS-Addressing, we recommend you also sign
> > the
> > > >> Action
> > > >> >>> > and
> > > >> >>> > > To
> > > >> >>> > > > >> header elements" (I haven't figured out how to do that
> > yet,
> > > >> but
> > > >> >>> I'll
> > > >> >>> > > dig
> > > >> >>> > > > >> into that).
> > > >> >>> > > > >>
> > > >> >>> > > > >>
> > > >> >>> > > > > If you are ok to share your configuration/scenario with
> us
> > > or
> > > >> let
> > > >> >>> us
> > > >> >>> > > try
> > > >> >>> > > > > some simple sample to reproduce the issue you are
> facing,
> > > one
> > > >> of
> > > >> >>> the
> > > >> >>> > > > > developers would be able to tell you exactly whats
> wrong,
> > > and
> > > >> what
> > > >> >>> > you
> > > >> >>> > > > could
> > > >> >>> > > > > do to get past the problem
> > > >> >>> > > > >
> > > >> >>> > > > > asankha
> > > >> >>> > > > >
> > > >> >>> > > >
> > > >> >>> > >
> > > >> >>> > >
> > > >> >>> > >
> > > >> >>> > > --
> > > >> >>> > > Ruwan Linton
> > > >> >>> > > http://www.wso2.org - "Oxygenating the Web Services
> Platform"
> > > >> >>> > >
> > > >> >>> >
> > > >> >>>
> > > >> >>>
> > > >> >>>
> > > >> >>> --
> > > >> >>> Ruwan Linton
> > > >> >>> http://www.wso2.org - "Oxygenating the Web Services Platform"
> > > >> >>>
> > > >> >>
> > > >> >>
> > > >> >
> > > >>
> > > >>
> > > >>
> > > >> --
> > > >> Paul Fremantle
> > > >> Co-Founder and CTO, WSO2
> > > >> Apache Synapse PMC Chair
> > > >> OASIS WS-RX TC Co-chair
> > > >>
> > > >> blog: http://pzf.fremantle.org
> > > >> paul@wso2.com
> > > >>
> > > >> "Oxygenating the Web Service Platform", www.wso2.com
> > > >>
> > > >
> > > >
> > > >
> > > > --
> > > > Ruwan Linton
> > > > http://www.wso2.org - "Oxygenating the Web Services Platform"
> > > >
> > >
> > >
> > >
> > > --
> > > Paul Fremantle
> > > Co-Founder and CTO, WSO2
> > > Apache Synapse PMC Chair
> > > OASIS WS-RX TC Co-chair
> > >
> > > blog: http://pzf.fremantle.org
> > > paul@wso2.com
> > >
> > > "Oxygenating the Web Service Platform", www.wso2.com
> > >
> >
>
>
>
> --
> Ruwan Linton
> http://www.wso2.org - "Oxygenating the Web Services Platform"
>

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Ruwan Linton <ru...@gmail.com>]

Hi Jeff,

Nice to hear that you got it to work :-) ; See my comments in-line...

On Mon, Jun 9, 2008 at 3:59 AM, Jeff Davis <jd...@idalica.com> wrote:

> I'm sure you guys are sick of hearing from me by now :-).
>
> That change you guys had suggested corrected the issue with the ReplyTo
> being generated. That's the good news! I do have one last issue (I am so
> close to getting everything entirely working). I believe this is also do to
> a buggy Amazon WS implementation. That is, there response doesn't contain
> any WSSE security stuff in their response. Here's an example of what I
> receive from them:


Jeff, I guess this is accepted and known as *message level policies*, so the
in-message contains a security policy and the out-message does not.


>
>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/
> ">
>    <soapenv:Header>
>        <wsa:RelatesTo xmlns:wsa="http://www.w3.org/2005/08/addressing"
>
> >urn:uuid:A25F54392EB2D8B86E1212962691230477001-1880534923</wsa:RelatesTo>
>        <wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
>            >http://www.w3.org/2005/08/addressing/anonymous</wsa:To>
>        <wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing
> ">ListDomains:Response</wsa:Action>
>        <wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
>            >urn:uuid:337570bf-2dd7-4e5d-a578-3a57800ec5e4</wsa:MessageID>
>    </soapenv:Header>
>    <soapenv:Body>
>        <ListDomainsResponse xmlns="
> http://sdb.amazonaws.com/doc/2007-11-07/
> ">
>            <ListDomainsResult>
>                <DomainName>test</DomainName>
>            </ListDomainsResult>
>            <ResponseMetadata>
>                <RequestId>337570bf-2dd7-4e5d-a578-3a57800ec5e4</RequestId>
>                <BoxUsage>0.0000071759</BoxUsage>
>            </ResponseMetadata>
>        </ListDomainsResponse>
>    </soapenv:Body>
> </soapenv:Envelope>
>
>
> Apparently Rampart anticipates a WS-Security in the response, but as you
> can
> see, it's not present. I've tried identifying where in the WS-Policy
> configuration I can have that turned off, but I don't see anything.
>
> I could probably add it myself, but not sure how to do this without
> resorting to a custom mediator of some sort, since I don't believe XSTL or
> Script mediators have access to the SOAP header in the response?


Actually both the Script mediator and the XSLT mediator has the access to
SOAP headers, but I don't see none of these to be fitting to your problem
because Rampart is going to throw an error upon receiving this message if
you engage security to the outbound message. By the way, what is your new
configuration. Are you forwarding the message from the client without
modifying the security headers? Or do you engage security on the outbound
message on the endpoint?

If it is the former, we should be able to use a custom mediator, but if that
is the later we need a small improvement on the Synapse side, which Asankha
has pointed. (Message level policies for the outbound messages on endpoint
level)


>
>
> Upon conclusion of this whole exercise, I will get something written up for
> others who wish to use Synapse in conjunction with Amazon's web services.


This is perfect. I will help you through to get this working. If we need to
implement message level policies for endpoints I can work on that soon so
that we can include that on the point release that we are planing soon after
the 1.2 with AXIOM improvements.

Thanks,
Ruwan


> As
> you know, AWS is becoming very popular, especially EC2 and S3.  My hope is
> to use Synapse as proxy/mediator that will receive outbound, non
> WS-Security
> calls to AWS add on the appropriate WS-Security, then forward to AWS.
>
> jeff
>
> On Sun, Jun 8, 2008 at 12:35 PM, Paul Fremantle <pz...@gmail.com> wrote:
>
> > Ruwan
> >
> > I think its enough to set the anonymous one as long as we send it.
> > That might just fix everything.
> >
> > Paul
> >
> > On Sun, Jun 8, 2008 at 2:22 PM, Ruwan Linton <ru...@gmail.com>
> > wrote:
> > > Hi Jeff and Paul,
> > >
> > > I was able to reproduce the issue, basically whatever we specify as the
> > > ReplyTo header Addressing module changes it to anonymous for the
> outbound
> > > message and neglects sending it. So setting the ReplyTo header is not
> > > effective for the moment. Jeff, could you please file a JIRA for this.
> At
> > > the same time I had a look at what Paul proposed and it seems to work
> but
> > > still it is just the anonymous address but not the one we set. You
> could
> > use
> > > the property mediator at the axis2-client scope to set this property as
> > > follows to include the anonymous header;
> > >
> > > <syn:property name="includeOptionalHeaders" value="true"
> > > scope="axis2-client"/>
> > >
> > > Or if you use separateListener attribute to true with the
> > enableAddressing
> > > tag then you can see the non anonymous ReplyTo header is being sent to
> > the
> > > service.
> > >
> > > I will look for a solution to this issue ASAP. Thanks Jeff for pointing
> > this
> > > out.
> > >
> > > Thanks,
> > > Ruwan
> > >
> > > On Sun, Jun 8, 2008 at 1:40 PM, Paul Fremantle <pz...@gmail.com>
> wrote:
> > >
> > >> Jeff
> > >>
> > >> Thanks for the feedback. Please can you submit your code as a sample?
> > >> We will definitely try to fix the bug. I agree rampart should not be
> > >> causing addressing headers to appear. The reason that the anonymous
> > >> header is being stripped out is because the WS-A spec says that no
> > >> reply-to is equivalent to anonymous, so there is a bug in Amazon.
> > >> However, there is a way in Axis2 to turn this behaviour off.
> > >>
> > >> options.setProperty(AddressingConstants.INCLUDE_OPTIONAL_HEADERS,
> > >> Boolean.TRUE);
> > >>
> > >> So another way to sort that out will be to set that property on the
> > Axis2
> > >> MC.
> > >>
> > >> Paul
> > >>
> > >> On Sun, Jun 8, 2008 at 6:24 AM, Jeff Davis <jd...@idalica.com>
> wrote:
> > >> > Turns out my work-around really didn't solve the problem (because
> > >> > Axis/Rampart is anticipating a WS-Addressing reply, and since I've
> > >> stripped
> > >> > it out downstream, I'd have to add it back manually).
> > >> >
> > >> > The crux of the issue is that I cannot figure out how to added this:
> > >> >
> > >> > <wsa:ReplyTo><wsa:Address>
> > http://www.w3.org/2005/08/addressing/anonymous
> > >> > </wsa:Address></wsa:ReplyTo>
> > >> >
> > >> > To my WS-Addressing part of my SOAP header.
> > >> >
> > >> > I believe it ought to be present, but it's not, as I've confirmed
> > through
> > >> > TCPMon. I've tried everything I can think of to get it to appear,
> but
> > >> thus
> > >> > far have had no luck.
> > >> >
> > >> > Thanks,
> > >> >
> > >> > jeff
> > >> >
> > >> > On Sat, Jun 7, 2008 at 9:23 PM, Jeff Davis <jd...@idalica.com>
> > wrote:
> > >> >
> > >> >> Maybe it's not a bug but a feature request :-).
> > >> >>
> > >> >> I see two issues:
> > >> >>
> > >> >> 1) WS-Security automatically adds undesirable WS-Addressing
> elements
> > >> (IMO,
> > >> >> this should only happen when enableAddressing is specified). I
> don't
> > see
> > >> >> anything in the WS-Security spec that indicates WS-Addressing is
> > >> required. I
> > >> >> don't see a way to turn this behavior off in Synapse, without
> > resorting
> > >> to a
> > >> >> workaround such as I demonstrated (i.e., chaining together 2
> > sequences,
> > >> >> within one removing the undesirable WS-Addressing elements).
> > >> >>
> > >> >> 2) I didn't see a a way to add the ReplyTo WS-Addressing element
> (and
> > >> it's
> > >> >> child node Address) using the header mechanism (or property, for
> that
> > >> >> matter). This was the crux of my issue, as, for some reason, Amazon
> > >> expected
> > >> >> a ReplyTo. I suspect this is probably easily possible, but just
> > wasn't
> > >> able
> > >> >> to figure it out.
> > >> >>
> > >> >> Btw, I was able to successfully interact with Amazon's SimpleDB
> now!
> > I
> > >> hope
> > >> >> to writeup a blog entry on my findings (I am actually also writing
> > the
> > >> book
> > >> >> called Open Source SOA from Manning, and I am including a big
> chapter
> > on
> > >> >> Synapse, which I am a huge fan of).
> > >> >>
> > >> >> To be honest, a lot of this WS-Security stuff is rather new to me,
> so
> > >> I'm
> > >> >> feverishly trying to get a handle on it (the Manning book SOA
> > Security
> > >> has
> > >> >> been a big help). I have used PasswordDigest mechanism a lot, but
> not
> > >> that
> > >> >> signing with x509 certs as much.
> > >> >>
> > >> >> jeff
> > >> >>
> > >> >>
> > >> >> On Sat, Jun 7, 2008 at 8:42 PM, Ruwan Linton <
> ruwan.linton@gmail.com
> > >
> > >> >> wrote:
> > >> >>
> > >> >>> Hi Jeff,
> > >> >>>
> > >> >>> What is the bug from your POV? I am sorry, I don't see a bug
> > here.....
> > >> >>>
> > >> >>> Well you could go ahead and file a JIRA so that we can evaluate
> what
> > is
> > >> >>> the
> > >> >>> issue that you have faced and see whether is there something wrong
> > with
> > >> >>> Synapse, but I assume this is rather a configuration error.
> > >> >>>
> > >> >>> Thanks,
> > >> >>> Ruwan
> > >> >>>
> > >> >>>
> > >> >>> On Sun, Jun 8, 2008 at 7:45 AM, Jeff Davis <jd...@idalica.com>
> > wrote:
> > >> >>>
> > >> >>> > As a follow-up, I was running it through tcpmon, which is why it
> > had
> > >> the
> > >> >>> > strange address.
> > >> >>> >
> > >> >>> > Yes, I am running the latest 1.2 build from the URL provided me
> > last
> > >> >>> > Thursday, I believe.
> > >> >>> >
> > >> >>> > Should I submit this is a bug?
> > >> >>> >
> > >> >>> > On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <
> > ruwan.linton@gmail.com
> > >> >
> > >> >>> > wrote:
> > >> >>> >
> > >> >>> > > Hi Jeff,
> > >> >>> > >
> > >> >>> > > If you enable addressing to the outbound message then synapse
> > >> should
> > >> >>> be
> > >> >>> > > sending the ReplyTo header as appropriate. May be amazon is
> not
> > >> >>> accepting
> > >> >>> > > anonymous ReplyTo headers, so assuming that you are using the
> > 1.2
> > >> >>> build
> > >> >>> > > here
> > >> >>> > > is the proposed solution to this;
> > >> >>> > >
> > >> >>> > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> > >> >>> > >   <localEntry key="sec_policy"
> > >> >>> > >
> src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> > >> >>> > >
> > >> >>> > >   <in>
> > >> >>> > >        <send>
> > >> >>> > >           <endpoint name="secure">
> > >> >>> > >               <address uri="http://localhost:8086">
> > >> >>> > >                   <enableSec policy="sec_policy"/>
> > >> >>> > >                    <enableAddressing separateListener="true"/>
> > >> >>> > >                </address>
> > >> >>> > >           </endpoint>
> > >> >>> > >       </send>
> > >> >>> > >   </in>
> > >> >>> > >   <out>
> > >> >>> > >        <header name="wsse:Security" action="remove"
> xmlns:wsse="
> > >> >>> > > http://www.w3.org/2005/08/addressing"/>
> > >> >>> > >        <send/>
> > >> >>> > >   </out>
> > >> >>> > > </definitions>
> > >> >>> > >
> > >> >>> > > The above configuration should work, but please note that you
> > need
> > >> to
> > >> >>> > > change
> > >> >>> > > the address uri of the endpoint in the above configuration
> from
> > "
> > >> >>> > > http://localhost:8086" to "AMAZON_URL"
> > >> >>> > >
> > >> >>> > > If this is not working could you please attach the TCPMon out
> > put
> > >> of
> > >> >>> the
> > >> >>> > > outbound message which is going to AMAZON (after changing
> > important
> > >> >>> > > information) and the message received from AMAZON. If you
> don't
> > >> want
> > >> >>> to
> > >> >>> > > post
> > >> >>> > > it publicly you may send it to me (mailto:ruwan@wso2.com <
> > >> >>> ruwan@wso2.com
> > >> >>> > >)
> > >> >>> > >
> > >> >>> > > Thanks,
> > >> >>> > > Ruwan
> > >> >>> > >
> > >> >>> > > On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <
> jdavis@idalica.com>
> > >> >>> wrote:
> > >> >>> > >
> > >> >>> > > > I did a little research, and I haven't seen anything in the
> > >> standard
> > >> >>> > that
> > >> >>> > > > indicates WS-Security requires WS-Addressing.
>  Unfortunately,
> > it
> > >> >>> > doesn't
> > >> >>> > > > appear as though setting the header has any impact (further,
> > if
> > >> it
> > >> >>> did,
> > >> >>> > > the
> > >> >>> > > > ReplyTo has a child element for the Address, so not sure how
> > that
> > >> >>> would
> > >> >>> > > be
> > >> >>> > > > added). Here's my configuration:
> > >> >>> > > >
> > >> >>> > > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> > >> >>> > > >    <localEntry key="sec_policy"
> > >> >>> > > >
> > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> > >> >>> > > >
> > >> >>> > > >    <in>
> > >> >>> > > >        <header name="ReplyTo" action="set" value=""/>
> > >> >>> > > >        <send>
> > >> >>> > > >            <endpoint name="secure">
> > >> >>> > > >                <address uri="http://localhost:8086">
> > >> >>> > > >                    <enableSec policy="sec_policy"/>
> > >> >>> > > >                    <enableAddressing/>
> > >> >>> > > >                </address>
> > >> >>> > > >            </endpoint>
> > >> >>> > > >        </send>
> > >> >>> > > >    </in>
> > >> >>> > > >    <out>
> > >> >>> > > >        <send/>
> > >> >>> > > >    </out>
> > >> >>> > > > </definitions>
> > >> >>> > > >
> > >> >>> > > > In lieu of the above header, I also tried:
> > >> >>> > > >
> > >> >>> > > > <header name="wsse:Security" action="remove"
> > >> >>> > > >       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
> > >> >>> > > >
> > >> >>> > > > (I also tried removing the <enableAddressing/> node for each
> > >> test).
> > >> >>> > > >
> > >> >>> > > > To recap my issue, it seems as though Amazon AWS (at least
> for
> > >> >>> SimpleDB
> > >> >>> > > > service) requires the ReplyTo WS-Addressing element, if
> > >> >>> WS-Addressing
> > >> >>> > is
> > >> >>> > > > used. I haven't found a way to remove WS-Addressing
> generated
> > >> >>> > > automatically
> > >> >>> > > > by Synapse when WS-Security is used, and I haven't figure
> out
> > how
> > >> to
> > >> >>> > add
> > >> >>> > > > ReplyTo (and it's child Address node) to the outbound
> message.
> > >> >>> > > >
> > >> >>> > > > Anyone have any work-arounds? Maybe I'll try chaining
> together
> > >> some
> > >> >>> > > things
> > >> >>> > > > to see if I can devise something.
> > >> >>> > > >
> > >> >>> > > > Thanks,
> > >> >>> > > >
> > >> >>> > > > jeff
> > >> >>> > > >
> > >> >>> > > >
> > >> >>> > > > On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <
> > >> asankha@wso2.com
> > >> >>> >
> > >> >>> > > > wrote:
> > >> >>> > > >
> > >> >>> > > > > Hi Jeff
> > >> >>> > > > >
> > >> >>> > > > >> To be honest, I'm not entirely certain how to add it in
> the
> > >> >>> Header
> > >> >>> > > > >> mediator,
> > >> >>> > > > >> as you allude to. I did try various permutations of using
> > the
> > >> >>> > property
> > >> >>> > > > and
> > >> >>> > > > >> header nodes within the <in>, but nothing ever appeared.
> > >> >>> > > > >>
> > >> >>> > > > >>
> > >> >>> > > > > I am sorry.. I had made a mistake in my reply earlier.. to
> > set
> > >> the
> > >> >>> > > > ReplyTo
> > >> >>> > > > > header to something, you will use "<header name="ReplyTo"
> > >> >>> > value="..."/>
> > >> >>> > > > > format.. If you are familiar with using TCPMon, you can
> > place
> > >> it
> > >> >>> > > between
> > >> >>> > > > > your service and Amazon and route the message through it
> to
> > get
> > >> a
> > >> >>> > trace
> > >> >>> > > > of
> > >> >>> > > > > the messages. This will help you and us to solve any
> > problems.
> > >> >>> > > > >
> > >> >>> > > > >> Obviously, Amazon's service is not entirely compliant
> with
> > the
> > >> >>> > > > WS-Security
> > >> >>> > > > >> standards. Even in their section under WS-Security SOAP,
> > they
> > >> >>> state
> > >> >>> > > that
> > >> >>> > > > >> "if
> > >> >>> > > > >> you're using WS-Addressing, we recommend you also sign
> the
> > >> Action
> > >> >>> > and
> > >> >>> > > To
> > >> >>> > > > >> header elements" (I haven't figured out how to do that
> yet,
> > >> but
> > >> >>> I'll
> > >> >>> > > dig
> > >> >>> > > > >> into that).
> > >> >>> > > > >>
> > >> >>> > > > >>
> > >> >>> > > > > If you are ok to share your configuration/scenario with us
> > or
> > >> let
> > >> >>> us
> > >> >>> > > try
> > >> >>> > > > > some simple sample to reproduce the issue you are facing,
> > one
> > >> of
> > >> >>> the
> > >> >>> > > > > developers would be able to tell you exactly whats wrong,
> > and
> > >> what
> > >> >>> > you
> > >> >>> > > > could
> > >> >>> > > > > do to get past the problem
> > >> >>> > > > >
> > >> >>> > > > > asankha
> > >> >>> > > > >
> > >> >>> > > >
> > >> >>> > >
> > >> >>> > >
> > >> >>> > >
> > >> >>> > > --
> > >> >>> > > Ruwan Linton
> > >> >>> > > http://www.wso2.org - "Oxygenating the Web Services Platform"
> > >> >>> > >
> > >> >>> >
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> --
> > >> >>> Ruwan Linton
> > >> >>> http://www.wso2.org - "Oxygenating the Web Services Platform"
> > >> >>>
> > >> >>
> > >> >>
> > >> >
> > >>
> > >>
> > >>
> > >> --
> > >> Paul Fremantle
> > >> Co-Founder and CTO, WSO2
> > >> Apache Synapse PMC Chair
> > >> OASIS WS-RX TC Co-chair
> > >>
> > >> blog: http://pzf.fremantle.org
> > >> paul@wso2.com
> > >>
> > >> "Oxygenating the Web Service Platform", www.wso2.com
> > >>
> > >
> > >
> > >
> > > --
> > > Ruwan Linton
> > > http://www.wso2.org - "Oxygenating the Web Services Platform"
> > >
> >
> >
> >
> > --
> > Paul Fremantle
> > Co-Founder and CTO, WSO2
> > Apache Synapse PMC Chair
> > OASIS WS-RX TC Co-chair
> >
> > blog: http://pzf.fremantle.org
> > paul@wso2.com
> >
> > "Oxygenating the Web Service Platform", www.wso2.com
> >
>



-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Jeff Davis <jd...@idalica.com>]

I'm sure you guys are sick of hearing from me by now :-).

That change you guys had suggested corrected the issue with the ReplyTo
being generated. That's the good news! I do have one last issue (I am so
close to getting everything entirely working). I believe this is also do to
a buggy Amazon WS implementation. That is, there response doesn't contain
any WSSE security stuff in their response. Here's an example of what I
receive from them:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsa:RelatesTo xmlns:wsa="http://www.w3.org/2005/08/addressing"

>urn:uuid:A25F54392EB2D8B86E1212962691230477001-1880534923</wsa:RelatesTo>
        <wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
            >http://www.w3.org/2005/08/addressing/anonymous</wsa:To>
        <wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing
">ListDomains:Response</wsa:Action>
        <wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
            >urn:uuid:337570bf-2dd7-4e5d-a578-3a57800ec5e4</wsa:MessageID>
    </soapenv:Header>
    <soapenv:Body>
        <ListDomainsResponse xmlns="http://sdb.amazonaws.com/doc/2007-11-07/
">
            <ListDomainsResult>
                <DomainName>test</DomainName>
            </ListDomainsResult>
            <ResponseMetadata>
                <RequestId>337570bf-2dd7-4e5d-a578-3a57800ec5e4</RequestId>
                <BoxUsage>0.0000071759</BoxUsage>
            </ResponseMetadata>
        </ListDomainsResponse>
    </soapenv:Body>
</soapenv:Envelope>


Apparently Rampart anticipates a WS-Security in the response, but as you can
see, it's not present. I've tried identifying where in the WS-Policy
configuration I can have that turned off, but I don't see anything.

I could probably add it myself, but not sure how to do this without
resorting to a custom mediator of some sort, since I don't believe XSTL or
Script mediators have access to the SOAP header in the response?

Upon conclusion of this whole exercise, I will get something written up for
others who wish to use Synapse in conjunction with Amazon's web services. As
you know, AWS is becoming very popular, especially EC2 and S3.  My hope is
to use Synapse as proxy/mediator that will receive outbound, non WS-Security
calls to AWS add on the appropriate WS-Security, then forward to AWS.

jeff

On Sun, Jun 8, 2008 at 12:35 PM, Paul Fremantle <pz...@gmail.com> wrote:

> Ruwan
>
> I think its enough to set the anonymous one as long as we send it.
> That might just fix everything.
>
> Paul
>
> On Sun, Jun 8, 2008 at 2:22 PM, Ruwan Linton <ru...@gmail.com>
> wrote:
> > Hi Jeff and Paul,
> >
> > I was able to reproduce the issue, basically whatever we specify as the
> > ReplyTo header Addressing module changes it to anonymous for the outbound
> > message and neglects sending it. So setting the ReplyTo header is not
> > effective for the moment. Jeff, could you please file a JIRA for this. At
> > the same time I had a look at what Paul proposed and it seems to work but
> > still it is just the anonymous address but not the one we set. You could
> use
> > the property mediator at the axis2-client scope to set this property as
> > follows to include the anonymous header;
> >
> > <syn:property name="includeOptionalHeaders" value="true"
> > scope="axis2-client"/>
> >
> > Or if you use separateListener attribute to true with the
> enableAddressing
> > tag then you can see the non anonymous ReplyTo header is being sent to
> the
> > service.
> >
> > I will look for a solution to this issue ASAP. Thanks Jeff for pointing
> this
> > out.
> >
> > Thanks,
> > Ruwan
> >
> > On Sun, Jun 8, 2008 at 1:40 PM, Paul Fremantle <pz...@gmail.com> wrote:
> >
> >> Jeff
> >>
> >> Thanks for the feedback. Please can you submit your code as a sample?
> >> We will definitely try to fix the bug. I agree rampart should not be
> >> causing addressing headers to appear. The reason that the anonymous
> >> header is being stripped out is because the WS-A spec says that no
> >> reply-to is equivalent to anonymous, so there is a bug in Amazon.
> >> However, there is a way in Axis2 to turn this behaviour off.
> >>
> >> options.setProperty(AddressingConstants.INCLUDE_OPTIONAL_HEADERS,
> >> Boolean.TRUE);
> >>
> >> So another way to sort that out will be to set that property on the
> Axis2
> >> MC.
> >>
> >> Paul
> >>
> >> On Sun, Jun 8, 2008 at 6:24 AM, Jeff Davis <jd...@idalica.com> wrote:
> >> > Turns out my work-around really didn't solve the problem (because
> >> > Axis/Rampart is anticipating a WS-Addressing reply, and since I've
> >> stripped
> >> > it out downstream, I'd have to add it back manually).
> >> >
> >> > The crux of the issue is that I cannot figure out how to added this:
> >> >
> >> > <wsa:ReplyTo><wsa:Address>
> http://www.w3.org/2005/08/addressing/anonymous
> >> > </wsa:Address></wsa:ReplyTo>
> >> >
> >> > To my WS-Addressing part of my SOAP header.
> >> >
> >> > I believe it ought to be present, but it's not, as I've confirmed
> through
> >> > TCPMon. I've tried everything I can think of to get it to appear, but
> >> thus
> >> > far have had no luck.
> >> >
> >> > Thanks,
> >> >
> >> > jeff
> >> >
> >> > On Sat, Jun 7, 2008 at 9:23 PM, Jeff Davis <jd...@idalica.com>
> wrote:
> >> >
> >> >> Maybe it's not a bug but a feature request :-).
> >> >>
> >> >> I see two issues:
> >> >>
> >> >> 1) WS-Security automatically adds undesirable WS-Addressing elements
> >> (IMO,
> >> >> this should only happen when enableAddressing is specified). I don't
> see
> >> >> anything in the WS-Security spec that indicates WS-Addressing is
> >> required. I
> >> >> don't see a way to turn this behavior off in Synapse, without
> resorting
> >> to a
> >> >> workaround such as I demonstrated (i.e., chaining together 2
> sequences,
> >> >> within one removing the undesirable WS-Addressing elements).
> >> >>
> >> >> 2) I didn't see a a way to add the ReplyTo WS-Addressing element (and
> >> it's
> >> >> child node Address) using the header mechanism (or property, for that
> >> >> matter). This was the crux of my issue, as, for some reason, Amazon
> >> expected
> >> >> a ReplyTo. I suspect this is probably easily possible, but just
> wasn't
> >> able
> >> >> to figure it out.
> >> >>
> >> >> Btw, I was able to successfully interact with Amazon's SimpleDB now!
> I
> >> hope
> >> >> to writeup a blog entry on my findings (I am actually also writing
> the
> >> book
> >> >> called Open Source SOA from Manning, and I am including a big chapter
> on
> >> >> Synapse, which I am a huge fan of).
> >> >>
> >> >> To be honest, a lot of this WS-Security stuff is rather new to me, so
> >> I'm
> >> >> feverishly trying to get a handle on it (the Manning book SOA
> Security
> >> has
> >> >> been a big help). I have used PasswordDigest mechanism a lot, but not
> >> that
> >> >> signing with x509 certs as much.
> >> >>
> >> >> jeff
> >> >>
> >> >>
> >> >> On Sat, Jun 7, 2008 at 8:42 PM, Ruwan Linton <ruwan.linton@gmail.com
> >
> >> >> wrote:
> >> >>
> >> >>> Hi Jeff,
> >> >>>
> >> >>> What is the bug from your POV? I am sorry, I don't see a bug
> here.....
> >> >>>
> >> >>> Well you could go ahead and file a JIRA so that we can evaluate what
> is
> >> >>> the
> >> >>> issue that you have faced and see whether is there something wrong
> with
> >> >>> Synapse, but I assume this is rather a configuration error.
> >> >>>
> >> >>> Thanks,
> >> >>> Ruwan
> >> >>>
> >> >>>
> >> >>> On Sun, Jun 8, 2008 at 7:45 AM, Jeff Davis <jd...@idalica.com>
> wrote:
> >> >>>
> >> >>> > As a follow-up, I was running it through tcpmon, which is why it
> had
> >> the
> >> >>> > strange address.
> >> >>> >
> >> >>> > Yes, I am running the latest 1.2 build from the URL provided me
> last
> >> >>> > Thursday, I believe.
> >> >>> >
> >> >>> > Should I submit this is a bug?
> >> >>> >
> >> >>> > On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <
> ruwan.linton@gmail.com
> >> >
> >> >>> > wrote:
> >> >>> >
> >> >>> > > Hi Jeff,
> >> >>> > >
> >> >>> > > If you enable addressing to the outbound message then synapse
> >> should
> >> >>> be
> >> >>> > > sending the ReplyTo header as appropriate. May be amazon is not
> >> >>> accepting
> >> >>> > > anonymous ReplyTo headers, so assuming that you are using the
> 1.2
> >> >>> build
> >> >>> > > here
> >> >>> > > is the proposed solution to this;
> >> >>> > >
> >> >>> > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> >> >>> > >   <localEntry key="sec_policy"
> >> >>> > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> >> >>> > >
> >> >>> > >   <in>
> >> >>> > >        <send>
> >> >>> > >           <endpoint name="secure">
> >> >>> > >               <address uri="http://localhost:8086">
> >> >>> > >                   <enableSec policy="sec_policy"/>
> >> >>> > >                    <enableAddressing separateListener="true"/>
> >> >>> > >                </address>
> >> >>> > >           </endpoint>
> >> >>> > >       </send>
> >> >>> > >   </in>
> >> >>> > >   <out>
> >> >>> > >        <header name="wsse:Security" action="remove" xmlns:wsse="
> >> >>> > > http://www.w3.org/2005/08/addressing"/>
> >> >>> > >        <send/>
> >> >>> > >   </out>
> >> >>> > > </definitions>
> >> >>> > >
> >> >>> > > The above configuration should work, but please note that you
> need
> >> to
> >> >>> > > change
> >> >>> > > the address uri of the endpoint in the above configuration from
> "
> >> >>> > > http://localhost:8086" to "AMAZON_URL"
> >> >>> > >
> >> >>> > > If this is not working could you please attach the TCPMon out
> put
> >> of
> >> >>> the
> >> >>> > > outbound message which is going to AMAZON (after changing
> important
> >> >>> > > information) and the message received from AMAZON. If you don't
> >> want
> >> >>> to
> >> >>> > > post
> >> >>> > > it publicly you may send it to me (mailto:ruwan@wso2.com <
> >> >>> ruwan@wso2.com
> >> >>> > >)
> >> >>> > >
> >> >>> > > Thanks,
> >> >>> > > Ruwan
> >> >>> > >
> >> >>> > > On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <jd...@idalica.com>
> >> >>> wrote:
> >> >>> > >
> >> >>> > > > I did a little research, and I haven't seen anything in the
> >> standard
> >> >>> > that
> >> >>> > > > indicates WS-Security requires WS-Addressing.  Unfortunately,
> it
> >> >>> > doesn't
> >> >>> > > > appear as though setting the header has any impact (further,
> if
> >> it
> >> >>> did,
> >> >>> > > the
> >> >>> > > > ReplyTo has a child element for the Address, so not sure how
> that
> >> >>> would
> >> >>> > > be
> >> >>> > > > added). Here's my configuration:
> >> >>> > > >
> >> >>> > > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> >> >>> > > >    <localEntry key="sec_policy"
> >> >>> > > >
> src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> >> >>> > > >
> >> >>> > > >    <in>
> >> >>> > > >        <header name="ReplyTo" action="set" value=""/>
> >> >>> > > >        <send>
> >> >>> > > >            <endpoint name="secure">
> >> >>> > > >                <address uri="http://localhost:8086">
> >> >>> > > >                    <enableSec policy="sec_policy"/>
> >> >>> > > >                    <enableAddressing/>
> >> >>> > > >                </address>
> >> >>> > > >            </endpoint>
> >> >>> > > >        </send>
> >> >>> > > >    </in>
> >> >>> > > >    <out>
> >> >>> > > >        <send/>
> >> >>> > > >    </out>
> >> >>> > > > </definitions>
> >> >>> > > >
> >> >>> > > > In lieu of the above header, I also tried:
> >> >>> > > >
> >> >>> > > > <header name="wsse:Security" action="remove"
> >> >>> > > >       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
> >> >>> > > >
> >> >>> > > > (I also tried removing the <enableAddressing/> node for each
> >> test).
> >> >>> > > >
> >> >>> > > > To recap my issue, it seems as though Amazon AWS (at least for
> >> >>> SimpleDB
> >> >>> > > > service) requires the ReplyTo WS-Addressing element, if
> >> >>> WS-Addressing
> >> >>> > is
> >> >>> > > > used. I haven't found a way to remove WS-Addressing generated
> >> >>> > > automatically
> >> >>> > > > by Synapse when WS-Security is used, and I haven't figure out
> how
> >> to
> >> >>> > add
> >> >>> > > > ReplyTo (and it's child Address node) to the outbound message.
> >> >>> > > >
> >> >>> > > > Anyone have any work-arounds? Maybe I'll try chaining together
> >> some
> >> >>> > > things
> >> >>> > > > to see if I can devise something.
> >> >>> > > >
> >> >>> > > > Thanks,
> >> >>> > > >
> >> >>> > > > jeff
> >> >>> > > >
> >> >>> > > >
> >> >>> > > > On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <
> >> asankha@wso2.com
> >> >>> >
> >> >>> > > > wrote:
> >> >>> > > >
> >> >>> > > > > Hi Jeff
> >> >>> > > > >
> >> >>> > > > >> To be honest, I'm not entirely certain how to add it in the
> >> >>> Header
> >> >>> > > > >> mediator,
> >> >>> > > > >> as you allude to. I did try various permutations of using
> the
> >> >>> > property
> >> >>> > > > and
> >> >>> > > > >> header nodes within the <in>, but nothing ever appeared.
> >> >>> > > > >>
> >> >>> > > > >>
> >> >>> > > > > I am sorry.. I had made a mistake in my reply earlier.. to
> set
> >> the
> >> >>> > > > ReplyTo
> >> >>> > > > > header to something, you will use "<header name="ReplyTo"
> >> >>> > value="..."/>
> >> >>> > > > > format.. If you are familiar with using TCPMon, you can
> place
> >> it
> >> >>> > > between
> >> >>> > > > > your service and Amazon and route the message through it to
> get
> >> a
> >> >>> > trace
> >> >>> > > > of
> >> >>> > > > > the messages. This will help you and us to solve any
> problems.
> >> >>> > > > >
> >> >>> > > > >> Obviously, Amazon's service is not entirely compliant with
> the
> >> >>> > > > WS-Security
> >> >>> > > > >> standards. Even in their section under WS-Security SOAP,
> they
> >> >>> state
> >> >>> > > that
> >> >>> > > > >> "if
> >> >>> > > > >> you're using WS-Addressing, we recommend you also sign the
> >> Action
> >> >>> > and
> >> >>> > > To
> >> >>> > > > >> header elements" (I haven't figured out how to do that yet,
> >> but
> >> >>> I'll
> >> >>> > > dig
> >> >>> > > > >> into that).
> >> >>> > > > >>
> >> >>> > > > >>
> >> >>> > > > > If you are ok to share your configuration/scenario with us
> or
> >> let
> >> >>> us
> >> >>> > > try
> >> >>> > > > > some simple sample to reproduce the issue you are facing,
> one
> >> of
> >> >>> the
> >> >>> > > > > developers would be able to tell you exactly whats wrong,
> and
> >> what
> >> >>> > you
> >> >>> > > > could
> >> >>> > > > > do to get past the problem
> >> >>> > > > >
> >> >>> > > > > asankha
> >> >>> > > > >
> >> >>> > > >
> >> >>> > >
> >> >>> > >
> >> >>> > >
> >> >>> > > --
> >> >>> > > Ruwan Linton
> >> >>> > > http://www.wso2.org - "Oxygenating the Web Services Platform"
> >> >>> > >
> >> >>> >
> >> >>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>> Ruwan Linton
> >> >>> http://www.wso2.org - "Oxygenating the Web Services Platform"
> >> >>>
> >> >>
> >> >>
> >> >
> >>
> >>
> >>
> >> --
> >> Paul Fremantle
> >> Co-Founder and CTO, WSO2
> >> Apache Synapse PMC Chair
> >> OASIS WS-RX TC Co-chair
> >>
> >> blog: http://pzf.fremantle.org
> >> paul@wso2.com
> >>
> >> "Oxygenating the Web Service Platform", www.wso2.com
> >>
> >
> >
> >
> > --
> > Ruwan Linton
> > http://www.wso2.org - "Oxygenating the Web Services Platform"
> >
>
>
>
> --
> Paul Fremantle
> Co-Founder and CTO, WSO2
> Apache Synapse PMC Chair
> OASIS WS-RX TC Co-chair
>
> blog: http://pzf.fremantle.org
> paul@wso2.com
>
> "Oxygenating the Web Service Platform", www.wso2.com
>

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Paul Fremantle <pz...@gmail.com>]

Ruwan

I think its enough to set the anonymous one as long as we send it.
That might just fix everything.

Paul

On Sun, Jun 8, 2008 at 2:22 PM, Ruwan Linton <ru...@gmail.com> wrote:
> Hi Jeff and Paul,
>
> I was able to reproduce the issue, basically whatever we specify as the
> ReplyTo header Addressing module changes it to anonymous for the outbound
> message and neglects sending it. So setting the ReplyTo header is not
> effective for the moment. Jeff, could you please file a JIRA for this. At
> the same time I had a look at what Paul proposed and it seems to work but
> still it is just the anonymous address but not the one we set. You could use
> the property mediator at the axis2-client scope to set this property as
> follows to include the anonymous header;
>
> <syn:property name="includeOptionalHeaders" value="true"
> scope="axis2-client"/>
>
> Or if you use separateListener attribute to true with the enableAddressing
> tag then you can see the non anonymous ReplyTo header is being sent to the
> service.
>
> I will look for a solution to this issue ASAP. Thanks Jeff for pointing this
> out.
>
> Thanks,
> Ruwan
>
> On Sun, Jun 8, 2008 at 1:40 PM, Paul Fremantle <pz...@gmail.com> wrote:
>
>> Jeff
>>
>> Thanks for the feedback. Please can you submit your code as a sample?
>> We will definitely try to fix the bug. I agree rampart should not be
>> causing addressing headers to appear. The reason that the anonymous
>> header is being stripped out is because the WS-A spec says that no
>> reply-to is equivalent to anonymous, so there is a bug in Amazon.
>> However, there is a way in Axis2 to turn this behaviour off.
>>
>> options.setProperty(AddressingConstants.INCLUDE_OPTIONAL_HEADERS,
>> Boolean.TRUE);
>>
>> So another way to sort that out will be to set that property on the Axis2
>> MC.
>>
>> Paul
>>
>> On Sun, Jun 8, 2008 at 6:24 AM, Jeff Davis <jd...@idalica.com> wrote:
>> > Turns out my work-around really didn't solve the problem (because
>> > Axis/Rampart is anticipating a WS-Addressing reply, and since I've
>> stripped
>> > it out downstream, I'd have to add it back manually).
>> >
>> > The crux of the issue is that I cannot figure out how to added this:
>> >
>> > <wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous
>> > </wsa:Address></wsa:ReplyTo>
>> >
>> > To my WS-Addressing part of my SOAP header.
>> >
>> > I believe it ought to be present, but it's not, as I've confirmed through
>> > TCPMon. I've tried everything I can think of to get it to appear, but
>> thus
>> > far have had no luck.
>> >
>> > Thanks,
>> >
>> > jeff
>> >
>> > On Sat, Jun 7, 2008 at 9:23 PM, Jeff Davis <jd...@idalica.com> wrote:
>> >
>> >> Maybe it's not a bug but a feature request :-).
>> >>
>> >> I see two issues:
>> >>
>> >> 1) WS-Security automatically adds undesirable WS-Addressing elements
>> (IMO,
>> >> this should only happen when enableAddressing is specified). I don't see
>> >> anything in the WS-Security spec that indicates WS-Addressing is
>> required. I
>> >> don't see a way to turn this behavior off in Synapse, without resorting
>> to a
>> >> workaround such as I demonstrated (i.e., chaining together 2 sequences,
>> >> within one removing the undesirable WS-Addressing elements).
>> >>
>> >> 2) I didn't see a a way to add the ReplyTo WS-Addressing element (and
>> it's
>> >> child node Address) using the header mechanism (or property, for that
>> >> matter). This was the crux of my issue, as, for some reason, Amazon
>> expected
>> >> a ReplyTo. I suspect this is probably easily possible, but just wasn't
>> able
>> >> to figure it out.
>> >>
>> >> Btw, I was able to successfully interact with Amazon's SimpleDB now! I
>> hope
>> >> to writeup a blog entry on my findings (I am actually also writing the
>> book
>> >> called Open Source SOA from Manning, and I am including a big chapter on
>> >> Synapse, which I am a huge fan of).
>> >>
>> >> To be honest, a lot of this WS-Security stuff is rather new to me, so
>> I'm
>> >> feverishly trying to get a handle on it (the Manning book SOA Security
>> has
>> >> been a big help). I have used PasswordDigest mechanism a lot, but not
>> that
>> >> signing with x509 certs as much.
>> >>
>> >> jeff
>> >>
>> >>
>> >> On Sat, Jun 7, 2008 at 8:42 PM, Ruwan Linton <ru...@gmail.com>
>> >> wrote:
>> >>
>> >>> Hi Jeff,
>> >>>
>> >>> What is the bug from your POV? I am sorry, I don't see a bug here.....
>> >>>
>> >>> Well you could go ahead and file a JIRA so that we can evaluate what is
>> >>> the
>> >>> issue that you have faced and see whether is there something wrong with
>> >>> Synapse, but I assume this is rather a configuration error.
>> >>>
>> >>> Thanks,
>> >>> Ruwan
>> >>>
>> >>>
>> >>> On Sun, Jun 8, 2008 at 7:45 AM, Jeff Davis <jd...@idalica.com> wrote:
>> >>>
>> >>> > As a follow-up, I was running it through tcpmon, which is why it had
>> the
>> >>> > strange address.
>> >>> >
>> >>> > Yes, I am running the latest 1.2 build from the URL provided me last
>> >>> > Thursday, I believe.
>> >>> >
>> >>> > Should I submit this is a bug?
>> >>> >
>> >>> > On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <ruwan.linton@gmail.com
>> >
>> >>> > wrote:
>> >>> >
>> >>> > > Hi Jeff,
>> >>> > >
>> >>> > > If you enable addressing to the outbound message then synapse
>> should
>> >>> be
>> >>> > > sending the ReplyTo header as appropriate. May be amazon is not
>> >>> accepting
>> >>> > > anonymous ReplyTo headers, so assuming that you are using the 1.2
>> >>> build
>> >>> > > here
>> >>> > > is the proposed solution to this;
>> >>> > >
>> >>> > > <definitions xmlns="http://ws.apache.org/ns/synapse">
>> >>> > >   <localEntry key="sec_policy"
>> >>> > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
>> >>> > >
>> >>> > >   <in>
>> >>> > >        <send>
>> >>> > >           <endpoint name="secure">
>> >>> > >               <address uri="http://localhost:8086">
>> >>> > >                   <enableSec policy="sec_policy"/>
>> >>> > >                    <enableAddressing separateListener="true"/>
>> >>> > >                </address>
>> >>> > >           </endpoint>
>> >>> > >       </send>
>> >>> > >   </in>
>> >>> > >   <out>
>> >>> > >        <header name="wsse:Security" action="remove" xmlns:wsse="
>> >>> > > http://www.w3.org/2005/08/addressing"/>
>> >>> > >        <send/>
>> >>> > >   </out>
>> >>> > > </definitions>
>> >>> > >
>> >>> > > The above configuration should work, but please note that you need
>> to
>> >>> > > change
>> >>> > > the address uri of the endpoint in the above configuration from "
>> >>> > > http://localhost:8086" to "AMAZON_URL"
>> >>> > >
>> >>> > > If this is not working could you please attach the TCPMon out put
>> of
>> >>> the
>> >>> > > outbound message which is going to AMAZON (after changing important
>> >>> > > information) and the message received from AMAZON. If you don't
>> want
>> >>> to
>> >>> > > post
>> >>> > > it publicly you may send it to me (mailto:ruwan@wso2.com <
>> >>> ruwan@wso2.com
>> >>> > >)
>> >>> > >
>> >>> > > Thanks,
>> >>> > > Ruwan
>> >>> > >
>> >>> > > On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <jd...@idalica.com>
>> >>> wrote:
>> >>> > >
>> >>> > > > I did a little research, and I haven't seen anything in the
>> standard
>> >>> > that
>> >>> > > > indicates WS-Security requires WS-Addressing.  Unfortunately, it
>> >>> > doesn't
>> >>> > > > appear as though setting the header has any impact (further, if
>> it
>> >>> did,
>> >>> > > the
>> >>> > > > ReplyTo has a child element for the Address, so not sure how that
>> >>> would
>> >>> > > be
>> >>> > > > added). Here's my configuration:
>> >>> > > >
>> >>> > > > <definitions xmlns="http://ws.apache.org/ns/synapse">
>> >>> > > >    <localEntry key="sec_policy"
>> >>> > > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
>> >>> > > >
>> >>> > > >    <in>
>> >>> > > >        <header name="ReplyTo" action="set" value=""/>
>> >>> > > >        <send>
>> >>> > > >            <endpoint name="secure">
>> >>> > > >                <address uri="http://localhost:8086">
>> >>> > > >                    <enableSec policy="sec_policy"/>
>> >>> > > >                    <enableAddressing/>
>> >>> > > >                </address>
>> >>> > > >            </endpoint>
>> >>> > > >        </send>
>> >>> > > >    </in>
>> >>> > > >    <out>
>> >>> > > >        <send/>
>> >>> > > >    </out>
>> >>> > > > </definitions>
>> >>> > > >
>> >>> > > > In lieu of the above header, I also tried:
>> >>> > > >
>> >>> > > > <header name="wsse:Security" action="remove"
>> >>> > > >       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
>> >>> > > >
>> >>> > > > (I also tried removing the <enableAddressing/> node for each
>> test).
>> >>> > > >
>> >>> > > > To recap my issue, it seems as though Amazon AWS (at least for
>> >>> SimpleDB
>> >>> > > > service) requires the ReplyTo WS-Addressing element, if
>> >>> WS-Addressing
>> >>> > is
>> >>> > > > used. I haven't found a way to remove WS-Addressing generated
>> >>> > > automatically
>> >>> > > > by Synapse when WS-Security is used, and I haven't figure out how
>> to
>> >>> > add
>> >>> > > > ReplyTo (and it's child Address node) to the outbound message.
>> >>> > > >
>> >>> > > > Anyone have any work-arounds? Maybe I'll try chaining together
>> some
>> >>> > > things
>> >>> > > > to see if I can devise something.
>> >>> > > >
>> >>> > > > Thanks,
>> >>> > > >
>> >>> > > > jeff
>> >>> > > >
>> >>> > > >
>> >>> > > > On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <
>> asankha@wso2.com
>> >>> >
>> >>> > > > wrote:
>> >>> > > >
>> >>> > > > > Hi Jeff
>> >>> > > > >
>> >>> > > > >> To be honest, I'm not entirely certain how to add it in the
>> >>> Header
>> >>> > > > >> mediator,
>> >>> > > > >> as you allude to. I did try various permutations of using the
>> >>> > property
>> >>> > > > and
>> >>> > > > >> header nodes within the <in>, but nothing ever appeared.
>> >>> > > > >>
>> >>> > > > >>
>> >>> > > > > I am sorry.. I had made a mistake in my reply earlier.. to set
>> the
>> >>> > > > ReplyTo
>> >>> > > > > header to something, you will use "<header name="ReplyTo"
>> >>> > value="..."/>
>> >>> > > > > format.. If you are familiar with using TCPMon, you can place
>> it
>> >>> > > between
>> >>> > > > > your service and Amazon and route the message through it to get
>> a
>> >>> > trace
>> >>> > > > of
>> >>> > > > > the messages. This will help you and us to solve any problems.
>> >>> > > > >
>> >>> > > > >> Obviously, Amazon's service is not entirely compliant with the
>> >>> > > > WS-Security
>> >>> > > > >> standards. Even in their section under WS-Security SOAP, they
>> >>> state
>> >>> > > that
>> >>> > > > >> "if
>> >>> > > > >> you're using WS-Addressing, we recommend you also sign the
>> Action
>> >>> > and
>> >>> > > To
>> >>> > > > >> header elements" (I haven't figured out how to do that yet,
>> but
>> >>> I'll
>> >>> > > dig
>> >>> > > > >> into that).
>> >>> > > > >>
>> >>> > > > >>
>> >>> > > > > If you are ok to share your configuration/scenario with us or
>> let
>> >>> us
>> >>> > > try
>> >>> > > > > some simple sample to reproduce the issue you are facing, one
>> of
>> >>> the
>> >>> > > > > developers would be able to tell you exactly whats wrong, and
>> what
>> >>> > you
>> >>> > > > could
>> >>> > > > > do to get past the problem
>> >>> > > > >
>> >>> > > > > asankha
>> >>> > > > >
>> >>> > > >
>> >>> > >
>> >>> > >
>> >>> > >
>> >>> > > --
>> >>> > > Ruwan Linton
>> >>> > > http://www.wso2.org - "Oxygenating the Web Services Platform"
>> >>> > >
>> >>> >
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> Ruwan Linton
>> >>> http://www.wso2.org - "Oxygenating the Web Services Platform"
>> >>>
>> >>
>> >>
>> >
>>
>>
>>
>> --
>> Paul Fremantle
>> Co-Founder and CTO, WSO2
>> Apache Synapse PMC Chair
>> OASIS WS-RX TC Co-chair
>>
>> blog: http://pzf.fremantle.org
>> paul@wso2.com
>>
>> "Oxygenating the Web Service Platform", www.wso2.com
>>
>
>
>
> --
> Ruwan Linton
> http://www.wso2.org - "Oxygenating the Web Services Platform"
>



-- 
Paul Fremantle
Co-Founder and CTO, WSO2
Apache Synapse PMC Chair
OASIS WS-RX TC Co-chair

blog: http://pzf.fremantle.org
paul@wso2.com

"Oxygenating the Web Service Platform", www.wso2.com

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Ruwan Linton <ru...@gmail.com>]

Hi Jeff and Paul,

I was able to reproduce the issue, basically whatever we specify as the
ReplyTo header Addressing module changes it to anonymous for the outbound
message and neglects sending it. So setting the ReplyTo header is not
effective for the moment. Jeff, could you please file a JIRA for this. At
the same time I had a look at what Paul proposed and it seems to work but
still it is just the anonymous address but not the one we set. You could use
the property mediator at the axis2-client scope to set this property as
follows to include the anonymous header;

<syn:property name="includeOptionalHeaders" value="true"
scope="axis2-client"/>

Or if you use separateListener attribute to true with the enableAddressing
tag then you can see the non anonymous ReplyTo header is being sent to the
service.

I will look for a solution to this issue ASAP. Thanks Jeff for pointing this
out.

Thanks,
Ruwan

On Sun, Jun 8, 2008 at 1:40 PM, Paul Fremantle <pz...@gmail.com> wrote:

> Jeff
>
> Thanks for the feedback. Please can you submit your code as a sample?
> We will definitely try to fix the bug. I agree rampart should not be
> causing addressing headers to appear. The reason that the anonymous
> header is being stripped out is because the WS-A spec says that no
> reply-to is equivalent to anonymous, so there is a bug in Amazon.
> However, there is a way in Axis2 to turn this behaviour off.
>
> options.setProperty(AddressingConstants.INCLUDE_OPTIONAL_HEADERS,
> Boolean.TRUE);
>
> So another way to sort that out will be to set that property on the Axis2
> MC.
>
> Paul
>
> On Sun, Jun 8, 2008 at 6:24 AM, Jeff Davis <jd...@idalica.com> wrote:
> > Turns out my work-around really didn't solve the problem (because
> > Axis/Rampart is anticipating a WS-Addressing reply, and since I've
> stripped
> > it out downstream, I'd have to add it back manually).
> >
> > The crux of the issue is that I cannot figure out how to added this:
> >
> > <wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous
> > </wsa:Address></wsa:ReplyTo>
> >
> > To my WS-Addressing part of my SOAP header.
> >
> > I believe it ought to be present, but it's not, as I've confirmed through
> > TCPMon. I've tried everything I can think of to get it to appear, but
> thus
> > far have had no luck.
> >
> > Thanks,
> >
> > jeff
> >
> > On Sat, Jun 7, 2008 at 9:23 PM, Jeff Davis <jd...@idalica.com> wrote:
> >
> >> Maybe it's not a bug but a feature request :-).
> >>
> >> I see two issues:
> >>
> >> 1) WS-Security automatically adds undesirable WS-Addressing elements
> (IMO,
> >> this should only happen when enableAddressing is specified). I don't see
> >> anything in the WS-Security spec that indicates WS-Addressing is
> required. I
> >> don't see a way to turn this behavior off in Synapse, without resorting
> to a
> >> workaround such as I demonstrated (i.e., chaining together 2 sequences,
> >> within one removing the undesirable WS-Addressing elements).
> >>
> >> 2) I didn't see a a way to add the ReplyTo WS-Addressing element (and
> it's
> >> child node Address) using the header mechanism (or property, for that
> >> matter). This was the crux of my issue, as, for some reason, Amazon
> expected
> >> a ReplyTo. I suspect this is probably easily possible, but just wasn't
> able
> >> to figure it out.
> >>
> >> Btw, I was able to successfully interact with Amazon's SimpleDB now! I
> hope
> >> to writeup a blog entry on my findings (I am actually also writing the
> book
> >> called Open Source SOA from Manning, and I am including a big chapter on
> >> Synapse, which I am a huge fan of).
> >>
> >> To be honest, a lot of this WS-Security stuff is rather new to me, so
> I'm
> >> feverishly trying to get a handle on it (the Manning book SOA Security
> has
> >> been a big help). I have used PasswordDigest mechanism a lot, but not
> that
> >> signing with x509 certs as much.
> >>
> >> jeff
> >>
> >>
> >> On Sat, Jun 7, 2008 at 8:42 PM, Ruwan Linton <ru...@gmail.com>
> >> wrote:
> >>
> >>> Hi Jeff,
> >>>
> >>> What is the bug from your POV? I am sorry, I don't see a bug here.....
> >>>
> >>> Well you could go ahead and file a JIRA so that we can evaluate what is
> >>> the
> >>> issue that you have faced and see whether is there something wrong with
> >>> Synapse, but I assume this is rather a configuration error.
> >>>
> >>> Thanks,
> >>> Ruwan
> >>>
> >>>
> >>> On Sun, Jun 8, 2008 at 7:45 AM, Jeff Davis <jd...@idalica.com> wrote:
> >>>
> >>> > As a follow-up, I was running it through tcpmon, which is why it had
> the
> >>> > strange address.
> >>> >
> >>> > Yes, I am running the latest 1.2 build from the URL provided me last
> >>> > Thursday, I believe.
> >>> >
> >>> > Should I submit this is a bug?
> >>> >
> >>> > On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <ruwan.linton@gmail.com
> >
> >>> > wrote:
> >>> >
> >>> > > Hi Jeff,
> >>> > >
> >>> > > If you enable addressing to the outbound message then synapse
> should
> >>> be
> >>> > > sending the ReplyTo header as appropriate. May be amazon is not
> >>> accepting
> >>> > > anonymous ReplyTo headers, so assuming that you are using the 1.2
> >>> build
> >>> > > here
> >>> > > is the proposed solution to this;
> >>> > >
> >>> > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> >>> > >   <localEntry key="sec_policy"
> >>> > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> >>> > >
> >>> > >   <in>
> >>> > >        <send>
> >>> > >           <endpoint name="secure">
> >>> > >               <address uri="http://localhost:8086">
> >>> > >                   <enableSec policy="sec_policy"/>
> >>> > >                    <enableAddressing separateListener="true"/>
> >>> > >                </address>
> >>> > >           </endpoint>
> >>> > >       </send>
> >>> > >   </in>
> >>> > >   <out>
> >>> > >        <header name="wsse:Security" action="remove" xmlns:wsse="
> >>> > > http://www.w3.org/2005/08/addressing"/>
> >>> > >        <send/>
> >>> > >   </out>
> >>> > > </definitions>
> >>> > >
> >>> > > The above configuration should work, but please note that you need
> to
> >>> > > change
> >>> > > the address uri of the endpoint in the above configuration from "
> >>> > > http://localhost:8086" to "AMAZON_URL"
> >>> > >
> >>> > > If this is not working could you please attach the TCPMon out put
> of
> >>> the
> >>> > > outbound message which is going to AMAZON (after changing important
> >>> > > information) and the message received from AMAZON. If you don't
> want
> >>> to
> >>> > > post
> >>> > > it publicly you may send it to me (mailto:ruwan@wso2.com <
> >>> ruwan@wso2.com
> >>> > >)
> >>> > >
> >>> > > Thanks,
> >>> > > Ruwan
> >>> > >
> >>> > > On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <jd...@idalica.com>
> >>> wrote:
> >>> > >
> >>> > > > I did a little research, and I haven't seen anything in the
> standard
> >>> > that
> >>> > > > indicates WS-Security requires WS-Addressing.  Unfortunately, it
> >>> > doesn't
> >>> > > > appear as though setting the header has any impact (further, if
> it
> >>> did,
> >>> > > the
> >>> > > > ReplyTo has a child element for the Address, so not sure how that
> >>> would
> >>> > > be
> >>> > > > added). Here's my configuration:
> >>> > > >
> >>> > > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> >>> > > >    <localEntry key="sec_policy"
> >>> > > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> >>> > > >
> >>> > > >    <in>
> >>> > > >        <header name="ReplyTo" action="set" value=""/>
> >>> > > >        <send>
> >>> > > >            <endpoint name="secure">
> >>> > > >                <address uri="http://localhost:8086">
> >>> > > >                    <enableSec policy="sec_policy"/>
> >>> > > >                    <enableAddressing/>
> >>> > > >                </address>
> >>> > > >            </endpoint>
> >>> > > >        </send>
> >>> > > >    </in>
> >>> > > >    <out>
> >>> > > >        <send/>
> >>> > > >    </out>
> >>> > > > </definitions>
> >>> > > >
> >>> > > > In lieu of the above header, I also tried:
> >>> > > >
> >>> > > > <header name="wsse:Security" action="remove"
> >>> > > >       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
> >>> > > >
> >>> > > > (I also tried removing the <enableAddressing/> node for each
> test).
> >>> > > >
> >>> > > > To recap my issue, it seems as though Amazon AWS (at least for
> >>> SimpleDB
> >>> > > > service) requires the ReplyTo WS-Addressing element, if
> >>> WS-Addressing
> >>> > is
> >>> > > > used. I haven't found a way to remove WS-Addressing generated
> >>> > > automatically
> >>> > > > by Synapse when WS-Security is used, and I haven't figure out how
> to
> >>> > add
> >>> > > > ReplyTo (and it's child Address node) to the outbound message.
> >>> > > >
> >>> > > > Anyone have any work-arounds? Maybe I'll try chaining together
> some
> >>> > > things
> >>> > > > to see if I can devise something.
> >>> > > >
> >>> > > > Thanks,
> >>> > > >
> >>> > > > jeff
> >>> > > >
> >>> > > >
> >>> > > > On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <
> asankha@wso2.com
> >>> >
> >>> > > > wrote:
> >>> > > >
> >>> > > > > Hi Jeff
> >>> > > > >
> >>> > > > >> To be honest, I'm not entirely certain how to add it in the
> >>> Header
> >>> > > > >> mediator,
> >>> > > > >> as you allude to. I did try various permutations of using the
> >>> > property
> >>> > > > and
> >>> > > > >> header nodes within the <in>, but nothing ever appeared.
> >>> > > > >>
> >>> > > > >>
> >>> > > > > I am sorry.. I had made a mistake in my reply earlier.. to set
> the
> >>> > > > ReplyTo
> >>> > > > > header to something, you will use "<header name="ReplyTo"
> >>> > value="..."/>
> >>> > > > > format.. If you are familiar with using TCPMon, you can place
> it
> >>> > > between
> >>> > > > > your service and Amazon and route the message through it to get
> a
> >>> > trace
> >>> > > > of
> >>> > > > > the messages. This will help you and us to solve any problems.
> >>> > > > >
> >>> > > > >> Obviously, Amazon's service is not entirely compliant with the
> >>> > > > WS-Security
> >>> > > > >> standards. Even in their section under WS-Security SOAP, they
> >>> state
> >>> > > that
> >>> > > > >> "if
> >>> > > > >> you're using WS-Addressing, we recommend you also sign the
> Action
> >>> > and
> >>> > > To
> >>> > > > >> header elements" (I haven't figured out how to do that yet,
> but
> >>> I'll
> >>> > > dig
> >>> > > > >> into that).
> >>> > > > >>
> >>> > > > >>
> >>> > > > > If you are ok to share your configuration/scenario with us or
> let
> >>> us
> >>> > > try
> >>> > > > > some simple sample to reproduce the issue you are facing, one
> of
> >>> the
> >>> > > > > developers would be able to tell you exactly whats wrong, and
> what
> >>> > you
> >>> > > > could
> >>> > > > > do to get past the problem
> >>> > > > >
> >>> > > > > asankha
> >>> > > > >
> >>> > > >
> >>> > >
> >>> > >
> >>> > >
> >>> > > --
> >>> > > Ruwan Linton
> >>> > > http://www.wso2.org - "Oxygenating the Web Services Platform"
> >>> > >
> >>> >
> >>>
> >>>
> >>>
> >>> --
> >>> Ruwan Linton
> >>> http://www.wso2.org - "Oxygenating the Web Services Platform"
> >>>
> >>
> >>
> >
>
>
>
> --
> Paul Fremantle
> Co-Founder and CTO, WSO2
> Apache Synapse PMC Chair
> OASIS WS-RX TC Co-chair
>
> blog: http://pzf.fremantle.org
> paul@wso2.com
>
> "Oxygenating the Web Service Platform", www.wso2.com
>



-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Paul Fremantle <pz...@gmail.com>]

Jeff

Thanks for the feedback. Please can you submit your code as a sample?
We will definitely try to fix the bug. I agree rampart should not be
causing addressing headers to appear. The reason that the anonymous
header is being stripped out is because the WS-A spec says that no
reply-to is equivalent to anonymous, so there is a bug in Amazon.
However, there is a way in Axis2 to turn this behaviour off.

options.setProperty(AddressingConstants.INCLUDE_OPTIONAL_HEADERS, Boolean.TRUE);

So another way to sort that out will be to set that property on the Axis2 MC.

Paul

On Sun, Jun 8, 2008 at 6:24 AM, Jeff Davis <jd...@idalica.com> wrote:
> Turns out my work-around really didn't solve the problem (because
> Axis/Rampart is anticipating a WS-Addressing reply, and since I've stripped
> it out downstream, I'd have to add it back manually).
>
> The crux of the issue is that I cannot figure out how to added this:
>
> <wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous
> </wsa:Address></wsa:ReplyTo>
>
> To my WS-Addressing part of my SOAP header.
>
> I believe it ought to be present, but it's not, as I've confirmed through
> TCPMon. I've tried everything I can think of to get it to appear, but thus
> far have had no luck.
>
> Thanks,
>
> jeff
>
> On Sat, Jun 7, 2008 at 9:23 PM, Jeff Davis <jd...@idalica.com> wrote:
>
>> Maybe it's not a bug but a feature request :-).
>>
>> I see two issues:
>>
>> 1) WS-Security automatically adds undesirable WS-Addressing elements (IMO,
>> this should only happen when enableAddressing is specified). I don't see
>> anything in the WS-Security spec that indicates WS-Addressing is required. I
>> don't see a way to turn this behavior off in Synapse, without resorting to a
>> workaround such as I demonstrated (i.e., chaining together 2 sequences,
>> within one removing the undesirable WS-Addressing elements).
>>
>> 2) I didn't see a a way to add the ReplyTo WS-Addressing element (and it's
>> child node Address) using the header mechanism (or property, for that
>> matter). This was the crux of my issue, as, for some reason, Amazon expected
>> a ReplyTo. I suspect this is probably easily possible, but just wasn't able
>> to figure it out.
>>
>> Btw, I was able to successfully interact with Amazon's SimpleDB now! I hope
>> to writeup a blog entry on my findings (I am actually also writing the book
>> called Open Source SOA from Manning, and I am including a big chapter on
>> Synapse, which I am a huge fan of).
>>
>> To be honest, a lot of this WS-Security stuff is rather new to me, so I'm
>> feverishly trying to get a handle on it (the Manning book SOA Security has
>> been a big help). I have used PasswordDigest mechanism a lot, but not that
>> signing with x509 certs as much.
>>
>> jeff
>>
>>
>> On Sat, Jun 7, 2008 at 8:42 PM, Ruwan Linton <ru...@gmail.com>
>> wrote:
>>
>>> Hi Jeff,
>>>
>>> What is the bug from your POV? I am sorry, I don't see a bug here.....
>>>
>>> Well you could go ahead and file a JIRA so that we can evaluate what is
>>> the
>>> issue that you have faced and see whether is there something wrong with
>>> Synapse, but I assume this is rather a configuration error.
>>>
>>> Thanks,
>>> Ruwan
>>>
>>>
>>> On Sun, Jun 8, 2008 at 7:45 AM, Jeff Davis <jd...@idalica.com> wrote:
>>>
>>> > As a follow-up, I was running it through tcpmon, which is why it had the
>>> > strange address.
>>> >
>>> > Yes, I am running the latest 1.2 build from the URL provided me last
>>> > Thursday, I believe.
>>> >
>>> > Should I submit this is a bug?
>>> >
>>> > On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <ru...@gmail.com>
>>> > wrote:
>>> >
>>> > > Hi Jeff,
>>> > >
>>> > > If you enable addressing to the outbound message then synapse should
>>> be
>>> > > sending the ReplyTo header as appropriate. May be amazon is not
>>> accepting
>>> > > anonymous ReplyTo headers, so assuming that you are using the 1.2
>>> build
>>> > > here
>>> > > is the proposed solution to this;
>>> > >
>>> > > <definitions xmlns="http://ws.apache.org/ns/synapse">
>>> > >   <localEntry key="sec_policy"
>>> > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
>>> > >
>>> > >   <in>
>>> > >        <send>
>>> > >           <endpoint name="secure">
>>> > >               <address uri="http://localhost:8086">
>>> > >                   <enableSec policy="sec_policy"/>
>>> > >                    <enableAddressing separateListener="true"/>
>>> > >                </address>
>>> > >           </endpoint>
>>> > >       </send>
>>> > >   </in>
>>> > >   <out>
>>> > >        <header name="wsse:Security" action="remove" xmlns:wsse="
>>> > > http://www.w3.org/2005/08/addressing"/>
>>> > >        <send/>
>>> > >   </out>
>>> > > </definitions>
>>> > >
>>> > > The above configuration should work, but please note that you need to
>>> > > change
>>> > > the address uri of the endpoint in the above configuration from "
>>> > > http://localhost:8086" to "AMAZON_URL"
>>> > >
>>> > > If this is not working could you please attach the TCPMon out put of
>>> the
>>> > > outbound message which is going to AMAZON (after changing important
>>> > > information) and the message received from AMAZON. If you don't want
>>> to
>>> > > post
>>> > > it publicly you may send it to me (mailto:ruwan@wso2.com <
>>> ruwan@wso2.com
>>> > >)
>>> > >
>>> > > Thanks,
>>> > > Ruwan
>>> > >
>>> > > On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <jd...@idalica.com>
>>> wrote:
>>> > >
>>> > > > I did a little research, and I haven't seen anything in the standard
>>> > that
>>> > > > indicates WS-Security requires WS-Addressing.  Unfortunately, it
>>> > doesn't
>>> > > > appear as though setting the header has any impact (further, if it
>>> did,
>>> > > the
>>> > > > ReplyTo has a child element for the Address, so not sure how that
>>> would
>>> > > be
>>> > > > added). Here's my configuration:
>>> > > >
>>> > > > <definitions xmlns="http://ws.apache.org/ns/synapse">
>>> > > >    <localEntry key="sec_policy"
>>> > > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
>>> > > >
>>> > > >    <in>
>>> > > >        <header name="ReplyTo" action="set" value=""/>
>>> > > >        <send>
>>> > > >            <endpoint name="secure">
>>> > > >                <address uri="http://localhost:8086">
>>> > > >                    <enableSec policy="sec_policy"/>
>>> > > >                    <enableAddressing/>
>>> > > >                </address>
>>> > > >            </endpoint>
>>> > > >        </send>
>>> > > >    </in>
>>> > > >    <out>
>>> > > >        <send/>
>>> > > >    </out>
>>> > > > </definitions>
>>> > > >
>>> > > > In lieu of the above header, I also tried:
>>> > > >
>>> > > > <header name="wsse:Security" action="remove"
>>> > > >       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
>>> > > >
>>> > > > (I also tried removing the <enableAddressing/> node for each test).
>>> > > >
>>> > > > To recap my issue, it seems as though Amazon AWS (at least for
>>> SimpleDB
>>> > > > service) requires the ReplyTo WS-Addressing element, if
>>> WS-Addressing
>>> > is
>>> > > > used. I haven't found a way to remove WS-Addressing generated
>>> > > automatically
>>> > > > by Synapse when WS-Security is used, and I haven't figure out how to
>>> > add
>>> > > > ReplyTo (and it's child Address node) to the outbound message.
>>> > > >
>>> > > > Anyone have any work-arounds? Maybe I'll try chaining together some
>>> > > things
>>> > > > to see if I can devise something.
>>> > > >
>>> > > > Thanks,
>>> > > >
>>> > > > jeff
>>> > > >
>>> > > >
>>> > > > On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <asankha@wso2.com
>>> >
>>> > > > wrote:
>>> > > >
>>> > > > > Hi Jeff
>>> > > > >
>>> > > > >> To be honest, I'm not entirely certain how to add it in the
>>> Header
>>> > > > >> mediator,
>>> > > > >> as you allude to. I did try various permutations of using the
>>> > property
>>> > > > and
>>> > > > >> header nodes within the <in>, but nothing ever appeared.
>>> > > > >>
>>> > > > >>
>>> > > > > I am sorry.. I had made a mistake in my reply earlier.. to set the
>>> > > > ReplyTo
>>> > > > > header to something, you will use "<header name="ReplyTo"
>>> > value="..."/>
>>> > > > > format.. If you are familiar with using TCPMon, you can place it
>>> > > between
>>> > > > > your service and Amazon and route the message through it to get a
>>> > trace
>>> > > > of
>>> > > > > the messages. This will help you and us to solve any problems.
>>> > > > >
>>> > > > >> Obviously, Amazon's service is not entirely compliant with the
>>> > > > WS-Security
>>> > > > >> standards. Even in their section under WS-Security SOAP, they
>>> state
>>> > > that
>>> > > > >> "if
>>> > > > >> you're using WS-Addressing, we recommend you also sign the Action
>>> > and
>>> > > To
>>> > > > >> header elements" (I haven't figured out how to do that yet, but
>>> I'll
>>> > > dig
>>> > > > >> into that).
>>> > > > >>
>>> > > > >>
>>> > > > > If you are ok to share your configuration/scenario with us or let
>>> us
>>> > > try
>>> > > > > some simple sample to reproduce the issue you are facing, one of
>>> the
>>> > > > > developers would be able to tell you exactly whats wrong, and what
>>> > you
>>> > > > could
>>> > > > > do to get past the problem
>>> > > > >
>>> > > > > asankha
>>> > > > >
>>> > > >
>>> > >
>>> > >
>>> > >
>>> > > --
>>> > > Ruwan Linton
>>> > > http://www.wso2.org - "Oxygenating the Web Services Platform"
>>> > >
>>> >
>>>
>>>
>>>
>>> --
>>> Ruwan Linton
>>> http://www.wso2.org - "Oxygenating the Web Services Platform"
>>>
>>
>>
>



-- 
Paul Fremantle
Co-Founder and CTO, WSO2
Apache Synapse PMC Chair
OASIS WS-RX TC Co-chair

blog: http://pzf.fremantle.org
paul@wso2.com

"Oxygenating the Web Service Platform", www.wso2.com

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Jeff Davis <jd...@idalica.com>]

Turns out my work-around really didn't solve the problem (because
Axis/Rampart is anticipating a WS-Addressing reply, and since I've stripped
it out downstream, I'd have to add it back manually).

The crux of the issue is that I cannot figure out how to added this:

<wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous
</wsa:Address></wsa:ReplyTo>

To my WS-Addressing part of my SOAP header.

I believe it ought to be present, but it's not, as I've confirmed through
TCPMon. I've tried everything I can think of to get it to appear, but thus
far have had no luck.

Thanks,

jeff

On Sat, Jun 7, 2008 at 9:23 PM, Jeff Davis <jd...@idalica.com> wrote:

> Maybe it's not a bug but a feature request :-).
>
> I see two issues:
>
> 1) WS-Security automatically adds undesirable WS-Addressing elements (IMO,
> this should only happen when enableAddressing is specified). I don't see
> anything in the WS-Security spec that indicates WS-Addressing is required. I
> don't see a way to turn this behavior off in Synapse, without resorting to a
> workaround such as I demonstrated (i.e., chaining together 2 sequences,
> within one removing the undesirable WS-Addressing elements).
>
> 2) I didn't see a a way to add the ReplyTo WS-Addressing element (and it's
> child node Address) using the header mechanism (or property, for that
> matter). This was the crux of my issue, as, for some reason, Amazon expected
> a ReplyTo. I suspect this is probably easily possible, but just wasn't able
> to figure it out.
>
> Btw, I was able to successfully interact with Amazon's SimpleDB now! I hope
> to writeup a blog entry on my findings (I am actually also writing the book
> called Open Source SOA from Manning, and I am including a big chapter on
> Synapse, which I am a huge fan of).
>
> To be honest, a lot of this WS-Security stuff is rather new to me, so I'm
> feverishly trying to get a handle on it (the Manning book SOA Security has
> been a big help). I have used PasswordDigest mechanism a lot, but not that
> signing with x509 certs as much.
>
> jeff
>
>
> On Sat, Jun 7, 2008 at 8:42 PM, Ruwan Linton <ru...@gmail.com>
> wrote:
>
>> Hi Jeff,
>>
>> What is the bug from your POV? I am sorry, I don't see a bug here.....
>>
>> Well you could go ahead and file a JIRA so that we can evaluate what is
>> the
>> issue that you have faced and see whether is there something wrong with
>> Synapse, but I assume this is rather a configuration error.
>>
>> Thanks,
>> Ruwan
>>
>>
>> On Sun, Jun 8, 2008 at 7:45 AM, Jeff Davis <jd...@idalica.com> wrote:
>>
>> > As a follow-up, I was running it through tcpmon, which is why it had the
>> > strange address.
>> >
>> > Yes, I am running the latest 1.2 build from the URL provided me last
>> > Thursday, I believe.
>> >
>> > Should I submit this is a bug?
>> >
>> > On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <ru...@gmail.com>
>> > wrote:
>> >
>> > > Hi Jeff,
>> > >
>> > > If you enable addressing to the outbound message then synapse should
>> be
>> > > sending the ReplyTo header as appropriate. May be amazon is not
>> accepting
>> > > anonymous ReplyTo headers, so assuming that you are using the 1.2
>> build
>> > > here
>> > > is the proposed solution to this;
>> > >
>> > > <definitions xmlns="http://ws.apache.org/ns/synapse">
>> > >   <localEntry key="sec_policy"
>> > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
>> > >
>> > >   <in>
>> > >        <send>
>> > >           <endpoint name="secure">
>> > >               <address uri="http://localhost:8086">
>> > >                   <enableSec policy="sec_policy"/>
>> > >                    <enableAddressing separateListener="true"/>
>> > >                </address>
>> > >           </endpoint>
>> > >       </send>
>> > >   </in>
>> > >   <out>
>> > >        <header name="wsse:Security" action="remove" xmlns:wsse="
>> > > http://www.w3.org/2005/08/addressing"/>
>> > >        <send/>
>> > >   </out>
>> > > </definitions>
>> > >
>> > > The above configuration should work, but please note that you need to
>> > > change
>> > > the address uri of the endpoint in the above configuration from "
>> > > http://localhost:8086" to "AMAZON_URL"
>> > >
>> > > If this is not working could you please attach the TCPMon out put of
>> the
>> > > outbound message which is going to AMAZON (after changing important
>> > > information) and the message received from AMAZON. If you don't want
>> to
>> > > post
>> > > it publicly you may send it to me (mailto:ruwan@wso2.com <
>> ruwan@wso2.com
>> > >)
>> > >
>> > > Thanks,
>> > > Ruwan
>> > >
>> > > On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <jd...@idalica.com>
>> wrote:
>> > >
>> > > > I did a little research, and I haven't seen anything in the standard
>> > that
>> > > > indicates WS-Security requires WS-Addressing.  Unfortunately, it
>> > doesn't
>> > > > appear as though setting the header has any impact (further, if it
>> did,
>> > > the
>> > > > ReplyTo has a child element for the Address, so not sure how that
>> would
>> > > be
>> > > > added). Here's my configuration:
>> > > >
>> > > > <definitions xmlns="http://ws.apache.org/ns/synapse">
>> > > >    <localEntry key="sec_policy"
>> > > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
>> > > >
>> > > >    <in>
>> > > >        <header name="ReplyTo" action="set" value=""/>
>> > > >        <send>
>> > > >            <endpoint name="secure">
>> > > >                <address uri="http://localhost:8086">
>> > > >                    <enableSec policy="sec_policy"/>
>> > > >                    <enableAddressing/>
>> > > >                </address>
>> > > >            </endpoint>
>> > > >        </send>
>> > > >    </in>
>> > > >    <out>
>> > > >        <send/>
>> > > >    </out>
>> > > > </definitions>
>> > > >
>> > > > In lieu of the above header, I also tried:
>> > > >
>> > > > <header name="wsse:Security" action="remove"
>> > > >       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
>> > > >
>> > > > (I also tried removing the <enableAddressing/> node for each test).
>> > > >
>> > > > To recap my issue, it seems as though Amazon AWS (at least for
>> SimpleDB
>> > > > service) requires the ReplyTo WS-Addressing element, if
>> WS-Addressing
>> > is
>> > > > used. I haven't found a way to remove WS-Addressing generated
>> > > automatically
>> > > > by Synapse when WS-Security is used, and I haven't figure out how to
>> > add
>> > > > ReplyTo (and it's child Address node) to the outbound message.
>> > > >
>> > > > Anyone have any work-arounds? Maybe I'll try chaining together some
>> > > things
>> > > > to see if I can devise something.
>> > > >
>> > > > Thanks,
>> > > >
>> > > > jeff
>> > > >
>> > > >
>> > > > On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <asankha@wso2.com
>> >
>> > > > wrote:
>> > > >
>> > > > > Hi Jeff
>> > > > >
>> > > > >> To be honest, I'm not entirely certain how to add it in the
>> Header
>> > > > >> mediator,
>> > > > >> as you allude to. I did try various permutations of using the
>> > property
>> > > > and
>> > > > >> header nodes within the <in>, but nothing ever appeared.
>> > > > >>
>> > > > >>
>> > > > > I am sorry.. I had made a mistake in my reply earlier.. to set the
>> > > > ReplyTo
>> > > > > header to something, you will use "<header name="ReplyTo"
>> > value="..."/>
>> > > > > format.. If you are familiar with using TCPMon, you can place it
>> > > between
>> > > > > your service and Amazon and route the message through it to get a
>> > trace
>> > > > of
>> > > > > the messages. This will help you and us to solve any problems.
>> > > > >
>> > > > >> Obviously, Amazon's service is not entirely compliant with the
>> > > > WS-Security
>> > > > >> standards. Even in their section under WS-Security SOAP, they
>> state
>> > > that
>> > > > >> "if
>> > > > >> you're using WS-Addressing, we recommend you also sign the Action
>> > and
>> > > To
>> > > > >> header elements" (I haven't figured out how to do that yet, but
>> I'll
>> > > dig
>> > > > >> into that).
>> > > > >>
>> > > > >>
>> > > > > If you are ok to share your configuration/scenario with us or let
>> us
>> > > try
>> > > > > some simple sample to reproduce the issue you are facing, one of
>> the
>> > > > > developers would be able to tell you exactly whats wrong, and what
>> > you
>> > > > could
>> > > > > do to get past the problem
>> > > > >
>> > > > > asankha
>> > > > >
>> > > >
>> > >
>> > >
>> > >
>> > > --
>> > > Ruwan Linton
>> > > http://www.wso2.org - "Oxygenating the Web Services Platform"
>> > >
>> >
>>
>>
>>
>> --
>> Ruwan Linton
>> http://www.wso2.org - "Oxygenating the Web Services Platform"
>>
>
>

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Jeff Davis <jd...@idalica.com>]

Maybe it's not a bug but a feature request :-).

I see two issues:

1) WS-Security automatically adds undesirable WS-Addressing elements (IMO,
this should only happen when enableAddressing is specified). I don't see
anything in the WS-Security spec that indicates WS-Addressing is required. I
don't see a way to turn this behavior off in Synapse, without resorting to a
workaround such as I demonstrated (i.e., chaining together 2 sequences,
within one removing the undesirable WS-Addressing elements).

2) I didn't see a a way to add the ReplyTo WS-Addressing element (and it's
child node Address) using the header mechanism (or property, for that
matter). This was the crux of my issue, as, for some reason, Amazon expected
a ReplyTo. I suspect this is probably easily possible, but just wasn't able
to figure it out.

Btw, I was able to successfully interact with Amazon's SimpleDB now! I hope
to writeup a blog entry on my findings (I am actually also writing the book
called Open Source SOA from Manning, and I am including a big chapter on
Synapse, which I am a huge fan of).

To be honest, a lot of this WS-Security stuff is rather new to me, so I'm
feverishly trying to get a handle on it (the Manning book SOA Security has
been a big help). I have used PasswordDigest mechanism a lot, but not that
signing with x509 certs as much.

jeff

On Sat, Jun 7, 2008 at 8:42 PM, Ruwan Linton <ru...@gmail.com> wrote:

> Hi Jeff,
>
> What is the bug from your POV? I am sorry, I don't see a bug here.....
>
> Well you could go ahead and file a JIRA so that we can evaluate what is the
> issue that you have faced and see whether is there something wrong with
> Synapse, but I assume this is rather a configuration error.
>
> Thanks,
> Ruwan
>
>
> On Sun, Jun 8, 2008 at 7:45 AM, Jeff Davis <jd...@idalica.com> wrote:
>
> > As a follow-up, I was running it through tcpmon, which is why it had the
> > strange address.
> >
> > Yes, I am running the latest 1.2 build from the URL provided me last
> > Thursday, I believe.
> >
> > Should I submit this is a bug?
> >
> > On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <ru...@gmail.com>
> > wrote:
> >
> > > Hi Jeff,
> > >
> > > If you enable addressing to the outbound message then synapse should be
> > > sending the ReplyTo header as appropriate. May be amazon is not
> accepting
> > > anonymous ReplyTo headers, so assuming that you are using the 1.2 build
> > > here
> > > is the proposed solution to this;
> > >
> > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> > >   <localEntry key="sec_policy"
> > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> > >
> > >   <in>
> > >        <send>
> > >           <endpoint name="secure">
> > >               <address uri="http://localhost:8086">
> > >                   <enableSec policy="sec_policy"/>
> > >                    <enableAddressing separateListener="true"/>
> > >                </address>
> > >           </endpoint>
> > >       </send>
> > >   </in>
> > >   <out>
> > >        <header name="wsse:Security" action="remove" xmlns:wsse="
> > > http://www.w3.org/2005/08/addressing"/>
> > >        <send/>
> > >   </out>
> > > </definitions>
> > >
> > > The above configuration should work, but please note that you need to
> > > change
> > > the address uri of the endpoint in the above configuration from "
> > > http://localhost:8086" to "AMAZON_URL"
> > >
> > > If this is not working could you please attach the TCPMon out put of
> the
> > > outbound message which is going to AMAZON (after changing important
> > > information) and the message received from AMAZON. If you don't want to
> > > post
> > > it publicly you may send it to me (mailto:ruwan@wso2.com <
> ruwan@wso2.com
> > >)
> > >
> > > Thanks,
> > > Ruwan
> > >
> > > On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <jd...@idalica.com> wrote:
> > >
> > > > I did a little research, and I haven't seen anything in the standard
> > that
> > > > indicates WS-Security requires WS-Addressing.  Unfortunately, it
> > doesn't
> > > > appear as though setting the header has any impact (further, if it
> did,
> > > the
> > > > ReplyTo has a child element for the Address, so not sure how that
> would
> > > be
> > > > added). Here's my configuration:
> > > >
> > > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> > > >    <localEntry key="sec_policy"
> > > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> > > >
> > > >    <in>
> > > >        <header name="ReplyTo" action="set" value=""/>
> > > >        <send>
> > > >            <endpoint name="secure">
> > > >                <address uri="http://localhost:8086">
> > > >                    <enableSec policy="sec_policy"/>
> > > >                    <enableAddressing/>
> > > >                </address>
> > > >            </endpoint>
> > > >        </send>
> > > >    </in>
> > > >    <out>
> > > >        <send/>
> > > >    </out>
> > > > </definitions>
> > > >
> > > > In lieu of the above header, I also tried:
> > > >
> > > > <header name="wsse:Security" action="remove"
> > > >       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
> > > >
> > > > (I also tried removing the <enableAddressing/> node for each test).
> > > >
> > > > To recap my issue, it seems as though Amazon AWS (at least for
> SimpleDB
> > > > service) requires the ReplyTo WS-Addressing element, if WS-Addressing
> > is
> > > > used. I haven't found a way to remove WS-Addressing generated
> > > automatically
> > > > by Synapse when WS-Security is used, and I haven't figure out how to
> > add
> > > > ReplyTo (and it's child Address node) to the outbound message.
> > > >
> > > > Anyone have any work-arounds? Maybe I'll try chaining together some
> > > things
> > > > to see if I can devise something.
> > > >
> > > > Thanks,
> > > >
> > > > jeff
> > > >
> > > >
> > > > On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <as...@wso2.com>
> > > > wrote:
> > > >
> > > > > Hi Jeff
> > > > >
> > > > >> To be honest, I'm not entirely certain how to add it in the Header
> > > > >> mediator,
> > > > >> as you allude to. I did try various permutations of using the
> > property
> > > > and
> > > > >> header nodes within the <in>, but nothing ever appeared.
> > > > >>
> > > > >>
> > > > > I am sorry.. I had made a mistake in my reply earlier.. to set the
> > > > ReplyTo
> > > > > header to something, you will use "<header name="ReplyTo"
> > value="..."/>
> > > > > format.. If you are familiar with using TCPMon, you can place it
> > > between
> > > > > your service and Amazon and route the message through it to get a
> > trace
> > > > of
> > > > > the messages. This will help you and us to solve any problems.
> > > > >
> > > > >> Obviously, Amazon's service is not entirely compliant with the
> > > > WS-Security
> > > > >> standards. Even in their section under WS-Security SOAP, they
> state
> > > that
> > > > >> "if
> > > > >> you're using WS-Addressing, we recommend you also sign the Action
> > and
> > > To
> > > > >> header elements" (I haven't figured out how to do that yet, but
> I'll
> > > dig
> > > > >> into that).
> > > > >>
> > > > >>
> > > > > If you are ok to share your configuration/scenario with us or let
> us
> > > try
> > > > > some simple sample to reproduce the issue you are facing, one of
> the
> > > > > developers would be able to tell you exactly whats wrong, and what
> > you
> > > > could
> > > > > do to get past the problem
> > > > >
> > > > > asankha
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Ruwan Linton
> > > http://www.wso2.org - "Oxygenating the Web Services Platform"
> > >
> >
>
>
>
> --
> Ruwan Linton
> http://www.wso2.org - "Oxygenating the Web Services Platform"
>

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Ruwan Linton <ru...@gmail.com>]

Hi Jeff,

What is the bug from your POV? I am sorry, I don't see a bug here.....

Well you could go ahead and file a JIRA so that we can evaluate what is the
issue that you have faced and see whether is there something wrong with
Synapse, but I assume this is rather a configuration error.

Thanks,
Ruwan


On Sun, Jun 8, 2008 at 7:45 AM, Jeff Davis <jd...@idalica.com> wrote:

> As a follow-up, I was running it through tcpmon, which is why it had the
> strange address.
>
> Yes, I am running the latest 1.2 build from the URL provided me last
> Thursday, I believe.
>
> Should I submit this is a bug?
>
> On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <ru...@gmail.com>
> wrote:
>
> > Hi Jeff,
> >
> > If you enable addressing to the outbound message then synapse should be
> > sending the ReplyTo header as appropriate. May be amazon is not accepting
> > anonymous ReplyTo headers, so assuming that you are using the 1.2 build
> > here
> > is the proposed solution to this;
> >
> > <definitions xmlns="http://ws.apache.org/ns/synapse">
> >   <localEntry key="sec_policy"
> > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> >
> >   <in>
> >        <send>
> >           <endpoint name="secure">
> >               <address uri="http://localhost:8086">
> >                   <enableSec policy="sec_policy"/>
> >                    <enableAddressing separateListener="true"/>
> >                </address>
> >           </endpoint>
> >       </send>
> >   </in>
> >   <out>
> >        <header name="wsse:Security" action="remove" xmlns:wsse="
> > http://www.w3.org/2005/08/addressing"/>
> >        <send/>
> >   </out>
> > </definitions>
> >
> > The above configuration should work, but please note that you need to
> > change
> > the address uri of the endpoint in the above configuration from "
> > http://localhost:8086" to "AMAZON_URL"
> >
> > If this is not working could you please attach the TCPMon out put of the
> > outbound message which is going to AMAZON (after changing important
> > information) and the message received from AMAZON. If you don't want to
> > post
> > it publicly you may send it to me (mailto:ruwan@wso2.com <ruwan@wso2.com
> >)
> >
> > Thanks,
> > Ruwan
> >
> > On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <jd...@idalica.com> wrote:
> >
> > > I did a little research, and I haven't seen anything in the standard
> that
> > > indicates WS-Security requires WS-Addressing.  Unfortunately, it
> doesn't
> > > appear as though setting the header has any impact (further, if it did,
> > the
> > > ReplyTo has a child element for the Address, so not sure how that would
> > be
> > > added). Here's my configuration:
> > >
> > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> > >    <localEntry key="sec_policy"
> > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> > >
> > >    <in>
> > >        <header name="ReplyTo" action="set" value=""/>
> > >        <send>
> > >            <endpoint name="secure">
> > >                <address uri="http://localhost:8086">
> > >                    <enableSec policy="sec_policy"/>
> > >                    <enableAddressing/>
> > >                </address>
> > >            </endpoint>
> > >        </send>
> > >    </in>
> > >    <out>
> > >        <send/>
> > >    </out>
> > > </definitions>
> > >
> > > In lieu of the above header, I also tried:
> > >
> > > <header name="wsse:Security" action="remove"
> > >       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
> > >
> > > (I also tried removing the <enableAddressing/> node for each test).
> > >
> > > To recap my issue, it seems as though Amazon AWS (at least for SimpleDB
> > > service) requires the ReplyTo WS-Addressing element, if WS-Addressing
> is
> > > used. I haven't found a way to remove WS-Addressing generated
> > automatically
> > > by Synapse when WS-Security is used, and I haven't figure out how to
> add
> > > ReplyTo (and it's child Address node) to the outbound message.
> > >
> > > Anyone have any work-arounds? Maybe I'll try chaining together some
> > things
> > > to see if I can devise something.
> > >
> > > Thanks,
> > >
> > > jeff
> > >
> > >
> > > On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <as...@wso2.com>
> > > wrote:
> > >
> > > > Hi Jeff
> > > >
> > > >> To be honest, I'm not entirely certain how to add it in the Header
> > > >> mediator,
> > > >> as you allude to. I did try various permutations of using the
> property
> > > and
> > > >> header nodes within the <in>, but nothing ever appeared.
> > > >>
> > > >>
> > > > I am sorry.. I had made a mistake in my reply earlier.. to set the
> > > ReplyTo
> > > > header to something, you will use "<header name="ReplyTo"
> value="..."/>
> > > > format.. If you are familiar with using TCPMon, you can place it
> > between
> > > > your service and Amazon and route the message through it to get a
> trace
> > > of
> > > > the messages. This will help you and us to solve any problems.
> > > >
> > > >> Obviously, Amazon's service is not entirely compliant with the
> > > WS-Security
> > > >> standards. Even in their section under WS-Security SOAP, they state
> > that
> > > >> "if
> > > >> you're using WS-Addressing, we recommend you also sign the Action
> and
> > To
> > > >> header elements" (I haven't figured out how to do that yet, but I'll
> > dig
> > > >> into that).
> > > >>
> > > >>
> > > > If you are ok to share your configuration/scenario with us or let us
> > try
> > > > some simple sample to reproduce the issue you are facing, one of the
> > > > developers would be able to tell you exactly whats wrong, and what
> you
> > > could
> > > > do to get past the problem
> > > >
> > > > asankha
> > > >
> > >
> >
> >
> >
> > --
> > Ruwan Linton
> > http://www.wso2.org - "Oxygenating the Web Services Platform"
> >
>



-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Jeff Davis <jd...@idalica.com>]

As a follow-up, I was running it through tcpmon, which is why it had the
strange address.

Yes, I am running the latest 1.2 build from the URL provided me last
Thursday, I believe.

Should I submit this is a bug?

On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <ru...@gmail.com> wrote:

> Hi Jeff,
>
> If you enable addressing to the outbound message then synapse should be
> sending the ReplyTo header as appropriate. May be amazon is not accepting
> anonymous ReplyTo headers, so assuming that you are using the 1.2 build
> here
> is the proposed solution to this;
>
> <definitions xmlns="http://ws.apache.org/ns/synapse">
>   <localEntry key="sec_policy"
> src="file:repository/conf/sample/resources/policy/amazon.xml"/>
>
>   <in>
>        <send>
>           <endpoint name="secure">
>               <address uri="http://localhost:8086">
>                   <enableSec policy="sec_policy"/>
>                    <enableAddressing separateListener="true"/>
>                </address>
>           </endpoint>
>       </send>
>   </in>
>   <out>
>        <header name="wsse:Security" action="remove" xmlns:wsse="
> http://www.w3.org/2005/08/addressing"/>
>        <send/>
>   </out>
> </definitions>
>
> The above configuration should work, but please note that you need to
> change
> the address uri of the endpoint in the above configuration from "
> http://localhost:8086" to "AMAZON_URL"
>
> If this is not working could you please attach the TCPMon out put of the
> outbound message which is going to AMAZON (after changing important
> information) and the message received from AMAZON. If you don't want to
> post
> it publicly you may send it to me (mailto:ruwan@wso2.com <ru...@wso2.com>)
>
> Thanks,
> Ruwan
>
> On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <jd...@idalica.com> wrote:
>
> > I did a little research, and I haven't seen anything in the standard that
> > indicates WS-Security requires WS-Addressing.  Unfortunately, it doesn't
> > appear as though setting the header has any impact (further, if it did,
> the
> > ReplyTo has a child element for the Address, so not sure how that would
> be
> > added). Here's my configuration:
> >
> > <definitions xmlns="http://ws.apache.org/ns/synapse">
> >    <localEntry key="sec_policy"
> > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> >
> >    <in>
> >        <header name="ReplyTo" action="set" value=""/>
> >        <send>
> >            <endpoint name="secure">
> >                <address uri="http://localhost:8086">
> >                    <enableSec policy="sec_policy"/>
> >                    <enableAddressing/>
> >                </address>
> >            </endpoint>
> >        </send>
> >    </in>
> >    <out>
> >        <send/>
> >    </out>
> > </definitions>
> >
> > In lieu of the above header, I also tried:
> >
> > <header name="wsse:Security" action="remove"
> >       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
> >
> > (I also tried removing the <enableAddressing/> node for each test).
> >
> > To recap my issue, it seems as though Amazon AWS (at least for SimpleDB
> > service) requires the ReplyTo WS-Addressing element, if WS-Addressing is
> > used. I haven't found a way to remove WS-Addressing generated
> automatically
> > by Synapse when WS-Security is used, and I haven't figure out how to add
> > ReplyTo (and it's child Address node) to the outbound message.
> >
> > Anyone have any work-arounds? Maybe I'll try chaining together some
> things
> > to see if I can devise something.
> >
> > Thanks,
> >
> > jeff
> >
> >
> > On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <as...@wso2.com>
> > wrote:
> >
> > > Hi Jeff
> > >
> > >> To be honest, I'm not entirely certain how to add it in the Header
> > >> mediator,
> > >> as you allude to. I did try various permutations of using the property
> > and
> > >> header nodes within the <in>, but nothing ever appeared.
> > >>
> > >>
> > > I am sorry.. I had made a mistake in my reply earlier.. to set the
> > ReplyTo
> > > header to something, you will use "<header name="ReplyTo" value="..."/>
> > > format.. If you are familiar with using TCPMon, you can place it
> between
> > > your service and Amazon and route the message through it to get a trace
> > of
> > > the messages. This will help you and us to solve any problems.
> > >
> > >> Obviously, Amazon's service is not entirely compliant with the
> > WS-Security
> > >> standards. Even in their section under WS-Security SOAP, they state
> that
> > >> "if
> > >> you're using WS-Addressing, we recommend you also sign the Action and
> To
> > >> header elements" (I haven't figured out how to do that yet, but I'll
> dig
> > >> into that).
> > >>
> > >>
> > > If you are ok to share your configuration/scenario with us or let us
> try
> > > some simple sample to reproduce the issue you are facing, one of the
> > > developers would be able to tell you exactly whats wrong, and what you
> > could
> > > do to get past the problem
> > >
> > > asankha
> > >
> >
>
>
>
> --
> Ruwan Linton
> http://www.wso2.org - "Oxygenating the Web Services Platform"
>

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Ruwan Linton <ru...@gmail.com>]

Hi Jeff,

If you enable addressing to the outbound message then synapse should be
sending the ReplyTo header as appropriate. May be amazon is not accepting
anonymous ReplyTo headers, so assuming that you are using the 1.2 build here
is the proposed solution to this;

<definitions xmlns="http://ws.apache.org/ns/synapse">
   <localEntry key="sec_policy"
src="file:repository/conf/sample/resources/policy/amazon.xml"/>

   <in>
       <send>
           <endpoint name="secure">
               <address uri="http://localhost:8086">
                   <enableSec policy="sec_policy"/>
                   <enableAddressing separateListener="true"/>
               </address>
           </endpoint>
       </send>
   </in>
   <out>
       <header name="wsse:Security" action="remove" xmlns:wsse="
http://www.w3.org/2005/08/addressing"/>
       <send/>
   </out>
</definitions>

The above configuration should work, but please note that you need to change
the address uri of the endpoint in the above configuration from "
http://localhost:8086" to "AMAZON_URL"

If this is not working could you please attach the TCPMon out put of the
outbound message which is going to AMAZON (after changing important
information) and the message received from AMAZON. If you don't want to post
it publicly you may send it to me (mailto:ruwan@wso2.com <ru...@wso2.com>)

Thanks,
Ruwan

On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <jd...@idalica.com> wrote:

> I did a little research, and I haven't seen anything in the standard that
> indicates WS-Security requires WS-Addressing.  Unfortunately, it doesn't
> appear as though setting the header has any impact (further, if it did, the
> ReplyTo has a child element for the Address, so not sure how that would be
> added). Here's my configuration:
>
> <definitions xmlns="http://ws.apache.org/ns/synapse">
>    <localEntry key="sec_policy"
> src="file:repository/conf/sample/resources/policy/amazon.xml"/>
>
>    <in>
>        <header name="ReplyTo" action="set" value=""/>
>        <send>
>            <endpoint name="secure">
>                <address uri="http://localhost:8086">
>                    <enableSec policy="sec_policy"/>
>                    <enableAddressing/>
>                </address>
>            </endpoint>
>        </send>
>    </in>
>    <out>
>        <send/>
>    </out>
> </definitions>
>
> In lieu of the above header, I also tried:
>
> <header name="wsse:Security" action="remove"
>       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
>
> (I also tried removing the <enableAddressing/> node for each test).
>
> To recap my issue, it seems as though Amazon AWS (at least for SimpleDB
> service) requires the ReplyTo WS-Addressing element, if WS-Addressing is
> used. I haven't found a way to remove WS-Addressing generated automatically
> by Synapse when WS-Security is used, and I haven't figure out how to add
> ReplyTo (and it's child Address node) to the outbound message.
>
> Anyone have any work-arounds? Maybe I'll try chaining together some things
> to see if I can devise something.
>
> Thanks,
>
> jeff
>
>
> On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <as...@wso2.com>
> wrote:
>
> > Hi Jeff
> >
> >> To be honest, I'm not entirely certain how to add it in the Header
> >> mediator,
> >> as you allude to. I did try various permutations of using the property
> and
> >> header nodes within the <in>, but nothing ever appeared.
> >>
> >>
> > I am sorry.. I had made a mistake in my reply earlier.. to set the
> ReplyTo
> > header to something, you will use "<header name="ReplyTo" value="..."/>
> > format.. If you are familiar with using TCPMon, you can place it between
> > your service and Amazon and route the message through it to get a trace
> of
> > the messages. This will help you and us to solve any problems.
> >
> >> Obviously, Amazon's service is not entirely compliant with the
> WS-Security
> >> standards. Even in their section under WS-Security SOAP, they state that
> >> "if
> >> you're using WS-Addressing, we recommend you also sign the Action and To
> >> header elements" (I haven't figured out how to do that yet, but I'll dig
> >> into that).
> >>
> >>
> > If you are ok to share your configuration/scenario with us or let us try
> > some simple sample to reproduce the issue you are facing, one of the
> > developers would be able to tell you exactly whats wrong, and what you
> could
> > do to get past the problem
> >
> > asankha
> >
>



-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Jeff Davis <jd...@idalica.com>]

Actually, I was able to get beyond this issue using the following
definition:



On Sat, Jun 7, 2008 at 7:31 PM, Jeff Davis <jd...@idalica.com> wrote:

> I did a little research, and I haven't seen anything in the standard that
> indicates WS-Security requires WS-Addressing.  Unfortunately, it doesn't
> appear as though setting the header has any impact (further, if it did, the
> ReplyTo has a child element for the Address, so not sure how that would be
> added). Here's my configuration:
>
> <definitions xmlns="http://ws.apache.org/ns/synapse">
>     <localEntry key="sec_policy"
> src="file:repository/conf/sample/resources/policy/amazon.xml"/>
>
>     <in>
>         <header name="ReplyTo" action="set" value=""/><definitions xmlns="
> http://ws.apache.org/ns/synapse" xmlns:wsa="
> http://www.w3.org/2005/08/addressing">
>     <localEntry key="sec_policy"
> src="file:repository/conf/sample/resources/policy/amazon.xml"/>
>
>     <sequence name="amazonFirstPassIn" trace="enable">
>         <send>
>             <endpoint name="secure">
>                 <address uri="
> http://localhost:8280/soap/amazonNoAddressing">
>                     <enableSec policy="sec_policy"/>
>                 </address>
>             </endpoint>
>         </send>
>     </sequence>
>
>     <sequence name="amazonSecondPassIn" trace="enable">
>         <send>
>             <endpoint name="secure">
>                 <address uri="http://localhost:8086">
>
>                 </address>
>             </endpoint>
>         </send>
>     </sequence>
>
>     <sequence name="amazonFirstPassOut" trace="enable">
>         <header name="wsa:Address" action="remove"
>             xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
>         <send/>
>     </sequence>
>
>     <sequence name="amazonSecondPassOut" trace="enable">
>         <header name="wsse:Security" action="remove"
>             xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> "/>
>         <send/>
>     </sequence>
>
>     <proxy name="amazon" transports="http, https">
>         <target inSequence="amazonFirstPassIn"
> outSequence="amazonFirstPassOut"/>
>     </proxy>
>
>     <proxy name="amazonNoAddressing" transports="http, https">
>         <target inSequence="amazonSecondPassIn"
> outSequence="amazonSecondPassOut"/>
>     </proxy>
>
> </definitions>
>

To be honest, I'm not entirely sure I understand the sequence why this
works, but I'm glad it does :-)


>         <send>
>             <endpoint name="secure">
>                 <address uri="http://localhost:8086">
>                     <enableSec policy="sec_policy"/>
>                     <enableAddressing/>
>                 </address>
>             </endpoint>
>         </send>
>     </in>
>     <out>
>         <send/>
>     </out>
> </definitions>
>
> In lieu of the above header, I also tried:
>
> <header name="wsse:Security" action="remove"
>        xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
>
> (I also tried removing the <enableAddressing/> node for each test).
>
> To recap my issue, it seems as though Amazon AWS (at least for SimpleDB
> service) requires the ReplyTo WS-Addressing element, if WS-Addressing is
> used. I haven't found a way to remove WS-Addressing generated automatically
> by Synapse when WS-Security is used, and I haven't figure out how to add
> ReplyTo (and it's child Address node) to the outbound message.
>
> Anyone have any work-arounds? Maybe I'll try chaining together some things
> to see if I can devise something.
>
> Thanks,
>
> jeff
>
>
>
> On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <as...@wso2.com>
> wrote:
>
>> Hi Jeff
>>
>>> To be honest, I'm not entirely certain how to add it in the Header
>>> mediator,
>>> as you allude to. I did try various permutations of using the property
>>> and
>>> header nodes within the <in>, but nothing ever appeared.
>>>
>>>
>> I am sorry.. I had made a mistake in my reply earlier.. to set the ReplyTo
>> header to something, you will use "<header name="ReplyTo" value="..."/>
>> format.. If you are familiar with using TCPMon, you can place it between
>> your service and Amazon and route the message through it to get a trace of
>> the messages. This will help you and us to solve any problems.
>>
>>> Obviously, Amazon's service is not entirely compliant with the
>>> WS-Security
>>> standards. Even in their section under WS-Security SOAP, they state that
>>> "if
>>> you're using WS-Addressing, we recommend you also sign the Action and To
>>> header elements" (I haven't figured out how to do that yet, but I'll dig
>>> into that).
>>>
>>>
>> If you are ok to share your configuration/scenario with us or let us try
>> some simple sample to reproduce the issue you are facing, one of the
>> developers would be able to tell you exactly whats wrong, and what you could
>> do to get past the problem
>>
>> asankha
>>
>
>

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Jeff Davis <jd...@idalica.com>]

I did a little research, and I haven't seen anything in the standard that
indicates WS-Security requires WS-Addressing.  Unfortunately, it doesn't
appear as though setting the header has any impact (further, if it did, the
ReplyTo has a child element for the Address, so not sure how that would be
added). Here's my configuration:

<definitions xmlns="http://ws.apache.org/ns/synapse">
    <localEntry key="sec_policy"
src="file:repository/conf/sample/resources/policy/amazon.xml"/>

    <in>
        <header name="ReplyTo" action="set" value=""/>
        <send>
            <endpoint name="secure">
                <address uri="http://localhost:8086">
                    <enableSec policy="sec_policy"/>
                    <enableAddressing/>
                </address>
            </endpoint>
        </send>
    </in>
    <out>
        <send/>
    </out>
</definitions>

In lieu of the above header, I also tried:

<header name="wsse:Security" action="remove"
       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>

(I also tried removing the <enableAddressing/> node for each test).

To recap my issue, it seems as though Amazon AWS (at least for SimpleDB
service) requires the ReplyTo WS-Addressing element, if WS-Addressing is
used. I haven't found a way to remove WS-Addressing generated automatically
by Synapse when WS-Security is used, and I haven't figure out how to add
ReplyTo (and it's child Address node) to the outbound message.

Anyone have any work-arounds? Maybe I'll try chaining together some things
to see if I can devise something.

Thanks,

jeff


On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <as...@wso2.com> wrote:

> Hi Jeff
>
>> To be honest, I'm not entirely certain how to add it in the Header
>> mediator,
>> as you allude to. I did try various permutations of using the property and
>> header nodes within the <in>, but nothing ever appeared.
>>
>>
> I am sorry.. I had made a mistake in my reply earlier.. to set the ReplyTo
> header to something, you will use "<header name="ReplyTo" value="..."/>
> format.. If you are familiar with using TCPMon, you can place it between
> your service and Amazon and route the message through it to get a trace of
> the messages. This will help you and us to solve any problems.
>
>> Obviously, Amazon's service is not entirely compliant with the WS-Security
>> standards. Even in their section under WS-Security SOAP, they state that
>> "if
>> you're using WS-Addressing, we recommend you also sign the Action and To
>> header elements" (I haven't figured out how to do that yet, but I'll dig
>> into that).
>>
>>
> If you are ok to share your configuration/scenario with us or let us try
> some simple sample to reproduce the issue you are facing, one of the
> developers would be able to tell you exactly whats wrong, and what you could
> do to get past the problem
>
> asankha
>

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

["Asankha C. Perera" <as...@wso2.com>]

Hi Jeff
> To be honest, I'm not entirely certain how to add it in the Header mediator,
> as you allude to. I did try various permutations of using the property and
> header nodes within the <in>, but nothing ever appeared.
>   
I am sorry.. I had made a mistake in my reply earlier.. to set the 
ReplyTo header to something, you will use "<header name="ReplyTo" 
value="..."/> format.. If you are familiar with using TCPMon, you can 
place it between your service and Amazon and route the message through 
it to get a trace of the messages. This will help you and us to solve 
any problems.
> Obviously, Amazon's service is not entirely compliant with the WS-Security
> standards. Even in their section under WS-Security SOAP, they state that "if
> you're using WS-Addressing, we recommend you also sign the Action and To
> header elements" (I haven't figured out how to do that yet, but I'll dig
> into that).
>   
If you are ok to share your configuration/scenario with us or let us try 
some simple sample to reproduce the issue you are facing, one of the 
developers would be able to tell you exactly whats wrong, and what you 
could do to get past the problem

asankha

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

[Jeff Davis <jd...@idalica.com>]

To be honest, I'm not entirely certain how to add it in the Header mediator,
as you allude to. I did try various permutations of using the property and
header nodes within the <in>, but nothing ever appeared.

Obviously, Amazon's service is not entirely compliant with the WS-Security
standards. Even in their section under WS-Security SOAP, they state that "if
you're using WS-Addressing, we recommend you also sign the Action and To
header elements" (I haven't figured out how to do that yet, but I'll dig
into that).

Thanks again!

jeff

On Sat, Jun 7, 2008 at 3:35 AM, Asankha C. Perera <as...@wso2.com> wrote:

> Hi Jeff
>
> AFAIK WS-Security requires WS-Addressing.. so if Amazon requires the
> ReplyTo header, why not first add is with the Header mediator before the
> send mediator is called?
>
> <header name="To" value="http://www.w3.org/2005/08/addressing/anonymous"/>
>
> asankha
>
>
> Jeff Davis wrote:
>
>> Hi Everyone,
>>
>> I have an interesting problem. I'm trying to setup Synapse so that I can
>> use
>> to add the appropriate WS-Security stuff to outbound requests going to
>> Amazon's services such as SimpleDB (most of their services accept SOAP
>> with
>> WS-Security). I'm able to properly configure the policy file so that the
>> BinarySecurityToken is added to the outbound request. Problem I have now
>> is
>> that WS-Security also adds a few WS-Addressing elements automatically
>> (even
>> when enableAddressing is not specified). For example, it adds:
>>
>>        <wsa:To>http://localhost:8086</wsa:To>
>>
>>
>> <wsa:MessageID>urn:uuid:CAB4C2774609414B961212810086922918001272489401</wsa:MessageID>
>>        <wsa:Action>CreateDomain</wsa:Action
>>
>> This is a problem insofar as Amazon then returns a message: "WS-Addressing
>> is missing a required parameter (ReplyTo)".  Amazon does not require
>> WS-Addressing support, and when I remove those elements manually through
>> somethign like soapUI, I do get beyond this issue.
>>
>> Any suggestions how I can get those WS-Addressing elements easily removed?
>> I'm wondering if I can put it through another sequence to remove it? I see
>> you can do some meta-data WS-Addressing stuff in WS-Policy, but I didn't
>> see
>> a way of turning it off.
>>
>> Thanks,
>>
>> jeff
>>
>>
>>
>

Re: WS-Security -- Unwanted WS-Addressing elements being automatically added

["Asankha C. Perera" <as...@wso2.com>]

Hi Jeff

AFAIK WS-Security requires WS-Addressing.. so if Amazon requires the 
ReplyTo header, why not first add is with the Header mediator before the 
send mediator is called?

<header name="To" value="http://www.w3.org/2005/08/addressing/anonymous"/>

asankha

Jeff Davis wrote:
> Hi Everyone,
>
> I have an interesting problem. I'm trying to setup Synapse so that I can use
> to add the appropriate WS-Security stuff to outbound requests going to
> Amazon's services such as SimpleDB (most of their services accept SOAP with
> WS-Security). I'm able to properly configure the policy file so that the
> BinarySecurityToken is added to the outbound request. Problem I have now is
> that WS-Security also adds a few WS-Addressing elements automatically (even
> when enableAddressing is not specified). For example, it adds:
>
>         <wsa:To>http://localhost:8086</wsa:To>
>
> <wsa:MessageID>urn:uuid:CAB4C2774609414B961212810086922918001272489401</wsa:MessageID>
>         <wsa:Action>CreateDomain</wsa:Action
>
> This is a problem insofar as Amazon then returns a message: "WS-Addressing
> is missing a required parameter (ReplyTo)".  Amazon does not require
> WS-Addressing support, and when I remove those elements manually through
> somethign like soapUI, I do get beyond this issue.
>
> Any suggestions how I can get those WS-Addressing elements easily removed?
> I'm wondering if I can put it through another sequence to remove it? I see
> you can do some meta-data WS-Addressing stuff in WS-Policy, but I didn't see
> a way of turning it off.
>
> Thanks,
>
> jeff
>
>