Posted to rampart-dev@ws.apache.org by Philippe Camus <Ph...@imail.org> on 2008/10/15 23:52:12 UTC
STS custom SAML issuer not working
Hi,
I am trying to implement a custom SAML token issuer for an STS server. The documentation I am using is: http://ws.apache.org/rampart/setting-up-sts.html.
If, following the documentation, I remove the default Rampart module, then I get an exception complaining that the Rampart module is not valid or has not been deployed.
If I deploy it normally, I receive the following exception:
[WARN] triggerActionNotSupportedFault: messageContext: [MessageContext: logID=ur
n:uuid:27E43CBA95C3534BB81224106538697] problemAction: http://schemas.xmlsoap.or
g/ws/2005/02/trust/RST/Issue
[ERROR] The [action] cannot be processed at the receiver.
org.apache.axis2.AxisFault: The [action] cannot be processed at the receiver.
at org.apache.axis2.addressing.AddressingFaultsHelper.triggerAddressingF
ault(AddressingFaultsHelper.java:373)
at org.apache.axis2.addressing.AddressingFaultsHelper.triggerActionNotSu
pportedFault(AddressingFaultsHelper.java:336)
at org.apache.axis2.handlers.addressing.AddressingValidationHandler.chec
kAction(AddressingValidationHandler.java:149)
at org.apache.axis2.handlers.addressing.AddressingValidationHandler.invo
ke(AddressingValidationHandler.java:55)
at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostReq
uest(HTTPTransportUtils.java:275)
at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:1
33)
Here is my services.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!--
!
! Copyright 2006 The Apache Software Foundation.
!
! Licensed under the Apache License, Version 2.0 (the "License");
! you may not use this file except in compliance with the License.
! You may obtain a copy of the License at
!
! http://www.apache.org/licenses/LICENSE-2.0
!
! Unless required by applicable law or agreed to in writing, software
! distributed under the License is distributed on an "AS IS" BASIS,
! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
! See the License for the specific language governing permissions and
! limitations under the License.
!-->
<!-- services.xml of Sample05 : WS Trust -->
<!--
Axis2 service descriptor for a WS-Trust Security Token Service (STS).
A single service, "STS", exposes one IssueToken operation that is handed to
org.apache.rahas.STSMessageReceiver for every WS-Trust 2005/02 RST action
listed under the operation. Token issuance is delegated to the issuer class
named in the token-dispatcher-configuration parameter, whose settings live
in the saml-issuer-config parameter. A signature-only WS-SecurityPolicy
(wsu:Id="SigOnly") with an inline RampartConfig protects the endpoint.
-->
<serviceGroup>
<service name="STS">
<!-- Modules engaged on this service.
     NOTE(review): per the reply in this thread, rahas is only needed for
     secure conversation and it registers a module operation with the same
     action mappings as IssueToken; confirm whether it should be engaged
     here at all. -->
<module ref="rampart" />
<module ref="addressing" />
<module ref="rahas" />
<!-- In-out operation that receives every RST action mapped below. -->
<operation name="IssueToken"
mep="http://www.w3.org/2006/01/wsdl/in-out">
<messageReceiver
class="org.apache.rahas.STSMessageReceiver"/>
<!-- Action mapping to accept RST requests -->
<!-- WS-Addressing Action values routed to this operation.
     NOTE(review): the fault quoted in this thread names RST/Issue, which
     is mapped here, so the "action cannot be processed" error does not
     appear to come from a missing entry in this list. -->
<actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</actionMapping>
<actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</actionMapping>
<actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew</actionMapping>
<actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel</actionMapping>
<actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel</actionMapping>
<actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate</actionMapping>
<!-- Routes incoming token requests to issuer classes. -->
<parameter name="token-dispatcher-configuration">
<token-dispatcher-configuration>
<!-- Issuers. You may have many issuers. -->
<!-- Custom issuer for SAML 1.1 tokens. default="true" presumably makes it
     the fallback when a request names no matching tokenType (confirm).
     type="parameter" means its configuration is read from the Axis2
     parameter called "saml-issuer-config", declared next. -->
<issuer class="org.ihc.rampart.samples.MyIssuer" default="true">
<configuration
type="parameter">saml-issuer-config</configuration>
<tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
</issuer>
</token-dispatcher-configuration>
</parameter>
<!-- Settings consumed by the issuer declared above. -->
<parameter name="saml-issuer-config">
<saml-issuer-config>
<issuerName>SAMPLE_STS</issuerName>
<!-- Alias and password of the key that signs issued tokens.
     NOTE(review): issuerKeyPassword and the keystore password further
     down are stored in clear text in this descriptor; anyone who can read
     the deployed service archive effectively holds the token-signing key.
     Keep this file out of source control, restrict read access to it, or
     supply the secret through the password callback handler instead. -->
<issuerKeyAlias>service</issuerKeyAlias>
<issuerKeyPassword>apache</issuerKeyPassword>
<!-- Keystore holding the signing key. The path is absolute and machine
     specific (the rampart-1.4 sample keystore under C:/Softwares), so it
     must change per deployment. The same store is declared again under
     RampartConfig/signatureCrypto below; keep the two in sync. -->
<cryptoProperties>
<crypto provider="org.apache.ws.security.components.crypto.Merlin">
<property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
<property name="org.apache.ws.security.crypto.merlin.file">C:/Softwares/Tools/rampart-1.4/samples/keys/service.jks</property>
<property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
</crypto>
</cryptoProperties>
<!-- Lifetime of issued tokens. NOTE(review): the unit is not stated here;
     300000 is presumably milliseconds (5 minutes), confirm in the issuer. -->
<timeToLive>300000</timeToLive>
<!-- Size of the key material the STS generates, presumably in bits. -->
<keySize>256</keySize>
<!-- The presence of these two elements presumably requests that both an
     attached and an unattached security token reference be returned with
     the issued token; confirm against the issuer implementation. -->
<addRequestedAttachedRef />
<addRequestedUnattachedRef />
<!--
Key computation mechanism
1 - Use Request Entropy
2 - Provide Entropy
3 - Use Own Key
-->
<keyComputation>2</keyComputation>
<!--
proofKeyType element is valid only if the keyComputation is set to 3
i.e. Use Own Key
Valid values are: EncryptedKey & BinarySecret
-->
<!-- NOTE(review): keyComputation is 2 above, so by the comment just above
     this proofKeyType value is not in effect. It is either dead
     configuration or keyComputation was meant to be 3. -->
<proofKeyType>BinarySecret</proofKeyType>
<!-- Relying parties this STS issues tokens for; the alias presumably names
     the relying party's certificate in the keystore.
     NOTE(review): "*" looks like a wildcard that accepts any requested
     service under the "service" alias. Confirm the semantics and list the
     actual relying-party endpoints in a real deployment, so that a token
     cannot be requested for an arbitrary AppliesTo. -->
<trusted-services>
<service alias="service">*</service>
</trusted-services>
</saml-issuer-config>
</parameter>
</operation>
<!-- Security policy for the STS endpoint. "SigOnly": messages are signed
     but no EncryptedParts are declared, so nothing is encrypted. -->
<wsp:Policy wsu:Id="SigOnly" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<!-- Asymmetric binding: the requester signs with its own X.509 certificate,
     which is always sent to this STS (AlwaysToRecipient); the STS
     certificate is never included in messages (Never), so clients are
     presumably expected to hold it out of band. -->
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<!-- NOTE(review): TripleDesRsa15 is the WS-SecurityPolicy suite of 3DES
     with RSA PKCS#1 v1.5 key transport and SHA-1 digests. Nothing is
     encrypted under this policy, but the suite still fixes the digest and
     signature algorithms; an OAEP and SHA-2 capable suite (e.g. Basic256
     or a Sha256 variant from a later WS-SecurityPolicy version) is
     preferable wherever the clients support one. -->
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<!-- Strict header layout, a wsu:Timestamp in every message, and signing
     of whole headers and the whole Body only (intended to make partial
     signing and signature wrapping harder to exploit). -->
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<!-- WSS 1.0 token reference mechanisms the STS must support. -->
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<!-- Only the SOAP Body is listed as a required signed part. -->
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<!-- Rampart runtime settings: "service" is the signing identity, "client"
     the encryption user (no encryption is declared above, so presumably
     unused here), and PWCBHandler supplies private-key passwords.
     NOTE(review): the keystore password is again in clear text; see the
     note on saml-issuer-config above. -->
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>service</ramp:user>
<ramp:encryptionUser>client</ramp:encryptionUser>
<ramp:passwordCallbackClass>org.ihc.rampart.samples.PWCBHandler</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">C:/Softwares/Tools/rampart-1.4/samples/keys/service.jks</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</service>
</serviceGroup>
Best regards,
Phil
RE: STS custom SAML issuer not working
Posted by Philippe Camus <Ph...@imail.org>.
Thanks Nandana,
I will try it and post the result. I won't explore this option any further, however: I simply went through the source code of Rampart and Rahas and modified whatever classes I needed.
I am confused by your comment, though: isn't Rahas the WS-Trust implementation?
Best regards,
Phil
-----Original Message-----
From: Nandana Mihindukulasooriya [mailto:nandana.cse@gmail.com]
Sent: Tuesday, October 21, 2008 12:02 AM
To: rampart-dev@ws.apache.org
Subject: Re: STS custom SAML issuer not working
Hi Phil,
You don't need to engage the rahas module for this scenario. The Rahas
module is only needed for secure conversation. The Rahas module [1] adds a
module operation with the same action mapping, so I'm not sure whether this
is causing the problem. Can you please try without engaging rahas?
thanks,
nandana
[1] -
http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-trust-mar/module.xml?view=markup
On Thu, Oct 16, 2008 at 3:52 AM, Philippe Camus <Ph...@imail.org>wrote:
> Hi,
>
> I am trying to implement a custom SAML token issuer for an STS server. The
> documentation I am using is: <http://ws.apache.org/rampart/setting-up-sts.html>
>
> If, following the documentation, I remove the default Rampart module, then
> I get an exception complaining that the Rampart module is not valid or has
> not been deployed.
>
> If I deploy it normally, I receive the following exception:
>
> [WARN] triggerActionNotSupportedFault: messageContext: [MessageContext:
> logID=ur
> n:uuid:27E43CBA95C3534BB81224106538697] problemAction:
> http://schemas.xmlsoap.or
> g/ws/2005/02/trust/RST/Issue
> [ERROR] The [action] cannot be processed at the receiver.
> org.apache.axis2.AxisFault: The [action] cannot be processed at the
> receiver.
> at
> org.apache.axis2.addressing.AddressingFaultsHelper.triggerAddressingF
> ault(AddressingFaultsHelper.java:373)
> at
> org.apache.axis2.addressing.AddressingFaultsHelper.triggerActionNotSu
> pportedFault(AddressingFaultsHelper.java:336)
> at
> org.apache.axis2.handlers.addressing.AddressingValidationHandler.chec
> kAction(AddressingValidationHandler.java:149)
> at
> org.apache.axis2.handlers.addressing.AddressingValidationHandler.invo
> ke(AddressingValidationHandler.java:55)
> at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
> at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
> at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
> at
> org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostReq
> uest(HTTPTransportUtils.java:275)
> at
> org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:1
> 33)
>
>
> Here is my services.xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
> !
> ! Copyright 2006 The Apache Software Foundation.
> !
> ! Licensed under the Apache License, Version 2.0 (the "License");
> ! you may not use this file except in compliance with the License.
> ! You may obtain a copy of the License at
> !
> ! http://www.apache.org/licenses/LICENSE-2.0
> !
> ! Unless required by applicable law or agreed to in writing, software
> ! distributed under the License is distributed on an "AS IS" BASIS,
> ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> ! See the License for the specific language governing permissions and
> ! limitations under the License.
> !-->
> <!-- services.xml of Sample05 : WS Trust -->
> <serviceGroup>
> <service name="STS">
> <module ref="rampart" />
> <module ref="addressing" />
> <module ref="rahas" />
> <operation name="IssueToken"
> mep="http://www.w3.org/2006/01/wsdl/in-out">
> <messageReceiver
> class="org.apache.rahas.STSMessageReceiver"/>
>
> <!-- Action mapping to accept RST requests -->
> <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
> </actionMapping>
> <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
> </actionMapping>
> <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew
> </actionMapping>
> <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel
> </actionMapping>
> <actionMapping>
> http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel</actionMapping>
> <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate
> </actionMapping>
>
> <parameter name="token-dispatcher-configuration">
> <token-dispatcher-configuration>
> <!-- Issuers. You may have many issuers. -->
> <issuer class="org.ihc.rampart.samples.MyIssuer" default="true">
> <configuration
> type="parameter">saml-issuer-config</configuration>
> <tokenType>
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
> </tokenType>
> </issuer>
> </token-dispatcher-configuration>
> </parameter>
> <parameter name="saml-issuer-config">
> <saml-issuer-config>
> <issuerName>SAMPLE_STS</issuerName>
> <issuerKeyAlias>service</issuerKeyAlias>
> <issuerKeyPassword>apache</issuerKeyPassword>
> <cryptoProperties>
> <crypto
> provider="org.apache.ws.security.components.crypto.Merlin">
> <property
> name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
> <property
> name="org.apache.ws.security.crypto.merlin.file">C:/Softwares/Tools/rampart-1.4/samples/keys/service.jks</property>
> <property
> name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
> </crypto>
> </cryptoProperties>
> <timeToLive>300000</timeToLive>
> <keySize>256</keySize>
> <addRequestedAttachedRef />
> <addRequestedUnattachedRef />
>
> <!--
> Key computation mechanism
> 1 - Use Request Entropy
> 2 - Provide Entropy
> 3 - Use Own Key
> -->
> <keyComputation>2</keyComputation>
>
> <!--
> proofKeyType element is valid only if the keyComputation is
> set to 3
> i.e. Use Own Key
>
> Valid values are: EncryptedKey & BinarySecret
> -->
> <proofKeyType>BinarySecret</proofKeyType>
> <trusted-services>
> <service alias="service">*</service>
> </trusted-services>
> </saml-issuer-config>
> </parameter>
>
> </operation>
>
>
> <wsp:Policy wsu:Id="SigOnly" xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:AsymmetricBinding xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> ">
> <wsp:Policy>
>
> <sp:RequireThumbprintReference/>
>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> <wsp:Policy>
>
> <sp:RequireThumbprintReference/>
>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:TripleDesRsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:Wss10 xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefIssuerSerial/>
> </wsp:Policy>
> </sp:Wss10>
> <sp:SignedParts xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> </sp:SignedParts>
>
> <ramp:RampartConfig xmlns:ramp="
> http://ws.apache.org/rampart/policy">
> <ramp:user>service</ramp:user>
>
> <ramp:encryptionUser>client</ramp:encryptionUser>
>
> <ramp:passwordCallbackClass>org.ihc.rampart.samples.PWCBHandler</ramp:passwordCallbackClass>
>
> <ramp:signatureCrypto>
> <ramp:crypto
> provider="org.apache.ws.security.components.crypto.Merlin">
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.file">C:/Softwares/Tools/rampart-1.4/samples/keys/service.jks</ramp:property>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> </ramp:crypto>
> </ramp:signatureCrypto>
>
>
> </ramp:RampartConfig>
>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
>
>
> </service>
> </serviceGroup>
>
>
>
>
> Best regards,
>
> Phil
>
>
--
Nandana Mihindukulasooriya
WSO2 inc.
http://nandana83.blogspot.com/
http://www.wso2.org
Re: STS custom SAML issuer not working
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Phil,
You don't need to engage the rahas module for this scenario. The Rahas
module is only needed for secure conversation. The Rahas module [1] adds a
module operation with the same action mapping, so I'm not sure whether this
is causing the problem. Can you please try without engaging rahas?
thanks,
nandana
[1] -
http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-trust-mar/module.xml?view=markup
On Thu, Oct 16, 2008 at 3:52 AM, Philippe Camus <Ph...@imail.org>wrote:
> Hi,
>
> I am trying to implement a custom SAML token issuer for an STS server. The
> documentation I am using is: <http://ws.apache.org/rampart/setting-up-sts.html>
>
> If, following the documentation, I remove the default Rampart module, then
> I get an exception complaining that the Rampart module is not valid or has
> not been deployed.
>
> If I deploy it normally, I receive the following exception:
>
> [WARN] triggerActionNotSupportedFault: messageContext: [MessageContext:
> logID=ur
> n:uuid:27E43CBA95C3534BB81224106538697] problemAction:
> http://schemas.xmlsoap.or
> g/ws/2005/02/trust/RST/Issue
> [ERROR] The [action] cannot be processed at the receiver.
> org.apache.axis2.AxisFault: The [action] cannot be processed at the
> receiver.
> at
> org.apache.axis2.addressing.AddressingFaultsHelper.triggerAddressingF
> ault(AddressingFaultsHelper.java:373)
> at
> org.apache.axis2.addressing.AddressingFaultsHelper.triggerActionNotSu
> pportedFault(AddressingFaultsHelper.java:336)
> at
> org.apache.axis2.handlers.addressing.AddressingValidationHandler.chec
> kAction(AddressingValidationHandler.java:149)
> at
> org.apache.axis2.handlers.addressing.AddressingValidationHandler.invo
> ke(AddressingValidationHandler.java:55)
> at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
> at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
> at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
> at
> org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostReq
> uest(HTTPTransportUtils.java:275)
> at
> org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:1
> 33)
>
>
> Here is my services.xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
> !
> ! Copyright 2006 The Apache Software Foundation.
> !
> ! Licensed under the Apache License, Version 2.0 (the "License");
> ! you may not use this file except in compliance with the License.
> ! You may obtain a copy of the License at
> !
> ! http://www.apache.org/licenses/LICENSE-2.0
> !
> ! Unless required by applicable law or agreed to in writing, software
> ! distributed under the License is distributed on an "AS IS" BASIS,
> ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> ! See the License for the specific language governing permissions and
> ! limitations under the License.
> !-->
> <!-- services.xml of Sample05 : WS Trust -->
> <serviceGroup>
> <service name="STS">
> <module ref="rampart" />
> <module ref="addressing" />
> <module ref="rahas" />
> <operation name="IssueToken"
> mep="http://www.w3.org/2006/01/wsdl/in-out">
> <messageReceiver
> class="org.apache.rahas.STSMessageReceiver"/>
>
> <!-- Action mapping to accept RST requests -->
> <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
> </actionMapping>
> <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
> </actionMapping>
> <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew
> </actionMapping>
> <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel
> </actionMapping>
> <actionMapping>
> http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel</actionMapping>
> <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate
> </actionMapping>
>
> <parameter name="token-dispatcher-configuration">
> <token-dispatcher-configuration>
> <!-- Issuers. You may have many issuers. -->
> <issuer class="org.ihc.rampart.samples.MyIssuer" default="true">
> <configuration
> type="parameter">saml-issuer-config</configuration>
> <tokenType>
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
> </tokenType>
> </issuer>
> </token-dispatcher-configuration>
> </parameter>
> <parameter name="saml-issuer-config">
> <saml-issuer-config>
> <issuerName>SAMPLE_STS</issuerName>
> <issuerKeyAlias>service</issuerKeyAlias>
> <issuerKeyPassword>apache</issuerKeyPassword>
> <cryptoProperties>
> <crypto
> provider="org.apache.ws.security.components.crypto.Merlin">
> <property
> name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
> <property
> name="org.apache.ws.security.crypto.merlin.file">C:/Softwares/Tools/rampart-1.4/samples/keys/service.jks</property>
> <property
> name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
> </crypto>
> </cryptoProperties>
> <timeToLive>300000</timeToLive>
> <keySize>256</keySize>
> <addRequestedAttachedRef />
> <addRequestedUnattachedRef />
>
> <!--
> Key computation mechanism
> 1 - Use Request Entropy
> 2 - Provide Entropy
> 3 - Use Own Key
> -->
> <keyComputation>2</keyComputation>
>
> <!--
> proofKeyType element is valid only if the keyComputation is
> set to 3
> i.e. Use Own Key
>
> Valid values are: EncryptedKey & BinarySecret
> -->
> <proofKeyType>BinarySecret</proofKeyType>
> <trusted-services>
> <service alias="service">*</service>
> </trusted-services>
> </saml-issuer-config>
> </parameter>
>
> </operation>
>
>
> <wsp:Policy wsu:Id="SigOnly" xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:AsymmetricBinding xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> ">
> <wsp:Policy>
>
> <sp:RequireThumbprintReference/>
>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> <wsp:Policy>
>
> <sp:RequireThumbprintReference/>
>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:TripleDesRsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:Wss10 xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefIssuerSerial/>
> </wsp:Policy>
> </sp:Wss10>
> <sp:SignedParts xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> </sp:SignedParts>
>
> <ramp:RampartConfig xmlns:ramp="
> http://ws.apache.org/rampart/policy">
> <ramp:user>service</ramp:user>
>
> <ramp:encryptionUser>client</ramp:encryptionUser>
>
> <ramp:passwordCallbackClass>org.ihc.rampart.samples.PWCBHandler</ramp:passwordCallbackClass>
>
> <ramp:signatureCrypto>
> <ramp:crypto
> provider="org.apache.ws.security.components.crypto.Merlin">
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.file">C:/Softwares/Tools/rampart-1.4/samples/keys/service.jks</ramp:property>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> </ramp:crypto>
> </ramp:signatureCrypto>
>
>
> </ramp:RampartConfig>
>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
>
>
> </service>
> </serviceGroup>
>
>
>
>
> Best regards,
>
> Phil
>
>
--
Nandana Mihindukulasooriya
WSO2 inc.
http://nandana83.blogspot.com/
http://www.wso2.org