Posted to java-user@axis.apache.org by Thomas Fielenbach <fi...@fb5.uni-siegen.de> on 2011/02/24 12:33:07 UTC

Loading external WSS Policy by Rampart

Hi all,

Currently I'm working on securing messages with rampart. Therefore I 
just add Username/Pass/Timestamp in a policy. This works all fine (at 
client and at server-side) using a code first approach and defining the 
policy as well as the rampart-config in the services.xml.
services.xml (partially):
<service name="UserNameTokenService">
  <parameter name="ServiceClass" locked="false">unt.UserNameToken</parameter>
  <operation name="add">
    <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" />
  </operation>
  <module ref="rampart" />
  <wsp:Policy wsu:Id="UsernameTokenOverHTTP"
  ...
  <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
    </wsp:Policy>
  </sp:SignedSupportingTokens>
  <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
    <ramp:passwordCallbackClass>unt.PWCBHandler</ramp:passwordCallbackClass>
  </ramp:RampartConfig>
  </wsp:All>
  ...

When I want to use contract first and load a policy document from an 
external source (e.g. http://ip:port/axis2/external-policy.xml), the 
Axis2-framework responds with:

Exception in thread "main" org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
    at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:446)
    ...

The (relevant) part of the WSDL:
<wsdl:portType name="UserNameTokenExternalPolicyServicePortType">
  <wsdl:operation name="add">
    <wsdl:input message="ns:addRequest" wsaw:Action="urn:add">
    </wsdl:input>
    <wsdl:output message="ns:addResponse" wsaw:Action="urn:addResponse">
    </wsdl:output>
  </wsdl:operation>
  <wsp:PolicyReference URI="http://localhost:7080/axis2/external-policy.xml#TS_AUTH-UNT-PASS" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>
</wsdl:portType>

The services.xml is the same as above, but the WSS policy is deleted. I 
have tried to define the rampart-config 1) in the services.xml 2) in the 
external-policy.xml, but both times the error stated above occurs.

Tracking the request with TCPMon shows that the client sends a valid 
request to the server.

Is it generally possible to use references to policies with rampart? If 
so, how do I have to change my code for that?

Thanks in advance & Best regards


-- 
*************************
Universität Siegen
Institute: Business Informatics, Area: IT Security
Hölderlinstr. 3
57068 Siegen

Room: H-C 8329/3
Tel.: +49-271-740-3041
Fax: +49-271-740-3444
Mail: fielenbach@fb5.uni-siegen.de

Web: http://www.uni-siegen.de/fb5/itsec/index.html?lang=de
*************************


---------------------------------------------------------------------
To unsubscribe, e-mail: java-user-unsubscribe@axis.apache.org
For additional commands, e-mail: java-user-help@axis.apache.org


Re: Loading external WSS Policy by Rampart

Posted by Thomas Fielenbach <fi...@fb5.uni-siegen.de>.
On 24.02.2011 13:57, Thilina Mahesh Buddhika wrote:
> Do you see any errors during the service deployment when an external 
> policy reference is used?
>
> I guess, the policy is not properly attached to the service which is 
> the most probable reason for the Must Understand check failed error.
>
> Thanks,
> Thilina
>
> -- 
> Thilina Mahesh Buddhika
> http://blog.thilinamb.com
Hi,

There is no error occurring during deployment. Web Service is available, 
rampart is engaged as module and there are no exceptions during 
deployment (AXIS2 as webapp in a tomcat).

That's the question. Is axis2/rampart capable of reading an external 
policy (here available in the tomcat)? In my wsdl the policy is bound 
to the portType with:
<wsp:PolicyReference URI="http://localhost:7080/axis2/external-policy.xml#TS_AUTH-UNT-PASS" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>

Moreover there is the question where/how I have to define the 
rampart-configs? Normally this would be placed directly in the policy 
defined in the services.xml but maybe that's not a feasible approach if 
the policy is placed externally.

Best regards
Thomas



Re: Loading external WSS Policy by Rampart

Posted by Thilina Mahesh Buddhika <th...@gmail.com>.
Do you see any errors during the service deployment when an external policy
reference is used?

I guess, the policy is not properly attached to the service which is the
most probable reason for the Must Understand check failed error.

Thanks,
Thilina



-- 
Thilina Mahesh Buddhika
http://blog.thilinamb.com
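
The reply above suspects that the referenced policy never gets attached to the service. As an added example (not code from the thread or from the Axis2/Rampart projects), this offline check resolves each wsp:PolicyReference in a WSDL against policy documents supplied as text and reports whether the URI fragment matches a wsu:Id and whether that policy carries a UsernameToken assertion and a RampartConfig. The helper names and the sample WSDL and policy documents are constructed for illustration from the fragments quoted in the thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urldefrag

# Namespaces quoted in the thread; WSU is the standard WSS utility namespace.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
RAMP = "http://ws.apache.org/rampart/policy"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

def check_policy_refs(wsdl_xml, policy_docs):
    """Hypothetical helper: resolve every wsp:PolicyReference in the WSDL
    against policy_docs ({document URL: XML text}) and report what the
    referenced wsp:Policy contains. Nothing is fetched over the network."""
    findings = []
    for ref in ET.fromstring(wsdl_xml).iter(f"{{{WSP}}}PolicyReference"):
        url, frag = urldefrag(ref.get("URI", ""))
        result = {"uri": ref.get("URI"), "resolved": False,
                  "username_token": False, "rampart_config": False}
        doc = policy_docs.get(url)
        policies = ET.fromstring(doc).iter(f"{{{WSP}}}Policy") if doc else ()
        for pol in policies:
            if pol.get(f"{{{WSU}}}Id") == frag:  # fragment must equal wsu:Id
                result["resolved"] = True
                result["username_token"] = pol.find(f".//{{{SP}}}UsernameToken") is not None
                result["rampart_config"] = pol.find(f".//{{{RAMP}}}RampartConfig") is not None
                break
        findings.append(result)
    return findings

# Constructed sample input, modelled on the fragments quoted in the thread.
URL = "http://localhost:7080/axis2/external-policy.xml"
WSDL = f"""<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
  <wsdl:portType name="UserNameTokenExternalPolicyServicePortType">
    <wsp:PolicyReference xmlns:wsp="{WSP}" URI="{URL}#TS_AUTH-UNT-PASS"/>
  </wsdl:portType>
</wsdl:definitions>"""

def make_policy(policy_id):
    return f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:wsu="{WSU}" wsu:Id="{policy_id}">
  <sp:SignedSupportingTokens xmlns:sp="{SP}"><wsp:Policy>
    <sp:UsernameToken/></wsp:Policy></sp:SignedSupportingTokens>
</wsp:Policy>"""

if __name__ == "__main__":
    for pid in ("TS_AUTH-UNT-PASS", "UsernameTokenOverHTTP"):
        print(pid, check_policy_refs(WSDL, {URL: make_policy(pid)}))
```

A reference that reports `resolved: False`, or a resolved policy with `rampart_config: False`, narrows down which of the two placements tried in the thread is actually visible through the reference.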