Posted to rampart-dev@ws.apache.org by "Haselmann, Till" <Ti...@viadee.de> on 2007/09/06 13:45:16 UTC
Rampart configuration using WS-Policy not working correctly
Dear all:
I have problems with Rampart 1.3 using a configuration based on
WS-Policy. With the policy below I try to have the <soapenv:Body>
signed, but not the <wsu:Timestamp> (just for the sake of the example).
I think this should be accomplished by this policy:
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy wsu:Id="SecConvPolicy2"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding>
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireKeyIdentifierReference/>
                  <sp:WssX509V3Token11/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
            <sp:SignedParts>
              <sp:Body />
            </sp:SignedParts>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256Sha256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
        </wsp:Policy>
      </sp:Wss11>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>WSAnyUser</ramp:user>
        <ramp:encryptionUser>WSTestSuite</ramp:encryptionUser>
        <ramp:passwordCallbackClass>de.computernoma.wstestsuite.axis2.service.PWCBHandler</ramp:passwordCallbackClass>
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">resources/WSClient.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.alias">WSClient</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">storePass</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
        <ramp:encryptionCypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">resources/WSClient.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">storePass</ramp:property>
          </ramp:crypto>
        </ramp:encryptionCypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
It does not work, though, because the signature includes the
<wsu:Timestamp>, but not the <soapenv:Body>, as you can see in the
following message:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
    xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soapenv:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        soapenv:mustUnderstand="true">
      <wsu:Timestamp
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="Timestamp-31457736">
        <wsu:Created>2007-09-06T11:21:43.150Z</wsu:Created>
        <wsu:Expires>2007-09-06T11:26:43.150Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:EncryptedKey Id="EncKeyId-26553312">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier
                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">GbIgSztgwfY27b9zC3/Ti2/C7nA=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>DgV5l5lasGy+h4xtaGx3qRfdv8v2t4ew6iHAnE0SZ1Ex4zu413ZmbdafEryvJN8XkBQ1gFBX+LuDA6qNYG41f+6UjMRlfehKyxvoEVI0dkjugHjEI8u2QNZSp2/CK8jUaz9PrFlrTh1ksVtb5u4A8/XwUVKQydafEMTltd8vio8=</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedKey>
      <xenc:ReferenceList/>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-16391045">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#Timestamp-31457736">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>Piezs8O4/HuITSnnBhF57Y9vh5Q=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>QiRyERqWKzqZzHTAzppXzqMssWE=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-2411975">
          <wsse:SecurityTokenReference
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              wsu:Id="STRId-4317866">
            <wsse:Reference
                URI="#EncKeyId-26553312"
                ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <wsa:To>http://localhost:5556/axis2/services/WSTestSuite/</wsa:To>
    <wsa:MessageID>urn:uuid:C4E4D468A6AAFCEE581189077703512</wsa:MessageID>
    <wsa:Action>urn:DoCalculation</wsa:Action>
  </soapenv:Header>
  <soapenv:Body>
    <ns1:CalculationRequest xmlns:ns1="http://computernoma.de/WSTestSuite/types/">
      <operator>+</operator>
      <values>
        <value>1</value>
        <value>2</value>
        <value>3</value>
      </values>
    </ns1:CalculationRequest>
  </soapenv:Body>
</soapenv:Envelope>
Also, this message contains a reference to a SAML-Token that I can see
nowhere in the Envelope. Instead, I think it should be a reference to
an <xenc:EncryptedKey>. It seems that this causes problems on the
receiver side (WSSecurityException: "Reference URI is null"). So my
questions are:
1) How can I sign the Body of the message and *not* sign the Timestamp?
2) Is it correct that the ValueType of the <wsse:Reference> is given as
a SAML-1.0-Token?
3) Is there any good documentation on writing policy files for Rampart
(or in general)?
4) Why is there a Signature included in the SOAP-Message if I don't
specify any SignedParts or SignedElements or Timestamp at all in the
policy?
Thanks for any clarification.
Regards,
Till.
--
Till Haselmann
till.haselmann@viadee.de
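Added example (not part of the post above and not Rampart's or WSS4J's code). In WS-SecurityPolicy 1.1, sp:SignedParts is a top-level assertion placed beside the binding assertion inside wsp:All, not inside sp:ProtectionToken, which is one reason a policy like the one above can yield a signature over the Timestamp only. Whatever the policy fix, the receiver-side check that matters is whether the ds:Signature actually covers the parts the policy requires and whether the signing-key reference carries the expected ValueType. The script below implements that check with the standard library: it resolves every ds:Reference URI to its wsu:Id / Id target, reports which elements are signed, lists the ValueType of the wsse:Reference in the signature's KeyInfo, and returns findings. The two envelopes are constructed, reduced versions of the message above (one as posted, one with the Body signed and the WSS 1.1 EncryptedKey ValueType); digests and cipher values are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces as used in the posted message.
NS = {
    "soapenv": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# ValueType seen in the posted message (SAML token profile 1.0)...
SAML_ID_VT = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
# ...and the ValueType WSS 1.1 defines for a reference to an xenc:EncryptedKey.
ENC_KEY_VT = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"

# Constructed sample envelope, reduced from the posted message; placeholders replace
# real digests, cipher text and signature values.
_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="true">
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>2007-09-06T11:21:43Z</wsu:Created>
        <wsu:Expires>2007-09-06T11:26:43Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:EncryptedKey Id="EncKeyId-1">
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
      <ds:Signature Id="Signature-1">
        <ds:SignedInfo>
          <ds:Reference URI="#Timestamp-1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>{body_ref}
        </ds:SignedInfo>
        <ds:SignatureValue>AAAA</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#EncKeyId-1" ValueType="{vt}"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body{body_id}>
    <CalculationRequest><operator>+</operator></CalculationRequest>
  </soapenv:Body>
</soapenv:Envelope>
"""
SAMPLE_AS_POSTED = _TEMPLATE.format(body_ref="", vt=SAML_ID_VT, body_id="")
SAMPLE_FIXED = _TEMPLATE.format(
    body_ref='<ds:Reference URI="#Body-1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>',
    vt=ENC_KEY_VT,
    body_id=' wsu:Id="Body-1"',
)


def _local(tag):
    """Strip the namespace part from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _index_ids(root):
    """Map every wsu:Id and plain Id attribute value to its element."""
    wsu_id = "{%s}Id" % NS["wsu"]
    ids = {}
    for el in root.iter():
        for attr in (wsu_id, "Id"):
            value = el.get(attr)
            if value:
                ids[value] = el
    return ids


def signed_parts(xml_text):
    """Return [(reference URI, local name of the signed element or None)]."""
    root = ET.fromstring(xml_text)
    ids = _index_ids(root)
    covered = []
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        covered.append((uri, _local(target.tag) if target is not None else None))
    return covered


def missing_parts(xml_text, required=("Body",)):
    """Required part names (by local element name) that no ds:Reference covers."""
    present = {name for _, name in signed_parts(xml_text)}
    return [part for part in required if part not in present]


def signature_key_reference_types(xml_text):
    """ValueType of each wsse:Reference in the signature's KeyInfo STR."""
    root = ET.fromstring(xml_text)
    path = ".//ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference"
    return [ref.get("ValueType") for ref in root.iterfind(path, NS)]


def audit(xml_text, required=("Body",)):
    """Findings a receiver would raise before trusting the message; empty means clean."""
    findings = []
    for part in missing_parts(xml_text, required):
        findings.append("required part not signed: %s" % part)
    for uri, name in signed_parts(xml_text):
        if name is None:
            findings.append("signature reference does not resolve: %s" % uri)
    for vt in signature_key_reference_types(xml_text):
        if vt != ENC_KEY_VT:
            findings.append("unexpected ValueType on signing-key reference: %s" % vt)
    return findings


if __name__ == "__main__":
    for label, doc in (("as posted", SAMPLE_AS_POSTED), ("fixed", SAMPLE_FIXED)):
        print(label, "signed:", signed_parts(doc), "findings:", audit(doc))
```

Run against the "as posted" envelope the audit reports the unsigned Body and the SAML ValueType on the signing-key reference, which are exactly the two symptoms described in questions 1 and 2 above; the "fixed" envelope produces no findings. The check only inspects signature coverage; it does not verify digests or the signature value, which WSS4J does on the receiving side.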