You are viewing a plain text version of this content. The canonical link for it is here.
Posted to fx-dev@ws.apache.org by mp...@s-und-n.de on 2006/05/22 18:20:29 UTC
Problems using both InflowSecurity and OutflowSecurity
Hi all,
thanks Ruchith's fast tip I am now able to combine any actions either in
the InflowSecurity OR the OutflowSecurity.
But if I try and combine both of them, I get a strange behaviour.
The simplest case is the following. Client and Server config are as
follows:
<parameter name="OutflowSecurity">
<action>
<items>Timestamp</items>
</action>
</parameter>
<parameter name="InflowSecurity">
<action>
<items>Timestamp</items>
</action>
</parameter>
The SOAP-Response contains the following Security Header:
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="true">
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-17940412">
<wsu:Created>2006-05-22T16:03:47.031Z</wsu:Created>
<wsu:Expires>2006-05-22T16:08:47.031Z</wsu:Expires>
</wsu:Timestamp>
<wsse11:SignatureConfirmation
xmlns:wsse11="http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-wssecurity-secext-1.1.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="SigConf-16398807" />
</wsse:Security>
It is interesting that the response contains a
"SignatureConfirmation"-element (the request does NOT contain one).
Consistently the Client throws the following exception:
Exception in thread "main" org.apache.axis2.AxisFault: WSHandler: Check
Signature confirmation: got a SC element, but no stored SV; nested
exception is:
org.apache.ws.security.WSSecurityException: WSHandler: Check
Signature confirmation: got a SC element, but no stored SV
at
org.apache.axis2.security.WSDoAllReceiver.processMessage(WSDoAllReceiver.java:336)
at
org.apache.axis2.security.handler.WSDoAllHandler.invoke(WSDoAllHandler.java:82)
at org.apache.axis2.engine.Phase.invoke(Phase.java:381)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:473)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:445)
at
org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:355)
at
org.apache.axis2.description.OutInAxisOperationClient.execute(OutInAxisOperation.java:279)
at
org.apache.ws.axis2.ReverseWSStub.reverseString(ReverseWSStub.java:109)
at reverseTest.Test.main(Test.java:26)
Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Check
Signature confirmation: got a SC element, but no stored SV
at
org.apache.ws.security.handler.WSHandler.checkSignatureConfirmation(WSHandler.java:294)
at
org.apache.axis2.security.WSDoAllReceiver.processMessage(WSDoAllReceiver.java:196)
... 8 more
Other errors appear if I combine other actions. As mentioned, everything
works fine if I just configure the security one-way, I can use any
action-order.
Freundliche Grüße / With kind regards
Michael
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: Problems using both InflowSecurity and OutflowSecurity
Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Michael,
Please add the following to both InflowConfiguration and
OutflowConfiguration in both service and client configs.
<enableSignatureConfirmation>false</enableSignatureConfirmation>
Thanks,
Ruchith
On 5/22/06, mpollmeier@s-und-n.de <mp...@s-und-n.de> wrote:
> Hi all,
>
> thanks Ruchith's fast tip I am now able to combine any actions either in
> the InflowSecurity OR the OutflowSecurity.
> But if I try and combine both of them, I get a strange behaviour.
>
> The simplest case is the following. Client and Server config are as
> follows:
> <parameter name="OutflowSecurity">
> <action>
> <items>Timestamp</items>
> </action>
> </parameter>
>
> <parameter name="InflowSecurity">
> <action>
> <items>Timestamp</items>
> </action>
> </parameter>
>
> The SOAP-Response contains the following Security Header:
>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> soapenv:mustUnderstand="true">
> <wsu:Timestamp
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Timestamp-17940412">
> <wsu:Created>2006-05-22T16:03:47.031Z</wsu:Created>
> <wsu:Expires>2006-05-22T16:08:47.031Z</wsu:Expires>
> </wsu:Timestamp>
> <wsse11:SignatureConfirmation
> xmlns:wsse11="http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-wssecurity-secext-1.1.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="SigConf-16398807" />
> </wsse:Security>
>
> It is interesting that the response contains a
> "SignatureConfirmation"-element (the request does NOT contain one).
> Consistently the Client throws the following exception:
>
> Exception in thread "main" org.apache.axis2.AxisFault: WSHandler: Check
> Signature confirmation: got a SC element, but no stored SV; nested
> exception is:
> org.apache.ws.security.WSSecurityException: WSHandler: Check
> Signature confirmation: got a SC element, but no stored SV
> at
> org.apache.axis2.security.WSDoAllReceiver.processMessage(WSDoAllReceiver.java:336)
> at
> org.apache.axis2.security.handler.WSDoAllHandler.invoke(WSDoAllHandler.java:82)
> at org.apache.axis2.engine.Phase.invoke(Phase.java:381)
> at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:473)
> at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:445)
> at
> org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:355)
> at
> org.apache.axis2.description.OutInAxisOperationClient.execute(OutInAxisOperation.java:279)
> at
> org.apache.ws.axis2.ReverseWSStub.reverseString(ReverseWSStub.java:109)
> at reverseTest.Test.main(Test.java:26)
> Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Check
> Signature confirmation: got a SC element, but no stored SV
> at
> org.apache.ws.security.handler.WSHandler.checkSignatureConfirmation(WSHandler.java:294)
> at
> org.apache.axis2.security.WSDoAllReceiver.processMessage(WSDoAllReceiver.java:196)
> ... 8 more
>
>
> Other errors appear if I combine other actions. As mentioned, everything
> works fine if I just configure the security one-way, I can use any
> action-order.
>
>
> Freundliche Grüße / With kind regards
> Michael
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: Problems using both InflowSecurity and OutflowSecurity
Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Michael,
Please add the following to both InflowConfiguration and
OutflowConfiguration in both service and client configs.
<enableSignatureConfirmation>false</enableSignatureConfirmation>
Thanks,
Ruchith
On 5/22/06, mpollmeier@s-und-n.de <mp...@s-und-n.de> wrote:
> Hi all,
>
> thanks Ruchith's fast tip I am now able to combine any actions either in
> the InflowSecurity OR the OutflowSecurity.
> But if I try and combine both of them, I get a strange behaviour.
>
> The simplest case is the following. Client and Server config are as
> follows:
> <parameter name="OutflowSecurity">
> <action>
> <items>Timestamp</items>
> </action>
> </parameter>
>
> <parameter name="InflowSecurity">
> <action>
> <items>Timestamp</items>
> </action>
> </parameter>
>
> The SOAP-Response contains the following Security Header:
>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> soapenv:mustUnderstand="true">
> <wsu:Timestamp
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Timestamp-17940412">
> <wsu:Created>2006-05-22T16:03:47.031Z</wsu:Created>
> <wsu:Expires>2006-05-22T16:08:47.031Z</wsu:Expires>
> </wsu:Timestamp>
> <wsse11:SignatureConfirmation
> xmlns:wsse11="http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-wssecurity-secext-1.1.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="SigConf-16398807" />
> </wsse:Security>
>
> It is interesting that the response contains a
> "SignatureConfirmation"-element (the request does NOT contain one).
> Consistently the Client throws the following exception:
>
> Exception in thread "main" org.apache.axis2.AxisFault: WSHandler: Check
> Signature confirmation: got a SC element, but no stored SV; nested
> exception is:
> org.apache.ws.security.WSSecurityException: WSHandler: Check
> Signature confirmation: got a SC element, but no stored SV
> at
> org.apache.axis2.security.WSDoAllReceiver.processMessage(WSDoAllReceiver.java:336)
> at
> org.apache.axis2.security.handler.WSDoAllHandler.invoke(WSDoAllHandler.java:82)
> at org.apache.axis2.engine.Phase.invoke(Phase.java:381)
> at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:473)
> at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:445)
> at
> org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:355)
> at
> org.apache.axis2.description.OutInAxisOperationClient.execute(OutInAxisOperation.java:279)
> at
> org.apache.ws.axis2.ReverseWSStub.reverseString(ReverseWSStub.java:109)
> at reverseTest.Test.main(Test.java:26)
> Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Check
> Signature confirmation: got a SC element, but no stored SV
> at
> org.apache.ws.security.handler.WSHandler.checkSignatureConfirmation(WSHandler.java:294)
> at
> org.apache.axis2.security.WSDoAllReceiver.processMessage(WSDoAllReceiver.java:196)
> ... 8 more
>
>
> Other errors appear if I combine other actions. As mentioned, everything
> works fine if I just configure the security one-way, I can use any
> action-order.
>
>
> Freundliche Grüße / With kind regards
> Michael
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org