Nandana Mihindukulasooriya wrote:
Hi Ronnie,
Please change the policy as given below.

But should not this policy come from the service?

Samisa...


<wsp:Policy ...>
  <sp:AsymmetricBinding>
   ...
  </sp:AsymmetricBinding>
  <sp:SupportingTokens>
     <wsp:Policy>
        <sp:UsernameToken/>
     </wsp:Policy>
  </sp:SupportingTokens>
  <sp:Wss10  .../>
  <sp:SignedParts .../>
  <ramp:RampartConfig/>
</wsp:Policy>

Just the structure is shown above. The Supporting token assertion should be a top level assertion. In your case, you have it as a nested assertion within the Asymmetric Binding assertion.

And if your username and private key alias are different, you need to use both "user" and "userCertAlias" parameters in the RampartConfig as mentioned by Martin. But if both of them are the same, you can just have the "user" parameter [1].

And I don't understand why you have both user and encryptionUser set to "user".
    <ramp:user>user</ramp:user>
    <ramp:encryptionUser>user</ramp:encryptionUser>

thanks,
nandana

[1] - http://wso2.org/library/3733


On Tue, Oct 7, 2008 at 8:40 AM, RonnieMJ <[EMAIL PROTECTED]> wrote:


    I don't actually get an exception (well I do get a soap fault for
    not having all of the right headers from their server).

    The message usually gets sent out simply without the username
    token.  If I DO get the username token to go, it's as a
    signedsupportingtoken (which is not what they want).



    Samisa Abeysinghe-2 wrote:
    >
    > What is the exception that you get?
    >
    > Samisa...
    >
    > RonnieMJ wrote:
    >> I'm pretty new to WS, and especially the security piece, but I'm using
    >> rampart 1.4 using policy files to try to function as a client to an
    >> existing (external to my company) web service.
    >>
    >> I know that I need to send both a usernameToken and sign the header with
    >> a certificate.  I've been able to do EITHER, but so far haven't been able
    >> to do both.
    >>
    >> I've tried it about 20 different ways, but my most recent attempt is:
    >>
    >>
    >> <wsp:Policy wsu:Id="SigAndUName"
    >>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    >>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    >>   <wsp:All>
    >>     <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    >>       <wsp:Policy>
    >>         <sp:InitiatorToken>
    >>           <wsp:Policy>
    >>             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
    >>               <wsp:Policy>
    >>                 <sp:WssX509V3Token10/>
    >>               </wsp:Policy>
    >>             </sp:X509Token>
    >>           </wsp:Policy>
    >>         </sp:InitiatorToken>
    >>         <sp:RecipientToken>
    >>           <wsp:Policy>
    >>             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
    >>               <wsp:Policy>
    >>                 <sp:WssX509V3Token10/>
    >>               </wsp:Policy>
    >>             </sp:X509Token>
    >>           </wsp:Policy>
    >>         </sp:RecipientToken>
    >>         <sp:AlgorithmSuite>
    >>           <wsp:Policy>
    >>             <sp:Basic128Rsa15/>
    >>           </wsp:Policy>
    >>         </sp:AlgorithmSuite>
    >>         <sp:Layout>
    >>           <wsp:Policy>
    >>             <sp:Lax/>
    >>           </wsp:Policy>
    >>         </sp:Layout>
    >>         <sp:OnlySignEntireHeadersAndBody/>
    >>         <sp:SupportingTokens>
    >>           <wsp:Policy>
    >>             <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
    >>           </wsp:Policy>
    >>         </sp:SupportingTokens>
    >>       </wsp:Policy>
    >>     </sp:AsymmetricBinding>
    >>
    >>     <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    >>       <wsp:Policy>
    >>         <sp:MustSupportRefKeyIdentifier />
    >>         <sp:MustSupportRefIssuerSerial />
    >>       </wsp:Policy>
    >>     </sp:Wss10>
    >>
    >>     <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    >>       <sp:Body/>
    >>     </sp:SignedParts>
    >>
    >>     <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
    >>       <ramp:user>user</ramp:user>
    >>       <ramp:encryptionUser>user</ramp:encryptionUser>
    >>       <ramp:passwordCallbackClass>com.xo.vzn_asr.business.util.PWCBHandler</ramp:passwordCallbackClass>
    >>       <ramp:signatureCrypto>
    >>         <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
    >>           <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
    >>           <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
    >>           <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.alias">user</ramp:property>
    >>           <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">keypassword</ramp:property>
    >>         </ramp:crypto>
    >>       </ramp:signatureCrypto>
    >>     </ramp:RampartConfig>
    >>   </wsp:All>
    >> </wsp:Policy>
    >>
    >>
    >>
    >> I expect the final header output to be something like:
    >> <SOAP-ENV:Header >
    >>   <wsse:Security >
    >>     <wsse:UsernameToken >
    >>       <wsse:Username >XXX</wsse:Username>
    >>     </wsse:UsernameToken>
    >>     <wsse:BinarySecurityToken >binaryTokenHere</wsse:BinarySecurityToken>
    >>     <ds:Signature >
    >>       <ds:SignedInfo >
    >>         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    >>         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    >>         <ds:Reference >
    >>           <ds:Transforms >
    >>             <ds:Transform />
    >>           </ds:Transforms>
    >>           <ds:DigestMethod />
    >>           <ds:DigestValue ></ds:DigestValue>
    >>         </ds:Reference>
    >>         <ds:Reference >
    >>           <ds:Transforms >
    >>             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    >>           </ds:Transforms>
    >>           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    >>           <ds:DigestValue ></ds:DigestValue>
    >>         </ds:Reference>
    >>       </ds:SignedInfo>
    >>       <ds:SignatureValue ></ds:SignatureValue>
    >>       <ds:KeyInfo >
    >>         <wsse:SecurityTokenReference >
    >>           <wsse:Reference />
    >>         </wsse:SecurityTokenReference>
    >>       </ds:KeyInfo>
    >>     </ds:Signature>
    >>   </wsse:Security>
    >> </SOAP-ENV:Header>
    >>
    >>
    >> I'm fairly sure I've just got the policy file slightly off.  Any
    >> suggestions?  Thanks for any reply.
    >>
    >
    >
    > --
    > Samisa Abeysinghe
    >
    > http://people.apache.org/~samisa/
    >
    > ---------------------------------------------------------------------
    > To unsubscribe, e-mail: [EMAIL PROTECTED]
    > For additional commands, e-mail: [EMAIL PROTECTED]
    >

    --
    View this message in context:
    http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19850087.html
    Sent from the Axis - User mailing list archive at Nabble.com.






--
Nandana Mihindukulasooriya WSO2 inc.

http://nandana83.blogspot.com/
http://www.wso2.org
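A small lint for the two points Nandana raises (a SupportingTokens assertion must sit at the top level, not inside the binding, and a RampartConfig that sets only "user" makes the username double as the private-key alias), written here as an added example; it is not code from this thread or from Rampart. It uses only the Python standard library; the two miniature policies and the alias "signkey" are constructed stand-ins for the layouts shown above.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the policies in this thread (ElementTree's {ns} notation).
SP_NS = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"
RAMP_NS = "http://ws.apache.org/rampart/policy"
SP, WSP, RAMP = (f"{{{ns}}}" for ns in (SP_NS, WSP_NS, RAMP_NS))
BINDINGS = {SP + "AsymmetricBinding", SP + "SymmetricBinding", SP + "TransportBinding"}
SUPPORTING = {SP + n for n in ("SupportingTokens", "SignedSupportingTokens",
                               "EndorsingSupportingTokens", "SignedEndorsingSupportingTokens")}

def lint_policy(xml_text):
    """Return findings for a WS-SecurityPolicy document carrying a RampartConfig."""
    findings = []
    root = ET.fromstring(xml_text)

    def walk(el, ancestors):
        if el.tag in SUPPORTING:
            local = el.tag[len(SP):]
            # The mistake in the thread: supporting tokens placed inside the binding.
            if any(a.tag in BINDINGS for a in ancestors):
                findings.append(f"{local} is nested inside a binding assertion; it must be top level")
            if not any(c.tag == WSP + "Policy" for c in el):
                findings.append(f"{local} lacks its wsp:Policy wrapper")
        for child in el:
            walk(child, ancestors + [el])
    walk(root, [])

    cfg = root.find(f".//{RAMP}RampartConfig")
    if cfg is not None:
        if cfg.findtext(f"{RAMP}user") and cfg.findtext(f"{RAMP}userCertAlias") is None:
            findings.append("no userCertAlias: the username doubles as the private-key alias")
        encrypts = any(root.find(f".//{SP}{t}") is not None
                       for t in ("EncryptedParts", "EncryptedElements"))
        if cfg.findtext(f"{RAMP}encryptionUser") and not encrypts:
            findings.append("encryptionUser is set but the policy has no encryption assertion")
    return findings

# Constructed miniatures of the two layouts discussed in the thread, not the full policies.
_HEAD = f'<wsp:Policy xmlns:wsp="{WSP_NS}" xmlns:sp="{SP_NS}" xmlns:ramp="{RAMP_NS}"><wsp:All>'
_TAIL = "</wsp:All></wsp:Policy>"
NESTED = _HEAD + """<sp:AsymmetricBinding><wsp:Policy>
  <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
</wsp:Policy></sp:AsymmetricBinding>
<ramp:RampartConfig><ramp:user>user</ramp:user><ramp:encryptionUser>user</ramp:encryptionUser></ramp:RampartConfig>
""" + _TAIL
TOP_LEVEL = _HEAD + """<sp:AsymmetricBinding><wsp:Policy/></sp:AsymmetricBinding>
<sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
<ramp:RampartConfig><ramp:user>user</ramp:user><ramp:userCertAlias>signkey</ramp:userCertAlias></ramp:RampartConfig>
""" + _TAIL
```

Running `lint_policy(NESTED)` reports the nested SupportingTokens plus the two RampartConfig observations, while `lint_policy(TOP_LEVEL)` returns an empty list.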

