On Tue, Oct 7, 2008 at 8:50 AM, Samisa Abeysinghe wrote:

> Nandana Mihindukulasooriya wrote:
>
>> Hi Ronnie,
>>       Please change the policy as given below.
>>
>
> But should not this policy come from the service?

Ideally yes. ;)

Thanks,
Keith.

>
>
> Samisa...
>
>
>> <wsp:Policy ...>
>>   <sp:AsymmetricBinding>
>>     ...
>>   </sp:AsymmetricBinding>
>>   <sp:SupportingTokens>
>>     <wsp:Policy>
>>       <sp:UsernameToken/>
>>     </wsp:Policy>
>>   </sp:SupportingTokens>
>>   <sp:Wss10 .../>
>>   <sp:SignedParts .../>
>>   <ramp:RampartConfig/>
>> </wsp:Policy>
>>
>> Just the structure is shown above. The Supporting token assertion should
>> be a top level assertion. In your case, you have it as a nested assertion
>> within the Asymmetric Binding assertion.
>>
>> And if your username and private key alias are different, you need to use
>> both "user" and "userCertAlias" parameters in the RampartConfig as mentioned
>> by Martin. But if both of them are the same, you can just have the "user"
>> parameter [1].
>>
>> And I don't understand why you have both user and encryptionUser set to
>> "user".
>>                       <ramp:user>user</ramp:user>
>>                       <ramp:encryptionUser>user</ramp:encryptionUser>
>>
>> thanks,
>> nandana
>>
>> [1] - http://wso2.org/library/3733
>>
>>
>> On Tue, Oct 7, 2008 at 8:40 AM, RonnieMJ wrote:
>>
>>
>>    I don't actually get an exception (well I do get a soap fault for
>>    not having all of the right headers from their server).
>>
>>    The message usually gets sent out simply without the username
>>    token.  If I DO get the username token to go, it's as a
>>    signedsupportingtoken (which is not what they want).
>>
>>
>>
>>    Samisa Abeysinghe-2 wrote:
>>    >
>>    > What is the exception that you get?
>>    >
>>    > Samisa...
>>    >
>>    > RonnieMJ wrote:
>>    >> I'm pretty new to WS, and especially the security piece, but I'm using
>>    >> rampart 1.4 using policy files to try to function as a client to an
>>    >> existing (external to my company) web service.
>>    >>
>>    >> I know that I need to send both a usernameToken and sign the header
>>    >> with a certificate.  I've been able to do EITHER, but so far haven't
>>    >> been able to do both.
>>    >>
>>    >> I've tried it about 20 different ways, but my most recent attempt is:
>>    >>
>>    >>
>>    >> <wsp:Policy wsu:Id="SigAndUName"
>>    >>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>    >>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>    >>   <wsp:All>
>>    >>     <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>    >>       <wsp:Policy>
>>    >>         <sp:InitiatorToken>
>>    >>           <wsp:Policy>
>>    >>             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>    >>               <wsp:Policy>
>>    >>                 <sp:WssX509V3Token10/>
>>    >>               </wsp:Policy>
>>    >>             </sp:X509Token>
>>    >>           </wsp:Policy>
>>    >>         </sp:InitiatorToken>
>>    >>         <sp:RecipientToken>
>>    >>           <wsp:Policy>
>>    >>             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>>    >>               <wsp:Policy>
>>    >>                 <sp:WssX509V3Token10/>
>>    >>               </wsp:Policy>
>>    >>             </sp:X509Token>
>>    >>           </wsp:Policy>
>>    >>         </sp:RecipientToken>
>>    >>         <sp:AlgorithmSuite>
>>    >>           <wsp:Policy>
>>    >>             <sp:Basic128Rsa15/>
>>    >>           </wsp:Policy>
>>    >>         </sp:AlgorithmSuite>
>>    >>         <sp:Layout>
>>    >>           <wsp:Policy>
>>    >>             <sp:Lax/>
>>    >>           </wsp:Policy>
>>    >>         </sp:Layout>
>>    >>         <sp:OnlySignEntireHeadersAndBody/>
>>    >>         <sp:SupportingTokens>
>>    >>           <wsp:Policy>
>>    >>             <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
>>    >>           </wsp:Policy>
>>    >>         </sp:SupportingTokens>
>>    >>       </wsp:Policy>
>>    >>     </sp:AsymmetricBinding>
>>    >>
>>    >>     <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>    >>       <wsp:Policy>
>>    >>         <sp:MustSupportRefKeyIdentifier/>
>>    >>         <sp:MustSupportRefIssuerSerial/>
>>    >>       </wsp:Policy>
>>    >>     </sp:Wss10>
>>    >>
>>    >>     <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>    >>       <sp:Body/>
>>    >>     </sp:SignedParts>
>>    >>
>>    >>     <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>>    >>       <ramp:user>user</ramp:user>
>>    >>       <ramp:encryptionUser>user</ramp:encryptionUser>
>>    >>       <ramp:passwordCallbackClass>com.xo.vzn_asr.business.util.PWCBHandler</ramp:passwordCallbackClass>
>>    >>       <ramp:signatureCrypto>
>>    >>         <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>    >>           <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>    >>           <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>>    >>           <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.alias">user</ramp:property>
>>    >>           <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">keypassword</ramp:property>
>>    >>         </ramp:crypto>
>>    >>       </ramp:signatureCrypto>
>>    >>     </ramp:RampartConfig>
>>    >>
>>    >>   </wsp:All>
>>    >> </wsp:Policy>
>>    >>
>>    >>
>>    >>
>>    >> I expect the final header output to be something like:
>>    >> <SOAP-ENV:Header>
>>    >>   <wsse:Security>
>>    >>     <wsse:UsernameToken>
>>    >>       <wsse:Username>XXX</wsse:Username>
>>    >>     </wsse:UsernameToken>
>>    >>     <wsse:BinarySecurityToken>binaryTokenHere</wsse:BinarySecurityToken>
>>    >>     <ds:Signature>
>>    >>       <ds:SignedInfo>
>>    >>         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>    >>         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>    >>         <ds:Reference>
>>    >>           <ds:Transforms>
>>    >>             <ds:Transform/>
>>    >>           </ds:Transforms>
>>    >>           <ds:DigestMethod/>
>>    >>           <ds:DigestValue></ds:DigestValue>
>>    >>         </ds:Reference>
>>    >>         <ds:Reference>
>>    >>           <ds:Transforms>
>>    >>             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>    >>           </ds:Transforms>
>>    >>           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>    >>           <ds:DigestValue></ds:DigestValue>
>>    >>         </ds:Reference>
>>    >>       </ds:SignedInfo>
>>    >>       <ds:SignatureValue></ds:SignatureValue>
>>    >>       <ds:KeyInfo>
>>    >>         <wsse:SecurityTokenReference>
>>    >>           <wsse:Reference/>
>>    >>         </wsse:SecurityTokenReference>
>>    >>       </ds:KeyInfo>
>>    >>     </ds:Signature>
>>    >>   </wsse:Security>
>>    >> </SOAP-ENV:Header>
>>    >>
>>    >>
>>    >> I'm fairly sure I've just got the policy file slightly off.  Any
>>    >> suggestions?  Thanks for any reply.
>>    >>
>>    >
>>    >
>>    > --
>>    > Samisa Abeysinghe
>>    >
>>    > http://people.apache.org/~samisa/
>>    >
>>    >
>>    >
>>    ---------------------------------------------------------------------
>>    > To unsubscribe, e-mail: [EMAIL PROTECTED]
>>    <mailto:[EMAIL PROTECTED]>
>>    > For additional commands, e-mail: [EMAIL PROTECTED]
>>    <mailto:[EMAIL PROTECTED]>
>>    >
>>    >
>>    >
>>
>>    --
>>    View this message in context:
>>
>> http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19850087.html
>>    Sent from the Axis - User mailing list archive at Nabble.com.
>>
>>
>>
>>
>>
>>
>> --
>> Nandana Mihindukulasooriya  WSO2 inc.
>>
>> http://nandana83.blogspot.com/
>> http://www.wso2.org
>>
>
>
> --
> Samisa Abeysinghe
>
> http://people.apache.org/~samisa/
>
>
>
>


-- 
Keith Chapman
Senior Software Engineer
WSO2 Inc.
Oxygenating the Web Service Platform.
http://wso2.org/

blog: http://www.keith-chapman.org
