Hi, I'm a newbie in web services and security, I'm using wso2 as an axis2
wrapper for making working with Spring easier, well
I have published a service that requires user token authentication and SSL
transport using this policy:
<wsp:Policy wsu:Id="UsernameTokenOverHTTPS"
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding
xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"
/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedSupportingTokens
xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient";
/>
</wsp:Policy>
</sp:SignedSupportingTokens>
<ramp:RampartConfig xmlns:ramp="
http://ws.apache.org/rampart/policy";>
<ramp:passwordCallbackClass>pe.gob.hndac.ldap.PasswordCallbackHandler</ramp:passwordCallbackClass>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
If i send this request (sniffed with TCPmon)
POST
http://172.17.0.24:8080/emrws/services/emrAuthWs.emrAuthWsHttpSoap12Endpoint/HTTP/1.1
User-Agent: Axis2C/1.5.0
Content-Type: application/soap+xml;charset=UTF-8
;action="urn:getPatientDetails"
Host: 172.17.0.24:8080
Content-Length: 310
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope";
xmlns:ws="http://ws.hndac.gob.pe";>
<soap:Header/>
<soap:Body>
<ws:getPatientDetails>
<!--Optional:-->
<ws:identificador>12</ws:identificador>
</ws:getPatientDetails>
</soap:Body>
</soap:Envelope>
I receive this answer:
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope";>
<soapenv:Body>
<soapenv:Fault xmlns:axis2ns19="
http://www.w3.org/2003/05/soap-envelope";>
<soapenv:Code>
<soapenv:Value>axis2ns19:Sender</soapenv:Value>
<soapenv:Subcode>
<soapenv:Value xmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
">wsse:InvalidSecurity</soapenv:Value>
</soapenv:Subcode>
</soapenv:Code>
<soapenv:Reason>
<soapenv:Text xml:lang="en-US">Missing wsse:Security header in
request</soapenv:Text>
</soapenv:Reason>
<soapenv:Detail/>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>
Ok, this is an axis fault, it is ok, but if I send:
POST
http://172.17.0.24:8080/emrws/services/emrAuthWs.emrAuthWsHttpSoap12Endpoint/HTTP/1.1
User-Agent: Axis2C/1.5.0
Content-Length: 294
Content-Type: application/soap+xml;charset=UTF-8
Host: 172.17.0.24:8080
<soapenv:Envelope
xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope";><soapenv:Header/><soapenv:Body><ws:getPatientDetails
xmlns:ws="http://ws.hndac.gob.pe";>
<!--Optional:-->
<ws:identificador>12</ws:identificador>
</ws:getPatientDetails></soapenv:Body></soapenv:Envelope>
Note the missing action attribute in the http content-type header, I receive
this answer:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/soap+xml;
action="urn:getPatientDetailsResponse";charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 20 Oct 2009 13:30:41 GMT
641
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="
http://www.w3.org/2003/05/soap-envelope";><soapenv:Header>
<wsse:Security xmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
soapenv:mustUnderstand="true"><wsu:Timestamp xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="Timestamp-16078681"><wsu:Created>2009-10-20T13:30:41.184Z</wsu:Created><wsu:Expires>2009-10-20T13:35:41.184Z</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header><soapenv:Body><ns:getPatientDetailsResponse
xmlns:ns="http://ws.hndac.gob.pe";><ns:return xmlns:ax23="http://model/xsd";
type="model.Paciente"><ax23:apellidoMaterno>ALFARO</ax23:apellidoMaterno><ax23:apellidoPaterno>SAENZ</ax23:apellidoPaterno><ax23:direccion
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:nil="true"
/><ax23:documentoIdentidad xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"; xsi:nil="true"
/><ax23:fechaAdmision xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:nil="true"
/><ax23:fechaNacimiento>1957-08-16T05:00:00.000Z</ax23:fechaNacimiento><ax23:identificador>12</ax23:identificador><ax23:nombres>CARMEN
ROSA</ax23:nombres><ax23:sexo>F</ax23:sexo><ax23:telefono xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"; xsi:nil="true"
/><ax23:ubigeoNacimiento xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"; xsi:nil="true"
/><ax23:ubigeoResidencia xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"; xsi:nil="true"
/></ns:return></ns:getPatientDetailsResponse></soapenv:Body></soapenv:Envelope>
0
Auchh, without user authentication neither SSL transport :S
--
Jaime Hablutzel
(tildes omitidas intencionalmente) 9 8964 0369
