Has anyone done this before? It seems like a bug to me; however, I am not sure
because I am new to AXIS2.



amiteshksingh wrote:
> 
> Hi,
> 
> I have one service which contains two separate policies for two different
> clients, using the <sp:ExactlyOne> policy operator as given below.
> Service Policy:
> <wsp:Policy wsu:Id="SgnOnlyAnonymous"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>     xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <wsp:ExactlyOne>
>         <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:InitiatorToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                   <wsp:Policy>
>                     <sp:RequireThumbprintReference/>
>                     <sp:WssX509V3Token10/>
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:InitiatorToken>
>             <sp:RecipientToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                   <wsp:Policy>
>                     <sp:RequireThumbprintReference/>
>                     <sp:WssX509V3Token10/>
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:RecipientToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:TripleDesRsa15/>
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict/>
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp/>
>             <sp:OnlySignEntireHeadersAndBody/>
>           </wsp:Policy>
>         </sp:AsymmetricBinding>
>         <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:TransportToken>
>               <wsp:Policy>
>                 <!--  <sp:HttpsToken RequireClientCertificate="false"/> -->
>               </wsp:Policy>
>             </sp:TransportToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:Basic256/>
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Lax/>
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp/>
>           </wsp:Policy>
>         </sp:TransportBinding>
>       </wsp:ExactlyOne>
>       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>         <ramp:user>service</ramp:user>
>         <ramp:encryptionUser>client</ramp:encryptionUser>
>         <ramp:passwordCallbackClass>com.accenture.apsp.security.PWCBHandler</ramp:passwordCallbackClass>
>         <ramp:signatureCrypto>
>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>           </ramp:crypto>
>         </ramp:signatureCrypto>
>       </ramp:RampartConfig>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
> 
> 1st client policy:
> 
> <wsp:Policy wsu:Id="UTOverTransport"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:TransportToken>
>             <wsp:Policy>
>               <!--  <sp:HttpsToken RequireClientCertificate="false"/> -->
>             </wsp:Policy>
>           </sp:TransportToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Lax/>
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp/>
>         </wsp:Policy>
>       </sp:TransportBinding>
>       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>         <ramp:user>client</ramp:user>
>         <ramp:encryptionUser>service</ramp:encryptionUser>
>         <ramp:passwordCallbackClass>com.accenture.apsp.security.PWCBHandler</ramp:passwordCallbackClass>
>         <ramp:signatureCrypto>
>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>           </ramp:crypto>
>         </ramp:signatureCrypto>
>       </ramp:RampartConfig>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
> 
> 2nd Client policy:
> 
> <wsp:Policy wsu:Id="SigOnly"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:RequireThumbprintReference/>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireThumbprintReference/>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:TripleDesRsa15/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict/>
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp/>
>           <sp:OnlySignEntireHeadersAndBody/>
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>         <ramp:user>client</ramp:user>
>         <ramp:encryptionUser>service</ramp:encryptionUser>
>         <ramp:passwordCallbackClass>com.accenture.apsp.security.PWCBHandler</ramp:passwordCallbackClass>
>         <ramp:signatureCrypto>
>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>           </ramp:crypto>
>         </ramp:signatureCrypto>
>       </ramp:RampartConfig>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
> 
> When I am running the 2nd client it's working fine, since the second client's
> policy matches the service's <ExactlyOne>'s first element, and if I am
> running the 1st client I am getting the error
> "org.apache.axis2.AxisFault: Message is not signed"
> 
> In the service, if I am switching the policy sequence, then the 1st client
> works fine and the second client gives an error.
> 
> As per the specification it should work for both clients. Can anybody tell me
> what I am doing wrong?
> 
> Thanks in advance,
> Amitesh
> 

-- 
View this message in context: 
http://www.nabble.com/AXIS2---Security-Policy-Problem-tp24314266p24358644.html
Sent from the Axis - User mailing list archive at Nabble.com.
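
How the service policy quoted above expands into alternatives, as an added example that is not part of the original thread and is not Axis2, Rampart or Neethi code. `SERVICE_POLICY` is a constructed, condensed copy of the posted policy, the helper names are hypothetical, matching is simplified to the binding assertion's name, and `first_only` only models the behaviour the post reports.

```python
import itertools
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"

# Constructed, condensed copy of the service policy in the post: same operator
# nesting; binding contents and RampartConfig children are left out.
SERVICE_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}"
            xmlns:ramp="http://ws.apache.org/rampart/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <wsp:ExactlyOne>
        <sp:AsymmetricBinding/>
        <sp:TransportBinding/>
      </wsp:ExactlyOne>
      <ramp:RampartConfig/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""

def qname(elem):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if not elem.tag.startswith("{"):
        return "", elem.tag
    ns, _, name = elem.tag[1:].partition("}")
    return ns, name

def alternatives(elem):
    """Expand wsp:Policy/All/ExactlyOne into a list of alternatives (sets of QNames)."""
    ns, name = qname(elem)
    if ns == WSP and name in ("Policy", "All"):
        # All: one alternative per combination of the children's alternatives.
        per_child = [alternatives(child) for child in elem]
        return [frozenset().union(*combo) for combo in itertools.product(*per_child)]
    if ns == WSP and name == "ExactlyOne":
        # ExactlyOne: the children's alternatives side by side, in document order.
        return [alt for child in elem for alt in alternatives(child)]
    return [frozenset([(ns, name)])]  # an assertion; its nested policy is not expanded

def security_assertions(alt):
    """WS-SecurityPolicy assertion names in one alternative (RampartConfig is ignored)."""
    return {name for ns, name in alt if ns == SP}

def accepts(service_xml, client_binding, first_only=False):
    """True if some service alternative carries exactly the client's binding assertion."""
    alts = alternatives(ET.fromstring(service_xml))
    if first_only:  # models the behaviour the post reports: only the first one counts
        alts = alts[:1]
    return any(security_assertions(alt) == {client_binding} for alt in alts)
```

With every alternative considered, `accepts` returns `True` for both `"TransportBinding"` and `"AsymmetricBinding"`; with `first_only=True` the transport-binding client is rejected, which is the asymmetry described in the post.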
