Hi Nandana,

Thanks for your reply. I will try the alternative way you have suggested. However, will Axis2/Rampart support this feature in future?
Thanks,
Amitesh

Nunny wrote:
>
> Hi Amitesh,
> Axis2/Rampart doesn't support policy alternatives, which is the feature you
> are referring to. When multiple policy alternatives are present, it will only
> honor the first alternative. That is why you're experiencing this behavior.
> One workaround would be to have multiple bindings with these alternative
> policies, and clients can choose which binding to talk to.
>
> thanks,
> Nandana
>
> On Mon, Jul 6, 2009 at 9:53 PM, amiteshksingh <[email protected]> wrote:
>
>> Has anyone done this before? It seems like a bug to me; however, I am not
>> sure because I am new to AXIS2.
>>
>> amiteshksingh wrote:
>>>
>>> Hi,
>>>
>>> I have one service which contains two separate policies for two different
>>> clients, using the <sp:ExactlyOne> policy operator as given below.
>>>
>>> Service Policy:
>>>
>>> <wsp:Policy wsu:Id="SgnOnlyAnonymous"
>>>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>     xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>>>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>   <wsp:ExactlyOne>
>>>     <wsp:All>
>>>       <wsp:ExactlyOne>
>>>         <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>           <wsp:Policy>
>>>             <sp:InitiatorToken>
>>>               <wsp:Policy>
>>>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>>                   <wsp:Policy>
>>>                     <sp:RequireThumbprintReference/>
>>>                     <sp:WssX509V3Token10/>
>>>                   </wsp:Policy>
>>>                 </sp:X509Token>
>>>               </wsp:Policy>
>>>             </sp:InitiatorToken>
>>>             <sp:RecipientToken>
>>>               <wsp:Policy>
>>>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>>>                   <wsp:Policy>
>>>                     <sp:RequireThumbprintReference/>
>>>                     <sp:WssX509V3Token10/>
>>>                   </wsp:Policy>
>>>                 </sp:X509Token>
>>>               </wsp:Policy>
>>>             </sp:RecipientToken>
>>>             <sp:AlgorithmSuite>
>>>               <wsp:Policy>
>>>                 <sp:TripleDesRsa15/>
>>>               </wsp:Policy>
>>>             </sp:AlgorithmSuite>
>>>             <sp:Layout>
>>>               <wsp:Policy>
>>>                 <sp:Strict/>
>>>               </wsp:Policy>
>>>             </sp:Layout>
>>>             <sp:IncludeTimestamp/>
>>>             <sp:OnlySignEntireHeadersAndBody/>
>>>           </wsp:Policy>
>>>         </sp:AsymmetricBinding>
>>>         <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>           <wsp:Policy>
>>>             <sp:TransportToken>
>>>               <wsp:Policy>
>>>                 <!-- <sp:HttpsToken RequireClientCertificate="false"/> -->
>>>               </wsp:Policy>
>>>             </sp:TransportToken>
>>>             <sp:AlgorithmSuite>
>>>               <wsp:Policy>
>>>                 <sp:Basic256/>
>>>               </wsp:Policy>
>>>             </sp:AlgorithmSuite>
>>>             <sp:Layout>
>>>               <wsp:Policy>
>>>                 <sp:Lax/>
>>>               </wsp:Policy>
>>>             </sp:Layout>
>>>             <sp:IncludeTimestamp/>
>>>           </wsp:Policy>
>>>         </sp:TransportBinding>
>>>       </wsp:ExactlyOne>
>>>       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>>>         <ramp:user>service</ramp:user>
>>>         <ramp:encryptionUser>client</ramp:encryptionUser>
>>>         <ramp:passwordCallbackClass>com.accenture.apsp.security.PWCBHandler</ramp:passwordCallbackClass>
>>>         <ramp:signatureCrypto>
>>>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>>>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
>>>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>>>           </ramp:crypto>
>>>         </ramp:signatureCrypto>
>>>       </ramp:RampartConfig>
>>>     </wsp:All>
>>>   </wsp:ExactlyOne>
>>> </wsp:Policy>
>>>
>>> 1st client policy:
>>>
>>> <wsp:Policy wsu:Id="UTOverTransport"
>>>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>   <wsp:ExactlyOne>
>>>     <wsp:All>
>>>       <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>         <wsp:Policy>
>>>           <sp:TransportToken>
>>>             <wsp:Policy>
>>>               <!-- <sp:HttpsToken RequireClientCertificate="false"/> -->
>>>             </wsp:Policy>
>>>           </sp:TransportToken>
>>>           <sp:AlgorithmSuite>
>>>             <wsp:Policy>
>>>               <sp:Basic256/>
>>>             </wsp:Policy>
>>>           </sp:AlgorithmSuite>
>>>           <sp:Layout>
>>>             <wsp:Policy>
>>>               <sp:Lax/>
>>>             </wsp:Policy>
>>>           </sp:Layout>
>>>           <sp:IncludeTimestamp/>
>>>         </wsp:Policy>
>>>       </sp:TransportBinding>
>>>       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>>>         <ramp:user>client</ramp:user>
>>>         <ramp:encryptionUser>service</ramp:encryptionUser>
>>>         <ramp:passwordCallbackClass>com.accenture.apsp.security.PWCBHandler</ramp:passwordCallbackClass>
>>>         <ramp:signatureCrypto>
>>>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>>>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>>>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>>>           </ramp:crypto>
>>>         </ramp:signatureCrypto>
>>>       </ramp:RampartConfig>
>>>     </wsp:All>
>>>   </wsp:ExactlyOne>
>>> </wsp:Policy>
>>>
>>> 2nd client policy:
>>>
>>> <wsp:Policy wsu:Id="SigOnly"
>>>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>>   <wsp:ExactlyOne>
>>>     <wsp:All>
>>>       <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>         <wsp:Policy>
>>>           <sp:InitiatorToken>
>>>             <wsp:Policy>
>>>               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>>                 <wsp:Policy>
>>>                   <sp:RequireThumbprintReference/>
>>>                   <sp:WssX509V3Token10/>
>>>                 </wsp:Policy>
>>>               </sp:X509Token>
>>>             </wsp:Policy>
>>>           </sp:InitiatorToken>
>>>           <sp:RecipientToken>
>>>             <wsp:Policy>
>>>               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>>>                 <wsp:Policy>
>>>                   <sp:RequireThumbprintReference/>
>>>                   <sp:WssX509V3Token10/>
>>>                 </wsp:Policy>
>>>               </sp:X509Token>
>>>             </wsp:Policy>
>>>           </sp:RecipientToken>
>>>           <sp:AlgorithmSuite>
>>>             <wsp:Policy>
>>>               <sp:TripleDesRsa15/>
>>>             </wsp:Policy>
>>>           </sp:AlgorithmSuite>
>>>           <sp:Layout>
>>>             <wsp:Policy>
>>>               <sp:Strict/>
>>>             </wsp:Policy>
>>>           </sp:Layout>
>>>           <sp:IncludeTimestamp/>
>>>           <sp:OnlySignEntireHeadersAndBody/>
>>>         </wsp:Policy>
>>>       </sp:AsymmetricBinding>
>>>       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>>>         <ramp:user>client</ramp:user>
>>>         <ramp:encryptionUser>service</ramp:encryptionUser>
>>>         <ramp:passwordCallbackClass>com.accenture.apsp.security.PWCBHandler</ramp:passwordCallbackClass>
>>>         <ramp:signatureCrypto>
>>>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>>>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>>>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>>>           </ramp:crypto>
>>>         </ramp:signatureCrypto>
>>>       </ramp:RampartConfig>
>>>     </wsp:All>
>>>   </wsp:ExactlyOne>
>>> </wsp:Policy>
>>>
>>> When I run the 2nd client it works fine, since the second client's policy
>>> matches the first element of the service's <ExactlyOne>, but if I run the
>>> 1st client I get the error
>>> "org.apache.axis2.AxisFault: Message is not signed".
>>>
>>> If I switch the order of the policies in the service, then the 1st client
>>> works fine and the second client gives an error.
>>>
>>> As per the specification it should work for both clients. Can anybody tell
>>> me what I am doing wrong?
>>>
>>> Thanks in advance,
>>> Amitesh
>>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/AXIS2---Security-Policy-Problem-tp24314266p24358644.html
>> Sent from the Axis - User mailing list archive at Nabble.com.
>>
>

--
View this message in context: http://www.nabble.com/AXIS2---Security-Policy-Problem-tp24314266p24418988.html
Sent from the Axis - User mailing list archive at Nabble.com.
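The behaviour discussed in this thread comes down to WS-Policy normalisation: the service policy above, once the nested `<wsp:ExactlyOne>` is distributed over the enclosing `<wsp:All>`, has two alternatives (AsymmetricBinding + RampartConfig, and TransportBinding + RampartConfig), and each client policy has one. A conformant engine intersects the client's alternatives with all of the service's; an engine that reads only the first service alternative will accept the SigOnly client and reject the UTOverTransport client, exactly as reported, and swapping the order flips which client fails. The script below is an added example, not code from the thread or from Axis2/Rampart. It implements the WS-Policy normal-form rules and a strict-mode intersection on top-level assertion QNames over trimmed, constructed copies of the three posted policies; assertion bodies (token types, algorithm suites) are dropped, so it approximates a policy engine rather than replacing one.

```python
"""WS-Policy normal form and alternative intersection.

Added example, not code from the thread or from Axis2/Rampart: it applies the
WS-Policy 1.2 normalisation rules (Policy and All distribute over their
children, ExactlyOne unions them) and a strict-mode intersection that compares
the top-level assertion QNames of each alternative.  Nested assertion
parameters are ignored, so this approximates a policy engine rather than
replacing one.
"""
import itertools
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
RAMP = "http://ws.apache.org/rampart/policy"
NS = f'xmlns:wsp="{WSP}" xmlns:sp="{SP}" xmlns:ramp="{RAMP}"'

# Constructed, trimmed copies of the three policies posted in the thread.  Only
# the operators and top-level assertions are kept; assertion bodies are omitted.
SERVICE_POLICY = f"""<wsp:Policy {NS}>
  <wsp:ExactlyOne>
    <wsp:All>
      <wsp:ExactlyOne>
        <sp:AsymmetricBinding/>
        <sp:TransportBinding/>
      </wsp:ExactlyOne>
      <ramp:RampartConfig/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""

UT_OVER_TRANSPORT = f"""<wsp:Policy {NS}>
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding/>
    <ramp:RampartConfig/>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

SIG_ONLY = f"""<wsp:Policy {NS}>
  <wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding/>
    <ramp:RampartConfig/>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""


def normalize(elem):
    """Return the alternatives of a policy element as frozensets of QNames."""
    tag = elem.tag
    if tag in (f"{{{WSP}}}Policy", f"{{{WSP}}}All"):
        # All (and Policy, which is shorthand for All) take the cross product
        # of their children's alternatives and merge each combination.
        alts = [frozenset()]
        for child in elem:
            alts = [a | b for a, b in itertools.product(alts, normalize(child))]
        return alts
    if tag == f"{{{WSP}}}ExactlyOne":
        # ExactlyOne contributes each child's alternatives unchanged, in order.
        return [alt for child in elem for alt in normalize(child)]
    # Any other element is an assertion forming a one-element alternative.
    return [frozenset([tag])]


def alternatives(policy_xml):
    """Normal form of a policy document: list of alternatives in document order."""
    return normalize(ET.fromstring(policy_xml))


def intersect(requester_alts, provider_alts):
    """Strict-mode intersection: a pair of alternatives is compatible only when
    both sides carry exactly the same assertion vocabulary."""
    return [(r, p) for r in requester_alts for p in provider_alts if r == p]


def compatible(client_xml, service_xml, first_alternative_only=False):
    """True if some client alternative is compatible with the service policy.

    first_alternative_only=True models an engine that honours only the first
    alternative of the service's ExactlyOne, as described in the thread.
    """
    service = alternatives(service_xml)
    if first_alternative_only:
        service = service[:1]
    return bool(intersect(alternatives(client_xml), service))


def local_names(alt):
    """Strip namespaces for readable output: {ns}Local -> Local."""
    return sorted(q.rsplit("}", 1)[-1] for q in alt)


if __name__ == "__main__":
    for i, alt in enumerate(alternatives(SERVICE_POLICY), 1):
        print(f"service alternative {i}: {local_names(alt)}")
    for name, client in (("UTOverTransport", UT_OVER_TRANSPORT), ("SigOnly", SIG_ONLY)):
        print(name, "| all alternatives:", compatible(client, SERVICE_POLICY),
              "| first alternative only:", compatible(client, SERVICE_POLICY, True))
```

Two things worth noting when reading the output. First, the security floor of a service is its weakest accepted alternative: in the posted service policy the TransportBinding alternative has an empty `<sp:TransportToken>` (the `HttpsToken` is commented out) and no signature requirement, so a client that selects it sends nothing more than a Timestamp. Publishing both alternatives on one endpoint means the signed variant buys no protection against a client that simply picks the other. Second, the workaround suggested in the thread (one binding per policy) sidesteps the alternative-selection problem and also makes the protection level of each endpoint explicit and auditable, which is usually the better design regardless of engine support.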
