Thanks!
Now I just have one question left: if we want to customize verification to
perform additional checks, what is the best way to do it? For example, if we
want to check the signer certificate's validity dates and revocation
status... Should we use an additional handler?
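As an added illustration of the "additional handler" approach asked about above (this is example code, not code from the thread or from the Rampart project): a hypothetical Axis2 handler, SignerCertCheckHandler, that runs in the Security phase after Rampart's SecurityInHandler, pulls the certificate that verified the signature out of the WSS4J results, and then checks its validity dates and revocation status with the standard JDK PKIX APIs. It assumes the WSS4J 1.5-era API where results are stored under WSHandlerConstants.RECV_RESULTS as a Vector of WSHandlerResult and each WSSecurityEngineResult exposes getAction() and getCertificate(); the trust store path and password are taken from the interop.properties in the thread and would normally be read from the service parameters instead.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Iterator;
import java.util.Vector;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

/**
 * Hypothetical handler (example only): runs after Rampart's SecurityInHandler
 * and rejects the request unless the signer certificate is within its validity
 * period, chains to a trusted CA and is not revoked.
 */
public class SignerCertCheckHandler extends AbstractHandler {

    // Values from the thread's interop.properties; a real deployment would read
    // them from the service parameters rather than hard-code them.
    private static final String TRUST_STORE = "D:/WebServices/keystore/testKeystore";
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    // Axis2 of this era declares invoke() as void; later releases return InvocationResponse.
    public void invoke(MessageContext msgCtx) throws AxisFault {
        X509Certificate signer = findSignerCertificate(msgCtx);
        if (signer == null) {
            // Rampart ran but produced no signature result: fail closed.
            throw new AxisFault("Request carries no verified signature; rejecting");
        }
        try {
            checkSignerCertificate(signer, loadTrustStore());
        } catch (Exception e) {
            throw new AxisFault("Signer certificate rejected: " + e.getMessage(), e);
        }
    }

    /** Locate the certificate that verified the signature in the WSS4J results (assumed API). */
    static X509Certificate findSignerCertificate(MessageContext msgCtx) {
        Vector results = (Vector) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (results == null) {
            return null;
        }
        for (Iterator i = results.iterator(); i.hasNext();) {
            WSHandlerResult handlerResult = (WSHandlerResult) i.next();
            for (Iterator j = handlerResult.getResults().iterator(); j.hasNext();) {
                WSSecurityEngineResult engineResult = (WSSecurityEngineResult) j.next();
                if (engineResult.getAction() == WSConstants.SIGN) {
                    return engineResult.getCertificate();
                }
            }
        }
        return null;
    }

    /** Validity-date check plus PKIX chain building with revocation checking enabled. */
    static void checkSignerCertificate(X509Certificate cert, KeyStore trustStore) throws Exception {
        // 1. Validity period: throws CertificateExpiredException or CertificateNotYetValidException.
        cert.checkValidity();

        // 2. Chain to a trusted anchor with revocation checking. The Sun provider fetches
        //    CRLs from the certificate's distribution points when this property is set
        //    (JDK-specific); OCSP can be enabled with the "ocsp.enable" security property.
        //    If the signer is issued by an intermediate CA, that CA's certificate must be
        //    added to the path below, and the trust store must hold the root as a trusted entry.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(cert));
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true);
        // Throws CertPathValidatorException on an untrusted, expired or revoked chain.
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    static KeyStore loadTrustStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(TRUST_STORE);
        try {
            ks.load(in, TRUST_STORE_PASSWORD);
        } finally {
            in.close();
        }
        return ks;
    }
}
```

To make the ordering hold, the handler is registered with a phase rule that places it in the "Security" phase after the Rampart handler (an `<order phase="Security" after="SecurityInHandler"/>` rule in a module.xml); if it ran first, RECV_RESULTS would be empty and every request would be refused. Failing closed when no signature result is present is deliberate: a handler that silently passes unsigned messages would reproduce the very problem this thread is about.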
From: "Ruchith Fernando" <[EMAIL PROTECTED]>
Reply-To: [email protected]
To: [email protected]
Subject: Re: Axis2: Checking signed SOAP requests with Rampart...
Date: Wed, 14 Jun 2006 10:06:06 +0530
Hi,
You have a slight typo in the Rampart configuration parameter.
<parameter name="InFlowSecurity">
The above should change to <parameter name="InflowSecurity">
Note that the third letter of the parameter name is lower case 'f'.
Also, since you only expect Timestamp and Signature (and no encryption),
the action/items should not have 'Encrypt' in it. Therefore it should
change to:
<items>Timestamp Signature</items>
Thanks,
Ruchith
---------- Forwarded message ----------
From: Johan Roch <[EMAIL PROTECTED]>
Date: Jun 13, 2006 9:17 PM
Subject: Axis2: Checking signed SOAP requests with Rampart...
To: [email protected]
Hello,
I would like to check security for incoming SOAP requests at server side
using the Rampart module (Axis2). I have an existing client that sends
signed SOAP requests (no encryption).
The problem is that the signature is never checked. I can see this in the
log (debug level):
DEBUG - Phase.invoke(372) | Invoking phase "Security"
DEBUG - Phase.invoke(379) | Invoking Handler 'SecurityInHandler' in Phase 'Security'
DEBUG - WSDoAllReceiver.processMessage(92) | WSDoAllReceiver: enter invoke()
DEBUG - Phase.invoke(392) | Checking post-conditions for phase "Security"
DEBUG - Phase.invoke(362) | Checking pre-condition for Phase "PreDispatch"
DEBUG - Phase.invoke(372) | Invoking phase "PreDispatch"
DEBUG - Phase.invoke(379) | Invoking Handler 'AddressingFinalInHandler' in Phase 'PreDispatch'
DEBUG - AddressingInHandler.invoke(71) | Starting WS-Addressing Final IN handler ...
DEBUG - AddressingInHandler.invoke(87) | No Headers present corresponding to WS-Addressing Final
DEBUG - Phase.invoke(379) | Invoking Handler 'AddressingSubmissionInHandler' in Phase 'PreDispatch'
DEBUG - AddressingInHandler.invoke(71) | Starting WS-Addressing Submission IN handler ...
DEBUG - AddressingInHandler.invoke(87) | No Headers present corresponding to WS-Addressing Submission
It seems that the handler is invoked but the security headers are not found.
Is there something wrong with my request below?
Thx in advance.
Johan.
<?xml version='1.0' encoding='utf-8'?><soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soapenv:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
mustUnderstand="1" soapenv:actor="">
<wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="Id-ref2VerifySignature"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDjjCCAnagAwIBAgILAQAAAAABAxNSI6QwDQYJKoZIhvcNAQEFBQAwJTELMAkGA1UEBhMCQkUx...</wsse:BinarySecurityToken><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
/>
<ds:Reference URI="#id-21826773">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>iLwjzNrDGK562cdtEMfDi0mALgM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
gLziQrLd7oAAxd67IChIDKgImRuPbKrLe0ZuyIa+fFesfrZFuCc643Q6lfTMs0rXXYEU3btQdEpQ
CQObiTCH1A==
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-1899108">
<wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-8047015"><wsse:Reference URI="#Id-ref2VerifySignature"
/></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2006-06-13T15:31:03Z</wsu:Created><wsu:Expires>2006-06-13T15:31:03Z</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header><soapenv:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-21826773"><fphp100
xmlns="http://fsb.belgium.be/prove"><ns1:fphp100
xmlns:ns1="http://fsb.belgium.be/prove/fphp100"><ns2:notary
xmlns:ns2="http://fsb.belgium.be/prove/notary"><ns2:office_id>217063</ns2:office_id><ns2:lang>fr</ns2:lang><ns2:nrn>60052301706</ns2:nrn><ns2:num_kbo_not>0477430931</ns2:num_kbo_not><ns2:num_kbo_fed>0409357321</ns2:num_kbo_fed></ns2:notary><ns1:person><ns1:last_name>r</ns1:last_name><ns1:birth_date_year>1977</ns1:birth_date_year></ns1:person></ns1:fphp100></fphp100></soapenv:Body></soapenv:Envelope>
Services.xml:
<serviceGroup>
<service name="findPerson">
<messageReceivers>
<messageReceiver
mep="http://www.w3.org/2004/08/wsdl/in-out"
class="com.notary.fphp.FindPersonMessageReceiverInOut"/>
</messageReceivers>
<parameter name="ServiceClass" locked="false">
com.notary.fphp.FindPersonSkeleton
</parameter>
<parameter name="InFlowSecurity">
<action>
<items>Timestamp Signature Encrypt</items>
<signaturePropFile>interop.properties</signaturePropFile>
</action>
</parameter>
<operation name="fphp100"
mep="http://www.w3.org/2004/08/wsdl/in-out">
<actionMapping>http://fsb.belgium.be/prove/fphp100</actionMapping>
</operation>
<operation name="testSOAPFault"
mep="http://www.w3.org/2004/08/wsdl/in-out">
<actionMapping>http://fsb.belgium.be/prove/testSOAPFault</actionMapping>
</operation>
<operation name="ping" mep="http://www.w3.org/2004/08/wsdl/in-out">
<actionMapping>http://fsb.belgium.be/prove/ping</actionMapping>
</operation>
</service>
</serviceGroup>
interop.properties:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=changeit
org.apache.ws.security.crypto.merlin.file=D:/WebServices/keystore/testKeystore
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]