Hi, Sorry about the delay in my response.
You can get hold of the security processing results in another handler or at the service. And the certificate information is available in the results. This [1] is an example that shows how to get the security processing results from the message context.

Thanks,
Ruchith

[1] http://www.wso2.net/kb/169

On 6/16/06, Johan Roch <[EMAIL PROTECTED]> wrote:

Thanks! Now I just have one question left: if we want to customize verification to perform additional checks, what is the best way to do it? For example, if we want to check the signer certificate's validity dates and revocation status... Should we use an additional handler?

>From: "Ruchith Fernando" <[EMAIL PROTECTED]>
>Reply-To: [email protected]
>To: [email protected]
>Subject: Re: Axis2: Checking signed SOAP requests with Rampart...
>Date: Wed, 14 Jun 2006 10:06:06 +0530
>
>Hi,
>
>You have a slight typo in the rampart configuration parameter.
>
>> <parameter name="InFlowSecurity">
>
>The above should change to <parameter name="InflowSecurity">
>Note that the third letter of the parameter name is lower case 'f'.
>
>Also since you only expect Timestamp and Signature (and no encryption)
>the action/items should not have 'Encrypt' in it. Therefore it should
>change to:
><items>Timestamp Signature</items>
>
>Thanks,
>Ruchith
>
>---------- Forwarded message ----------
>From: Johan Roch <[EMAIL PROTECTED]>
>Date: Jun 13, 2006 9:17 PM
>Subject: Axis2: Checking signed SOAP requests with Rampart...
>To: [email protected]
>
>
>Hello,
>
>I would like to check security for incoming SOAP requests at server side
>using the Rampart module (Axis 2). I have an existing client that sends
>signed SOAP requests (no encryption).
>The problem is that the signature is never checked. I can see this in the
>log (debug level):
>
>DEBUG - Phase.invoke(372) | Invoking phase "Security"
>DEBUG - Phase.invoke(379) | Invoking Handler 'SecurityInHandler' in Phase 'Security'
>DEBUG - WSDoAllReceiver.processMessage(92) | WSDoAllReceiver: enter invoke()
>DEBUG - Phase.invoke(392) | Checking post-conditions for phase "Security"
>DEBUG - Phase.invoke(362) | Checking pre-condition for Phase "PreDispatch"
>DEBUG - Phase.invoke(372) | Invoking phase "PreDispatch"
>DEBUG - Phase.invoke(379) | Invoking Handler 'AddressingFinalInHandler' in Phase 'PreDispatch'
>DEBUG - AddressingInHandler.invoke(71) | Starting WS-Addressing Final IN handler ...
>DEBUG - AddressingInHandler.invoke(87) | No Headers present corresponding to WS-Addressing Final
>DEBUG - Phase.invoke(379) | Invoking Handler 'AddressingSubmissionInHandler' in Phase 'PreDispatch'
>DEBUG - AddressingInHandler.invoke(71) | Starting WS-Addressing Submission IN handler ...
>DEBUG - AddressingInHandler.invoke(87) | No Headers present corresponding to WS-Addressing Submission
>
>
>It seems that the handler is invoked but the security headers are not found.
>Is there something wrong with my request below?
>
>Thx in advance.
>Johan.
>
><?xml version='1.0' encoding='utf-8'?>
><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>  <soapenv:Header>
>    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>        mustUnderstand="1" soapenv:actor="">
>      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>          wsu:Id="Id-ref2VerifySignature"
>          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDjjCCAnagAwIBAgILAQAAAAABAxNSI6QwDQYJKoZIhvcNAQEFBQAwJTELMAkGA1UEBhMCQkUx
>FjAUBgNVBAMTDUdvdmVybm1lbnQgQ0EwHhcNMDUwNDA1MTcwNDM5WhcNMDYwNDA1MTcwNDM5WjBE
>MQswCQYDVQQGEwJCRTEQMA4GA1UEAxMHRlJOQi5CRTEUMBIGA1UEChMLNDA5LjM1Ny4zMjExDTAL
>BgNVBAsTBEZSTkIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp1VEDpvYhctJp+agiQdpzsWsC6zI
>nIUo7EkrIGQEbrI1COcvLIsQp3CN10sHAhOkFIu0A+H+onJ2XgTEt2FAhwIDAQABo4IBZjCCAWIw
>RAYDVR0gBD0wOzA5BgdgOAEBAQMDMC4wLAYIKwYBBQUHAgEWIGh0dHA6Ly9yZXBvc2l0b3J5LmVp
>ZC5iZWxnaXVtLmJlMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBT1Qdziis6XVgXoU2dG1/RP
>Z7J2DzAdBgNVHQ4EFgQUXiuc2/NDXnAqbnoTGE1JHzTX0VAwPQYDVR0fBDYwNDAyoDCgLoYsaHR0
>cDovL2NybC5laWQuYmVsZ2l1bS5iZS9nb3Zlcm5tZW50MjAwNS5jcmwwCQYDVR0TBAIwADARBglg
>hkgBhvhCAQEEBAMCBLAwbQYIKwYBBQUHAQEEYTBfMDUGCCsGAQUFBzAChilodHRwOi8vY2VydHMu
>ZWlkLmJlbGdpdW0uYmUvYmVsZ2l1bXJzLmNydDAmBggrBgEFBQcwAYYaaHR0cDovL29jc3AuZWlk
>LmJlbGdpdW0uYmUwDQYJKoZIhvcNAQEFBQADggEBABOqebsV63FaY1Ekf5TS9WufW4+zJRe3BOZs
>ZUGPMFUJs65nWsjlzMtOHS3wfyReq01uIG2HQkZ0XK+/NJ56Xh+xJNywgbo9mxRhCBgTUqSM/feT
>uYPrZAB1O7QHEH4PLoDNtJtZ8+Zz+GXfARLS5AMSfjqtxwvj4+Pgt6HAuxHb/4mDS1C4xFQNZhZR
>+XkFtFku1AjN9cXQMFN6vtmYKhwduPj6yxtE4wmnZ559V9DyFLi/feonoA1/H1vIwAGWbhYIjEDG
>yApoBEBoGkpHvoWeoQRWwiRf9WGIbLZ5Mcq1SFGPF06+4kkYmJUnPNtXT3yO2hHBP8c4ftXsrgHu
>iBo=</wsse:BinarySecurityToken>
>      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>        <ds:SignedInfo>
>          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>          <ds:Reference URI="#id-21826773">
>            <ds:Transforms>
>              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>            </ds:Transforms>
>            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>            <ds:DigestValue>iLwjzNrDGK562cdtEMfDi0mALgM=</ds:DigestValue>
>          </ds:Reference>
>        </ds:SignedInfo>
>        <ds:SignatureValue>
>gLziQrLd7oAAxd67IChIDKgImRuPbKrLe0ZuyIa+fFesfrZFuCc643Q6lfTMs0rXXYEU3btQdEpQ
>CQObiTCH1A==
>        </ds:SignatureValue>
>        <ds:KeyInfo Id="KeyId-1899108">
>          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>              wsu:Id="STRId-8047015">
>            <wsse:Reference URI="#Id-ref2VerifySignature" />
>          </wsse:SecurityTokenReference>
>        </ds:KeyInfo>
>      </ds:Signature>
>      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>        <wsu:Created>2006-06-13T15:31:03Z</wsu:Created>
>        <wsu:Expires>2006-06-13T15:31:03Z</wsu:Expires>
>      </wsu:Timestamp>
>    </wsse:Security>
>  </soapenv:Header>
>  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>      wsu:Id="id-21826773">
>    <fphp100 xmlns="http://fsb.belgium.be/prove">
>      <ns1:fphp100 xmlns:ns1="http://fsb.belgium.be/prove/fphp100">
>        <ns2:notary xmlns:ns2="http://fsb.belgium.be/prove/notary">
>          <ns2:office_id>217063</ns2:office_id>
>          <ns2:lang>fr</ns2:lang>
>          <ns2:nrn>60052301706</ns2:nrn>
>          <ns2:num_kbo_not>0477430931</ns2:num_kbo_not>
>          <ns2:num_kbo_fed>0409357321</ns2:num_kbo_fed>
>        </ns2:notary>
>        <ns1:person>
>          <ns1:last_name>r</ns1:last_name>
>          <ns1:birth_date_year>1977</ns1:birth_date_year>
>        </ns1:person>
>      </ns1:fphp100>
>    </fphp100>
>  </soapenv:Body>
></soapenv:Envelope>
>
>Services.xml:
>
><serviceGroup>
>  <service name="findPerson">
>    <messageReceivers>
>      <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out"
>          class="com.notary.fphp.FindPersonMessageReceiverInOut"/>
>    </messageReceivers>
>    <parameter name="ServiceClass" locked="false">
>      com.notary.fphp.FindPersonSkeleton
>    </parameter>
>
>    <parameter name="InFlowSecurity">
>      <action>
>        <items>Timestamp Signature Encrypt</items>
>        <signaturePropFile>interop.properties</signaturePropFile>
>      </action>
>    </parameter>
>
>    <operation name="fphp100" mep="http://www.w3.org/2004/08/wsdl/in-out">
>      <actionMapping>http://fsb.belgium.be/prove/fphp100</actionMapping>
>    </operation>
>    <operation name="testSOAPFault" mep="http://www.w3.org/2004/08/wsdl/in-out">
>      <actionMapping>http://fsb.belgium.be/prove/testSOAPFault</actionMapping>
>    </operation>
>    <operation name="ping" mep="http://www.w3.org/2004/08/wsdl/in-out">
>      <actionMapping>http://fsb.belgium.be/prove/ping</actionMapping>
>    </operation>
>  </service>
></serviceGroup>
>
>interop.properties:
>
>org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>org.apache.ws.security.crypto.merlin.keystore.type=jks
>org.apache.ws.security.crypto.merlin.keystore.password=changeit
>org.apache.ws.security.crypto.merlin.file=D:/WebServices/keystore/testKeystore
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
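A worked example of what the two messages above discuss, added here and not taken from the thread or from Rampart/WSS4J: an additional Axis2 handler, deployed in a phase after "Security", that reads the WS-Security processing results Rampart leaves in the MessageContext, takes the certificate that verified the signature, and fails the request unless that certificate is within its validity dates and passes PKIX path validation with revocation checking against a local trust store. Assumptions, all mine: the Axis2 1.1+ handler signature returning InvocationResponse (Axis2 1.0 handlers returned void), the WSS4J 1.5.0-1.5.3 accessors getAction()/getCertificate() on WSSecurityEngineResult (later 1.5.x releases expose the same data as map entries on the result), the RECV_RESULTS property holding a Vector of WSHandlerResult, and placeholder trust-store path and password. Wiring the handler into a phase after Security in axis2.xml or a module.xml is not shown. One observation that the check would have surfaced: decoding the BinarySecurityToken quoted above gives a notAfter of 2006-04-05T17:04:39Z (issuer CN "Government CA", C=BE), two months before the request's Created time of 2006-06-13, so the signer certificate was already expired when this message was sent; the same Timestamp also has Created equal to Expires, which any receiver enforcing Expires treats as stale on arrival.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.engine.Handler.InvocationResponse;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

/**
 * Example handler (not Rampart/WSS4J code) for a phase after "Security": rejects the
 * request unless the certificate that verified the signature is currently valid and
 * chains to a trust anchor with revocation checking enabled (fail-closed).
 */
public class SignerCertificateCheckHandler extends AbstractHandler {

    // Placeholders (hypothetical values): point these at the deployment's trust store.
    private static final String TRUSTSTORE_PATH = System.getProperty("signer.truststore", "/path/to/truststore.jks");
    private static final String TRUSTSTORE_PASSWORD = System.getProperty("signer.truststore.password", "changeit");

    private Set<TrustAnchor> trustAnchors;

    /** Axis2 instantiates handlers reflectively, so the no-arg constructor does the setup. */
    public SignerCertificateCheckHandler() {
        // Standard Sun/Oracle JDK switches: fetch CRLs from the certificate's distribution
        // points and query the OCSP responder it names during PKIX validation.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        Security.setProperty("ocsp.enable", "true");
        try {
            trustAnchors = loadTrustAnchors(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD.toCharArray());
        } catch (Exception e) {
            throw new IllegalStateException("cannot load trust store " + TRUSTSTORE_PATH, e);
        }
    }

    /** Axis2 1.1+ signature (assumed); Axis2 1.0 handlers returned void. */
    public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        // Rampart/WSS4J stores a Vector of WSHandlerResult under RECV_RESULTS (assumed layout).
        Vector handlerResults = (Vector) msgContext.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) {
            throw new AxisFault("request was not processed by the WS-Security handler");
        }
        X509Certificate signer = findSignerCertificate(handlerResults);
        if (signer == null) {
            throw new AxisFault("request carries no verified signature");
        }
        checkSignerCertificate(signer, trustAnchors, new Date());
        return InvocationResponse.CONTINUE;
    }

    /** Certificate of the first SIGN result, or null when nothing in the message was signed. */
    static X509Certificate findSignerCertificate(Vector handlerResults) {
        for (int i = 0; i < handlerResults.size(); i++) {
            Vector results = ((WSHandlerResult) handlerResults.get(i)).getResults();
            for (int j = 0; j < results.size(); j++) {
                WSSecurityEngineResult r = (WSSecurityEngineResult) results.get(j);
                // getAction()/getCertificate(): WSS4J 1.5.0-1.5.3 accessors (assumed).
                if (r.getAction() == WSConstants.SIGN) {
                    return r.getCertificate();
                }
            }
        }
        return null;
    }

    /** Validity-date check, then PKIX validation with revocation required. */
    static void checkSignerCertificate(X509Certificate cert, Set<TrustAnchor> anchors, Date at) throws AxisFault {
        try {
            cert.checkValidity(at); // CertificateExpiredException / CertificateNotYetValidException
        } catch (CertificateException e) {
            throw new AxisFault("signer certificate not valid at " + at + ": " + cert.getSubjectX500Principal());
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath path = cf.generateCertPath(Collections.singletonList(cert));
            PKIXParameters params = new PKIXParameters(anchors);
            params.setDate(at);
            params.setRevocationEnabled(true); // unreachable CRL/OCSP status means rejection, not acceptance
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (GeneralSecurityException e) {
            throw new AxisFault("signer certificate rejected: " + e.getMessage());
        }
    }

    /** Every certificate entry in the JKS file becomes a trust anchor. */
    static Set<TrustAnchor> loadTrustAnchors(String path, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        return anchors;
    }
}
```

The single-certificate CertPath is enough when the issuing CA itself is in the trust store, as with the Government CA that issued the quoted token; if intermediates sit between the signer and the anchor, build the chain with CertPathBuilder (or take the extra certificates WSS4J extracted from the token) before validating. Keeping the check in its own handler, as Johan suggests, leaves Rampart's signature verification untouched and makes the policy (which anchors, whether OCSP failures are fatal) a deployment setting rather than part of the service code.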
