Hi Tirtza,
       What is the header you need to sign? You should provide the name and
the namespace of the header you want to sign.
e.g.
         <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
             <sp:Header sp:Name="Action" sp:Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
         </sp:SignedParts>
sp:Name is optional but the sp:Namespace is mandatory. If the sp:Name is not
given, all the SOAP headers with the given namespace will be signed.

Regards,
Nandana
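
The rule in the reply above (sp:Namespace mandatory, sp:Name optional) can be checked against a concrete message. This is an added example, not part of the original thread and not Rampart code: a Python script that reads sp:SignedParts and lists the parts no ds:Reference points at. The function names and the sample envelope and policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSU_ID = f"{{{WSU}}}Id"

def required_parts(policy_xml):
    """Return (body_required, [(name_or_None, namespace), ...]) from sp:SignedParts."""
    body, headers = False, []
    for parts in ET.fromstring(policy_xml).iter(f"{{{SP}}}SignedParts"):
        body = body or parts.find(f"{{{SP}}}Body") is not None
        for h in parts.findall(f"{{{SP}}}Header"):
            # Accept the sp:-qualified attributes used in the thread and the bare form.
            ns = (h.get(f"{{{SP}}}Namespace") or h.get("Namespace") or "").strip()
            if not ns:  # the bare <sp:Header/> case from the thread
                raise ValueError("sp:Header has no Namespace attribute")
            headers.append((h.get(f"{{{SP}}}Name") or h.get("Name"), ns))
    return body, headers

def unsigned_parts(policy_xml, envelope_xml):
    """List parts the policy wants signed that no ds:Reference URI points at.
    Checks reference coverage only; it does not verify digests or the signature."""
    body_required, headers = required_parts(policy_xml)
    env = ET.fromstring(envelope_xml)
    signed = {r.get("URI", "")[1:] for r in env.iter(f"{{{DS}}}Reference")
              if r.get("URI", "").startswith("#")}
    child = lambda local: next((c for c in env if c.tag.endswith("}" + local)), None)
    missing = []
    soap_body = child("Body")
    if body_required and (soap_body is None or soap_body.get(WSU_ID) not in signed):
        missing.append("Body")
    hdr = child("Header")
    for el in (hdr if hdr is not None else []):
        uri, _, local = el.tag.lstrip("{").partition("}")
        for name, ns in headers:  # name None means every header in that namespace
            if uri == ns and name in (None, local) and el.get(WSU_ID) not in signed:
                missing.append(f"{{{uri}}}{local}")
                break
    return missing

# Constructed sample (wsse:Security wrapper omitted): only the Body is referenced.
ENVELOPE = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsa="{WSA}" xmlns:ds="{DS}" xmlns:wsu="{WSU}">
 <s:Header><wsa:Action wsu:Id="id-2">urn:ping</wsa:Action><wsa:To>urn:svc</wsa:To>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#id-1"/></ds:SignedInfo></ds:Signature>
 </s:Header><s:Body wsu:Id="id-1"/></s:Envelope>"""
POLICY = f"""<sp:SignedParts xmlns:sp="{SP}"><sp:Body/>
 <sp:Header sp:Name="Action" sp:Namespace="{WSA}"/></sp:SignedParts>"""
```

With the constructed inputs, `unsigned_parts(POLICY, ENVELOPE)` reports the wsa:Action header, because the signature references only the Body.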


On 10/18/07, Tirtza Bernstein <[EMAIL PROTECTED]> wrote:
>
>  Thank you very much.  I need the header signed. When I change it to
> <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>     <sp:Header/>
> </sp:SignedParts>
> I get a NullPointerException because I need a namespace included.
> What namespace should I add?
> My result soap header needs to look like this
>
>
> <soapenv:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>     soapenv:mustUnderstand="1">
> <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>     ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> wsu:Id="CertId-5042131">MIIDTDCCArWgAwIBAgIBBTANBgkqhkiG9w0BAQQFADBwMQswCQYDVQQGEwJHQjEPMA0GA1UECBMGTG9uZG9uMQ8wDQYDVQQHEwZMb25kb24xGz
>
> AZBgNVBAoTEk5vbWFkIFNvZnR3YXJlIEx0ZDEMMAoGA1UECxMDTlBTMRQwEgYDVQQDEwtXZWJTZXJ2aWNlczAeFw0wNzA3MjUxMTIyMjJaFw0wODA3MjQxMTIyMjJaMGQxCzAJBgNVBAYTAlVTMQsw
> CQYDVQQIEwJOSjEPMA0GA1UEBxMGTmV3YXJrM*********************rest of
> certificate id **********</wsse:BinarySecurityToken>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-24430720">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
> <ds:Reference URI="#id-19475765">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>AGcqQst2YH+aiHx+FPrIvl5oEtY=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
>
> BFlqCgd6xiu57hahZ2GoeAgIbKdmrmvCnvoxuQhSXXXOdyMWMOBUSVY59e8WWyyjVEUMn4s2gDpF
>
> ORoRvlTzen6pMojPLEdD0KbBa9RATyINBtN9qxZmj8Qgs6eYzKXzeuan5+1mLV11MANbV8cjSIx0
> nfm16bYcct0tBVBjWcc=
> </ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-1777337">
> <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     wsu:Id="STRId-18753567">
> <wsse:Reference URI="#CertId-5042131"
>     ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soapenv:Header>
>
>  ------------------------------
> *From:* Nandana Mihindukulasooriya [mailto:[EMAIL PROTECTED]
> *Sent:* Thursday, October 18, 2007 4:23 PM
> *To:* [email protected]
> *Subject:* Re: Rampart signature
>
> Hi Tirtza,
>       It seems something like this would work for you. You have to
> specify what should be signed within the
> <sp:SignedParts></sp:SignedParts>.
>
> <wsp:Policy wsu:Id="MutualCertificate10Sign_IPingService_policy"
>             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>             xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
>     <wsp:ExactlyOne>
>         <wsp:All>
>             <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                 <wsp:Policy>
>                     <sp:InitiatorToken>
>                         <wsp:Policy>
>                             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                                 <wsp:Policy>
>                                     <sp:WssX509V3Token10/>
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:InitiatorToken>
>                     <sp:RecipientToken>
>                         <wsp:Policy>
>                             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                                 <wsp:Policy>
>                                     <sp:WssX509V3Token10/>
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:RecipientToken>
>                     <sp:AlgorithmSuite>
>                         <wsp:Policy>
>                             <sp:Basic256/>
>                         </wsp:Policy>
>                     </sp:AlgorithmSuite>
>                     <sp:Layout>
>                         <wsp:Policy>
>                             <sp:Strict/>
>                         </wsp:Policy>
>                     </sp:Layout>
>                     <sp:OnlySignEntireHeadersAndBody/>
>                 </wsp:Policy>
>             </sp:AsymmetricBinding>
>             <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                 <sp:Body/>
>             </sp:SignedParts>
>             <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                 <wsp:Policy>
>                     <sp:MustSupportRefKeyIdentifier/>
>                     <sp:MustSupportRefIssuerSerial/>
>                 </wsp:Policy>
>             </sp:Wss10>
>             <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                 <wsp:Policy>
>                     <sp:MustSupportIssuedTokens/>
>                     <sp:RequireClientEntropy/>
>                     <sp:RequireServerEntropy/>
>                 </wsp:Policy>
>             </sp:Trust10>
>             <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>                 <ramp:user>XXX</ramp:user>
>                 <ramp:passwordCallbackClass>com.wso2.interop.wcf.wss10.WSS10Client</ramp:passwordCallbackClass>
>                 <ramp:signatureCrypto>
>                     <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>                         <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>                         <ramp:property name="org.apache.ws.security.crypto.merlin.file">keys/sec.jks</ramp:property>
>                         <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
>                     </ramp:crypto>
>                 </ramp:signatureCrypto>
>             </ramp:RampartConfig>
>         </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> Regards,
> Nandana
>
>
>
>
> On 10/18/07, Tirtza Bernstein <[EMAIL PROTECTED]> wrote:
> >
> >  It looks like you are using axis1.  I need a solution for axis2.
> > I have Rampart set up properly, I just need a policy.xml which will allow
> > me to send a client certificate (no encryption and no timestamp).
> >
> > Does anyone have a policy.xml that defines this?
> >
> >  ------------------------------
> > *From:* Senthivel U S [mailto:[EMAIL PROTECTED]
> > *Sent:* Thursday, October 18, 2007 1:17 PM
> > *To:* [email protected]
> > *Subject:* RE: Rampart signature
> >
> >   Hi,
> >
> >
> >
> > Couple of days back I had the same problem but I could not make it using
> > rampart but solved the problem.  Find below the working code. I have created
> > the stub using wsdl with Eclipse IDE.
> >
> >
> >
> > URL endPointURL = new URL("http:// ");
> > EngineConfiguration config = new FileProvider("client_deploy.wsdd");
> > Service service = new Service(config);
> > TestSoapStub stub = new TestSoapStub(endPointURL, service);
> >
> > stub._setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
> > stub._setProperty(WSHandlerConstants.SIG_PROP_FILE, "client_crypto.properties");
> > stub._setProperty(WSHandlerConstants.USER, "client");
> > stub._setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, "com.unistream.client.ServiceSecurityHandler");
> > stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
> >
> > stub.login(userID, password);
> >
> >
> >
> > client.deploy.wsdd file         (just copy the same contents)
> >
> >
> >
> > <deployment xmlns="http://xml.apache.org/axis/wsdd/"
> >             xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
> >  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
> >  <globalConfiguration>
> >   <requestFlow>
> >    <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
> >    </handler>
> >   </requestFlow>
> >  </globalConfiguration>
> > </deployment>
> >
> >
> >
> > client_crypto.properties file  (just copy the same contents and change
> > the keystore.password, keystore.alias, alias.password, merlin.file according
> > to your spec)
> >
> > org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> > org.apache.ws.security.crypto.merlin.keystore.type=jks
> > org.apache.ws.security.crypto.merlin.keystore.password=xyzabc
> > org.apache.ws.security.crypto.merlin.keystore.alias=client
> > org.apache.ws.security.crypto.merlin.alias.password=xyzabc
> > org.apache.ws.security.crypto.merlin.file=client.jks
> >
> >
> >
> > If you find any other better solution, please let me know.
> >
> >
> >
> > Regards,
> >
> >
> >
> > -senthil
> >
> >
> >  ------------------------------
> >
> > *From:* Tirtza Bernstein [mailto:[EMAIL PROTECTED]
> > *Sent:* Wednesday, October 17, 2007 7:54 PM
> > *To:* [email protected]
> > *Subject:* Rampart signature
> >
> >
> >
> > I am using Axis2-1.3 and Rampart 1.3.
> >
> > I am the client and my requests need to be signed.
> >
> >
> >
> > My axis.client.xml includes the following
> >
> >
> >
> >  <module ref="rampart" />
> >
> >
> >
> >  <parameter name="OutflowSecurity">
> >       <action>
> >         <items>Signature</items>
> >         <user>wally</user>
> >         <signaturePropFile>crypto.properties</signaturePropFile>
> >         <passwordCallbackClass>net.idt.svp.security.PWCallback</passwordCallbackClass>
> >         <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
> >       </action>
> >     </parameter>
> >
> >
> >
> >     <parameter name="InflowSecurity">
> >        <action>
> >          <items>Signature</items>
> >          <signaturePropFile>crypto.properties</signaturePropFile>
> >        </action>
> >     </parameter>
> >
> >
> >
> > My crypto.properties
> >
> >
> >
> >
> > org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> > org.apache.ws.security.crypto.merlin.keystore.type=jks
> >
> > org.apache.ws.security.crypto.merlin.file=J:\svp_prime\trunk\security\test.jks
> > org.apache.ws.security.crypto.merlin.keystore.password=pswd
> >
> > My Client includes the following:
> >
> >         _serviceClient.getOptions().setTo(new org.apache.axis2.addressing.EndpointReference(targetEndpoint));
> >         _serviceClient.getOptions().setUseSeparateListener(useSeparateListener);
> >
> >         StAXOMBuilder builder = new StAXOMBuilder("resources/policy.xml");
> >
> >         Policy clientPolicy = PolicyEngine.getPolicy(builder.getDocumentElement());
> >         _serviceClient.getOptions().setProperty(RampartMessageData.KEY_RAMPART_POLICY, clientPolicy);
> >         _serviceClient.engageModule("rampart");
> >
> > My problem is that I have no clue how to set up the policy.xml.
> > Rampart's examples do not include an example of pure signature only (no
> > timestamp).
> >
> >
> >
> >
> >
> > Can someone supply me with an example?
> >
> > Thanks.
> >
>
>
