Here is the SignedParts node I have in my policy.xml for Rampart 1.3
   <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Body/>
   </sp:SignedParts>
Can you display the policy.xml so we can compare to the Rampart 1.3 Examples?

Thanks,
M-
  ----- Original Message ----- 
  From: Nandana Mihindukulasooriya 
  To: [email protected] 
  Sent: Monday, December 17, 2007 7:10 AM
  Subject: Re: Rampart Issues with EncryptBeforeSigning


  Hi Harsha,


    1) When I set <EncryptedParts> and <SignedParts> to <Body>, 
    <ReferenceList> gets added as a direct child of the <wsse:Security>
    header. However, when I use <SignBeforeEncrypting>, <ReferenceList>
    gets added to <EncryptedKey>. Why this difference? 

  This is because Rampart processes the elements in the security header in the 
  order they appear in the security header. So for the signature to be correctly 
  verified,

  SignBeforeEncrypt case : 
      Reference List must appear before the Signature element. ( so the
  signature is verified over decrypted elements ).

  EncryptBeforeSign case :
     Signature must appear before the Reference List element. ( so the 
  signature is verified over encrypted elements ).

  So in the sign before encrypt case we can add the reference list to the encrypted
  key as an internal reference.

  But in the encrypt before sign case, we have to use an external reference as the 
  reference list has to go after the signature element.



    2) When I set <EncryptedParts> and <SignedParts> to some header, 
    Rampart does the encryption correctly, but doesn't sign. I dug into
    the code and found that after the message is encrypted the original
    nodes are no longer there (because they have been replaced by
    <EncryptedData> elements) and therefore, the signing function can't 
    find any nodes to sign.


  Can you please raise a JIRA in Rampart with the policy you used ?

  Thanks,
  Nandana



    Regards,
    Harsha

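As an added example that is not part of this thread or of Rampart's own code, here is a receiver-side check in Python of the ordering rule Nandana describes: given a stripped-down, constructed wsse:Security header, it works out whether the ReferenceList (internal to EncryptedKey or external) and the Signature appear in an order consistent with a SignBeforeEncrypting or EncryptBeforeSigning policy assertion. The two headers and their Id values are constructed; the namespace URIs are the real WS-Security, XML-Signature and XML-Encryption ones.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
SIGNATURE = "{%s}Signature" % NS["ds"]
REFERENCE_LIST = "{%s}ReferenceList" % NS["xenc"]
ENCRYPTED_KEY = "{%s}EncryptedKey" % NS["xenc"]

# Constructed, stripped-down headers (no real key or digest material).
# Sign-before-encrypt: ReferenceList is an internal reference inside EncryptedKey.
SIGN_BEFORE_ENCRYPT = """<wsse:Security xmlns:wsse="%(wsse)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">
  <xenc:EncryptedKey Id="EK-1">
    <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <ds:Signature Id="SIG-1"/>
</wsse:Security>""" % NS
# Encrypt-before-sign: ReferenceList is an external reference placed after Signature.
ENCRYPT_BEFORE_SIGN = """<wsse:Security xmlns:wsse="%(wsse)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">
  <xenc:EncryptedKey Id="EK-1"/>
  <ds:Signature Id="SIG-1"/>
  <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
</wsse:Security>""" % NS

def processing_order(security_xml):
    """Order in which a header-walking processor meets Signature and ReferenceList.
    A ReferenceList nested in EncryptedKey counts at the EncryptedKey's position,
    because it is processed together with that key (internal reference)."""
    order = []
    for child in ET.fromstring(security_xml):
        if child.tag == ENCRYPTED_KEY and child.find("xenc:ReferenceList", NS) is not None:
            order.append("ReferenceList")
        elif child.tag in (REFERENCE_LIST, SIGNATURE):
            order.append(child.tag.split("}")[1])
    return order

def consistent_with_policy(security_xml, protection_order):
    """True if the header order lets the signature be verified over the right
    content: decrypted for SignBeforeEncrypting, encrypted for EncryptBeforeSigning."""
    order = processing_order(security_xml)
    if "Signature" not in order or "ReferenceList" not in order:
        return False
    sig, ref = order.index("Signature"), order.index("ReferenceList")
    if protection_order == "SignBeforeEncrypting":
        return ref < sig
    if protection_order == "EncryptBeforeSigning":
        return sig < ref
    raise ValueError("unknown protection order: %s" % protection_order)
```

A header whose order contradicts the negotiated policy is worth rejecting or logging on the receiving side, since verifying the signature over the wrong (encrypted or decrypted) content will fail or, worse, check the wrong bytes.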