Hi Bhushan,
In your scenario, the policy should be like the one given below.
That is because you only need the Username token as
a supporting token for establishing the Security Context Token. So the
Username token should be in the bootstrap policy of
the secure conversation token and not in the main policy.
<wsp:Policy wsu:Id="SecureConversation_UserNameOverTransport"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Main binding: every message travels over HTTPS -->
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="false"/>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <!-- The SCT is the supporting token on each message of the conversation -->
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <!-- Bootstrap policy: applies only when the SCT is established,
                   so the UsernameToken is required only here -->
              <sp:BootstrapPolicy>
                <wsp:Policy>
                  <sp:TransportBinding>
                    <wsp:Policy>
                      <sp:TransportToken>
                        <wsp:Policy>
                          <sp:HttpsToken RequireClientCertificate="false"/>
                        </wsp:Policy>
                      </sp:TransportToken>
                      <sp:AlgorithmSuite>
                        <wsp:Policy>
                          <sp:Basic256/>
                        </wsp:Policy>
                      </sp:AlgorithmSuite>
                      <sp:Layout>
                        <wsp:Policy>
                          <sp:Lax/>
                        </wsp:Policy>
                      </sp:Layout>
                      <sp:IncludeTimestamp/>
                    </wsp:Policy>
                  </sp:TransportBinding>
                  <sp:SignedSupportingTokens>
                    <wsp:Policy>
                      <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                          <sp:WssUsernameToken10/>
                        </wsp:Policy>
                      </sp:UsernameToken>
                    </wsp:Policy>
                  </sp:SignedSupportingTokens>
                </wsp:Policy>
              </sp:BootstrapPolicy>
            </wsp:Policy>
          </sp:SecureConversationToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Regards,
Nandana
On Jan 24, 2008 9:24 PM, Bhushan Gupte <[EMAIL PROTECTED]> wrote:
> Hi Nandana,
>
> I am trying to merge the policies of Sample01 and Sample04 from
> "samples/policy".
>
> I am trying to test a policy to pass a SecureConversation Token without
> using an encryption certificate (X.509) as defined in the policy of Sample04.
>
> As the web service URI will be on a secure HTTP connection (https), can we
> have a policy with a Secure Conversation Token (as we are passing multiple
> messages) and not have one more encryption layer of X509 in the policy file?
>
> I am testing with this modified policy; can you please check what I am
> missing in this:
>
> <wsp:Policy wsu:Id="UTOverTransport"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:HttpsToken RequireClientCertificate="false"/>
>             </wsp:Policy>
>           </sp:SecureConversationToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Lax/>
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp/>
>         </wsp:Policy>
>       </sp:TransportBinding>
>       <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
>         </wsp:Policy>
>       </sp:SignedSupportingTokens>
>
>       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>         <ramp:user>client</ramp:user>
>         <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04.PWCBHandler</ramp:passwordCallbackClass>
>       </ramp:RampartConfig>
>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> Thanks
>
> Bhushan
>
> From: Nandana Mihindukulasooriya [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 23, 2008 10:03 PM
> To: [email protected]
> Subject: Re: How to stop calling PWCallback logic for authentication
> using SecureConversation
>
> Hi Bhushan,
>
> Can you post the modified policy you are using for this scenario so we
> can debug and see?
>
> In a real project scenario the PWCallback class will contain calls to LDAP
> for authentication, and the whole purpose of implementing
> WS-SecureConversation in addition to WS-Security is that we can have a Secure
> Conversation between messages and not have to do LDAP authentication for
> every message.
>
> Yes, I also wonder why we need to call the PWCallback once a SCT is
> established.
>
> Thanks,
> Nandana
>
>
>
>
> Bhushan Gupte
>
> [1] // three calls on the same client; after the first, the SCT should carry the session
>     OMElement response = client.sendReceive(getPayload("Hello world1"));
>     System.out.println("Response 1 : " + response);
>
>     response = client.sendReceive(getPayload("Hello world2"));
>     System.out.println("Response 2 : " + response);
>
>     response = client.sendReceive(getPayload("Hello world3"));
>     System.out.println("Response 3 : " + response);
>
> [2] // password callback handler invoked by Rampart/WSS4J
>     for (int i = 0; i < callbacks.length; i++) {
>         WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
>         String id = pwcb.getIdentifer(); // WSS4J 1.5 accessor (spelled this way in that API)
>         if ("client".equals(id)) {
>             pwcb.setPassword("apache");
>         } else if ("service".equals(id)) {
>             pwcb.setPassword("apache");
>         }
>     }
>
>
--
Nandana Mihindukulasooriya
Software Engineer
WSO2 inc.
http://nandana83.blogspot.com/
http://nandanasm.wordpress.com/
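As an added check that is not part of this thread or of Rampart, here is a small standard-library Python lint for WS-SecurityPolicy documents that flags the layout Nandana's reply corrects: a SecureConversationToken placed inside the TransportBinding, or a UsernameToken in the top-level SignedSupportingTokens rather than inside the SecureConversationToken's BootstrapPolicy. The two policy strings are constructed, condensed versions of the policies above, not verbatim copies.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
NS = {"sp": SP, "wsp": WSP}

def lint_sct_policy(policy_xml):
    """Return findings about SCT/UsernameToken layout; [] means it looks right."""
    root = ET.fromstring(policy_xml)
    parent = {c: p for p in root.iter() for c in p}  # child -> parent map

    def under(el, local):  # is `el` nested anywhere inside an sp:<local> element?
        tag = "{%s}%s" % (SP, local)
        while el in parent:
            el = parent[el]
            if el.tag == tag:
                return True
        return False

    findings = []
    for sct in root.findall(".//sp:SecureConversationToken", NS):
        if under(sct, "TransportBinding"):  # an SCT is not a transport token
            findings.append("SecureConversationToken nested inside TransportBinding")
        boot = sct.find(".//sp:BootstrapPolicy", NS)
        if boot is None:  # nothing says how the SCT gets established
            findings.append("SecureConversationToken has no BootstrapPolicy")
        elif boot.find(".//sp:UsernameToken", NS) is None:
            findings.append("BootstrapPolicy carries no UsernameToken")
    for ut in root.findall(".//sp:UsernameToken", NS):
        if not under(ut, "BootstrapPolicy"):  # would be demanded on every message
            findings.append("UsernameToken outside BootstrapPolicy")
    return findings

# Constructed, condensed forms of the two policies in the thread (not verbatim).
GOOD = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s"><wsp:ExactlyOne><wsp:All>
<sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy><sp:HttpsToken
RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken></wsp:Policy>
</sp:TransportBinding><sp:SignedSupportingTokens><wsp:Policy>
<sp:SecureConversationToken><wsp:Policy><sp:BootstrapPolicy><wsp:Policy>
<sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy>
</sp:SignedSupportingTokens></wsp:Policy></sp:BootstrapPolicy></wsp:Policy>
</sp:SecureConversationToken></wsp:Policy></sp:SignedSupportingTokens>
</wsp:All></wsp:ExactlyOne></wsp:Policy>""" % (WSP, SP)
BAD = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s"><wsp:ExactlyOne><wsp:All>
<sp:TransportBinding><wsp:Policy><sp:SecureConversationToken><wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy>
</sp:SecureConversationToken></wsp:Policy></sp:TransportBinding>
<sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy>
</sp:SignedSupportingTokens></wsp:All></wsp:ExactlyOne></wsp:Policy>""" % (WSP, SP)

if __name__ == "__main__":
    for name, doc in (("bootstrap-layout", GOOD), ("top-level-layout", BAD)):
        print(name, lint_sct_policy(doc) or "ok")
```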