I use the rampart 1.4 sample policy/sample02, deployed it in Tomcat and ran the client.
Stack:
2009-02-14 11:02:24,819 [http-8080-1] INFO org.apache.xml.security.signature.Reference - Verification successful for URI "#Id-33320514"
2009-02-14 11:02:24,819 [http-8080-1] INFO org.apache.xml.security.signature.Reference - Verification successful for URI "#Timestamp-9838079"
2009-02-14 11:02:24,866 [http-8080-1] ERROR org.apache.axis2.engine.AxisEngine - The certificate used for the signature is not trusted
org.apache.axis2.AxisFault: The certificate used for the signature is not trusted
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:166)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)
    at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:133)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)
Caused by: org.apache.rampart.RampartException: The certificate used for the signature is not trusted
    at org.apache.rampart.PolicyBasedResultsValidator.validate(PolicyBasedResultsValidator.java:174)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:204)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
    ... 19 more
2009-02-14 11:02:24,897 [http-8080-1] INFO org.apache.axis2.transport.http.AxisServlet - org.apache.axis2.AxisFault: Error in extracting message properties
2009-02-14 11:06:47,945 [http-8080-1] INFO org.apache.xml.security.signature.Reference - Verification successful for URI "#Id-33320514"
2009-02-14 11:06:47,945 [http-8080-1] INFO org.apache.xml.security.signature.Reference - Verification successful for URI "#Timestamp-9838079"
service.xml
<service name="SignedHeaderBody">
  <description>
    We sign the header and body, but it is not encrypted
  </description>
  <operation name="echo">
    <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
  </operation>
  <operation name="sestej">
    <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
  </operation>
  <parameter name="ServiceClass" locked="false">rampart1_4.sample02.service.PojoService</parameter>
  <module ref="rampart" />
  <module ref="addressing" />
  policy ...
</service>
policy config:
<wsp:Policy wsu:Id="SigOnly"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:RequireThumbprintReference/>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireThumbprintReference/>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:TripleDesRsa15/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
        </wsp:Policy>
      </sp:Wss10>
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body/>
      </sp:SignedParts>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>client</ramp:user>
        <ramp:encryptionUser>service</ramp:encryptionUser>
        <ramp:passwordCallbackClass>rampart1_4.sample02.client.SecurityHandler</ramp:passwordCallbackClass>
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">E:/IDE/eclipse-BIRT/eclipse/workspace/Axis2/client_conf_02/client.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
      </ramp:RampartConfig>
      <!-- pass=apache -->
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Is there any additional configuration in axis2 for rampart? I only include
the module <module ref="rampart"/>.
Regards, Tomaz
Nandana Mihindukulasooriya wrote:
> Can you post the full tomcat stack trace ? Expected behavior is to send
> a SOAP Fault in this scenario. Seems something goes wrong in the fault flow.
>
> thanks,
> nandana
>
> 2009/2/14 TomazM <[email protected]>
>
> I want it to return an XML that shows the SOAP Fault returned, so
> the client understands; how can I achieve this?
>
> I have situation:
> java 1.6_10
> Tomcat 6.0.18
> axis2_1_4
> rampart 1.4
>
> The client sends a SOAP message signed with the wrong key and Rampart returns
> the response as HTML; more precisely I get the Tomcat response:
>
> HTTP Status 500
> The server encountered an internal error () that prevented it from
> fulfilling this request.
>
>
> In axis2 log:
>
> ERROR org.apache.axis2.engine.AxisEngine - The certificate used for
> the signature is not trusted
>
>
> Is there any configuration of the service or rampart to return a SOAP XML
> message with the fault response 'The certificate used for the signature
> is not trusted' or a fault_code so the client could read this message?
>
>
> Regards, Tomaz
>
> --
> Nandana Mihindukulasooriya
> WSO2 inc.
>
> http://nandana83.blogspot.com/
> http://www.wso2.org
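As an added example that is not part of the original post or of the Rampart 1.4 samples, here is an Axis2 1.4 client that engages the SigOnly policy above against the SignedHeaderBody service and, on the client side, tells a real SOAP Fault (with a code and a reason) apart from a reply that was never a SOAP Fault, such as Tomcat's HTML "HTTP Status 500" page. The endpoint, the client repository path, the policy file path, the action and the payload namespace are assumptions.

```java
import javax.xml.namespace.QName;
import org.apache.axiom.om.*;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.AxisFault;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.*;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.*;
import org.apache.rampart.RampartMessageData;

public class SignedEchoClient {
    public static void main(String[] args) throws Exception {
        // assumed: "client_repo" holds the rampart and addressing modules, and the
        // SigOnly policy from the post is saved as policy.xml
        ServiceClient client = new ServiceClient(ConfigurationContextFactory
                .createConfigurationContextFromFileSystem("client_repo", null), null);
        Options options = new Options();
        options.setTo(new EndpointReference("http://localhost:8080/axis2/services/SignedHeaderBody"));
        options.setAction("urn:echo"); // assumed action for the echo operation
        options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, loadPolicy("policy.xml"));
        client.setOptions(options);
        client.engageModule("addressing");
        client.engageModule("rampart");
        try {
            System.out.println("response: " + client.sendReceive(echoPayload("hello")));
        } catch (AxisFault fault) {
            reportFault(fault);
        }
    }
    // A SOAP Fault parsed from the reply carries a fault code and a reason; an
    // AxisFault raised because the reply was not SOAP at all (Tomcat's HTML 500
    // page) has no fault code, so the problem never reached the client as a fault.
    static void reportFault(AxisFault fault) {
        QName code = fault.getFaultCode();
        if (code == null) {
            System.err.println("no SOAP Fault in the reply: " + fault.getMessage());
        } else {
            System.err.println("SOAP Fault " + code + ": " + fault.getReason());
        }
    }
    static Policy loadPolicy(String path) throws Exception {
        return PolicyEngine.getPolicy(new StAXOMBuilder(path).getDocumentElement());
    }
    // RPCMessageReceiver payload <ns:echo><ns:param0>..</ns:param0></ns:echo>; the
    // namespace is an assumption derived from the service class's package name
    static OMElement echoPayload(String text) {
        OMFactory f = OMAbstractFactory.getOMFactory();
        OMNamespace ns = f.createOMNamespace("http://service.sample02.rampart1_4", "ns");
        OMElement echo = f.createOMElement("echo", ns);
        OMElement param = f.createOMElement("param0", ns);
        param.setText(text);
        echo.addChild(param);
        return echo;
    }
}
```

When the trust check fails on the service side, the "no SOAP Fault in the reply" branch is the one that fires as long as Tomcat answers with its HTML error page, which is the behaviour the thread is about.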