Hi Nathan,

Can you please try the attached patch with the rampart trunk and see
if you still have the same issue.

Thanks,
Ruchith

On Mon, Mar 18, 2013 at 1:12 AM, Nathan Clement
<nathan.a.clem...@hotmail.com> wrote:
> Hi,
>
> I'm trying to use a UsernameToken with a hashed password and an X.509 token
> for signatures.  My policy file is below - it contains both sp:UsernameToken
> and sp:X509Token.  No encryption should be performed in this scenario and we
> are using HTTPS for transport.
>
> I get the following exception when using this policy file:
>
> Caused by: org.apache.rampart.RampartException: Encryption user not
> specified (The context is created by the initiating party)
>     at
> org.apache.rampart.util.RampartUtil.setEncryptionUser(RampartUtil.java:1308)
>     at
> org.apache.rampart.util.RampartUtil.setEncryptionUser(RampartUtil.java:1296)
>     at
> org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:538)
>     at
> org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:90)
>     at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
>     at
> org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
>
> With the help of SVN blame, I found that a change was made in
> https://issues.apache.org/jira/browse/RAMPART-106 that forces the
> UsernameToken to be encrypted (BindingBuilder:428 in the current trunk).
>
> I found the following in the WS-Security UsernameToken profile:
>
> /wsse:UsernameToken/wsse:Password
> This optional element provides password information (or equivalent such as a
> hash). It is RECOMMENDED that this element only be passed when a secure
> transport (e.g. HTTP/S) is being used or if the token itself is being
> encrypted.
>
>
> We are using HTTPS for transport, so encryption of the token doesn't seem to
> be necessary.  Is there something I'm missing, or should the logic from
> RAMPART-106 only apply in certain situations?
>
> Thanks,
>
> Nathan
>
> <?xml version="1.0" encoding="UTF-8"?>
> <wsp:Policy wsu:Id="UTOverTransport"
>             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:HashPassword/>
>             </wsp:Policy>
>           </sp:UsernameToken>
>         </wsp:Policy>
>       </sp:SignedSupportingTokens>
>
>       <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:RequireThumbprintReference/>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireThumbprintReference/>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256Sha256/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict/>
>             </wsp:Policy>
>           </sp:Layout>
>
>           <sp:IncludeTimestamp/>
>           <sp:OnlySignEntireHeadersAndBody/>
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>
>       <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier/>
>           <sp:MustSupportRefIssuerSerial/>
>         </wsp:Policy>
>       </sp:Wss11>
>
>       <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <sp:Body/>
>         <sp:Header Name="Messaging"
>                    Namespace="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/" />
>         <sp:Attachments />
>       </sp:SignedParts>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
>



-- 
http://ruchith.org

Attachment: ut_encr.patch
Description: Binary data
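
The following is an added example, not part of the original messages or of Rampart's code: a small Python check that reports, for a WS-SecurityPolicy 1.2 document like the one quoted above, which supporting-token assertion holds each sp:UsernameToken and which binding the policy declares. The function name `audit_username_tokens`, the `relies_on_external_transport` heuristic and the trimmed sample policy are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
BINDINGS = ("TransportBinding", "SymmetricBinding", "AsymmetricBinding")
# Supporting-token assertion names from WS-SecurityPolicy 1.2.
SUPPORTING = ("SupportingTokens", "SignedSupportingTokens",
              "EndorsingSupportingTokens", "SignedEndorsingSupportingTokens",
              "EncryptedSupportingTokens", "SignedEncryptedSupportingTokens",
              "EndorsingEncryptedSupportingTokens",
              "SignedEndorsingEncryptedSupportingTokens")

# Constructed sample: the policy from the message, trimmed to the relevant parts.
SAMPLE_POLICY = f"""
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="{SP}">
 <wsp:ExactlyOne><wsp:All>
  <sp:SignedSupportingTokens><wsp:Policy>
   <sp:UsernameToken><wsp:Policy><sp:HashPassword/></wsp:Policy></sp:UsernameToken>
  </wsp:Policy></sp:SignedSupportingTokens>
  <sp:AsymmetricBinding><wsp:Policy><sp:IncludeTimestamp/></wsp:Policy></sp:AsymmetricBinding>
 </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

def audit_username_tokens(policy_xml):
    """Report how each sp:UsernameToken in a policy is protected."""
    root = ET.fromstring(policy_xml)
    bindings = [b for b in BINDINGS if root.find(f".//{{{SP}}}{b}") is not None]
    findings = []
    for kind in SUPPORTING:
        for container in root.iter(f"{{{SP}}}{kind}"):
            for token in container.iter(f"{{{SP}}}UsernameToken"):
                encrypted = "Encrypted" in kind
                findings.append({
                    "container": kind,
                    "hashed": token.find(f".//{{{SP}}}HashPassword") is not None,
                    "signed": kind.startswith("Signed"),
                    "encrypted_by_policy": encrypted,
                    "bindings": bindings,
                    # Heuristic (assumption of this example): the policy declares
                    # neither token encryption nor a transport binding, so token
                    # confidentiality rests on HTTPS configured outside the policy.
                    "relies_on_external_transport":
                        not encrypted and "TransportBinding" not in bindings,
                })
    return findings

if __name__ == "__main__":
    for finding in audit_username_tokens(SAMPLE_POLICY):
        print(finding)
```
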
