Hi Ruchith,

Thanks yet again for your help :)

Nathan

Sent from Windows Mail

From: Ruchith Fernando
Sent: 22 March 2013 11:06 AM
To: java-dev@axis.apache.org
Subject: Re: Rampart: UsernameToken and X.509 certificates

Hi Nathan,

Sounds good. I don't think we need a JIRA for this. I will check in this change.

Thanks,
Ruchith

On Thu, Mar 21, 2013 at 6:13 PM, Nathan Clement <nathan.a.clem...@hotmail.com> wrote:
> Hi Ruchith,
>
> Thanks for the patch. I applied it and it solved my problem - I no longer
> get an exception in this case. Is there a JIRA for this?
>
> Thanks,
>
> Nathan
>
> Date: Tue, 19 Mar 2013 18:43:19 -0400
> Subject: Re: Rampart: UsernameToken and X.509 certificates
> From: ruchith.ferna...@gmail.com
> To: java-dev@axis.apache.org
>
> Hi Nathan,
>
> Can you please try the attached patch with the rampart trunk and see
> if you still have the same issue.
>
> Thanks,
> Ruchith
>
> On Mon, Mar 18, 2013 at 1:12 AM, Nathan Clement
> <nathan.a.clem...@hotmail.com> wrote:
>> Hi,
>>
>> I'm trying to use a UsernameToken with a hashed password and an X.509
>> token for signatures. My policy file is below - it contains both
>> sp:UsernameToken and sp:X509Token. No encryption should be performed in
>> this scenario and we are using HTTPS for transport.
>>
>> I get the following exception when using this policy file:
>>
>> Caused by: org.apache.rampart.RampartException: Encryption user not specified (The context is created by the initiating party)
>>     at org.apache.rampart.util.RampartUtil.setEncryptionUser(RampartUtil.java:1308)
>>     at org.apache.rampart.util.RampartUtil.setEncryptionUser(RampartUtil.java:1296)
>>     at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:538)
>>     at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:90)
>>     at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
>>     at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
>>
>> With the help of SVN blame, I found that a change was made in
>> https://issues.apache.org/jira/browse/RAMPART-106 that forces the
>> UsernameToken to be encrypted (BindingBuilder:428 in the current trunk).
>>
>> I found the following in the WS-Security UsernameToken profile:
>>
>> /wsse:UsernameToken/wsse:Password
>> This optional element provides password information (or equivalent such
>> as a hash). It is RECOMMENDED that this element only be passed when a
>> secure transport (e.g. HTTP/S) is being used or if the token itself is
>> being encrypted.
>>
>> We are using HTTPS for transport, so encryption of the token doesn't
>> seem to be necessary. Is there something I'm missing, or should the
>> logic from RAMPART-106 only apply in certain situations?
>>
>> Thanks,
>>
>> Nathan
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <wsp:Policy wsu:Id="UTOverTransport"
>>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>   <wsp:ExactlyOne>
>>     <wsp:All>
>>       <sp:SignedSupportingTokens
>>           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>         <wsp:Policy>
>>           <sp:UsernameToken
>>               sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>>             <wsp:Policy>
>>               <sp:HashPassword/>
>>             </wsp:Policy>
>>           </sp:UsernameToken>
>>         </wsp:Policy>
>>       </sp:SignedSupportingTokens>
>>
>>       <sp:AsymmetricBinding
>>           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>         <wsp:Policy>
>>           <sp:InitiatorToken>
>>             <wsp:Policy>
>>               <sp:X509Token
>>                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>>                 <wsp:Policy>
>>                   <sp:RequireThumbprintReference/>
>>                   <sp:WssX509V3Token10/>
>>                 </wsp:Policy>
>>               </sp:X509Token>
>>             </wsp:Policy>
>>           </sp:InitiatorToken>
>>
>>           <sp:RecipientToken>
>>             <wsp:Policy>
>>               <sp:X509Token
>>                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>>                 <wsp:Policy>
>>                   <sp:RequireThumbprintReference/>
>>                   <sp:WssX509V3Token10/>
>>                 </wsp:Policy>
>>               </sp:X509Token>
>>             </wsp:Policy>
>>           </sp:RecipientToken>
>>
>>           <sp:AlgorithmSuite>
>>             <wsp:Policy>
>>               <sp:Basic256Sha256/>
>>             </wsp:Policy>
>>           </sp:AlgorithmSuite>
>>
>>           <sp:Layout>
>>             <wsp:Policy>
>>               <sp:Strict/>
>>             </wsp:Policy>
>>           </sp:Layout>
>>
>>           <sp:IncludeTimestamp/>
>>           <sp:OnlySignEntireHeadersAndBody/>
>>         </wsp:Policy>
>>       </sp:AsymmetricBinding>
>>
>>       <sp:Wss11
>>           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>         <wsp:Policy>
>>           <sp:MustSupportRefKeyIdentifier/>
>>           <sp:MustSupportRefIssuerSerial/>
>>         </wsp:Policy>
>>       </sp:Wss11>
>>
>>       <sp:SignedParts
>>           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>         <sp:Body/>
>>         <sp:Header Name="Messaging"
>>             Namespace="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/" />
>>         <sp:Attachments />
>>       </sp:SignedParts>
>>     </wsp:All>
>>   </wsp:ExactlyOne>
>> </wsp:Policy>
>>
>
> --
> http://ruchith.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
> For additional commands, e-mail: java-dev-h...@axis.apache.org

--
http://ruchith.org
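
The UsernameToken profile text quoted in the thread recommends passing the password (or its hash) only over a secure transport or inside an encrypted token. The following is an added example, not code from the thread or from Rampart: it reports which of the two a WS-SecurityPolicy document itself asserts for each sp:UsernameToken. The sample policy is a trimmed, constructed version of the one posted above; the function name and result labels are assumptions of this example.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

# Constructed sample: the policy from the thread, trimmed to the relevant assertions.
THREAD_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
 <wsp:ExactlyOne><wsp:All>
  <sp:SignedSupportingTokens><wsp:Policy>
   <sp:UsernameToken><wsp:Policy><sp:HashPassword/></wsp:Policy></sp:UsernameToken>
  </wsp:Policy></sp:SignedSupportingTokens>
  <sp:AsymmetricBinding><wsp:Policy>
   <sp:IncludeTimestamp/><sp:OnlySignEntireHeadersAndBody/>
  </wsp:Policy></sp:AsymmetricBinding>
 </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# Supporting-token assertions defined by WS-SecurityPolicy 1.2 that are checked here.
HOLDERS = ("SupportingTokens", "SignedSupportingTokens",
           "EncryptedSupportingTokens", "SignedEncryptedSupportingTokens")


def username_token_protection(policy_xml):
    """Report, per sp:UsernameToken, what the policy itself asserts about
    protecting the password: token encryption, a transport binding, or neither."""
    root = ET.fromstring(policy_xml)  # intended for trusted, local policy files
    has_transport = root.find(f".//{{{SP}}}TransportBinding") is not None
    report = []
    for holder in HOLDERS:
        for group in root.iter(f"{{{SP}}}{holder}"):
            for token in group.iter(f"{{{SP}}}UsernameToken"):
                if "Encrypted" in holder:
                    protection = "token-encrypted"
                elif has_transport:
                    protection = "transport-binding"
                else:
                    # Neither is stated in the policy; HTTPS has to be
                    # enforced by the deployment, outside the policy.
                    protection = "not-asserted"
                report.append({
                    "holder": holder,
                    "hashed": token.find(f".//{{{SP}}}HashPassword") is not None,
                    "no_password": token.find(f".//{{{SP}}}NoPassword") is not None,
                    "protection": protection,
                })
    return report


if __name__ == "__main__":
    for row in username_token_protection(THREAD_POLICY):
        print(row)
```

For the thread's policy the result is `not-asserted`: the HTTPS protection Nathan relies on is a deployment property that the policy document does not express.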