On 24.02.2011 13:57, Thilina Mahesh Buddhika wrote:
Do you see any errors during the service deployment when an external policy reference is used?

I guess the policy is not properly attached to the service, which is the most probable reason for the "Must Understand check failed" error.

Thanks,
Thilina

On Thu, Feb 24, 2011 at 5:03 PM, Thomas Fielenbach <[email protected]> wrote:

    Hi all,

    Currently I'm working on securing messages with rampart. Therefore
    I just add Username/Pass/Timestamp in a policy. This works all
    fine (at client and at server-side) using a code first approach
    and defining the policy as well as the rampart-config in the
    services.xml.
    services.xml (partially):
    <service name="UserNameTokenService">
    <parameter name="ServiceClass" locked="false">unt.UserNameToken
    </parameter>
    <operation name="add">
    <messageReceiver
    class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" />
    </operation>
    <module ref="rampart" />
    <wsp:Policy wsu:Id="UsernameTokenOverHTTP"
    ...
    <sp:SignedSupportingTokens
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
    <sp:UsernameToken
    sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"
    />
    </wsp:Policy>
    </sp:SignedSupportingTokens>
    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
    <ramp:passwordCallbackClass>unt.PWCBHandler</ramp:passwordCallbackClass>
    </ramp:RampartConfig>
    </wsp:All>
    ...

    When I want to use contract first and load a policy document from
    an external source (e.g.
    http://ip:port/axis2/external-policy.xml), the Axis2-framework
    responds with "
    Exception in thread "main" org.apache.axis2.AxisFault: Must
    Understand check failed for header
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
    : Security
        at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:446)
    ..."

    The (relevant) part of the WSDL:
    <wsdl:portType name="UserNameTokenExternalPolicyServicePortType">
    <wsdl:operation name="add">
    <wsdl:input message="ns:addRequest" wsaw:Action="urn:add">
    </wsdl:input>
    <wsdl:output message="ns:addResponse" wsaw:Action="urn:addResponse">
    </wsdl:output>
    </wsdl:operation>
    <wsp:PolicyReference
    URI="http://localhost:7080/axis2/external-policy.xml#TS_AUTH-UNT-PASS"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>
    </wsdl:portType>

    The services.xml is the same as above, but the wss-policy is
    deleted. I have tried to define the rampart-config 1) in the
    services.xml 2) in the external-policy.xml, but both times the
    error stated above occurs.

    Tracking the request with TCPMon shows that the client sends a
    valid request to the server.

    Is it generally possible to use references to policies with
    rampart? If so, how do I have to change my code for that?

    Thanks in advance & Best regards


    --
    *************************
    Universität Siegen
    Institute: Business Informatics, Area: IT Security
    Hölderlinstr. 3
    57068 Siegen

    Room: H-C 8329/3
    Tel.: +49-271-740-3041
    Fax: +49-271-740-3444
    Mail: [email protected]

    Web: http://www.uni-siegen.de/fb5/itsec/index.html?lang=de
    *************************






--
Thilina Mahesh Buddhika
http://blog.thilinamb.com
Hi,

There is no error occurring during deployment. Web Service is available, rampart is engaged as module and there are no exceptions during deployment (AXIS2 as webapp in a tomcat).

That's the question. Is axis2/rampart capable of reading an external policy (here available in the tomcat)? In my wsdl the policy is bound to the portType with: <wsp:PolicyReference URI="http://localhost:7080/axis2/external-policy.xml#TS_AUTH-UNT-PASS" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>

Moreover, there is the question where/how I have to define the rampart-configs? Normally this would be placed directly in the policy defined in the services.xml, but maybe that's not a feasible approach if the policy is placed externally.

Best regards
Thomas

--
*************************
Universität Siegen
Institute: Business Informatics, Area: IT Security
Hölderlinstr. 3
57068 Siegen

Room: H-C 8329/3
Tel.: +49-271-740-3041
Fax: +49-271-740-3444
Mail: [email protected]

Web: http://www.uni-siegen.de/fb5/itsec/index.html?lang=de
*************************
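
A way to check the attachment question raised in this thread, as an added example that is not part of the original mails and not Axis2 or Rampart code: it lists every wsp:PolicyReference in a WSDL and reports whether it points to a policy embedded in the same document, to an external document, or to nothing. The sample WSDL is constructed; only the portType reference and the policy Id are taken from the thread, and the binding names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urldefrag

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"  # namespace used in the thread
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")  # standard home of wsu:Id

# Constructed sample: the portType reference is the one quoted in the thread,
# the two bindings and the embedded policy are made up for comparison.
SAMPLE_WSDL = f"""<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="{WSP}" xmlns:wsu="{WSU}">
  <wsp:Policy wsu:Id="UsernameTokenOverHTTP"/>
  <wsdl:portType name="UserNameTokenExternalPolicyServicePortType">
    <wsp:PolicyReference
      URI="http://localhost:7080/axis2/external-policy.xml#TS_AUTH-UNT-PASS"/>
  </wsdl:portType>
  <wsdl:binding name="LocalBinding">
    <wsp:PolicyReference URI="#UsernameTokenOverHTTP"/>
  </wsdl:binding>
  <wsdl:binding name="BrokenBinding">
    <wsp:PolicyReference URI="#Missing"/>
  </wsdl:binding>
</wsdl:definitions>"""


def classify_policy_references(wsdl_text):
    """Return (URI, status) for every wsp:PolicyReference, in document order."""
    root = ET.fromstring(wsdl_text)
    # wsu:Id values of policies embedded in this WSDL document.
    local_ids = {p.get(f"{{{WSU}}}Id") for p in root.iter(f"{{{WSP}}}Policy")}
    local_ids.discard(None)
    results = []
    for ref in root.iter(f"{{{WSP}}}PolicyReference"):
        uri = ref.get("URI", "")
        document, fragment = urldefrag(uri)
        if document:
            status = "external"    # must be fetched from another document
        elif fragment in local_ids:
            status = "local"       # resolves to a policy in this WSDL
        else:
            status = "unresolved"  # no matching wsu:Id anywhere in this WSDL
        results.append((uri, status))
    return results


if __name__ == "__main__":
    for uri, status in classify_policy_references(SAMPLE_WSDL):
        print(f"{status:10} {uri}")
```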
