2012/4/17 Philippe A. <futhar...@gmail.com>
> Hello,
>
> I am writing a web service and a corresponding client. If I put my
> username token inside a SignedEncryptedSupportingTokens assertion, the
> server will systematically produce an exception upon receiving requests:
>
> org.apache.axis2.AxisFault: Unexpected signature
>     at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
>     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
>     at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:254)
>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)
>     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:173)
>     at org.apache.axis2.transport.http.HTTPWorker.service(HTTPWorker.java:266)
>     at org.apache.axis2.transport.http.server.AxisHttpService.doService(AxisHttpService.java:281)
>     at org.apache.axis2.transport.http.server.AxisHttpService.handleRequest(AxisHttpService.java:187)
>     at org.apache.axis2.transport.http.server.HttpServiceProcessor.run(HttpServiceProcessor.java:82)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>     at java.lang.Thread.run(Thread.java:662)
> Caused by: org.apache.rampart.RampartException: Unexpected signature
>     at org.apache.rampart.PolicyBasedResultsValidator.validateEncrSig(PolicyBasedResultsValidator.java:226)
>     at org.apache.rampart.PolicyBasedResultsValidator.validate(PolicyBasedResultsValidator.java:132)
>     at org.apache.rampart.RampartEngine.process(RampartEngine.java:308)
>     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>     ... 11 more
>
> Since Rampart seems to be always encrypting the username token, I decided
> to use SignedSupportingTokens for now. But I don't really like doing that
> as I feel my policy risks not producing the desired result if I change
> client technology.
>
> This is with rampart 1.5.2 + axis 1.5.6.
>
The ws-securitypolicy 1.2 standard seems to allow the username token to be encrypted even if it is listed as a sp:SupportingToken:

    760 When the UsernameToken is to be encrypted it SHOULD be listed as a
    761 SignedEncryptedSupportingToken (Section 8.5), EndorsingEncryptedSupportingToken (Section 8.6) or
    762 SignedEndorsingEncryptedSupportingToken (Section 8.7).

    3807 3. A wsse:UsernameToken may be encrypted when a transport binding is not being used
    3808 (Section 5.3.1).

However, I strongly believe that listing the username token under sp:SignedEncryptedSupportingToken should not fault.

--
Philippe
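For readers following the thread, here is the shape of the two WS-SecurityPolicy 1.2 assertions being compared: the sp:SignedSupportingTokens form the poster fell back to, and the sp:SignedEncryptedSupportingTokens form that triggers the "Unexpected signature" fault on his Rampart 1.5.2 server. This is an added illustration, not a policy from the original post or from the Rampart project. The wsp and sp namespace URIs are the standard WS-Policy 2004/09 and WS-SecurityPolicy 200702 ones; the IncludeToken value and the sp:WssUsernameToken10 qualifier are assumed choices for a plain UsernameToken, and the enclosing binding (sp:AsymmetricBinding, certificates, algorithm suite) is omitted because the post does not show it.

```xml
<!-- Added example: the two sp:*SupportingTokens variants discussed above,
     side by side. Only the supporting-token assertion differs; the rest
     of the policy (binding, algorithm suite, Wss10/Wss11) is assumed to
     be identical and is not shown. -->
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

  <!-- Variant A: what the poster is using "for now".
       The UsernameToken is covered by the message signature but is sent
       in clear inside the Security header, so its password material is
       only as protected as the transport. -->
  <sp:SignedSupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken
          sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SignedSupportingTokens>

  <!-- Variant B: what WS-SecurityPolicy 1.2 lines 760-762 recommend when
       the UsernameToken is to be encrypted (Section 8.5). The token is
       both signed and encrypted; the recipient's PolicyBasedResultsValidator
       must therefore expect an encrypted, signed UsernameToken rather than
       a clear one. This is the assertion the poster reports as faulting. -->
  <sp:SignedEncryptedSupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken
          sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SignedEncryptedSupportingTokens>

</wsp:Policy>
```

A real policy would contain only one of the two assertions; they are placed together here so the single-element difference is visible. When checking interoperability with a non-Rampart client, it is this assertion name, together with the binding's sp:EncryptSignature and sp:ProtectTokens settings, that determines whether the client is expected to encrypt the UsernameToken, so a mismatch between what the client emits and what the server policy declares is what surfaces as a validation fault of the kind quoted in the thread.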