I have been able to put sp:UsernameToken inside sp:SignedEncryptedSupportingTokens. I do not know what I did wrong initially.
Here's what I have now.

<sp:SignedEncryptedSupportingTokens>
  <wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
  </wsp:Policy>
</sp:SignedEncryptedSupportingTokens>

This is with Axis 1.5.6 + Rampart 1.5.2.

2012/4/18 Philippe A. <futhar...@gmail.com>

> 2012/4/17 Philippe A. <futhar...@gmail.com>
>
>> Hello,
>>
>> I am writing a web service and a corresponding client. If I put my
>> username token inside a SignedEncryptedSupportingTokens assertion, the
>> server will systematically produce an exception upon receiving requests:
>>
>> org.apache.axis2.AxisFault: Unexpected signature
>>         at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
>>         at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
>>         at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
>>         at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:254)
>>         at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)
>>         at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:173)
>>         at org.apache.axis2.transport.http.HTTPWorker.service(HTTPWorker.java:266)
>>         at org.apache.axis2.transport.http.server.AxisHttpService.doService(AxisHttpService.java:281)
>>         at org.apache.axis2.transport.http.server.AxisHttpService.handleRequest(AxisHttpService.java:187)
>>         at org.apache.axis2.transport.http.server.HttpServiceProcessor.run(HttpServiceProcessor.java:82)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>>         at java.lang.Thread.run(Thread.java:662)
>> Caused by: org.apache.rampart.RampartException: Unexpected signature
>>         at org.apache.rampart.PolicyBasedResultsValidator.validateEncrSig(PolicyBasedResultsValidator.java:226)
>>         at org.apache.rampart.PolicyBasedResultsValidator.validate(PolicyBasedResultsValidator.java:132)
>>         at org.apache.rampart.RampartEngine.process(RampartEngine.java:308)
>>         at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>>         ... 11 more
>>
>> Since Rampart seems to be always encrypting the username token, I decided
>> to use SignedSupportingTokens for now. But I don't really like doing that,
>> as I feel my policy risks not producing the desired result if I change
>> client technology.
>>
>> This is with rampart 1.5.2 + axis 1.5.6.
>>
>
> The ws-securitypolicy 1.2 standard seems to allow the username token to be
> encrypted even if it is listed as a sp:SupportingToken.
>
> 760 When the UsernameToken is to be encrypted it SHOULD be listed as a
> 761 SignedEncryptedSupportingToken (Section 8.5), EndorsingEncryptedSupportingToken (Section 8.6) or
> 762 SignedEndorsingEncryptedSupportingToken (Section 8.7).
>
> 3807 3. A wsse:UsernameToken may be encrypted when a transport binding is not being used
> 3808 (Section 5.3.1).
>
> However, I strongly believe that listing the username token under
> sp:SignedEncryptedSupportingToken should not fault.
>
> --
> Philippe
>

--
Philippe