Hi Dumindu, Kaushalye,
My point was that I am using transport binding and I can still see clear
SOAP text
using tcpmon.

So, Dumindu, I know that in theory I wouldn't be able to do that, but I
actually tested
this with some of the Rampart policies that I attached to this mail, so you
can check it if you want.
So is this a Rampart bug?

Note that this is the SOAP message that I was able to capture with tcpmon:


POST /axis2/services/sample02 HTTP/1.1
SOAPAction: "urn:echo"
User-Agent: Axis2
Host: localhost:8080
Transfer-Encoding: chunked
Content-Type: text/xml; charset=UTF-8

562
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-18096534"><wsu:Created>2007-05-09T14:34:09.687Z</wsu:Created><wsu:Expires>2007-05-13T01:54:09.687Z</wsu:Expires></wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-4744654"><wsse:Username>alice</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password></wsse:UsernameToken></wsse:Security><wsa:To>http://localhost:8080/axis2/services/sample02</wsa:To><wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo><wsa:MessageID>urn:uuid:4B8BD96A7282DD4A491178721249469</wsa:MessageID><wsa:Action>urn:echo</wsa:Action></soapenv:Header><soapenv:Body><ns1:echo xmlns:ns1="http://sample02.policy.samples.rampart.apache.org/xsd"><param0>Helloworld</param0></ns1:echo></soapenv:Body></soapenv:Envelope>
0

You can see the whole thing + the password
Thanks,
Nencho






2007/5/9, Dumindu Pallewela <[EMAIL PROTECTED]>:

If the transport binding is https, you won't be able to monitor the
SOAP messages with tcpmon in their plain text format.

Dumindu.

On 5/9/07, Nencho Lupanov <[EMAIL PROTECTED]> wrote:
> Hi Manjula,
>
> for the transport binding yes i think the same as you,
> but when i monitor the soap messages with tcpmon,
> the data is not encrypted, so how exactly this transport binding
> thing works for the confidentiality or is this some bug in the rampart
> implementation?
> thanks.
>
> Nencho
>
>
> 2007/5/9, Manjula Peiris <[EMAIL PROTECTED]>:
> >
> > hi Nencho,
> >
> > I think when you are sending through a Secure transport like Https the
> > Encryptedelements assertion is always satisfied. So no need to encrypt
> > the body again.
> >
> > -Manjula.
> >
> >
> > On Tue, 2007-05-08 at 18:31 +0300, Nencho Lupanov wrote:
> > > HI all,
> > >
> > > Is it possible to use a TransportBinding with HttpsToken in a rampart
> > > security policy
> > > and still encrypt the body with the Encryptedelements assertion for
> > > example?
> > > thanks,
> > >
> > > Nencho
> >
> >
>

<?xml version="1.0" encoding="UTF-8"?>
<!--
 !
 ! Copyright 2006 The Apache Software Foundation.
 !
 ! Licensed under the Apache License, Version 2.0 (the "License");
 ! you may not use this file except in compliance with the License.
 ! You may obtain a copy of the License at
 !
 !      http://www.apache.org/licenses/LICENSE-2.0
 !
 ! Unless required by applicable law or agreed to in writing, software
 ! distributed under the License is distributed on an "AS IS" BASIS,
 ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 ! See the License for the specific language governing permissions and
 ! limitations under the License.
 !-->
<wsp:Policy wsu:Id="UTOverTransport" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
	<wsp:ExactlyOne>
	  <wsp:All>
		<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
		  <wsp:Policy>
			<sp:TransportToken>
			  <wsp:Policy>
				<sp:HttpsToken RequireClientCertificate="false"/>
			  </wsp:Policy>
			</sp:TransportToken>
			<sp:AlgorithmSuite>
			  <wsp:Policy>
				<sp:Basic256/>
			  </wsp:Policy>
			</sp:AlgorithmSuite>
			<sp:Layout>
			  <wsp:Policy>
				<sp:Lax/>
			  </wsp:Policy>
			</sp:Layout>
			<sp:IncludeTimestamp/>
		  </wsp:Policy>
		</sp:TransportBinding>
		<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
			<wsp:Policy>
				<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
		  </wsp:Policy>
		</sp:SignedSupportingTokens>
		
		<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
			<ramp:user>alice</ramp:user>
			<ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample02.PWCBHandler</ramp:passwordCallbackClass>
		</ramp:RampartConfig>
		
	  </wsp:All>
	</wsp:ExactlyOne>
</wsp:Policy>
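
Added example, not part of the original thread or of Rampart: a Python check that compares what the attached policy declares (a TransportBinding with an HttpsToken) against the endpoint scheme in a message like the one captured above, and flags a PasswordText UsernameToken addressed to a non-https endpoint. The function names and the trimmed sample policy and envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
}
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"

# Constructed sample: the attached policy trimmed to its transport binding.
POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
 <sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
  <sp:HttpsToken RequireClientCertificate="false"/>
 </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>
</wsp:Policy>"""

def sample_envelope(to_url):
    """Constructed sample: the captured request trimmed to the relevant headers."""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}" xmlns:wsa="{NS['wsa']}"
  xmlns:wsse="{NS['wsse']}"><soapenv:Header><wsse:Security><wsse:UsernameToken>
  <wsse:Username>alice</wsse:Username>
  <wsse:Password Type="{PASSWORD_TEXT}">bobPW</wsse:Password>
  </wsse:UsernameToken></wsse:Security><wsa:To>{to_url}</wsa:To>
  </soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

def policy_requires_https(policy_xml):
    """True if the policy has a TransportBinding whose transport token is HttpsToken."""
    root = ET.fromstring(policy_xml)
    path = ".//sp:TransportBinding//sp:TransportToken//sp:HttpsToken"
    return root.find(path, NS) is not None

def audit_message(policy_xml, envelope_xml):
    """Return findings for one SOAP envelope checked against the policy."""
    findings = []
    env = ET.fromstring(envelope_xml)
    to = env.findtext(".//wsa:To", default="", namespaces=NS).strip()
    scheme = urlparse(to).scheme.lower()
    if policy_requires_https(policy_xml) and scheme != "https":
        findings.append(f"policy declares HttpsToken but wsa:To uses '{scheme}'")
    for pw in env.iterfind(".//wsse:UsernameToken/wsse:Password", NS):
        # An absent Type attribute defaults to PasswordText in the UsernameToken profile.
        ptype = (pw.get("Type") or PASSWORD_TEXT).strip()
        if ptype == PASSWORD_TEXT and scheme != "https":
            findings.append("UsernameToken carries PasswordText to a non-https endpoint")
    return findings
```

The check reads the scheme from `wsa:To`, which is the address the sender put in the message, so the listener the request actually arrived on should be checked separately.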
