forwarding to the list!

---------- Forwarded message ----------
From: Ruchith Fernando <[EMAIL PROTECTED]>
Date: Jun 7, 2007 2:11 PM
Subject: Re: A question about Rampart
To: "Wang, Hailong (NIH/CIT) [C]" <[EMAIL PROTECTED]>


Hi Hailong,

Please try the attached policy!

Thanks,
Ruchith



On 6/5/07, Wang, Hailong (NIH/CIT) [C] <[EMAIL PROTECTED]> wrote:
Ruchith,

Thanks very much for your quick response. I had read through those samples
before. One question: is the username for the UsernameToken the same as the
username used for signing the message?

I am not sure how to combine the two of them (samples/policy/sample01
and samples/policy/sample03) into a single policy file for
UsernameToken, Sign and Encrypt. Below is my attempt:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++
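<!--
  NOTE(review): restored from the line-wrapped mail body. The mail client split
  URLs and attributes mid-token and left a stray ';' after every quoted
  namespace / IncludeToken value, so the text as posted was not well-formed;
  the policy content itself is Hailong's attempt, left unchanged. Compared with
  the policy Ruchith attached in his reply, two differences stand out:
  (1) this single wsp:All alternative carries both a TransportBinding and an
      AsymmetricBinding, whereas the attached policy keeps only the
      AsymmetricBinding (one binding assertion per alternative);
  (2) there is no ramp:RampartConfig (user, password callback, keystores), so
      presumably Rampart has no signing identity here, which would fit the
      "Message is not signed" error below. TODO confirm against Rampart.
-->
<wsp:Policy wsu:Id="SigEncrUT"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <!-- Transport-level binding: HTTPS without a client certificate. -->
            <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:TransportToken>
                        <wsp:Policy>
                            <sp:HttpsToken RequireClientCertificate="false" />
                        </wsp:Policy>
                    </sp:TransportToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256 />
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax />
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp />
                </wsp:Policy>
            </sp:TransportBinding>
            <!-- UsernameToken carried as a signed (not encrypted) supporting token. -->
            <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
                </wsp:Policy>
            </sp:SignedSupportingTokens>
            <!-- Message-level binding: X.509 signature by the initiator, encryption to the recipient. -->
            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:WssX509V3Token10 />
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:WssX509V3Token10 />
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <!-- Note the two bindings disagree on the suite: Basic256 above, TripleDesRsa15 here. -->
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:TripleDesRsa15 />
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict />
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp />
                    <sp:OnlySignEntireHeadersAndBody />
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportRefKeyIdentifier />
                    <sp:MustSupportRefIssuerSerial />
                </wsp:Policy>
            </sp:Wss10>
            <!-- Only the SOAP Body is signed and encrypted; headers (including the UsernameToken) are not in EncryptedParts. -->
            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body />
            </sp:SignedParts>
            <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body />
            </sp:EncryptedParts>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>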
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++


But I get the following error:
org.apache.rampart.RampartException: Message is not signed
        at
org.apache.rampart.PolicyBasedResultsValidator.validateEncrSig(PolicyBas
edResultsValidator.java:154)
        at
org.apache.rampart.PolicyBasedResultsValidator.validate(PolicyBasedResul
tsValidator.java:71)
        at
org.apache.rampart.RampartEngine.process(RampartEngine.java:88)
        at
org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:7
3)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:382)
        at
org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:251)
        at
org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:164)
        at
org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostReques
t(HTTPTransportUtils.java:273)
        at
org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:250)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica
tionFilterChain.java:269)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt
erChain.java:188)
        at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv
e.java:210)
        at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv
e.java:174)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
:127)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
:117)
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
java:108)
        at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:1
51)
        at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:87
0)
        at
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.proc
essConnection(Http11BaseProtocol.java:665)
        at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint
.java:528)
        at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollow
erWorkerThread.java:81)
        at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool
.java:685)
        at java.lang.Thread.run(Thread.java:595)


Do you have any clue about this?


Hailong




-----Original Message-----
From: Ruchith Fernando [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 05, 2007 11:39 AM
To: Wang, Hailong (NIH/CIT) [C]
Cc: [EMAIL PROTECTED]
Subject: Re: A question about Rampart

Hi,

Yes!

Please see the "basic" samples of Rampart to get an idea of how this is done with
the Rampart-1.0 style config.

In the case of WS-Policy/SecurityPolicy config you will be able to do
the above with the use of a supporting token (for the UsernameToken)
in the policy shown in "samples/policy/sample03/". Please see the
rampart bin distro's samples dir.

Thanks,
Ruchith

On 6/5/07, Wang, Hailong (NIH/CIT) [C] <[EMAIL PROTECTED]> wrote:
>
>
>
>
> Hi,
>
>
>
> Does Rampart support UsernameToken, Sign and Encrypt at the same time?
> Thanks in advance.
>
>
>
> Hailong Wang
>
> National Database for Autism Research(NDAR)
>
> NIH/CIT/DECA (MOM CONTRACTOR)
>
> 9000 Rockville Pike, Bld 12A/Room 2027
>
> Bethesda, MD 20892
>
> Phone:  301-402-3045
>
> Fax:       301-480-0028
>
> Email:   [EMAIL PROTECTED]
>
> URL:   http://ndar.nih.gov
>
>


--
www.ruchith.org
www.wso2.org



--
www.ruchith.org
www.wso2.org



--
www.ruchith.org
www.wso2.org
<?xml version="1.0" encoding="UTF-8"?>
<!--
 !
 ! Copyright 2006 The Apache Software Foundation.
 !
 ! Licensed under the Apache License, Version 2.0 (the "License");
 ! you may not use this file except in compliance with the License.
 ! You may obtain a copy of the License at
 !
 !      http://www.apache.org/licenses/LICENSE-2.0
 !
 ! Unless required by applicable law or agreed to in writing, software
 ! distributed under the License is distributed on an "AS IS" BASIS,
 ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 ! See the License for the specific language governing permissions and
 ! limitations under the License.
 !-->
 
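<!--
  Rampart policy "SigEncrUT": one alternative combining
    * an AsymmetricBinding (initiator signs with its X.509 certificate, the
      Body is encrypted for the recipient's certificate),
    * a UsernameToken as a signed supporting token, and
    * a RampartConfig block naming the identities, password callback and
      keystores Rampart uses to do the above.
  As posted to the list the namespace and IncludeToken attribute values were
  followed by a stray ';' (a mail-archive artifact) that made the document
  not well-formed; that is the only non-comment change here.
-->
<wsp:Policy wsu:Id="SigEncrUT" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
	<wsp:ExactlyOne>
		<wsp:All>
			<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<wsp:Policy>
					<!-- Initiator's certificate travels in every request so the recipient can verify the signature. -->
					<sp:InitiatorToken>
						<wsp:Policy>
							<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
								<wsp:Policy>
									<sp:WssX509V3Token10/>
								</wsp:Policy>
							</sp:X509Token>
						</wsp:Policy>
					</sp:InitiatorToken>
					<!-- Recipient's certificate is never sent; the sender must already hold it (see encryptionUser below). -->
					<sp:RecipientToken>
						<wsp:Policy>
							<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
								<wsp:Policy>
									<sp:WssX509V3Token10/>
								</wsp:Policy>
							</sp:X509Token>
						</wsp:Policy>
					</sp:RecipientToken>
					<!--
					  TripleDesRsa15 = 3DES bulk encryption with RSA PKCS#1 v1.5 key transport.
					  Both are legacy choices kept here from the sample; for anything beyond a
					  demo prefer a suite such as Basic256 (AES-256 with RSA-OAEP), which is
					  also what the original TransportBinding attempt used.
					-->
					<sp:AlgorithmSuite>
						<wsp:Policy>
							<sp:TripleDesRsa15/>
						</wsp:Policy>
					</sp:AlgorithmSuite>
					<sp:Layout>
						<wsp:Policy>
							<sp:Strict/>
						</wsp:Policy>
					</sp:Layout>
					<!-- Timestamp is included and, being a header, is covered by the signature via OnlySignEntireHeadersAndBody. -->
					<sp:IncludeTimestamp/>
					<sp:OnlySignEntireHeadersAndBody/>
				</wsp:Policy>
			</sp:AsymmetricBinding>
			<!--
			  The UsernameToken is a *signed* supporting token: its integrity is
			  covered by the initiator's signature, but it is not listed under
			  EncryptedParts (only the Body is), so the token travels unencrypted
			  at the message level. Whether that exposes a password depends on the
			  password type Rampart emits, which this file does not fix; confirm
			  before using a plaintext password type without transport protection.
			-->
			<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<wsp:Policy>
					<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
				</wsp:Policy>
			</sp:SignedSupportingTokens>
			<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<wsp:Policy>
					<sp:MustSupportRefKeyIdentifier/>
					<sp:MustSupportRefIssuerSerial/>
				</wsp:Policy>
			</sp:Wss10>
			<!-- Only the SOAP Body is signed and encrypted as a "part". -->
			<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<sp:Body/>
			</sp:SignedParts>
			<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<sp:Body/>
			</sp:EncryptedParts>
			<!--
			  Rampart-specific configuration (not part of WS-SecurityPolicy).
			  All values below are sample-distribution values: "alice"/"bob" are
			  the keystore aliases, PWCallback is the sample callback handler, and
			  the keystore password is the literal word "password". A deployment
			  supplies its own callback class and must not ship real keystore
			  passwords in a policy file that is checked in or served with the WSDL.
			-->
			<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
				<!-- Alias whose private key signs outgoing messages; the UsernameToken username is obtained via the callback. -->
				<ramp:user>alice</ramp:user>
				<!-- Alias of the recipient certificate used to encrypt the Body (matches the "Never"-included RecipientToken). -->
				<ramp:encryptionUser>bob</ramp:encryptionUser>
				<ramp:passwordCallbackClass>org.apache.rampart.PWCallback</ramp:passwordCallbackClass>

				<ramp:signatureCrypto>
					<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
						<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
						<ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
						<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
					</ramp:crypto>
				</ramp:signatureCrypto>
				<!--
				  NOTE(review): "encryptionCypto" (no 'r') is the element name as it appears
				  in the Rampart samples of this era; it looks like a typo but is presumably
				  what this Rampart version's RampartConfig parser expects. Verify against
				  the Rampart release in use before "correcting" it.
				-->
				<ramp:encryptionCypto>
					<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
						<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
						<ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
						<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
					</ramp:crypto>
				</ramp:encryptionCypto>
			</ramp:RampartConfig>

		</wsp:All>
	</wsp:ExactlyOne>
</wsp:Policy>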
