Hi again,

I'm updating my previous email:

I have just managed to sign or encrypt more than one element with the Rampart 
basic configuration. They have to be defined in the same setEncryptionParts 
call, separated by ";". So the first question is resolved.

I found some more issues:

I found a strange behaviour in my service policy: I'm trying to encrypt 
ServiceGroupId and some of my payload elements.

For example, in my service policy I have:

<sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant::ns3:getPatientsResponse</sp:XPath>
</sp:EncryptedElements>

If the client sends elements defined with that prefix, there's no problem 
decrypting them in the service. But when I need to encrypt elements like that, 
to send them back to the client, I get the exception:

java.lang.RuntimeException: org.jaxen.UnresolvableException: Cannot resolve namespace prefix 'ns3'.


However, for other operations there is no problem. I have one that returns the 
same data as the one above and it works perfectly. The only difference in the 
response is the name of the operation.

I have these operations:

validateUser (In-Only OK)
logout (In-Only OK)
getOntologyFindings
getOntologyFindingsByConcept (OK)
getOntologyAbstractParameters
getOntologyAbstractParametersByType (OK, returns the same data as the previous one)
getOntologyPrimitiveParameters
getOntologyPrimitiveParametersByType (OK, returns the same data as the previous one)
getOntologyUnits
getOntologySignals
getOntology
getOntologyConceptTree (OK)
getPatients
getPatientsByType (OK, returns the same data as the previous one)
getMonitoringStages (OK)
getDetailedMontoringStages (OK)
getMonitoringConfigurations (OK)
getDataQueryConfig (OK)
getAbstractParameterData (OK)
getPrimitiveParameterData (OK)
getSignalData (OK)

Operations without (OK) throw the exception described above. You can see that 
when the names are almost the same (as with getPatients and getPatientsByType), 
the longer one works OK but the shorter one doesn't. For some others, even if 
their names are different, it doesn't work.

In the case of encrypting ServiceGroupID, it says it cannot resolve prefix 
'axis2'. With other elements such as addressing headers and timestamp there is 
no problem.

What can cause the exception?


For some operations, I have a response like this:

<ns3:getPrimitiveDataResponse xmlns:ns3="http://op_messages.medici_link/xsd">
   <parameterData xmlns="http://op_messages.medici_link/xsd">
      <annotations xmlns="http://external.communication_data_model.medici_link/xsd"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
      <dataSegments xmlns="http://external.communication_data_model.medici_link/xsd">
         <beginMsec>1186069490203</beginMsec>
         <endMsec>1186069490203</endMsec>
         <data>
            <xop:Include href="cid:1.urn:uuid:[EMAIL PROTECTED]"
                         xmlns:xop="http://www.w3.org/2004/08/xop/include" />
         </data>
      </dataSegments>
   </parameterData>
</ns3:getPrimitiveDataResponse>

and I want to sign and encrypt annotations and dataSegments, so I put that in 
the policy, but none of them are encrypted or signed, and I don't get any 
exception either. It seems that Rampart isn't able to find them. I tried 
identifying them in the policy with descendant::ns3:dataSegments and 
descendant::dataSegments.


Thanks, 

Jorge Fernández


Jorge Fernandez <[EMAIL PROTECTED]> wrote: Hi all,

I'm having some issues with security configuration and I need some 
clarifications because I'm just learning and I've been at it for a while. If 
anybody could help me it would be great.

I'm using policy at my service, trying to force the client to send SKI 
certificate reference so I have <sp:RequireKeyIdentifierReference/> assertion 
in both Initiator Token and RecipientToken and 
<sp:MustSupportRefKeyIdentifier/>.

In the client, I'm sending IssuerSerial references, but in the service policy I 
haven't got MustSupportIssuerSerialReference, so I think the service should 
reject the request, but it doesn't. Am I right?

Also, I expected that the service should send SKI reference always, but, for 
the encryption key it sends IssuerSerial reference. Can I force it to use 
always SKI reference?

In the client, I'm signing Timestamp and Body, but in the message I can only 
see the Timestamp signature. Where is the Body signature? Does Rampart sign 
only one of them?

The last problem is that when I replace the signedParts assertion with 
signedElements, I can access the service but the WSDL is not generated (when 
useOriginalwsdl is false) because it throws an exception:

com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "sp"
 at [row,col {unknown-source}]: [1,1040]
I'm sending configurations and messages generated below.

Can anybody point me in the right direction?

Thanks in advance,

Jorge Fernández



    public static OutflowConfiguration getOutflowConfiguration() {
        OutflowConfiguration ofc = new OutflowConfiguration();
        ofc.setActionItems("Timestamp Signature Encrypt");
        ofc.setUser("client1");
        ofc.setPasswordCallbackClass("client.PWCBHandler");
        ofc.setSignaturePropFile("client1.properties");
        ofc.setSignatureKeyIdentifier(WSSHandlerConstants.ISSUER_SERIAL);
        ofc.setEncryptionKeyIdentifier(WSSHandlerConstants.ISSUER_SERIAL);
        ofc.setEncryptionUser("medici-link");
        ofc.setSignatureParts("{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;");
        ofc.setSignBody();
        ofc.setEncryptBody();
        return ofc;
    }
    
    
    
POST /axis2/services/Medici_Link HTTP/1.1
Content-Type: application/soap+xml; charset=UTF-8;  action="urn:validateSystem"
User-Agent: Axis2
Host: 127.0.0.1:8082
Transfer-Encoding: chunked

e38
<?xml version='1.0' encoding='UTF-8'?>
   <soapenv:Envelope xmlns:wsa="http://www.w3.org/2005/08/addressing"
                     xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
                     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <soapenv:Header>
         <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                        soapenv:mustUnderstand="true">
            <xenc:EncryptedKey Id="EncKeyId-3916915">
               <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <wsse:SecurityTokenReference>
                     <ds:X509Data>
                        <ds:X509IssuerSerial>
                           <ds:X509IssuerName>CN=CA,OU=X1,O=X2,L=Santiago,ST=Coruna,C=ES</ds:X509IssuerName>
                           <ds:X509SerialNumber>14</ds:X509SerialNumber>
                        </ds:X509IssuerSerial>
                     </ds:X509Data>
                  </wsse:SecurityTokenReference>
               </ds:KeyInfo>
               <xenc:CipherData>
<xenc:CipherValue>dr/IpAm4eczqbtJBxypHAPWwtDLdU6AveSBEvKLqWkxj770t8XTm5GrZsvgALxINEVU5lZL/v9QxDGu9I6CTH5JxkmBzWDtVmDWxD4hAkfjHtBiwfhUm227OlENApZqNCi9/zbQqvirl9e0IH65zm18IO0/LLGc/mDhH3Hu5YR8=</xenc:CipherValue>
               </xenc:CipherData>
               <xenc:ReferenceList>
                  <xenc:DataReference URI="#EncDataId-29056009" />
               </xenc:ReferenceList>
            </xenc:EncryptedKey>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-33431531">
               <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                  <ds:Reference URI="#Timestamp-15293014">
                     <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                     </ds:Transforms>
                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                     <ds:DigestValue>KHfeVCmFYGNhDXhFYAssmRV7DPo=</ds:DigestValue>
                  </ds:Reference>
               </ds:SignedInfo>
<ds:SignatureValue>Q1x8bI4520lAzba8m2c6aUP1f+dwApAjGWVAonkFwb//JdZa7pURoQP5fS1sjONegdx6Yc9oQiki3yuP7RJ8ieHbWt44Im5M9w5e0pba+nDR0xAm0OB+01ndy6NZ3v9dJ4puhk6Mew93VQTXPmBDaVd2Y3pmZ3/Tqt2mPtdjO4A=</ds:SignatureValue>
               <ds:KeyInfo Id="KeyId-17905186">
                  <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                               wsu:Id="STRId-22566565">
                     <ds:X509Data>
                        <ds:X509IssuerSerial>
                           <ds:X509IssuerName>CN=CA,OU=X1,O=X2,L=Santiago,ST=Coruna,C=ES</ds:X509IssuerName>
                           <ds:X509SerialNumber>12</ds:X509SerialNumber>
                        </ds:X509IssuerSerial>
                     </ds:X509Data>
                  </wsse:SecurityTokenReference>
               </ds:KeyInfo>
            </ds:Signature>
            <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                           wsu:Id="Timestamp-15293014">
               <wsu:Created>2007-08-01T14:28:33.796Z</wsu:Created>
               <wsu:Expires>2007-08-01T14:33:33.796Z</wsu:Expires>
            </wsu:Timestamp>
         </wsse:Security>
         <wsa:To>http://localhost:8082/axis2/services/Medici_Link</wsa:To>
         <wsa:MessageID>urn:uuid:523839FBFE69D5BF4B1185978513264</wsa:MessageID>
         <wsa:Action>urn:validateSystem</wsa:Action>
      </soapenv:Header>
      <soapenv:Body>
         <xenc:EncryptedData Id="EncDataId-29056009" Type="http://www.w3.org/2001/04/xmlenc#Content">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
            <xenc:CipherData>
<xenc:CipherValue>YhZlOStquqla9TfR/E0PU8HRCJA+WZk/EXWyVgJ+IlxEbxEyUs7S+lUm6cGtd3eTBF8R6YyYdjkF6yxSBcYNKl+NzUWjHY/4R50DFkS5/haY6JgCnP3whgKz1Z8+GpuoeiPj0qzpBjZ/TDPgVnppQxwYJwCbopqNou66WLalx3ToMrOd7vVTgc/WGUf26hrClAzDOJUpKc5t5ipAc6T+iJ8P1l6/Vy/DCsSDTbQrK6xtsGtYUBCqXqWtnbPnLsDC8CmK8wQd2r1ZZfgB65rr+12KDNlJk7XxStzdUmnZF4wRp9A8dbs3KsOmdCX/Qjt4WYG80SetalcdlsPmMefgJd8RrD7pyrtAFJMj/ky7pUX3VQBnMuvw7NdnatBdUDB5uZ+jpGEzStE+4avpmbjVZ4CwNdoU/Sk8I7POyf7+++0un/N6H66P+kUoPnndQXxI</xenc:CipherValue>
            </xenc:CipherData>
         </xenc:EncryptedData>
      </soapenv:Body>
   </soapenv:Envelope>
0

<wsp:Policy wsu:Id="medici-link-policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:RequireKeyIdentifierReference/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:RequireKeyIdentifierReference/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:TripleDesRsa15/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:IncludeTimestamp/>
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportRefKeyIdentifier/>
                </wsp:Policy>
            </sp:Wss11>
            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body/>
            </sp:SignedParts>
            <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body/>
            </sp:EncryptedParts>

            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                <ramp:user>medici-link</ramp:user>
                <ramp:encryptionUser>useReqSigCert</ramp:encryptionUser>
                <ramp:passwordCallbackClass>medici_link.service.PWCBHandler</ramp:passwordCallbackClass>
                <ramp:signatureCrypto>
                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">medici-link.jks</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
                    </ramp:crypto>
                </ramp:signatureCrypto>
                <ramp:encryptionCypto>
                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">medici-link.jks</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
                    </ramp:crypto>
                </ramp:encryptionCypto>
            </ramp:RampartConfig>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>
        
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/soap+xml; action="urn:validateSystem";charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 01 Aug 2007 14:28:40 GMT

11b5
<?xml version='1.0' encoding='UTF-8'?>
   <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
                     xmlns:wsa="http://www.w3.org/2005/08/addressing"
                     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <soapenv:Header>
         <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                        soapenv:mustUnderstand="true">
            <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                           wsu:Id="Timestamp-27859243">
               <wsu:Created>2007-08-01T14:28:40.093Z</wsu:Created>
               <wsu:Expires>2007-08-01T14:33:40.093Z</wsu:Expires>
            </wsu:Timestamp>
            <xenc:EncryptedKey Id="EncKeyId-11702064">
               <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <wsse:SecurityTokenReference>
                     <ds:X509Data>
                        <ds:X509IssuerSerial>
                           <ds:X509IssuerName>CN=CA,OU=X1,O=X2,L=Santiago,ST=Coruna,C=ES</ds:X509IssuerName>
                           <ds:X509SerialNumber>12</ds:X509SerialNumber>
                        </ds:X509IssuerSerial>
                     </ds:X509Data>
                  </wsse:SecurityTokenReference>
               </ds:KeyInfo>
               <xenc:CipherData>
<xenc:CipherValue>Tvs2CbLiLz7GYXWJDL/infWAL5LnogIV4BJBBU/8hY7qP+NOEa9UYjDG44/qrvqzpfichGeMT2Iw/strhTsBO7Bghqf7vIUo05nu5ABNHba0NMR5WUn0bfuHvA/Ha0UmnobSTQjAHrkzKG+syVaplXOW/LfTitOpwIZpm2qpCoI=</xenc:CipherValue>
               </xenc:CipherData>
               <xenc:ReferenceList>
                  <xenc:DataReference URI="#EncDataId-11755554" />
               </xenc:ReferenceList>
            </xenc:EncryptedKey>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-32885718">
               <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                  <ds:Reference URI="#Id-11755554">
                     <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                     </ds:Transforms>
                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                     <ds:DigestValue>+y2+OfUJL3d0Mw42EbKMvdIInL8=</ds:DigestValue>
                  </ds:Reference>
                  <ds:Reference URI="#Timestamp-27859243">
                     <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                     </ds:Transforms>
                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                     <ds:DigestValue>f0oJfTZttlBvWt14AaJwlJZ59sQ=</ds:DigestValue>
                  </ds:Reference>
               </ds:SignedInfo>
<ds:SignatureValue>SolCHPlgaSTGsU4YBtAYFttFNsBZcXmrlyv1+6i/h+ZROCgpCII8ADVvkWkl+/H/gnYgwlFV7q9UIZon8BdKU2uIqr1MtO9+PvX3wMFJ9/j2bhsMpiedB43TjVf1S4+aBuq84CjpRRAx772bVKAJj1GdIuvQ949aH8qORtiEHGY=</ds:SignatureValue>
               <ds:KeyInfo Id="KeyId-13889929">
                  <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                               wsu:Id="STRId-9869406">
                     <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                         ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">y04CDWZeR2reLTliC8uk7coJw1k=</wsse:KeyIdentifier>
                  </wsse:SecurityTokenReference>
               </ds:KeyInfo>
            </ds:Signature>
         </wsse:Security>
         <wsa:ReplyTo>
            <wsa:Address>http://www.w3.org/2005/08/addressing/none</wsa:Address>
            <wsa:ReferenceParameters>
               <axis2:ServiceGroupId xmlns:axis2="http://ws.apache.org/namespaces/axis2">urn:uuid:98F28CD7CAF64DA9A81185978519823</axis2:ServiceGroupId>
            </wsa:ReferenceParameters>
         </wsa:ReplyTo>
         <wsa:MessageID>urn:uuid:98F28CD7CAF64DA9A81185978519839</wsa:MessageID>
         <wsa:Action>urn:validateSystem</wsa:Action>
         <wsa:RelatesTo>urn:uuid:523839FBFE69D5BF4B1185978513264</wsa:RelatesTo>
      </soapenv:Header>
      <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                    wsu:Id="Id-11755554">
         <xenc:EncryptedData Id="EncDataId-11755554" Type="http://www.w3.org/2001/04/xmlenc#Content">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
            <xenc:CipherData>
                
<xenc:CipherValue>AQikCau4Nj4f4bH3U9mDUjf0c8FhzqoZNnxS61YXuCZVS/NTHHFz/DdR5tYQ4l89mdSegQTllIf4/T1Jdd2rWVql7NedolFei8ibVKrDu0TkNSCD406xQU1ep/j/4U2ZP/pwQ9dDnkQdiG6OiDduviS6kue1yr4VZJbjr4ihMGsAVXmf87sXZfi755fv8pbmQGoOomNnb4qoAdv8M95UcQdsmZx0Vd4RRdeyPGSjLusFUnVSeM7OqE5HT3VMBKUqAmTVj/bkYYKddad6QRe5vt9jZ/Ywkbr9104v5+3nGIiWlk41
yTElrC+FaY92xQ6heGzszim+X/EyE7ulxJTS+tPtARUq3L5wd429MgsSoxt4Qw1mFnK9YRTnBUlV
NJx8SV5JvhCs3DxQy5B7j11fVdxcVUTOBva9i0x+OCuxqMeALsJb/r+Yy/Ou2hIX/NGLQcP9mWIW
NxyVo8+Qn+H9rIts2nquCjkvi08CzM2dTxngz0DAosQn4IROouXyqXbrkaAZoLglNrfWxqHobMJF
BVtszlh96FiBAkjSIyOPd3KGVKEBrT4bSRXlH/jW8z8t</xenc:CipherValue>
            </xenc:CipherData>
         </xenc:EncryptedData>
      </soapenv:Body>
   </soapenv:Envelope>
0
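An added check, written for this thread rather than taken from it or from Rampart, that runs the sp:XPath targets of an EncryptedElements assertion against a trimmed copy of the getPrimitiveDataResponse payload quoted above. With a policy shaped like the one in the post it reproduces both symptoms (an undeclared prefix cannot be resolved, and an unprefixed dataSegments matches nothing because that element sits in a default namespace), and with the prefixes bound on the policy element both targets match; XPath matches on namespace URI, so the prefix the message itself happens to use (ns3) plays no part. It assumes Rampart resolves XPath prefixes from the xmlns declarations in scope on the policy; the op and cdm prefixes, the sample body and the check_policy function are constructed here.

```python
import io
import xml.etree.ElementTree as ET

SP_NS = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"

# Constructed sample: a trimmed copy of the getPrimitiveDataResponse from the post,
# wrapped in a SOAP 1.2 Body so the descendant axis has a starting point.
SAMPLE_BODY = """<soapenv:Body xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
  <ns3:getPrimitiveDataResponse xmlns:ns3="http://op_messages.medici_link/xsd">
    <parameterData xmlns="http://op_messages.medici_link/xsd">
      <annotations xmlns="http://external.communication_data_model.medici_link/xsd"/>
      <dataSegments xmlns="http://external.communication_data_model.medici_link/xsd">
        <beginMsec>1186069490203</beginMsec>
      </dataSegments>
    </parameterData>
  </ns3:getPrimitiveDataResponse>
</soapenv:Body>"""

# Constructed policy in the shape of the post: ns3 is used but never declared in the
# policy, and the unprefixed dataSegments ignores the default namespace the element is in.
POLICY_AS_POSTED = f"""<sp:EncryptedElements xmlns:sp="{SP_NS}">
  <sp:XPath>descendant::ns3:getPrimitiveDataResponse</sp:XPath>
  <sp:XPath>descendant::ns3:dataSegments</sp:XPath>
  <sp:XPath>descendant::dataSegments</sp:XPath>
</sp:EncryptedElements>"""

# Same targets with each prefix (op, cdm: constructed names) bound in the policy to the
# URI the message uses. XPath matches on URI, so the message's own prefix plays no part.
POLICY_FIXED = f"""<sp:EncryptedElements xmlns:sp="{SP_NS}"
    xmlns:op="http://op_messages.medici_link/xsd"
    xmlns:cdm="http://external.communication_data_model.medici_link/xsd">
  <sp:XPath>descendant::op:getPrimitiveDataResponse</sp:XPath>
  <sp:XPath>descendant::cdm:dataSegments</sp:XPath>
</sp:EncryptedElements>"""


def declared_prefixes(xml_text):
    """Every xmlns:prefix declaration in the fragment: the prefix map the XPaths run under."""
    events = ET.iterparse(io.BytesIO(xml_text.encode()), events=("start-ns",))
    return {prefix: uri for _, (prefix, uri) in events}


def to_elementtree_path(xpath):
    """ElementTree knows only a small XPath subset; map the descendant axis onto it."""
    for axis in ("descendant::", "//"):
        if xpath.startswith(axis):
            return ".//" + xpath[len(axis):]
    return xpath


def check_policy(policy_xml, message_xml):
    """Return {xpath: (status, match_count)} for every sp:XPath in the policy."""
    prefixes = declared_prefixes(policy_xml)
    body = ET.fromstring(message_xml)
    results = {}
    for xp in ET.fromstring(policy_xml).iter(f"{{{SP_NS}}}XPath"):
        expr = xp.text.strip()
        try:
            hits = body.findall(to_elementtree_path(expr), prefixes)
        except SyntaxError:  # ElementTree's counterpart of jaxen's UnresolvableException
            results[expr] = ("unresolvable-prefix", 0)
            continue
        results[expr] = ("match", len(hits)) if hits else ("no-match", 0)
    return results
```

Running check_policy over a captured response body from each operation shows which targets resolve and match before the policy is deployed.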