Hi,
IMHO, in Rampart, when we want to use the certificate which was used to
sign the request (the client's X509 certificate in your case) to do the
encryption in the response, we specify the <ramp:encryptionUser> parameter as

<encryptionUser>useReqSigCert</encryptionUser>.

For this to work, the request must carry a signature signed using the
client's cert. In your case, you don't have any signed parts or signed
elements defined. But the policy says to include the time stamp, and the
time stamp will be signed using the client's certificate. As the policy states
IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"
in the recipient token, the binary token will be included in the SOAP request.
So I think your scenario should work when encryptionUser is set to
useReqSigCert.

Btw, the two policies in the WSDL and the services.xml are quite different. The
WSDL contains a policy which is applied to two bindings and which is a symmetric
binding. It also requires a UsernameToken as a signed supporting token.

The policy defined in the services.xml is an Asymmetric binding with no
supporting tokens. Anyway, I think you are talking about the policy in the services.xml.

Regards,
Nandana


On 10/11/07, Dobri Kitipov <[EMAIL PROTECTED]> wrote:
>
> Hi everybody,
> We want to test the following scenario using Rampart SNAPSHOT. We have a
> service that defines an Asymmetric binding (I am including the WSDL and the
> services.xml). What we want to achieve is not to store the clients' public
> keys (PKs) on the server side. We do not want to spend memory resources saving
> all clients' PKs, which can be a great number. That's why we want to use X509
> so that clients exchange their PKs with the service. My understanding
> is that in this case we do not need to specify the <ramp:encryptionUser>
> in the services.xml, because the client provides the X509 sent with the
> SOAP. The problem is that we receive the following exception when there is
> no <ramp:encryptionUser> specified:
>
> com.mycompany.wsstack.client.api.WSClientException: org.apache.axis2.AxisFault: Encryption user not specified (The context is created by the initiating party)
>     at com.mycompany.wsstack.client.impl.WSStaxClientImpl.sendReceive(WSStaxClientImpl.java:133)
>     at com.mycompany.wsstack.samples.SampleSymClient.invokeWebService(SampleSymClient.java:67)
>     at com.mycompany.wsstack.samples.SampleSymClient.main(SampleSymClient.java:29)
> Caused by: org.apache.axis2.AxisFault: Encryption user not specified (The context is created by the initiating party)
>     at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:486)
>     at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:343)
>     at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
>     at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
>     at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
>     at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
>     at com.mycompany.wsstack.client.impl.WSStaxClientImpl.sendReceive(WSStaxClientImpl.java:129)
>     ... 2 more
>
> The WSDL of the service is:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>     xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
>     xmlns:ns0="http://pojo.wsstack.mycompany.com"
>     xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
>     xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
>     xmlns:ns1="http://org.apache.axis2/xsd"
>     xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
>     xmlns:xs="http://www.w3.org/2001/XMLSchema"
>     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>     targetNamespace="http://pojo.wsstack.mycompany.com">
>     <wsdl:documentation>HelloPojo</wsdl:documentation>
>     <wsdl:types>
>         <xs:schema xmlns:ns="http://pojo.wsstack.mycompany.com"
>             attributeFormDefault="qualified" elementFormDefault="qualified"
>             targetNamespace="http://pojo.wsstack.mycompany.com">
>             <xs:element name="sayHello">
>                 <xs:complexType>
>                     <xs:sequence>
>                         <xs:element minOccurs="0" name="name" nillable="true" type="xs:string"/>
>                     </xs:sequence>
>                 </xs:complexType>
>             </xs:element>
>             <xs:element name="sayHelloResponse">
>                 <xs:complexType>
>                     <xs:sequence>
>                         <xs:element minOccurs="0" name="return" nillable="true" type="xs:string"/>
>                     </xs:sequence>
>                 </xs:complexType>
>             </xs:element>
>         </xs:schema>
>     </wsdl:types>
>     <wsdl:message name="sayHelloRequest">
>         <wsdl:part name="parameters" element="ns0:sayHello"/>
>     </wsdl:message>
>     <wsdl:message name="sayHelloResponse">
>         <wsdl:part name="parameters" element="ns0:sayHelloResponse"/>
>     </wsdl:message>
>     <wsdl:portType name="HelloPojoPortType">
>         <wsdl:operation name="sayHello">
>             <wsdl:input message="ns0:sayHelloRequest" wsaw:Action="urn:sayHello"/>
>             <wsdl:output message="ns0:sayHelloResponse" wsaw:Action="urn:sayHelloResponse"/>
>         </wsdl:operation>
>     </wsdl:portType>
>     <wsdl:binding name="HelloPojoHttpBinding" type="ns0:HelloPojoPortType">
>         <http:binding verb="POST"/>
>         <wsdl:operation name="sayHello">
>             <http:operation location="HelloPojo/sayHello"/>
>             <wsdl:input>
>                 <mime:content type="text/xml" part="sayHello"/>
>             </wsdl:input>
>             <wsdl:output>
>                 <mime:content type="text/xml" part="sayHello"/>
>             </wsdl:output>
>         </wsdl:operation>
>     </wsdl:binding>
>     <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         wsu:Id="User defined">
>         <wsp:ExactlyOne>
>             <wsp:All>
>                 <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                     <wsp:Policy>
>                         <sp:ProtectionToken>
>                             <wsp:Policy>
>                                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                                     <wsp:Policy>
>                                         <sp:WssX509V3Token10/>
>                                         <sp:RequireDerivedKeys/>
>                                     </wsp:Policy>
>                                 </sp:X509Token>
>                             </wsp:Policy>
>                         </sp:ProtectionToken>
>                         <sp:AlgorithmSuite>
>                             <wsp:Policy>
>                                 <sp:Basic128/>
>                             </wsp:Policy>
>                         </sp:AlgorithmSuite>
>                         <sp:Layout>
>                             <wsp:Policy>
>                                 <sp:Strict/>
>                             </wsp:Policy>
>                         </sp:Layout>
>                         <sp:IncludeTimestamp/>
>                     </wsp:Policy>
>                 </sp:SymmetricBinding>
>                 <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                     <sp:Policy>
>                         <sp:MustSupportRefKeyIdentifier/>
>                         <sp:MustSupportRefIssuerSerial/>
>                     </sp:Policy>
>                 </sp:Wss10>
>                 <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                     <wsp:Policy>
>                         <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"/>
>                     </wsp:Policy>
>                 </sp:SignedSupportingTokens>
>                 <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
>                 <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                     <sp:Body/>
>                 </sp:EncryptedParts>
>                 <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
>                 <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
>             </wsp:All>
>         </wsp:ExactlyOne>
>     </wsp:Policy>
>     <wsdl:service name="HelloPojo">
>         <wsdl:port name="HelloPojoSOAP11port_http" binding="ns0:HelloPojoSOAP11Binding">
>             <soap:address location="http://localhost:8082/wsstack/services/HelloPojo"/>
>         </wsdl:port>
>         <wsdl:port name="HelloPojoSOAP12port_http" binding="ns0:HelloPojoSOAP12Binding">
>             <soap12:address location="http://localhost:8082/wsstack/services/HelloPojo"/>
>         </wsdl:port>
>         <wsdl:port name="HelloPojoHttpport" binding="ns0:HelloPojoHttpBinding">
>             <http:address location="http://localhost:8082/wsstack/services/HelloPojo"/>
>         </wsdl:port>
>     </wsdl:service>
>     <wsdl:binding name="HelloPojoSOAP12Binding" type="ns0:HelloPojoPortType">
>         <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#User defined"/>
>         <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
>         <wsdl:operation name="sayHello">
>             <soap:operation soapAction="urn:sayHello" style="document"/>
>             <wsdl:input>
>                 <soap:body use="literal"/>
>             </wsdl:input>
>             <wsdl:output>
>                 <soap:body use="literal"/>
>             </wsdl:output>
>         </wsdl:operation>
>     </wsdl:binding>
>     <wsdl:binding name="HelloPojoSOAP11Binding" type="ns0:HelloPojoPortType">
>         <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#User defined"/>
>         <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
>         <wsdl:operation name="sayHello">
>             <soap:operation soapAction="urn:sayHello" style="document"/>
>             <wsdl:input>
>                 <soap:body use="literal"/>
>             </wsdl:input>
>             <wsdl:output>
>                 <soap:body use="literal"/>
>             </wsdl:output>
>         </wsdl:operation>
>     </wsdl:binding>
> </wsdl:definitions>
>
>
> The services.xml is:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <serviceGroup>
>   <service name="HelloPojoAsync">
>     <description>Web Service HelloPojoAsync</description>
>     <parameter name="ServiceClass">com.mycompany.wsstack.pojo.HelloPojoAsync</parameter>
>     <messageReceivers>
>       <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"
>         mep="http://www.w3.org/2004/08/wsdl/in-out"/>
>     </messageReceivers>
>     <operation name="sayHello"/>
>     <wsp:Policy wsu:Id="User defined"
>       xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>       <wsp:ExactlyOne>
>         <wsp:All>
>           <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <wsp:Policy>
>               <sp:InitiatorToken>
>                 <wsp:Policy>
>                   <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                     <wsp:Policy>
>                       <sp:WssX509V3Token10/>
>                     </wsp:Policy>
>                   </sp:X509Token>
>                 </wsp:Policy>
>               </sp:InitiatorToken>
>               <sp:RecipientToken>
>                 <wsp:Policy>
>                   <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                     <wsp:Policy>
>                       <sp:WssX509V3Token10/>
>                     </wsp:Policy>
>                   </sp:X509Token>
>                 </wsp:Policy>
>               </sp:RecipientToken>
>               <sp:AlgorithmSuite xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                 <wsp:Policy>
>                   <sp:TripleDesRsa15/>
>                 </wsp:Policy>
>               </sp:AlgorithmSuite>
>               <sp:Layout>
>                 <wsp:Policy>
>                   <sp:Strict/>
>                 </wsp:Policy>
>               </sp:Layout>
>               <sp:IncludeTimestamp/>
>               <sp:OnlySignEntireHeadersAndBody/>
>             </wsp:Policy>
>           </sp:AsymmetricBinding>
>           <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <sp:Policy>
>               <sp:MustSupportRefKeyIdentifier/>
>               <sp:MustSupportRefIssuerSerial/>
>             </sp:Policy>
>           </sp:Wss10>
>           <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <wsp:Policy/>
>           </sp:SignedSupportingTokens>
>           <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
>           <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <sp:Body/>
>           </sp:EncryptedParts>
>           <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
>           <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
>           <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>             <ramp:user>service</ramp:user>
>             <ramp:encryptionUser/>
>             <ramp:passwordCallbackClass>com.mycompany.wsstack.pwcb.ServerPWCBHandler</ramp:passwordCallbackClass>
>             <ramp:signatureCrypto>
>               <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>                 <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>                 <ramp:property name="org.apache.ws.security.crypto.merlin.file">D:\Downloads\Rampart\wsstack\keystores\service.jks</ramp:property>
>                 <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">openssl</ramp:property>
>               </ramp:crypto>
>             </ramp:signatureCrypto>
>             <ramp:encryptionCrypto>
>               <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>                 <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>                 <ramp:property name="org.apache.ws.security.crypto.merlin.file">D:\Downloads\Rampart\wsstack\keystores\service.jks</ramp:property>
>                 <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">openssl</ramp:property>
>               </ramp:crypto>
>             </ramp:encryptionCrypto>
>           </ramp:RampartConfig>
>         </wsp:All>
>       </wsp:ExactlyOne>
>     </wsp:Policy>
>     <module ref="addressing"/>
>     <module ref="rampart"/>
>   </service>
> </serviceGroup>
>
>
> Thank you in advance!
> Dobri Kitipov
>
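The reply above boils down to three things that have to line up before Rampart can encrypt a response to the certificate that signed the request: the initiator's X509 token must actually be included in the request (IncludeToken/AlwaysToRecipient), something in the request must be signed with it (explicit SignedParts/SignedElements, or at least the Timestamp the binding signs), and ramp:encryptionUser must be useReqSigCert rather than empty. The following is an added example, not code from either poster or from Rampart: a small Python lint that checks a services.xml policy for exactly those three conditions and also reports RampartConfig crypto elements whose names are not spelled the way Rampart matches them (the posted config has encryptionCypto). The three sample policies are constructed here to mirror the shape of the posted services.xml; the message wording and the choice of which element names to check are my own.

```python
"""Lint a Rampart AsymmetricBinding policy for the preconditions of
encryptionUser=useReqSigCert. Added example; not Rampart's own code."""
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "ramp": "http://ws.apache.org/rampart/policy",
}
ALWAYS_TO_RECIPIENT = NS["sp"] + "/IncludeToken/AlwaysToRecipient"
NEVER = NS["sp"] + "/IncludeToken/Never"
INCLUDE_TOKEN = "{%s}IncludeToken" % NS["sp"]
RAMP = "{%s}" % NS["ramp"]


def lint_policy(policy_xml):
    """Return a list of problems; an empty list means the policy is wired so that
    Rampart can encrypt the response with the certificate that signed the request."""
    root = ET.fromstring(policy_xml)
    problems = []
    binding = root.find(".//sp:AsymmetricBinding", NS)
    if binding is None:
        return ["no sp:AsymmetricBinding; useReqSigCert only applies to that binding"]

    # 1. The client's certificate must travel in the request as a BinarySecurityToken,
    #    which is what IncludeToken/AlwaysToRecipient on the InitiatorToken asks for.
    tok = binding.find(".//sp:InitiatorToken//sp:X509Token", NS)
    if tok is None:
        problems.append("InitiatorToken carries no sp:X509Token")
    elif (tok.get(INCLUDE_TOKEN) or "").strip() != ALWAYS_TO_RECIPIENT:
        problems.append("InitiatorToken IncludeToken is %r; AlwaysToRecipient is needed "
                        "so the certificate is present in the request" % tok.get(INCLUDE_TOKEN))

    # 2. Something must be signed with that certificate: explicit SignedParts or
    #    SignedElements, or failing those the Timestamp the binding signs anyway.
    signed = root.findall(".//sp:SignedParts/*", NS) + root.findall(".//sp:SignedElements/*", NS)
    if not signed and binding.find(".//sp:IncludeTimestamp", NS) is None:
        problems.append("nothing is signed: empty SignedParts/SignedElements and no sp:IncludeTimestamp")

    # 3. RampartConfig: encryptionUser must be useReqSigCert (an empty or missing
    #    element is what yields "Encryption user not specified"), and the crypto
    #    element names must be spelled exactly, since unknown elements are ignored.
    cfg = root.find(".//ramp:RampartConfig", NS)
    if cfg is None:
        problems.append("no ramp:RampartConfig")
        return problems
    enc_user = cfg.find("ramp:encryptionUser", NS)
    value = (enc_user.text or "").strip() if enc_user is not None else ""
    if value != "useReqSigCert":
        problems.append("ramp:encryptionUser is %r, expected 'useReqSigCert'" % value)
    present = {child.tag[len(RAMP):] for child in cfg if child.tag.startswith(RAMP)}
    for name in ("signatureCrypto", "encryptionCrypto"):
        if name not in present:
            problems.append("ramp:%s not found (check spelling; a misspelled element is ignored)" % name)
    return problems


def _policy(include_token, encryption_user, encr_crypto_name):
    """Constructed sample mirroring the shape of the posted services.xml policy."""
    return """<wsp:Policy xmlns:wsp="%(wsp)s" xmlns:sp="%(sp)s" xmlns:ramp="%(ramp)s">
  <wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding><wsp:Policy>
      <sp:InitiatorToken><wsp:Policy>
        <sp:X509Token sp:IncludeToken="%(inc)s"><wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
      </wsp:Policy></sp:InitiatorToken>
      <sp:RecipientToken><wsp:Policy>
        <sp:X509Token sp:IncludeToken="%(never)s"><wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
      </wsp:Policy></sp:RecipientToken>
      <sp:IncludeTimestamp/>
      <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy></sp:AsymmetricBinding>
    <sp:SignedParts/>
    <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
    <ramp:RampartConfig>
      <ramp:user>service</ramp:user>
      %(enc_user)s
      <ramp:signatureCrypto/>
      <ramp:%(crypto)s/>
    </ramp:RampartConfig>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>""" % dict(NS, inc=include_token, never=NEVER, enc_user=encryption_user, crypto=encr_crypto_name)


# Constructed: the posted shape, empty encryptionUser and the misspelled encryptionCypto element.
AS_POSTED = _policy(ALWAYS_TO_RECIPIENT, "<ramp:encryptionUser/>", "encryptionCypto")
# Constructed: the change the reply suggests, plus the spelling fix.
FIXED = _policy(ALWAYS_TO_RECIPIENT, "<ramp:encryptionUser>useReqSigCert</ramp:encryptionUser>", "encryptionCrypto")
# Constructed: RampartConfig is right but the initiator token is never sent, so there is no cert to use.
NO_CERT_IN_REQUEST = _policy(NEVER, "<ramp:encryptionUser>useReqSigCert</ramp:encryptionUser>", "encryptionCrypto")

if __name__ == "__main__":
    for label, policy in (("as posted", AS_POSTED), ("fixed", FIXED), ("token never sent", NO_CERT_IN_REQUEST)):
        print(label, "->", lint_policy(policy) or "OK")
```

One thing the lint deliberately does not cover: once encryptionUser is useReqSigCert, the service encrypts the response to whichever certificate signed the request, so the only thing separating a legitimate client from an attacker-supplied certificate is the signature verification against the service's signatureCrypto keystore. That trust store, not the policy wiring, is what decides who can read responses.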
