Hi Dobri,

> Anyway I am a little bit new to all that WS security stuff, so excuse
> me if I do not understand some things correctly.
> Ok, it is a little bit away from the topic, but will it be enough for
> symmetric binding to add only a timestamp?


IMHO, this depends on what kind of protection you want.
Only a timestamp will be able to prevent replay attacks to
some extent, as it is signed and no one can tamper with the
creation and expiration time. But if you look at how
symmetric binding works, I don't think there is much
security if only a timestamp is used.
When a symmetric binding is used, a random ephemeral key is
created by the initiator. An encrypted key is then created by
encrypting the ephemeral key for the recipient's certificate.
This encrypted key is used to sign and encrypt the desired
message elements between the client and the server. So
as you can see, here only the server or the recipient
needs to get authenticated. The client doesn't need to
have any claims (certificate, token) in order to communicate
with the server. For this reason, this is also called an anonymous
configuration, as the server is communicating with anonymous
clients. But still, if the message is properly signed and
encrypted, no one can tamper with it or read it in transit,
as only the recipient can decrypt the encrypted key.
This will prevent man-in-the-middle kinds of attacks.
Clients can be sure that the requests and responses are
not disclosed or tampered with.
But what if you want both the clients and the server
to get authenticated using symmetric binding, because
you don't want anonymous clients to access your service?
Then you can add a supporting token to make sure that
clients also provide the necessary claims to authenticate
themselves.

> "Unexpected encrypted data found, no encryption required"     -   what
> does it mean? Why is this thrown?


This is due to a bug in Rampart, but now it is fixed. The empty reference
list after the first derived key is the one which is causing the problem. And now
Rampart doesn't create empty reference lists when there is nothing to encrypt,
and the validator also can handle empty reference lists correctly.
See JIRA RAMPART-92 [1] and JIRA RAMPART-104 [2]. Can you take a checkout
from the Rampart trunk and retry this policy? This should work properly.


> <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
>                      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                      wsu:Id="derivedKeyId-21657019">
>     <wsse:SecurityTokenReference>
>         <wsse:Reference URI="#EncKeyId-31478058"/>
>     </wsse:SecurityTokenReference>
>     <wsc:Length>16</wsc:Length>
>     <wsc:Nonce>NQxv+tVJKNDpWUC4T9CF5A==</wsc:Nonce>
>     <wsc:Offset>0</wsc:Offset>
> </wsc:DerivedKeyToken>
> <xenc:ReferenceList/>
>
> Can you tell me what is the problem from your point of view? Do you
> think I should post the JIRA request?


I think you should create a JIRA for the issue "Cannot find Reference in
Manifest" you mentioned in the first mail, so that we can fix it.

Regards,
Nandana


[1] http://issues.apache.org/jira/browse/RAMPART-92
[2] http://issues.apache.org/jira/browse/RAMPART-104
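The symmetric-binding flow described in the reply above, reduced to a runnable sketch. This is an added example, not Rampart or WSS4J code: the initiator's random ephemeral key stands in for the secret that the real binding wraps for the recipient's certificate (no RSA key transport is modelled), `derive_key` mirrors the fields of a `<wsc:DerivedKeyToken>` (Length, Nonce, Offset) using the P_SHA1 expansion, and the receiver side checks a signed Timestamp for tampering, expiry and replay. The `LABEL` constant, the canonical form of the timestamp and the 60-second clock skew are assumptions of this example, not values from the thread.

```python
import base64
import datetime as dt
import hashlib
import hmac
import os

# Assumption: the label both parties use when deriving keys. WS-SecureConversation
# defines a default; this example just treats it as an agreed constant.
LABEL = b"WS-SecureConversation"
CLOCK_SKEW = dt.timedelta(seconds=60)   # assumption: tolerated clock difference
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def p_sha1(secret, seed, nbytes):
    """TLS-style P_SHA1 expansion: concatenates HMAC(secret, A(i) + seed)."""
    a = seed
    out = b""
    while len(out) < nbytes:
        a = hmac.new(secret, a, hashlib.sha1).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:nbytes]


def derive_key(ephemeral_key, nonce_b64, length, offset, label=LABEL):
    """Mirror a DerivedKeyToken: seed = label + nonce, take [offset, offset+length)."""
    seed = label + base64.b64decode(nonce_b64)
    return p_sha1(ephemeral_key, seed, offset + length)[offset:offset + length]


def _canon(timestamp):
    # Stand-in for canonicalised <wsu:Timestamp> content (assumption of this example).
    return ("Created=" + timestamp["Created"] + ";Expires=" + timestamp["Expires"]).encode()


def new_timestamp(now, ttl=dt.timedelta(minutes=5)):
    return {"Created": now.strftime(TS_FORMAT), "Expires": (now + ttl).strftime(TS_FORMAT)}


def sign_timestamp(key, timestamp):
    # Basic128 pairs the derived key with HMAC-SHA1 for the signature.
    return hmac.new(key, _canon(timestamp), hashlib.sha1).digest()


def verify_timestamp(key, timestamp, signature, now, seen):
    """Receiver side: return 'ok' or the reason the message is rejected.
    `seen` is the receiver's cache of signature values within the validity window."""
    if not hmac.compare_digest(sign_timestamp(key, timestamp), signature):
        return "bad-signature"          # Created/Expires were tampered with
    created = dt.datetime.strptime(timestamp["Created"], TS_FORMAT)
    expires = dt.datetime.strptime(timestamp["Expires"], TS_FORMAT)
    if created > now + CLOCK_SKEW:
        return "created-in-future"
    if expires <= now:
        return "expired"
    if signature in seen:
        return "replay"                 # same signed timestamp presented twice
    seen.add(signature)
    return "ok"


def demo():
    """Walk through one exchange; returns the receiver's verdict for each case."""
    ephemeral = os.urandom(16)          # initiator's random ephemeral key
    nonce = base64.b64encode(os.urandom(16)).decode()
    sig_key = derive_key(ephemeral, nonce, 16, 0)    # Length=16, Offset=0 as in the thread
    enc_key = derive_key(ephemeral, nonce, 16, 16)   # next 16 bytes of the same expansion
    now = dt.datetime(2007, 11, 9, 11, 58, 24)       # constructed clock value
    seen = set()
    ts = new_timestamp(now)
    sig = sign_timestamp(sig_key, ts)
    results = {}
    results["fresh"] = verify_timestamp(sig_key, ts, sig, now, seen)
    results["replayed"] = verify_timestamp(sig_key, ts, sig, now + dt.timedelta(seconds=10), seen)
    tampered = dict(ts, Expires="2099-01-01T00:00:00Z")
    results["tampered"] = verify_timestamp(sig_key, tampered, sig, now, set())
    results["expired"] = verify_timestamp(sig_key, ts, sig, now + dt.timedelta(minutes=6), set())
    results["keys_differ"] = sig_key != enc_key
    return results


if __name__ == "__main__":
    print(demo())
```

The replay cache only helps while the receiver keeps entries for at least the Timestamp validity window, which is why a timestamp alone gives replay protection only "to some extent"; and because any party can build the ephemeral key and derive from it, nothing here tells the server who the client is, which is the gap the supporting token closes.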



>
> Thank you in advance!
> Dobri
>
>
> On Nov 9, 2007 2:19 PM, Nandana Mihindukulasooriya
> <[EMAIL PROTECTED] > wrote:
> > Hi Dobri,
> >      I came across the same problem when there is an empty signature element
> > in the message. That is if there are no references in the signature element,
> > xmlsec can't process that signature. Looking at the policy, we can see it is
> > the case here.
> > So can you post your soap request? Can you put JIRA [1] if this is the
> > case. This can be fixed in Rampart. We can simply avoid creating a signature
> > when there is nothing to sign.
> >     BTW, I have a small problem about your policy. As it seems this policy
> > doesn't provide any security at all. No integrity or confidentiality
> > protections, no timestamp and no supporting tokens.
> >
> > Regards,
> > Nandana
> >
> > [1] - http://issues.apache.org/jira/browse/Rampart
> >
> > On Nov 9, 2007 4:54 PM, Dobri Kitipov <[EMAIL PROTECTED]>
> > wrote:
> >
> >
> > > Hi everybody,
> > > I know this is a question that has been already asked in this mailing
> > > list but there is no answer to it.
> > > My environment is based on Axis2 1.3, Rampart 1.3 and
> > > xmlsec-1.4.1.jar. What I am testing is the symmetric binding.
> > > The problem is that I am receiving the following exception when
> > > invoking the service:
> > >
> > > 2007-11-09 11:58:24     (axis2_test.log) 09:11:2007 11:58:24,406 [http-8081-Processor24] (AxisServlet.java:159) ERROR org.apache.axis2.transport.http.AxisServlet  - Cannot find Reference in Manifest
> > > 2007-11-09 11:58:24     (axis2_test.log) org.w3c.dom.DOMException: Cannot find Reference in Manifest
> > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:161)
> > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:85)
> > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:284)
> > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:206)
> > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:159)
> > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.rampart.RampartEngine.process(RampartEngine.java:127)
> > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:85)
> > > etc.........
> > >
> > > Here is my services.xml:
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <serviceGroup>
> > >     <service name="HelloPojo">
> > >         <description>Web Service HelloPojo</description>
> > >         <parameter name="ServiceClass">com.mycompany.wsstack.pojo.HelloPojo</parameter>
> > >         <messageReceivers>
> > >             <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"
> > >                              mep="http://www.w3.org/2004/08/wsdl/in-out"/>
> > >         </messageReceivers>
> > >         <operation name="sayHello"/>
> > >         <wsp:Policy wsu:Id="User defined"
> > >                     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > >                     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> > >             <wsp:ExactlyOne>
> > >                 <wsp:All>
> > >                     <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >                         <wsp:Policy>
> > >                             <sp:ProtectionToken>
> > >                                 <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> > >                                     <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> > >                                         <wsp:Policy>
> > >                                             <sp:WssX509V3Token10/>
> > >                                             <sp:RequireDerivedKeys/>
> > >                                         </wsp:Policy>
> > >                                     </sp:X509Token>
> > >                                 </wsp:Policy>
> > >                             </sp:ProtectionToken>
> > >                             <sp:AlgorithmSuite xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >                                 <wsp:Policy>
> > >                                     <sp:Basic128/>
> > >                                 </wsp:Policy>
> > >                             </sp:AlgorithmSuite>
> > >                             <sp:Layout>
> > >                                 <wsp:Policy>
> > >                                     <sp:Strict/>
> > >                                 </wsp:Policy>
> > >                             </sp:Layout>
> > >                         </wsp:Policy>
> > >                     </sp:SymmetricBinding>
> > >                     <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >                         <sp:Policy>
> > >                             <sp:MustSupportRefKeyIdentifier/>
> > >                             <sp:MustSupportRefIssuerSerial/>
> > >                         </sp:Policy>
> > >                     </sp:Wss10>
> > >                     <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >                         <wsp:Policy/>
> > >                     </sp:SignedSupportingTokens>
> > >                     <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> > >                         <ramp:user>service</ramp:user>
> > >                         <ramp:encryptionUser>client</ramp:encryptionUser>
> > >                         <ramp:passwordCallbackClass>com.mycompany.wsstack.pwcb.PasswordCallbackHandler</ramp:passwordCallbackClass>
> > >                         <ramp:signatureCrypto>
> > >                             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> > >                                 <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > >                                 <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
> > >                                 <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">openssl</ramp:property>
> > >                             </ramp:crypto>
> > >                         </ramp:signatureCrypto>
> > >                         <ramp:encryptionCypto>
> > >                             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> > >                                 <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > >                                 <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
> > >                                 <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">openssl</ramp:property>
> > >                             </ramp:crypto>
> > >                         </ramp:encryptionCypto>
> > >                     </ramp:RampartConfig>
> > >                 </wsp:All>
> > >             </wsp:ExactlyOne>
> > >         </wsp:Policy>
> > >         <module ref="addressing"/>
> > >         <module ref="rampart"/>
> > >     </service>
> > > </serviceGroup>
> > >
> > >
> > > Can someone give me some info about that problem?
> > >
> > >
> > > Thank you in advance!
> > > Dobri
> > >
> >
>
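A small check for the symptom discussed in this thread: an empty `<xenc:ReferenceList/>` following the first DerivedKeyToken, and a Signature whose SignedInfo carries no References. This is an added example, not Rampart or WSS4J code; the security header it parses is constructed for the example, with namespace URIs taken from WS-Security, WS-SecureConversation (2005/02), XML Encryption and XML Signature. `lint_security_header` reports the conditions the old Rampart/xmlsec combination tripped on (plus a DerivedKeyToken whose SecurityTokenReference points at nothing), and `drop_empty_reference_lists` applies the sender-side fix the reply describes: emit no reference list when there is nothing to encrypt.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsc": "http://schemas.xmlsoap.org/ws/2005/02/sc",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, local):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (NS[prefix], local)


# Constructed sample header (ids, nonce and cipher text are placeholders):
# one empty ReferenceList and a Signature with no ds:Reference, the shape the
# thread describes.
SAMPLE_HEADER = """<wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <wsu:Timestamp wsu:Id="Timestamp-1">
    <wsu:Created>2007-11-09T11:58:24Z</wsu:Created>
    <wsu:Expires>2007-11-09T12:03:24Z</wsu:Expires>
  </wsu:Timestamp>
  <xenc:EncryptedKey Id="EncKeyId-1">
    <xenc:CipherData><xenc:CipherValue>constructed</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey>
  <wsc:DerivedKeyToken wsu:Id="derivedKeyId-1">
    <wsse:SecurityTokenReference>
      <wsse:Reference URI="#EncKeyId-1"/>
    </wsse:SecurityTokenReference>
    <wsc:Length>16</wsc:Length>
    <wsc:Nonce>AAAAAAAAAAAAAAAAAAAAAA==</wsc:Nonce>
    <wsc:Offset>0</wsc:Offset>
  </wsc:DerivedKeyToken>
  <xenc:ReferenceList/>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    </ds:SignedInfo>
    <ds:SignatureValue>constructed</ds:SignatureValue>
  </ds:Signature>
</wsse:Security>"""


def lint_security_header(xml_text):
    """Return a list of findings for a <wsse:Security> header, in document order of checks."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. ReferenceList with no DataReference children: nothing was encrypted.
    for rl in root.iter(q("xenc", "ReferenceList")):
        if len(rl) == 0:
            findings.append("empty-reference-list")
    # 2. SignedInfo with no ds:Reference: the "Cannot find Reference in Manifest" case.
    for si in root.iter(q("ds", "SignedInfo")):
        if si.find(q("ds", "Reference")) is None:
            findings.append("signature-without-references")
    # 3. DerivedKeyToken must point at a token (EncryptedKey) present in the header.
    ids = {el.get("Id") or el.get(q("wsu", "Id")) for el in root.iter()}
    for dkt in root.iter(q("wsc", "DerivedKeyToken")):
        ref = dkt.find("./wsse:SecurityTokenReference/wsse:Reference", NS)
        target = ref.get("URI", "") if ref is not None else ""
        if not target.startswith("#") or target[1:] not in ids:
            findings.append("dangling-derived-key-reference")
    return findings


def drop_empty_reference_lists(xml_text):
    """Sender-side fix: remove ReferenceList elements that reference nothing."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == q("xenc", "ReferenceList") and len(child) == 0:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(lint_security_header(SAMPLE_HEADER))
    print(lint_security_header(drop_empty_reference_lists(SAMPLE_HEADER)))
```

Running the lint over a captured request before filing a report gives a quicker answer than the xmlsec stack trace does; the signature-without-references finding is the one that needs the policy fixed (or, as the earlier reply suggests, Rampart not to emit a signature when there is nothing to sign), while the empty reference list is the bug RAMPART-92/RAMPART-104 address.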
