[ https://issues.apache.org/jira/browse/RAMPART-111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542434 ]

Paul Anderson commented on RAMPART-111:
---------------------------------------

Looking at the code and experimenting, the answer is that it half works, but 
only if you get the config exactly as Rampart expects, and Rampart's 
expectations seem a little odd (*)

IncludeToken MUST be Never.
<sp:RequireIssuerSerialReference/>, <sp:RequireKeyIdentifierReference/> seem to 
be ignored in the binding.
Rampart looks only at Wss11 or Wss10 'MustSupport', and takes 
<sp:MustSupportRefKeyIdentifier/> if it's there; if not, it checks 
<sp:MustSupportRefIssuerSerial/> - order is not important.

Then it works, BUT only if the use of SignedSupportingTokens is not specified 
in the policy.
The problem is that if you enable SignedSupportingTokens at the same time as 
Never, no certificate reference is sent at all.
Only Always etc work, and then the cert is sent OK as BinarySecurityToken.

(*) Surely MustSupport is just a declaration of what both ends of the 
communication need to implement? Should it not be the RequireXReference that 
specifies which key identifier to use for a binding?
Also, a literal cert (BinarySecurityToken) is always sent if the Include is not 
'Never'. Is this right? Or for Once, Always, etc, can a reference be enough?
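To make the behaviour described in this comment checkable before deployment, here is an added policy-lint script (not Rampart code, and not from the issue) that reads a WS-SecurityPolicy document and predicts which certificate reference Rampart 1.3 would emit under the rules observed above: IncludeToken must be Never, the reference type comes only from MustSupportRefKeyIdentifier / MustSupportRefIssuerSerial under Wss11 or Wss10 (KeyIdentifier wins), RequireXReference inside the token is ignored, and SignedSupportingTokens combined with Never yields no reference at all. The sample policy fragments are constructed for the example; the sp and wsp namespace URIs are the standard 2005/07 securitypolicy and 2004/09 policy namespaces, and the precedence rules are taken from the comment, not verified against the Rampart source here.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
INCLUDE_NEVER = SP + "/IncludeToken/Never"


def _sp(local):
    # Clark-notation name for an sp: element or attribute
    return "{%s}%s" % (SP, local)


def predict_reference(policy_xml):
    """Apply the Rampart 1.3 rules from the comment to a policy document.

    Returns {'reference': <'BinarySecurityToken'|'KeyIdentifier'|'IssuerSerial'|None>,
             'findings': [explanations of why the policy may not do what you expect]}.
    """
    root = ET.fromstring(policy_xml)
    findings = []

    initiator = root.find(".//" + _sp("InitiatorToken"))
    x509 = initiator.find(".//" + _sp("X509Token")) if initiator is not None else None
    if x509 is None:
        return {"reference": None, "findings": ["no sp:X509Token under sp:InitiatorToken"]}

    # Anything other than Never: the literal certificate goes out as a BinarySecurityToken.
    if x509.get(_sp("IncludeToken"), "") != INCLUDE_NEVER:
        return {"reference": "BinarySecurityToken", "findings": findings}

    # RequireIssuerSerialReference / RequireKeyIdentifierReference in the binding are ignored.
    for ignored in ("RequireIssuerSerialReference", "RequireKeyIdentifierReference"):
        if x509.find(".//" + _sp(ignored)) is not None:
            findings.append("sp:%s inside the token is ignored; use Wss11/Wss10 MustSupportRef* instead" % ignored)

    # Only Wss11 or Wss10 MustSupportRef* decides the reference type; KeyIdentifier takes precedence.
    wss = root.find(".//" + _sp("Wss11"))
    if wss is None:
        wss = root.find(".//" + _sp("Wss10"))
    reference = None
    if wss is not None:
        if wss.find(".//" + _sp("MustSupportRefKeyIdentifier")) is not None:
            reference = "KeyIdentifier"
        elif wss.find(".//" + _sp("MustSupportRefIssuerSerial")) is not None:
            reference = "IssuerSerial"
    if reference is None:
        findings.append("no sp:MustSupportRefKeyIdentifier or sp:MustSupportRefIssuerSerial under sp:Wss11/sp:Wss10")

    # Never + SignedSupportingTokens: no certificate reference is sent at all.
    if root.find(".//" + _sp("SignedSupportingTokens")) is not None:
        findings.append("sp:SignedSupportingTokens with IncludeToken Never: no certificate reference is sent")
        reference = None

    return {"reference": reference, "findings": findings}


def sample_policy(include_token, must_support, signed_supporting=False):
    """Constructed policy fragment exposing the knobs the comment discusses (not from the issue)."""
    supporting = ""
    if signed_supporting:
        supporting = ("\n  <sp:SignedSupportingTokens>"
                      "<wsp:Policy><sp:UsernameToken/></wsp:Policy>"
                      "</sp:SignedSupportingTokens>")
    return """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
  <sp:AsymmetricBinding>
    <wsp:Policy>
      <sp:InitiatorToken>
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken="%s/IncludeToken/%s">
            <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:InitiatorToken>
    </wsp:Policy>
  </sp:AsymmetricBinding>%s
  <sp:Wss11><wsp:Policy>%s</wsp:Policy></sp:Wss11>
</wsp:Policy>""" % (WSP, SP, SP, include_token, supporting, must_support)


if __name__ == "__main__":
    for label, policy in [
        ("never + issuer/serial", sample_policy("Never", "<sp:MustSupportRefIssuerSerial/>")),
        ("never + signed supporting", sample_policy("Never", "<sp:MustSupportRefIssuerSerial/>", True)),
        ("always", sample_policy("Always", "<sp:MustSupportRefIssuerSerial/>")),
    ]:
        print(label, predict_reference(policy))
```

Running the script prints the predicted reference for the three constructed cases; the findings list is what a deployer would want to see before discovering, as the comment did, that the recipient receives no reference.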

> Rampart won't send certificate serial + issuer. Only either BinaryToken or 
> Identity, but not always as it should
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: RAMPART-111
>                 URL: https://issues.apache.org/jira/browse/RAMPART-111
>             Project: Rampart
>          Issue Type: Bug
>    Affects Versions: 1.3
>         Environment: JDK6 on RHEL3, in Synapse 1.1
>            Reporter: Paul Anderson
>            Assignee: Nandana Mihindukulasooriya
>         Attachments: RAMPART-111.patch
>
>
> Usually, Rampart seems to send BinaryToken (literal certificate) with 
> messages when you specify a signed body and/or signed username token.
> I need to get Rampart to use Key Identifier or Issuer/Serial No. instead, and 
> preferably when UsernameToken's enabled too.
> But I found:
> - If I use signed supporting tokens (username) then Rampart will always send 
> only a literal BinaryToken.
> - If I disable username token, set Body to be signed, and set InitiatorToken 
> Never in my WS-Policy, Rampart sends the key identity as token reference for 
> WS-Security signing.
> But it always does this, even if I try to specify Issuer/Serial as the token 
> reference by including
> <ramp:signatureKeyIdentifier>IssuerSerial</ramp:signatureKeyIdentifier>
> and/or
>     <sp:InitiatorToken>
>       <wsp:Policy>
>         <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>           (or Never or AlwaysToRecipient)
>           <wsp:Policy>
>             <sp:RequireIssuerSerialReference/>
>             <!--<sp:RequireKeyIdentifierReference/>-->
>             <sp:WssX509V3Token10/>
>           </wsp:Policy>
>         </sp:X509Token>
>       </wsp:Policy>
>     </sp:InitiatorToken>
> These seemed to have no effect:
>     <sp:MustSupportRefKeyIdentifier/>
>     <sp:MustSupportRefIssuerSerial/>
> Putting the lines in the RecipientToken as well seemed to have no effect.
> It's a problem for me because on the recipient side I have to be specific 
> about what form the certificate key will come in, and I have 2 WS clients for 
> the same service. I don't want to deploy the service twice just because 
> Rampart can only send BinaryToken.
> I hope there's a nightly build of Axis2 or Rampart alone that I can use to 
> check any fix. Maybe I've misunderstood, and these are undocumented features 
> and not a bug. Maybe Rampart works OK for SymmetricBinding - I'm using 
> Asymmetric.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.