Hi everybody,
I do not think my suggestion was quite right. Anyway, there are some problems
when I try to use UsernameToken and sign it.
After some research through the code (rampart and wss4j) and the SOAP
messages exchanged, I found that in my SOAP request I have the following
namespace for the UsernameToken (UT):

<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-13367741">
  <wsse:Username>user</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pass</wsse:Password>
</wsse:UsernameToken>

then in the code, in org.apache.ws.security.WSSecurityEngine (part of wss4j), I
found the following:

    /**
     * <code>wsse:UsernameToken</code> as defined by WS Security specification
     */
    public static final QName usernameToken = new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN);

where
    public static final String USERNAME_TOKEN_LN = "UsernameToken";
and
    public static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

which is not the one used in my request?

When I look at the WSSecurityEngineResult I see the value of
WSUsernameTokenPrincipal to be correctly created.
The "action" has value 1, which means public static final int UT = 1;, or
UsernameToken.
I read that there is another action value that is possible: public static
final int UT_SIGN = 64; I think this means signed UT? If so, maybe this is
the correct value? And that is why I am receiving the "Unexpected signature"
exception?

I apologize in advance that I do not understand all this code and
stuff around Rampart. I am sending you my comments because I think there
are some clues to problems that may be caused by what I have observed
till now.

Best regards,
Dobri


On Nov 13, 2007 6:04 PM, Dobri Kitipov <[EMAIL PROTECTED]> wrote:
> Hi everybody,
> My environment is based on Axis2 1.3, Rampart 1.3.
> What I am testing is symmetric binding with Username token. What I am
> receiving is the following exception:
> "Unexpected signature".
>
> I know the reason for the problem, but I am interested whether it is a bug in
> rampart or there is another reason for that? Or maybe I do not
> understand it well?
> This exception is caused in the
> org.apache.rampart.PolicyBasedResultsValidator class, namely in
> the public void validate(ValidatorData data, Vector results) method.
> There are several checks for signatureParts. These checks are for
> "timestamp", "EndorsingSupportingTokens" and
> "SignedEndorsingSupportingTokens".
> The problem is that when I read WS-SecurityPolicy 1.1 (July
> 2005), which is the spec implemented by Rampart, we can read that there are
> two additional supporting token assertions, namely:
>
> - SupportingTokens Assertion
> and
> - SignedSupportingTokens Assertion.
>
> Why are these two cases not processed in the method? Is there any
> particular reason for that?
>
> Here is an excerpt from my service.xml that causes the exception:
>
> <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>   <wsp:Policy>
>     <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"
>                       xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
>   </wsp:Policy>
> </sp:SignedSupportingTokens>
>
> My understanding is that I should add two additional cases to the
> above mentioned code in order to have:
>
> signatureParts.add(new WSEncryptionPart("SignedSupportingTokens "));
> and
> signatureParts.add(new WSEncryptionPart("SupportingTokens "));
>
> Thank you in advance!
> Best regards, Dobri
>
> PS
> I am also attaching the SOAP request:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope
>     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>     xmlns:wsa="http://www.w3.org/2005/08/addressing">
>   <soapenv:Header>
>     <wsse:Security
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         soapenv:mustUnderstand="1">
>       <xenc:EncryptedKey Id="EncKeyId-18788761">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <wsse:SecurityTokenReference>
>             <wsse:KeyIdentifier
>                 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>                 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">9kbwRNyMypNWhulx0JkHVOFvRB8=</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue>PjfZ2MAa1HZs1pfzNxa+zdaNKBMgi9fjOdsQSY3jfqkl0lFiWMtc5UOngBfjlN0hNHxfLnU2cJVnEuBTQgHYl2iaJT/VnbDk2Oby5/HZcFyq2ojNarE0iScoJ5beZD0DbSkkpzkq3elfSjYpa1MXRYBtNHcCD+cDkmmpNfZHuJU=</xenc:CipherValue>
>         </xenc:CipherData>
>       </xenc:EncryptedKey>
>       <wsc:DerivedKeyToken
>           xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="derivedKeyId-27003862">
>         <wsse:SecurityTokenReference>
>           <wsse:Reference URI="#EncKeyId-18788761"/>
>         </wsse:SecurityTokenReference>
>         <wsc:Length>16</wsc:Length>
>         <wsc:Nonce>iy0NzppeoVrO6YfwpMlnSw==</wsc:Nonce>
>         <wsc:Offset>0</wsc:Offset>
>       </wsc:DerivedKeyToken>
>       <xenc:ReferenceList/>
>       <wsse:UsernameToken
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="UsernameToken-13367741">
>         <wsse:Username>vmtest</wsse:Username>
>         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">vmtest</wsse:Password>
>       </wsse:UsernameToken>
>       <wsc:DerivedKeyToken
>           xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="derivedKeyId-24856323">
>         <wsse:SecurityTokenReference>
>           <wsse:Reference URI="#EncKeyId-18788761"/>
>         </wsse:SecurityTokenReference>
>         <wsc:Length>16</wsc:Length>
>         <wsc:Nonce>SYR+YeMYEbTiIxSg1ZnccQ==</wsc:Nonce>
>         <wsc:Offset>0</wsc:Offset>
>       </wsc:DerivedKeyToken>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-19419092">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>           <ds:Reference URI="#UsernameToken-13367741">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>n1Tt4rPVpDWRQbkXo21bMOSbcpU=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>JFfbGIEU9tGljsoEbTQfbQA0+jY=</ds:SignatureValue>
>         <ds:KeyInfo Id="KeyId-4167406">
>           <wsse:SecurityTokenReference
>               xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>               wsu:Id="STRId-13506221">
>             <wsse:Reference URI="#derivedKeyId-24856323"/>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>     <wsa:To>http://127.0.0.1:8082/wsstack/services/HelloPojo</wsa:To>
>     <wsa:MessageID>urn:uuid:FD4944A142545EE74F1194968191631</wsa:MessageID>
>     <wsa:Action>urn:sayHello</wsa:Action>
>   </soapenv:Header>
>   <soapenv:Body>
>     <xsd:sayHello xmlns:xsd="http://pojo.wsstack.mycompany.com">
>       <xsd:name>Dodo!</xsd:name>
>     </xsd:sayHello>
>   </soapenv:Body>
> </soapenv:Envelope>
>
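As an added example (not code from this thread, nor from wss4j or Rampart), the following Python script works on a constructed, trimmed copy of the header quoted above. It shows how a namespace-aware parser resolves the UsernameToken's QName (the wsse prefix declared on wsse:Security, not the wsu declaration on the token, decides its namespace) and then checks whether a ds:Reference in SignedInfo covers the token's wsu:Id, which is the condition a results validator has to establish before it can treat the token as signed rather than plain. The UT and UT_SIGN values are the action codes quoted in the thread.

```python
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
UT, UT_SIGN = 1, 64  # action codes quoted in the thread (wss4j WSConstants)

# Constructed, trimmed copy of the header from the thread: the wsse prefix is
# declared on wsse:Security, the wsu prefix only on the token itself.
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}" soapenv:mustUnderstand="1">
      <wsse:UsernameToken xmlns:wsu="{WSU_NS}" wsu:Id="UsernameToken-13367741">
        <wsse:Username>vmtest</wsse:Username>
      </wsse:UsernameToken>
      <ds:Signature xmlns:ds="{DS_NS}">
        <ds:SignedInfo>
          <ds:Reference URI="#UsernameToken-13367741"/>
        </ds:SignedInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
</soapenv:Envelope>"""

def username_token_qname(xml_text):
    """(namespace, local-name) the parser resolves for the UsernameToken element."""
    ut = ET.fromstring(xml_text).find(f".//{{{WSSE_NS}}}UsernameToken")
    if ut is None:
        return None
    ns, local = ut.tag[1:].split("}", 1)  # ElementTree tags look like {ns}local
    return ns, local

def username_token_id(xml_text):
    """Value of the wsu:Id attribute, which is what the wsu declaration serves."""
    ut = ET.fromstring(xml_text).find(f".//{{{WSSE_NS}}}UsernameToken")
    return None if ut is None else ut.get(f"{{{WSU_NS}}}Id")

def signed_ids(xml_text):
    """Ids (without the leading '#') that ds:SignedInfo/ds:Reference URIs cover."""
    refs = ET.fromstring(xml_text).findall(f".//{{{DS_NS}}}SignedInfo/{{{DS_NS}}}Reference")
    return {r.get("URI", "").lstrip("#") for r in refs}

def username_token_action(xml_text):
    """UT_SIGN if a signature reference covers the token's wsu:Id, UT if the
    token is present but unsigned, 0 if there is no UsernameToken at all."""
    uid = username_token_id(xml_text)
    if uid is None:
        return 0
    return UT_SIGN if uid in signed_ids(xml_text) else UT
```

Dropping the ds:Reference from the sample turns the result from UT_SIGN into UT, which is the distinction the validator's signatureParts checks are about.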
