[ https://issues.apache.org/jira/browse/RAMPART-111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542489 ]
Nandana Mihindukulasooriya commented on RAMPART-111:
----------------------------------------------------
Now the Issuer Serial Reference problem is solved. I attached the policy I used
and the soap request. But there is still an issue when a username token is
added as a signed supporting token. When I added the signed supporting token,
the signature element didn't get attached to the security header. I think this
is due to the code segment given below.
    if (child.getOwnerDocument().equals(sibling.getOwnerDocument())) {
        // a detached child is appended to the header first, unless it is a UsernameToken
        if (child.getParentNode() == null
                && !child.getLocalName().equals("UsernameToken")) {
            rmd.getSecHeader().getSecurityHeader().appendChild(child);
        }
        ((OMElement) child).insertSiblingAfter((OMElement) sibling);
        return sibling;
    } else {
        Element newSib = (Element) child.getOwnerDocument().importNode(
                sibling, true);
        ((OMElement) child).insertSiblingAfter((OMElement) newSib);
        return newSib;
    }
When Rampart reaches this point, both the username token's and the signature
element's parent is null, but
rmd.getSecHeader().getSecurityHeader().appendChild(child); is not called because
the child element is a username token. I think this is why the signature element
is not added to the security header.
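The following is an added illustration in plain Java DOM of the mechanism the comment describes; it is not Rampart or Axiom code and not the patch attached to this issue. It builds a detached wsse:UsernameToken and a detached ds:Signature, runs them through a reconstruction of the quoted branch (skip appendChild when the child is a UsernameToken) and then through a hypothetical variant that attaches any parentless child first. The insertSiblingAfter stand-in, which does nothing when the child has no parent, and the attach-first variant are assumptions made for the demonstration.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/**
 * Added illustration (not Rampart or Axiom code): why skipping appendChild for a
 * detached UsernameToken leaves the Signature inserted after it detached as well.
 */
public class SecurityHeaderInsertDemo {
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    /** Assumed stand-in for Axiom's insertSiblingAfter using plain DOM calls. */
    static Element insertSiblingAfter(Element child, Element sibling) {
        Node parent = child.getParentNode();
        if (parent == null) {
            return sibling; // no parent to hang the sibling on: it silently stays detached
        }
        parent.insertBefore(sibling, child.getNextSibling()); // null next sibling means append
        return sibling;
    }

    /** Mirrors the branch quoted in the comment: a detached UsernameToken is not appended. */
    static Element insertSkippingUsernameToken(Element header, Element child, Element sibling) {
        if (child.getParentNode() == null && !"UsernameToken".equals(child.getLocalName())) {
            header.appendChild(child);
        }
        return insertSiblingAfter(child, sibling);
    }

    /** Hypothetical variant for comparison: any detached child is attached first. */
    static Element insertAttachingFirst(Element header, Element child, Element sibling) {
        if (child.getParentNode() == null) {
            header.appendChild(child);
        }
        return insertSiblingAfter(child, sibling);
    }

    static boolean inHeader(Element header, Element e) {
        return e.getParentNode() == header;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        Document doc = factory.newDocumentBuilder().newDocument();
        Element header = doc.createElementNS(WSSE, "wsse:Security");
        doc.appendChild(header);

        // Constructed input: both elements start with a null parent, as described in the comment.
        Element unt = doc.createElementNS(WSSE, "wsse:UsernameToken");
        Element sig = doc.createElementNS(DS, "ds:Signature");
        insertSkippingUsernameToken(header, unt, sig);
        System.out.println("skip-UsernameToken branch: UsernameToken in header = "
            + inHeader(header, unt) + ", Signature in header = " + inHeader(header, sig));

        Element unt2 = doc.createElementNS(WSSE, "wsse:UsernameToken");
        Element sig2 = doc.createElementNS(DS, "ds:Signature");
        insertAttachingFirst(header, unt2, sig2);
        System.out.println("attach-first variant: UsernameToken in header = "
            + inHeader(header, unt2) + ", Signature in header = " + inHeader(header, sig2));
    }
}
```

Run with `javac SecurityHeaderInsertDemo.java && java SecurityHeaderInsertDemo`; the first line reports both elements outside the header, the second reports both inside it. The point for a reviewer of the real code is that a sibling insertion is only as good as the anchor element's own attachment: whatever condition gates the appendChild call must still guarantee that the Signature ends up under wsse:Security, or the message goes out unsigned.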
> Rampart won't send certificate serial + issuer. Only either BinaryToken or Identity, but not always as it should
> ----------------------------------------------------------------------------------------------------------------
>
> Key: RAMPART-111
> URL: https://issues.apache.org/jira/browse/RAMPART-111
> Project: Rampart
> Issue Type: Bug
> Affects Versions: 1.3
> Environment: JDK6 on RHEL3, in Synapse 1.1
> Reporter: Paul Anderson
> Assignee: Nandana Mihindukulasooriya
> Attachments: client-111.xml, RAMPART-111-2.patch, RAMPART-111.patch,
> soap-request-111.xml
>
>
> Usually, Rampart seems to send BinaryToken (literal certificate) with
> messages when you specify a signed body and/or signed username token.
> I need to get Rampart to use Key Identifier or Issuer/Serial No. instead, and
> preferably when UsernameToken's enabled too.
> But I found:
> - If I use signed supporting tokens (username) then Rampart will always send
> only a literal BinaryToken.
> - If I disable username token, set Body to be signed, and set InitiatorToken
> Never in my WS-Policy, Rampart sends the key identity as token reference for
> WS-Security signing.
> But it always does this, even if I try to specify Issuer/Serial as the token
> reference by including
> <ramp:signatureKeyIdentifier>IssuerSerial</ramp:signatureKeyIdentifier>
> and/or
> <sp:InitiatorToken>
>   <wsp:Policy>
>     <sp:X509Token
>         sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>       or Never or AlwaysToRecipient
>       <wsp:Policy>
>         <sp:RequireIssuerSerialReference/>
>         <!--<sp:RequireKeyIdentifierReference/>-->
>         <sp:WssX509V3Token10/>
>       </wsp:Policy>
>     </sp:X509Token>
>   </wsp:Policy>
> </sp:InitiatorToken>
> These seemed to have no effect:
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefIssuerSerial/>
> Putting the lines in the RecipientToken as well seemed to have no effect.
> It's a problem for me because on the recipient side I have to be specific
> about what form the certificate key will come in, and I have 2 WS clients for
> the same service. I don't want to deploy the service twice just because
> Rampart can only send BinaryToken.
> I hope there's a nightly build of Axis2 or Rampart alone that I can use to
> check any fix. Maybe I've misunderstood, and these are undocumented features
> and not a bug. Maybe Rampart works OK for SymmetricBinding - I'm using
> Asymmetric.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.