Hello,
I still have a problem with a security policy. My policy uses an asymmetric 
binding with an issued token as initiator token and an X.509 token as recipient 
token.
The client requests the token from the STS and receives it. But then it doesn't 
use the token in the next message. Strangely, RAMPART accepts the "wrongly secured" 
message and sends the response.
I attached the used policy, the request in which the SAML assertion is missing, 
and the response to this mail.
Greetings
Christian
<?xml version='1.0' encoding='UTF-8'?>
<!-- Service response (echoResponse) as captured.
     Signed with an RSA key (rsa-sha1) that is referenced only by an X.509 SHA-1
     thumbprint; the certificate itself is not in the message. That matches the
     policy's recipient X509Token with IncludeToken=Never plus MustSupportRefThumbprint,
     so the client has to hold the service certificate in its own trust store to verify.
     There is no wsu:Timestamp in the security header (the policy has no IncludeTimestamp),
     so nothing in this message bounds replay.
     Note: the stray ';' after attribute values throughout is a mail-archive artifact,
     not part of the message. -->
   <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; 
xmlns:wsa="http://www.w3.org/2005/08/addressing";>
      <soapenv:Header>
         <wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
 soapenv:mustUnderstand="1">
            <!-- RSA-SHA1 signature over Body (Id-14141119), wsa:Action (id-22765846) and
                 wsa:RelatesTo (id-4388430): the only SignedParts headers present in a response.
                 SHA-1 digests and rsa-sha1 are dictated by the TripleDesRsa15 suite; both are
                 legacy algorithms. -->
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; 
Id="Signature-10589182">
               <ds:SignedInfo>
                  <ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
                  <ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; />
                  <ds:Reference URI="#Id-14141119">
                     <ds:Transforms>
                        <ds:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
                     </ds:Transforms>
                     <ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
                     
<ds:DigestValue>zL8HwFfBOizL5G94YITGZ5sic8w=</ds:DigestValue>
                  </ds:Reference>
                  <ds:Reference URI="#id-22765846">
                     <ds:Transforms>
                        <ds:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
                     </ds:Transforms>
                     <ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
                     
<ds:DigestValue>sXnXiIJlem2/7sIdEZRdRIMmCv4=</ds:DigestValue>
                  </ds:Reference>
                  <ds:Reference URI="#id-4388430">
                     <ds:Transforms>
                        <ds:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
                     </ds:Transforms>
                     <ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
                     
<ds:DigestValue>ax89OZAKrXsOwSApla9Pktoi+XA=</ds:DigestValue>
                  </ds:Reference>
               </ds:SignedInfo>
               
<ds:SignatureValue>X4sPLGfoksqXF8+7uwA5864FExU3S9HpBp66bwPOv3dIJx8ngJ5TK0y8lZ6ZqTFcXY/EXvYopXRuNgSy6QAE7IFwL0WuuD8Ka7tbR23/18bxrhUGlwclXbjN7j7mdwARpgH3fIUtCk5yHeXGbUpSk1igpYVcqlZVA6qUQmjvapw=</ds:SignatureValue>
               <!-- Signer identified by certificate thumbprint only; verification depends entirely
                    on which certificate the client has pinned under that thumbprint. -->
               <ds:KeyInfo Id="KeyId-33238777">
                  <wsse:SecurityTokenReference 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="STRId-29948190">
                     <wsse:KeyIdentifier 
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";>Zv0bem+xnGgJfhU/q89KyKBQYAE=</wsse:KeyIdentifier>
                  </wsse:SecurityTokenReference>
               </ds:KeyInfo>
            </ds:Signature>
            <!-- No wsu:Timestamp here: freshness is not asserted by either side of this exchange. -->
         </wsse:Security>        
         <wsa:Action 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 
wsu:Id="id-22765846">http://tecdoc.net/phoenix/wsdl/TestPortType/echoResponse</wsa:Action>
         <wsa:RelatesTo 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="id-4388430">urn:uuid:A14C3B0A8D5F4C91041211284907743</wsa:RelatesTo>
      </soapenv:Header>
      <soapenv:Body 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="Id-14141119">
         <testoutput xmlns="test.namespace">
            <back>Beim Service angekommen!!!!</back>
         </testoutput>
      </soapenv:Body>
   </soapenv:Envelope>
0


<?xml version='1.0' encoding='UTF-8'?>
<!-- Client request (testEcho) as actually sent.
     There is no SAML assertion and no reference to an STS-issued token anywhere in
     this security header. Instead the message carries: an inline X.509v3 certificate
     (BinarySecurityToken), a client-generated symmetric key wrapped to that certificate
     with RSA PKCS#1 v1.5 (EncryptedKey), a DerivedKeyToken sourced from that EncryptedKey,
     and an HMAC-SHA1 signature keyed by the derived key. As far as this header shows,
     the signature therefore proves only that the sender built the EncryptedKey, which
     anyone holding the service's public certificate can do; it does not demonstrate
     that the initiator was authenticated by the STS. If the service accepts this under
     a policy whose InitiatorToken is an IssuedToken with IncludeToken=AlwaysToRecipient,
     the initiator-authentication requirement is not being enforced (review note; to be
     confirmed against the server-side policy validation).
     No wsu:Timestamp is present, so the request carries no freshness bound either.
     The stray ';' after attribute values is a mail-archive artifact. -->
   <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; 
xmlns:wsa="http://www.w3.org/2005/08/addressing"; 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
      <soapenv:Header>
         <wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
 soapenv:mustUnderstand="1">
            <!-- X.509v3 certificate sent inline and used below as the key-encryption key.
                 Presumably the service's own certificate, since the service must be able to
                 unwrap the EncryptedKey; it is not a client credential. (Certificate bytes were
                 removed from this copy.) -->
            <wsse:BinarySecurityToken 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
 
wsu:Id="urn:uuid:FAE81B2CAB24DD152B12112849077657">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</wsse:BinarySecurityToken>
            <!-- Symmetric key chosen by the client and wrapped with RSA PKCS#1 v1.5 (rsa-1_5),
                 the asymmetric key-wrap of the TripleDesRsa15 suite; a legacy scheme. -->
            <xenc:EncryptedKey 
Id="EncKeyId-urn:uuid:FAE81B2CAB24DD152B12112849077658">
               <xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"; />
               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
                  <wsse:SecurityTokenReference>
                     <wsse:Reference 
URI="#urn:uuid:FAE81B2CAB24DD152B12112849077657" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
 />
                  </wsse:SecurityTokenReference>
               </ds:KeyInfo>
               <xenc:CipherData>
                  
<xenc:CipherValue>tevVWiBQCuXldI0V/Moeg6yiXlOgytmdx44fvL7HLzn6N4i36TrmP+1YEdwNeSiE5Sc/fEDFEM2W5Wr6M62h6TaOiNhryCrhroDNYrIMVNiAfor0LIGj29KUx40MxlUiyhp2O8V93D3oq8rtSm2r8uESHeGqHtzgO3aPAcQuYjA=</xenc:CipherValue>
               </xenc:CipherData>
            </xenc:EncryptedKey>
            <!-- Derived key sourced from the EncryptedKey above, not from an issued-token proof
                 key. Length 24 bytes is consistent with the 3DES suite. -->
            <wsc:DerivedKeyToken 
xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"; 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="derivedKeyId-10183200">
               <wsse:SecurityTokenReference>
                  <wsse:Reference 
URI="#EncKeyId-urn:uuid:FAE81B2CAB24DD152B12112849077658" 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey";
 />
               </wsse:SecurityTokenReference>
               <wsc:Offset>0</wsc:Offset>
               <wsc:Length>24</wsc:Length>
               <wsc:Nonce>Yqq0RMAdkHAVPm0I7OqJsw==</wsc:Nonce>
            </wsc:DerivedKeyToken>
            <!-- Symmetric (hmac-sha1) signature keyed by the derived key, covering Body, wsa:Action,
                 wsa:To and wsa:MessageID. Not a signature made with an issued token. -->
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; 
Id="Signature-6530849">
               <ds:SignedInfo>
                  <ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
                  <ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"; />
                  <ds:Reference URI="#Id-16780239">
                     <ds:Transforms>
                        <ds:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
                     </ds:Transforms>
                     <ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
                     
<ds:DigestValue>CTV4Lbc8dv7B2KdLJGUG23Ifs4w=</ds:DigestValue>
                  </ds:Reference>
                  <ds:Reference URI="#id-20978984">
                     <ds:Transforms>
                        <ds:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
                     </ds:Transforms>
                     <!-- 'w3960.org' below does not match the other DigestMethod URIs in this
                          message; most likely a transcription artifact in the mail copy rather
                          than what was sent. A verifier would reject an unknown digest URI. -->
                     <ds:DigestMethod 
Algorithm="http://www.w3960.org/2000/09/xmldsig#sha1"; />
                     
<ds:DigestValue>t2aktb2Jd/IdGskoN/A1N5wdzE0=</ds:DigestValue>
                  </ds:Reference>
                  <ds:Reference URI="#id-11421254">
                     <ds:Transforms>
                        <ds:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
                     </ds:Transforms>
                     <ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
                     
<ds:DigestValue>AYRvyIYis7aUuBMzwkWaWnXE5Qg=</ds:DigestValue>
                  </ds:Reference>
                  <ds:Reference URI="#id-25670279">
                     <ds:Transforms>
                        <ds:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
                     </ds:Transforms>
                     <ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
                     
<ds:DigestValue>Vz6/yqyiqf45GZJNKzx0ACiDLF4=</ds:DigestValue>
                  </ds:Reference>
               </ds:SignedInfo>
               
<ds:SignatureValue>vpvpMrXCVwJy5Y4Y6tFAx2EJD6E=</ds:SignatureValue>
               <ds:KeyInfo Id="KeyId-7446303">
                  <wsse:SecurityTokenReference 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="STRId-25537913">
                     <wsse:Reference URI="#derivedKeyId-10183200" />
                  </wsse:SecurityTokenReference>
               </ds:KeyInfo>
            </ds:Signature>
         </wsse:Security>        
         <wsa:To 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="id-11421254">http://localhost:8080/axis2/services/Test</wsa:To>
         <wsa:MessageID 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="id-25670279">urn:uuid:A14C3B0A8D5F4C91041211284907743</wsa:MessageID>
         <wsa:Action 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="id-20978984">testEcho</wsa:Action>
      </soapenv:Header>
      <!-- Body is signed but not XML-encrypted (no xenc:EncryptedData, no ReferenceList);
           the base64 payload below is application data and opaque to this review. -->
      <soapenv:Body 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="Id-16780239">
         <testinput xmlns="test.namespace">
            
<value>9GYiu9VrdSpaUrjDjw0cnGN7/0vLxc1JO592opV8Ei+go5ovQi8e1JGwgOB4Y5VFpgFlaLFPaeKJk2s2IyId6GS+Xp7GnMA9cClwURn3KJO9SodzOvoQm9oyTp8j9l3+eniYCw==</value>
         </testinput>
      </soapenv:Body>
   </soapenv:Envelope>0

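<?xml version="1.0" encoding="UTF-8"?>
<!--
  TOKEN_SIGNED: WS-SecurityPolicy (2005/07) for the Test service.

  Initiator token: a SAML 1.1 assertion issued by the STS at
  /axis2/services/SecurityToken, carrying a 256-bit symmetric proof key, always
  sent to the recipient and used only through derived keys. Recipient token: the
  service's X.509v3 certificate, never transmitted (clients must already hold it;
  responses reference it by SHA-1 thumbprint, hence MustSupportRefThumbprint).
  A request that carries no issued token does not satisfy the InitiatorToken
  assertion and should be rejected by policy enforcement.

  Review caveats:
  - AlgorithmSuite TripleDesRsa15 selects 3DES, RSA PKCS#1 v1.5 key transport and
    SHA-1 digests/signatures; all three are legacy. A suite such as Basic256
    (AES-256, RSA-OAEP) is preferable where both peers support it.
  - No sp:IncludeTimestamp: messages carry no wsu:Timestamp, so the service has
    no freshness bound to detect replayed requests.
  - No sp:EncryptedParts: bodies are signed but travel in the clear.

  The copy this was restored from contained a stray ';' after every URI-valued
  attribute (a mail-archive artifact) that made the document non-well-formed;
  those are removed, namespace declarations are hoisted to the root, and the
  whitespace padding around token-template values is dropped so the values parse
  cleanly as URIs and integers.
-->
<wsp:Policy wsu:Id="TOKEN_SIGNED"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
            xmlns:wsa="http://www.w3.org/2005/08/addressing"
            xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
	<wsp:ExactlyOne>
		<wsp:All>
			<sp:AsymmetricBinding>
				<wsp:Policy>
					<!-- Initiator: token obtained from the STS and included in every request. -->
					<sp:InitiatorToken>
						<wsp:Policy>
							<sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
								<sp:Issuer>
									<wsa:Address>http://localhost:8080/axis2/services/SecurityToken</wsa:Address>
								</sp:Issuer>
								<!-- Copied into the RequestSecurityToken: SAML 1.1, symmetric proof key, 256 bits. -->
								<sp:RequestSecurityTokenTemplate>
									<t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
									<t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
									<t:KeySize>256</t:KeySize>
								</sp:RequestSecurityTokenTemplate>
								<wsp:Policy>
									<!-- Message keys are derived from the proof key rather than using it directly. -->
									<sp:RequireDerivedKeys/>
								</wsp:Policy>
							</sp:IssuedToken>
						</wsp:Policy>
					</sp:InitiatorToken>
					<!-- Recipient: the service certificate, referenced but never sent on the wire. -->
					<sp:RecipientToken>
						<wsp:Policy>
							<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
								<wsp:Policy>
									<sp:WssX509V3Token10/>
								</wsp:Policy>
							</sp:X509Token>
						</wsp:Policy>
					</sp:RecipientToken>
					<!-- 3DES / RSA-1.5 / SHA-1: legacy suite, see header comment. -->
					<sp:AlgorithmSuite>
						<wsp:Policy>
							<sp:TripleDesRsa15/>
						</wsp:Policy>
					</sp:AlgorithmSuite>
					<!-- Strict layout: tokens precede the elements that reference them. -->
					<sp:Layout>
						<wsp:Policy>
							<sp:Strict/>
						</wsp:Policy>
					</sp:Layout>
					<sp:OnlySignEntireHeadersAndBody/>
				</wsp:Policy>
			</sp:AsymmetricBinding>
			<!-- Allows the recipient key to be referenced by certificate thumbprint. -->
			<sp:Wss11>
				<wsp:Policy>
					<sp:MustSupportRefThumbprint/>
				</wsp:Policy>
			</sp:Wss11>
			<!-- WS-Trust 1.0 (2005/02): issued tokens are supported; the STS contributes entropy to the proof key. -->
			<sp:Trust10>
				<wsp:Policy>
					<sp:MustSupportIssuedTokens/>
					<sp:RequireServerEntropy/>
				</wsp:Policy>
			</sp:Trust10>
			<!-- Integrity only: the body and the WS-Addressing headers listed here must be signed
			     when present. There is no EncryptedParts assertion, so nothing is encrypted. -->
			<sp:SignedParts>
				<sp:Body/>
				<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
				<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
				<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
				<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
				<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
				<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
				<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
			</sp:SignedParts>
		</wsp:All>
	</wsp:ExactlyOne>
</wsp:Policy>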
