Hello Ruwan,

1) I use synapse as a proxy with http transport enabled:
<proxy name="CalculatorProxy" trace="enable" transports="http">
When I use transports="https", the connection with the client does not work at 
all. I found no way to configure synapse in order to use http between the 
client and synapse and https between synapse and the web service.
When I use transports="all", I have this error:
2008-01-16 10:09:55,380 [127.0.0.1-localhost.localdomain] [main]  WARN 
VFSTransportListener Error configuring the File/VFS transport for Service : 
CalculatorProxy :: Cannot find parameter : transport.vfs.FileURI for service : 
CalculatorProxy

2) When I start synapse, the following log lines are displayed:
2008-01-16 09:49:30,618 [127.0.0.1-localhost.localdomain] [main] DEBUG 
HttpCoreNIOSSLListener Loading Key Store from URL : 
file:/home/sihem/programs/synapse-1.1/lib/identity.jks
2008-01-16 09:49:30,632 [127.0.0.1-localhost.localdomain] [main] DEBUG 
HttpCoreNIOSSLListener Loading Trust Key Store from URL : 
file:/home/sihem/programs/synapse-1.1/lib/trust.jks

Can you confirm for me that identity.jks contains the synapse certificate and trust.jks 
contains all the certificates of the certification authorities trusted by synapse?

3) I copied identity.jks into glassfish/domains/domain1/config/ and I restarted 
glassfish. But I still have the same exception.

4) In policy_3.xml, store.jks is also used:
<ramp:property name="org.apache.ws.security.crypto.merlin.file">repository/conf/sample/resources/security/store.jks</ramp:property>
Can you explain to me what this file is intended for?

You will find the synapse configuration I use attached.
Thank you very much for your help!
Sihem


Ruwan Linton <[EMAIL PROTECTED]> wrote: Hi Sihem,

Are you using https to talk to GlassFish? And also, have you put the trust
store (identity.jks) into the class path of the GlassFish server?

If you did so, then can you send the policy that you are using on the
GlassFish server to engage rampart?

Can you please provide the above information so that we can help you in
resolving this issue.

Thanks,
Ruwan

On Jan 15, 2008 11:26 PM, Sihem  wrote:

> Hello,
> I am trying to use WS-Security between synapse and the web service. I used
> sample 100 and the policy file named policy_3.xml. It does not work because
> I do not know how to configure rampart.
> GlassFish returns this error to synapse:
> sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>
> I think the error is due to the fact that some elements are not shared with
> glassfish that cannot authenticate the message. I searched wsO2 for how to
> configure keystore but I found nothing that can help me.
> Can you, please, give me a little explanation on how to set a secure
> conversation between synapse and a web service ?
> Thank you in advance,
> Sihem
>



-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"


             
<endpoint xmlns="http://ws.apache.org/ns/synapse">
    <address uri="http://localhost:8080/CalculatorService/CalculatorWSService">
      <!--Use of WS-Security between synapse and the web service-->
      <enableSec policy="sec_policy"/>
      <!--Reliable message exchange
      <enableRM/>-->
      <enableAddressing/>
      <suspendDurationOnFailure>60</suspendDurationOnFailure>
    </address>
</endpoint>
  <!--PROCESSING OF MESSAGES COMING INTO SYNAPSE-->
  <sequence name="dynamic_in_sequence"  xmlns="http://ws.apache.org/ns/synapse" onError="authFaultHandler">
    <!-- Filtering of messages with XPath and regex matches -->
    <filter source="get-property('To')" regex=".*/Calculator.*">

      <!--Extending the mediation in java
      <class name="BasicAuthenticationMediator"/>-->

      <!-- Schema validation -->
      <validate>
        <schema key="validate_schema"/>
        <!-- if the request does not validate against the schema, throw a fault -->
        <on-fail>
          <makefault>
            <code value="tns:Receiver" xmlns:tns="http://www.w3.org/2003/05/soap-envelope"/>
            <reason value="Request does not validate against schema"/>
          </makefault>
          <log level="custom">
            <property name="Error" value="Request does not validate against schema"/>
            <property name="message" expression="get-property('ERROR_MESSAGE')"/>
          </log>
          <header name="To" action="remove"/>
          <property name="RESPONSE" value="true"/>
          <drop/>
        </on-fail>
      </validate>

      <!-- XSLT transformation (replace value by 40) -->
      <xslt key="xslt-key-req"/>

      <!--create a sequence of messages to communicate via WS-Reliable Messaging
        with a WS-RM enabled endpoint-->
      <!--DOES NOT WORK FOR THE MOMENT. WAITING FOR A NEW RELEASE OF SYNAPSE
      <RMSequence single="true" version="1.0"/>-->

      <!--Add a new header in the request sent to the web service-->
      <property name="NEW_SYNAPSE_HEADER" value="HEADER_VALUE" scope="transport"/> 

      <!-- If no validation error, send message to the web service -->
      <send>
        <!-- DEFINE ENDPOINTS -->
        <endpoint>
          <!-- CONFIG FAILOVER -->
          <failover>
            <!-- SERVER1 -->
            <endpoint key="dynamic_endpoint_1.xml"/>
            <!-- SERVER2 -->
            <endpoint key="dynamic_endpoint_2.xml"/>
          </failover>
        </endpoint>
      </send>

    </filter>
  </sequence>
  <!--PROCESSING OF MESSAGES RECEIVED FROM THE WEB SERVICE-->
  <sequence name="dynamic_out_sequence"  xmlns="http://ws.apache.org/ns/synapse">
    <log level="full">
      <property name="message" expression="get-property('To')"/>
    </log>
    <header name="wsse:Security" action="remove" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
    <header name="wsrm:SequenceAcknowledgement" action="remove"
                xmlns:wsrm="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
    <header name="wsrm:Sequence" action="remove"
                xmlns:wsrm="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
    <send/>
  </sequence>
<!--
  ~  Licensed to the Apache Software Foundation (ASF) under one
  ~  or more contributor license agreements.  See the NOTICE file
  ~  distributed with this work for additional information
  ~  regarding copyright ownership.  The ASF licenses this file
  ~  to you under the Apache License, Version 2.0 (the
  ~  "License"); you may not use this file except in compliance
  ~  with the License.  You may obtain a copy of the License at
  ~
  ~   http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~  Unless required by applicable law or agreed to in writing,
  ~  software distributed under the License is distributed on an
  ~   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  ~  KIND, either express or implied.  See the License for the
  ~  specific language governing permissions and limitations
  ~  under the License.
  -->

<wsp:Policy wsu:Id="SigEncr" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
    
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
    <sp:InitiatorToken>
        <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                    <sp:WssX509V3Token10/>
                </wsp:Policy>
            </sp:X509Token>
        </wsp:Policy>
    </sp:InitiatorToken>
    
    <sp:RecipientToken>
        <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                    <sp:WssX509V3Token10/>
                </wsp:Policy>
            </sp:X509Token>
        </wsp:Policy>
    </sp:RecipientToken>
    
    <sp:AlgorithmSuite>
        <wsp:Policy>
            <sp:Basic256/>
        </wsp:Policy>
    </sp:AlgorithmSuite>
    
    <sp:Layout>
        <wsp:Policy>
            <sp:Strict/>
        </wsp:Policy>
    </sp:Layout>
    
    <sp:IncludeTimestamp/>
    <sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>

<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
        <sp:MustSupportRefKeyIdentifier/>
        <sp:MustSupportRefIssuerSerial/>
    </wsp:Policy>
</sp:Wss10>

<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Body/>
</sp:SignedParts>

<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Body/>
</sp:EncryptedParts>

<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
    <ramp:user>alice</ramp:user>
    <ramp:encryptionUser>bob</ramp:encryptionUser>
    <ramp:passwordCallbackClass>samples.userguide.PWCallback</ramp:passwordCallbackClass>
		
    <ramp:signatureCrypto>
        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">repository/conf/sample/resources/security/store.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
        </ramp:crypto>
    </ramp:signatureCrypto>
    <ramp:encryptionCypto>
        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">repository/conf/sample/resources/security/store.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
        </ramp:crypto>
    </ramp:encryptionCypto>
</ramp:RampartConfig>

</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<!--
  ~  Licensed to the Apache Software Foundation (ASF) under one
  ~  or more contributor license agreements.  See the NOTICE file
  ~  distributed with this work for additional information
  ~  regarding copyright ownership.  The ASF licenses this file
  ~  to you under the Apache License, Version 2.0 (the
  ~  "License"); you may not use this file except in compliance
  ~  with the License.  You may obtain a copy of the License at
  ~
  ~   http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~  Unless required by applicable law or agreed to in writing,
  ~  software distributed under the License is distributed on an
  ~   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  ~  KIND, either express or implied.  See the License for the
  ~  specific language governing permissions and limitations
  ~  under the License.
  -->
<!-- A simple Synapse configuration -->
<definitions xmlns="http://ws.apache.org/ns/synapse">

  <!-- define a string resource entry to the local registry -->
  <localEntry key="validate_schema" src="file:repository/conf/CalculatorWSService_schema1.xsd"/>
  <!-- define the request processing XSLT resource as a static URL source -->
  <localEntry key="xslt-key-req" src="file:repository/conf/transform.xslt"/>
  <localEntry key="sec_policy" src="file:repository/conf/policy.xml"/>
  <!-- define a reusable endpoint definition -->
  <endpoint name="secure1">
    <address uri="http://localhost:8080/CalculatorService/CalculatorWSService"/>
  </endpoint>

  <!-- the SimpleURLRegistry allows access to a URL based registry (e.g. file:/// or http://) -->
  <registry provider="org.apache.synapse.registry.url.SimpleURLRegistry">
    <!-- the root property of the simple URL registry helps resolve a resource URL as root + key -->
    <parameter name="root">file:./repository/conf/</parameter>
    <!-- all resources loaded from the URL registry would be cached for this number of milli seconds -->
    <parameter name="cachableDuration">15000</parameter>
  </registry>

  <proxy name="CalculatorProxy" trace="enable" transports="all">
    <log level="full"/>
    <target faultSequence="inOutFaultHandler">
      <!--PROCESSING OF MESSAGES COMING INTO SYNAPSE-->
      <inSequence><sequence key="dynamic_in_sequence.xml"/></inSequence>
      <!--PROCESSING OF RESPONSES FROM THE WEB SERVICE-->
      <outSequence><sequence key="dynamic_out_sequence.xml"/></outSequence>
    </target>
    <publishWSDL uri="file:repository/conf/CalculatorWSService.wsdl"/>
    <!--Use of WS-Security between the client and synapse
    <policy key="sec_policy"/>
    <enableSec/>-->
  </proxy>
 
  <sequence name="inOutFaultHandler">
    <log level="full">
      <property name="text" value="Unexpected error"/>
      <property name="message" expression="get-property('ERROR_MESSAGE')"/>
    </log>

    <makefault>
      <code value="tns:Receiver" xmlns:tns="http://www.w3.org/2003/05/soap-envelope"/>
      <reason value="Unexpected error."/>
    </makefault>

    <!--No WS-Addressing To header: remove it so that it is not reused by the response-->
    <header name="To" action="remove"/>
    <!--Redirect the request to the client rather than to the web service-->
    <property name="RESPONSE" value="true"/>
    <!--<header name="To" expression="get-property('ReplyTo')"/>-->
    <!-- STOP FURTHER PROCESSING OF THE CURRENT MESSAGE -->
    <drop/>
  </sequence>

  <sequence name="authFaultHandler">
    <log level="full">
      <property name="text" value="Unexpected error"/>
      <property name="message" expression="get-property('ERROR_MESSAGE')"/>
    </log>

    <makefault>
      <code value="tns:Receiver" xmlns:tns="http://www.w3.org/2003/05/soap-envelope"/>
      <reason value="Authorization failed!"/>
    </makefault>

    <!--No WS-Addressing To header: remove it so that it is not reused by the response-->
    <header name="To" action="remove"/>
    <!--Redirect the request to the client rather than to the web service-->
    <property name="RESPONSE" value="true"/>
    <!--<header name="To" expression="get-property('ReplyTo')"/>-->
    <!-- STOP FURTHER PROCESSING OF THE CURRENT MESSAGE -->
    <drop/>
  </sequence>

</definitions>

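The policy attached above (sp:AsymmetricBinding with an X509 initiator token included AlwaysToRecipient, a recipient token included Never, the Body both signed and encrypted, and a RampartConfig naming alice as the signing user and bob as the encryption user) fixes which entries each side's keystore has to hold; a SunCertPathBuilderException on the recipient means it could not chain the initiator's signing certificate to any trust anchor it holds. The script below is an added example, not Synapse or Rampart code: it parses a constructed, condensed copy of that policy with the Python standard library, derives the per-side keystore requirements, and flags that the sample keeps the keystore password in clear text inside the policy. The function names parse_policy and keystore_requirements and the condensed sample are assumptions of this example.

```python
"""Work out which keystore entries each side needs for a WS-SecurityPolicy with
a RampartConfig block. Added example, not Synapse or Rampart code; it handles
only sp:AsymmetricBinding, the binding used by the policy attached above."""
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
RAMP = "http://ws.apache.org/rampart/policy"
MERLIN_FILE = "org.apache.ws.security.crypto.merlin.file"
MERLIN_PASSWORD = "org.apache.ws.security.crypto.merlin.keystore.password"
STORE = "repository/conf/sample/resources/security/store.jks"

# Constructed sample: a condensed copy of the attached policy (same tokens,
# users and keystore path; license header, Layout and Wss10 blocks dropped).
# Rampart really spells its element encryptionCypto, so the sample keeps it.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="{SP}" xmlns:ramp="{RAMP}"><wsp:ExactlyOne><wsp:All>
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken><wsp:Policy>
      <sp:X509Token sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient"/>
    </wsp:Policy></sp:InitiatorToken>
    <sp:RecipientToken><wsp:Policy>
      <sp:X509Token sp:IncludeToken="{SP}/IncludeToken/Never"/>
    </wsp:Policy></sp:RecipientToken>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  <ramp:RampartConfig>
    <ramp:user>alice</ramp:user><ramp:encryptionUser>bob</ramp:encryptionUser>
    <ramp:signatureCrypto><ramp:crypto>
      <ramp:property name="{MERLIN_FILE}">{STORE}</ramp:property>
      <ramp:property name="{MERLIN_PASSWORD}">password</ramp:property>
    </ramp:crypto></ramp:signatureCrypto>
    <ramp:encryptionCypto><ramp:crypto>
      <ramp:property name="{MERLIN_FILE}">{STORE}</ramp:property>
      <ramp:property name="{MERLIN_PASSWORD}">password</ramp:property>
    </ramp:crypto></ramp:encryptionCypto>
  </ramp:RampartConfig>
</wsp:All></wsp:ExactlyOne></wsp:Policy>"""


def _tag(ns, local):
    return "{%s}%s" % (ns, local)


def _include_mode(binding, role):
    """Last segment of sp:IncludeToken on the role's X509Token, e.g. 'Never'."""
    holder = binding.find(".//" + _tag(SP, role))
    token = holder.find(".//" + _tag(SP, "X509Token")) if holder is not None else None
    if token is None:
        return "Unspecified"
    return token.get(_tag(SP, "IncludeToken"), "").rsplit("/", 1)[-1] or "Unspecified"


def _merlin_props(config, section):
    """Merlin property map under ramp:<section>, or {} when the section is absent."""
    el = config.find(".//" + _tag(RAMP, section)) if config is not None else None
    if el is None:
        return {}
    return {p.get("name"): (p.text or "").strip() for p in el.iter(_tag(RAMP, "property"))}


def _parts(root, local):
    """Local names (Body, Header) listed under every sp:<local> element."""
    return sorted({c.tag.rsplit("}", 1)[-1] for el in root.iter(_tag(SP, local)) for c in el})


def parse_policy(xml_text):
    root = ET.fromstring(xml_text)
    binding = root.find(".//" + _tag(SP, "AsymmetricBinding"))
    if binding is None:
        raise ValueError("this example handles sp:AsymmetricBinding only")
    config = root.find(".//" + _tag(RAMP, "RampartConfig"))

    def ramp_text(local):
        el = config.find(_tag(RAMP, local)) if config is not None else None
        return (el.text or "").strip() if el is not None else None

    sig, enc = _merlin_props(config, "signatureCrypto"), _merlin_props(config, "encryptionCypto")
    return {
        "initiator_include": _include_mode(binding, "InitiatorToken"),
        "recipient_include": _include_mode(binding, "RecipientToken"),
        "signed_parts": _parts(root, "SignedParts"),
        "encrypted_parts": _parts(root, "EncryptedParts"),
        "signature_user": ramp_text("user"),
        "encryption_user": ramp_text("encryptionUser"),
        "signature_keystore": sig.get(MERLIN_FILE),
        "encryption_keystore": enc.get(MERLIN_FILE),
        # a keystore password written into the policy file is readable by anyone who can read the policy
        "plaintext_passwords": [n for n, p in (("signatureCrypto", sig), ("encryptionCypto", enc))
                                if MERLIN_PASSWORD in p],
    }


def keystore_requirements(info):
    """(side, store, entry) triples each party must satisfy under this policy."""
    reqs, sig_user, enc_user = [], info["signature_user"], info["encryption_user"]
    if info["signed_parts"]:
        reqs.append(("initiator", info["signature_keystore"],
                     "private key entry '%s' to sign %s" % (sig_user, ",".join(info["signed_parts"]))))
        if info["initiator_include"] == "AlwaysToRecipient":
            # The signer's cert travels in the message, but the recipient must still chain it to a
            # trust anchor it holds; a missing anchor is what SunCertPathBuilderException reports.
            reqs.append(("recipient", "trust store",
                         "a trust anchor (issuing CA or the cert itself) for '%s'" % sig_user))
        else:
            reqs.append(("recipient", "trust store",
                         "the certificate of '%s' itself, since only a reference is sent" % sig_user))
    if info["encrypted_parts"]:
        reqs.append(("initiator", info["encryption_keystore"],
                     "trusted certificate entry '%s' to encrypt %s" % (enc_user, ",".join(info["encrypted_parts"]))))
        reqs.append(("recipient", "key store", "private key entry '%s' to decrypt the request" % enc_user))
    return reqs
```

Calling keystore_requirements(parse_policy(SAMPLE_POLICY)) yields four entries: the initiator's store needs alice's private key and bob's trusted certificate, the recipient needs bob's private key plus a trust anchor for alice's certificate chain. Only that last entry lives on the GlassFish side, which is why copying the initiator's own keystore there does not by itself satisfy the policy; the recipient's trust store has to contain alice's certificate or its issuing CA.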