Maybe it's not a bug but a feature request :-).

I see two issues:

1) WS-Security automatically adds undesirable WS-Addressing elements (IMO,
this should only happen when enableAddressing is specified). I don't see
anything in the WS-Security spec that indicates WS-Addressing is required. I
don't see a way to turn this behavior off in Synapse, without resorting to a
workaround such as I demonstrated (i.e., chaining together 2 sequences,
within one removing the undesirable WS-Addressing elements).

2) I didn't see a way to add the ReplyTo WS-Addressing element (and its
child node Address) using the header mechanism (or property, for that
matter). This was the crux of my issue, as, for some reason, Amazon expected
a ReplyTo. I suspect this is probably easily possible, but just wasn't able
to figure it out.

Btw, I was able to successfully interact with Amazon's SimpleDB now! I hope
to write up a blog entry on my findings (I am actually also writing the book
called Open Source SOA from Manning, and I am including a big chapter on
Synapse, which I am a huge fan of).

To be honest, a lot of this WS-Security stuff is rather new to me, so I'm
feverishly trying to get a handle on it (the Manning book SOA Security has
been a big help). I have used the PasswordDigest mechanism a lot, but not
signing with x509 certs as much.

jeff

On Sat, Jun 7, 2008 at 8:42 PM, Ruwan Linton <[EMAIL PROTECTED]> wrote:

> Hi Jeff,
>
> What is the bug from your POV? I am sorry, I don't see a bug here.....
>
> Well you could go ahead and file a JIRA so that we can evaluate what is the
> issue that you have faced and see whether there is something wrong with
> Synapse, but I assume this is rather a configuration error.
>
> Thanks,
> Ruwan
>
>
> On Sun, Jun 8, 2008 at 7:45 AM, Jeff Davis <[EMAIL PROTECTED]> wrote:
>
> > As a follow-up, I was running it through tcpmon, which is why it had the
> > strange address.
> >
> > Yes, I am running the latest 1.2 build from the URL provided me last
> > Thursday, I believe.
> >
> > Should I submit this as a bug?
> >
> > On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <[EMAIL PROTECTED]>
> > wrote:
> >
> > > Hi Jeff,
> > >
> > > If you enable addressing to the outbound message then synapse should be
> > > sending the ReplyTo header as appropriate. Maybe amazon is not accepting
> > > anonymous ReplyTo headers, so assuming that you are using the 1.2 build
> > > here is the proposed solution to this;
> > >
> > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> > >   <localEntry key="sec_policy"
> > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> > >
> > >   <in>
> > >        <send>
> > >           <endpoint name="secure">
> > >               <address uri="http://localhost:8086">
> > >                   <enableSec policy="sec_policy"/>
> > >                    <enableAddressing separateListener="true"/>
> > >                </address>
> > >           </endpoint>
> > >       </send>
> > >   </in>
> > >   <out>
> > >        <header name="wsse:Security" action="remove"
> > >                xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
> > >        <send/>
> > >   </out>
> > > </definitions>
> > >
> > > The above configuration should work, but please note that you need to
> > > change the address uri of the endpoint in the above configuration from
> > > "http://localhost:8086" to "AMAZON_URL"
> > >
> > > If this is not working could you please attach the TCPMon output of the
> > > outbound message which is going to AMAZON (after changing important
> > > information) and the message received from AMAZON. If you don't want to
> > > post it publicly you may send it to me (mailto:[EMAIL PROTECTED]
> > > <[EMAIL PROTECTED]>)
> > >
> > > Thanks,
> > > Ruwan
> > >
> > > On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <[EMAIL PROTECTED]> wrote:
> > >
> > > > I did a little research, and I haven't seen anything in the standard
> > > > that indicates WS-Security requires WS-Addressing.  Unfortunately, it
> > > > doesn't appear as though setting the header has any impact (further,
> > > > if it did, the ReplyTo has a child element for the Address, so not
> > > > sure how that would be added). Here's my configuration:
> > > >
> > > > <definitions xmlns="http://ws.apache.org/ns/synapse">
> > > >    <localEntry key="sec_policy"
> > > > src="file:repository/conf/sample/resources/policy/amazon.xml"/>
> > > >
> > > >    <in>
> > > >        <header name="ReplyTo" action="set" value=""/>
> > > >        <send>
> > > >            <endpoint name="secure">
> > > >                <address uri="http://localhost:8086">
> > > >                    <enableSec policy="sec_policy"/>
> > > >                    <enableAddressing/>
> > > >                </address>
> > > >            </endpoint>
> > > >        </send>
> > > >    </in>
> > > >    <out>
> > > >        <send/>
> > > >    </out>
> > > > </definitions>
> > > >
> > > > In lieu of the above header, I also tried:
> > > >
> > > > <header name="wsse:Security" action="remove"
> > > >       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
> > > >
> > > > (I also tried removing the <enableAddressing/> node for each test).
> > > >
> > > > To recap my issue, it seems as though Amazon AWS (at least for SimpleDB
> > > > service) requires the ReplyTo WS-Addressing element, if WS-Addressing
> > > > is used. I haven't found a way to remove WS-Addressing generated
> > > > automatically by Synapse when WS-Security is used, and I haven't
> > > > figured out how to add ReplyTo (and its child Address node) to the
> > > > outbound message.
> > > >
> > > > Anyone have any work-arounds? Maybe I'll try chaining together some
> > > > things to see if I can devise something.
> > > >
> > > > Thanks,
> > > >
> > > > jeff
> > > >
> > > >
> > > > On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <[EMAIL PROTECTED]>
> > > > wrote:
> > > >
> > > > > Hi Jeff
> > > > >
> > > > > >> To be honest, I'm not entirely certain how to add it in the Header
> > > > > >> mediator, as you allude to. I did try various permutations of
> > > > > >> using the property and header nodes within the <in>, but nothing
> > > > > >> ever appeared.
> > > > > >>
> > > > > >>
> > > > > > I am sorry.. I had made a mistake in my reply earlier.. to set the
> > > > > > ReplyTo header to something, you will use "<header name="ReplyTo"
> > > > > > value="..."/> format.. If you are familiar with using TCPMon, you
> > > > > > can place it between your service and Amazon and route the message
> > > > > > through it to get a trace of the messages. This will help you and
> > > > > > us to solve any problems.
> > > > > >
> > > > > >> Obviously, Amazon's service is not entirely compliant with the
> > > > > >> WS-Security standards. Even in their section under WS-Security
> > > > > >> SOAP, they state that "if you're using WS-Addressing, we recommend
> > > > > >> you also sign the Action and To header elements" (I haven't
> > > > > >> figured out how to do that yet, but I'll dig into that).
> > > > > >>
> > > > > >>
> > > > > > If you are ok to share your configuration/scenario with us or let
> > > > > > us try some simple sample to reproduce the issue you are facing,
> > > > > > one of the developers would be able to tell you exactly what's
> > > > > > wrong, and what you could do to get past the problem
> > > > >
> > > > > asankha
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Ruwan Linton
> > > http://www.wso2.org - "Oxygenating the Web Services Platform"
> > >
> >
>
>
>
> --
> Ruwan Linton
> http://www.wso2.org - "Oxygenating the Web Services Platform"
>
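
Added example, not part of the original thread or of Synapse: a small Python check to run over an outbound SOAP envelope (for instance one captured through TCPMon) that reports the ReplyTo address, whether it is the anonymous address, and which WS-Addressing headers are referenced by the WS-Security signature. The function name audit_envelope, the sample envelope and its Id values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSA = "http://www.w3.org/2005/08/addressing"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "wsa": WSA,
      "wsse": WSS + "secext-1.0.xsd", "ds": "http://www.w3.org/2000/09/xmldsig#"}
WSU_ID = "{" + WSS + "utility-1.0.xsd}Id"
ANONYMOUS = WSA + "/anonymous"

def audit_envelope(xml_text):
    """Report the ReplyTo address and which wsa:* headers a ds:Reference covers.
    Checks reference coverage only; it does not verify digests or the signature."""
    header = ET.fromstring(xml_text).find("soap:Header", NS)
    if header is None:
        return {"reply_to": None, "anonymous_reply_to": False,
                "signed": [], "unsigned": []}
    # Same-document references look like URI="#some-id"; collect the ids.
    refs = header.findall("wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed_ids = {r.get("URI")[1:] for r in refs if r.get("URI", "").startswith("#")}
    signed, unsigned = [], []
    for el in header:
        if el.tag.startswith("{" + WSA + "}"):
            name = el.tag.split("}", 1)[1]
            # A header without a wsu:Id cannot be referenced, so it counts as unsigned.
            (signed if el.get(WSU_ID) in signed_ids else unsigned).append(name)
    reply_to = header.findtext("wsa:ReplyTo/wsa:Address", default=None, namespaces=NS)
    reply_to = reply_to.strip() if reply_to else None
    return {"reply_to": reply_to, "anonymous_reply_to": reply_to == ANONYMOUS,
            "signed": signed, "unsigned": unsigned}

# Constructed sample (not a real capture): To is referenced by the signature,
# Action and ReplyTo are not, and ReplyTo carries the anonymous address.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsa="{WSA}"
    xmlns:wsse="{NS['wsse']}" xmlns:ds="{NS['ds']}" xmlns:wsu="{WSS}utility-1.0.xsd">
  <soap:Header>
    <wsa:To wsu:Id="id-to">https://service.example.invalid/</wsa:To>
    <wsa:Action wsu:Id="id-action">urn:example:Action</wsa:Action>
    <wsa:ReplyTo><wsa:Address>{ANONYMOUS}</wsa:Address></wsa:ReplyTo>
    <wsse:Security>
      <ds:Signature><ds:SignedInfo>
        <ds:Reference URI="#id-to"/><ds:Reference URI="#id-body"/>
      </ds:SignedInfo></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="id-body"/>
</soap:Envelope>"""

if __name__ == "__main__":
    print(audit_envelope(SAMPLE))
```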
