Hi Ruwan,
The policy looks okay. This policy is not recommended when we
consider the security aspects, as you can see the clear text password is
going over the wire in an unsecured transport, but this should work. I
checked this policy with Axis2 1.4 / Rampart 1.4 and it worked fine for me.

Jeff,
What is the error you are getting at the server side?

thanks,
nandana

On Thu, Jun 12, 2008 at 10:35 AM, Ruwan Linton <[EMAIL PROTECTED]>
wrote:

> Hi Jeff,
>
> Let's first get this policy validated from one of the security experts :-)
>
> Nandana, can you please help us on this?
>
> Thanks,
> Ruwan
>
> On Thu, Jun 12, 2008 at 12:46 AM, Jeff Davis <[EMAIL PROTECTED]> wrote:
>
> > Hi everyone,
> >
> > Example 200 shows how to engage security on a proxy that uses an x509 style
> > policy. That works great. However, I am trying to instead use UsernameToken
> > style with the following policy:
> >
> > <wsp:Policy wsu:Id="UTOverTransport"
> >             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >         <wsp:Policy>
> >           <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >           </sp:UsernameToken>
> >         </wsp:Policy>
> >       </sp:SignedSupportingTokens>
> >       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> >         <ramp:passwordCallbackClass>samples.userguide.PWCallback</ramp:passwordCallbackClass>
> >         <ramp:user>alice</ramp:user>
> >       </ramp:RampartConfig>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > My inbound SOAP message looks like:
> >
> > <soapenv:Envelope xmlns:hel="http://helloworld"
> >                   xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
> >   <soapenv:Header>
> >     <wsse:Security soapenv:mustUnderstand="1"
> >                    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >       <wsse:UsernameToken wsu:Id="UsernameToken-14134009"
> >                           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >         <wsse:Username>alice</wsse:Username>
> >         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
> >       </wsse:UsernameToken>
> >     </wsse:Security>
> >   </soapenv:Header>
> >   <soapenv:Body>
> >     <hel:getGreetings>
> >       <hel:name>Hi!</hel:name>
> >     </hel:getGreetings>
> >   </soapenv:Body>
> > </soapenv:Envelope>
> >
> > However, I always get soap fault with a description of: InvalidSecurity
> >
> > I think my policy file is okay, cause when I use for engaging security on an
> > outbound message, it works fine (i.e., adds the WS-Security header).
> >
> > Any ideas?
> >
> > jeff
> >
>
>
>
> --
> Ruwan Linton
> http://www.wso2.org - "Oxygenating the Web Services Platform"
>



-- 
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/
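
Added example, not part of the original thread and not Rampart or Synapse code: a small Python check for the point made in the reply above, that this policy lets a clear-text password travel over an unsecured transport. The function names, the minimal `<sp:HttpsToken/>` variant and the `proxy.example` URL are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# WS-SecurityPolicy namespaces: the 200702 URI used in the thread, plus the older 2005/07 one.
SP_NS = ("http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
         "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy")
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = WSS + "wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = WSS + "username-token-profile-1.0#PasswordText"

def _sp(root, name):
    """Security-policy elements called `name` at or below `root`, in either namespace."""
    tags = {"{%s}%s" % (ns, name) for ns in SP_NS}
    return [e for e in root.iter() if e.tag in tags]

def policy_findings(policy_xml):
    """Flag a policy that requires a UsernameToken but asserts no HTTPS transport."""
    root = ET.fromstring(policy_xml)
    https = any(_sp(tb, "HttpsToken") for tb in _sp(root, "TransportBinding"))
    if _sp(root, "UsernameToken") and not https:
        return ["UsernameToken required but no TransportBinding/HttpsToken assertion"]
    return []

def message_findings(envelope_xml, endpoint_url):
    """Flag a clear-text wsse:Password addressed to a non-HTTPS endpoint."""
    scheme = urlsplit(endpoint_url).scheme
    findings = []
    for pw in ET.fromstring(envelope_xml).iter("{%s}Password" % WSSE):
        # Type is optional; the UsernameToken profile treats a missing Type as PasswordText.
        ptype = (pw.get("Type") or PASSWORD_TEXT).strip()
        if ptype == PASSWORD_TEXT and scheme != "https":
            findings.append("clear-text password sent over " + scheme)
    return findings

# Constructed inputs: the thread's policy without RampartConfig, and a variant with a transport binding.
_UT = ('<sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/>'
       '</wsp:Policy></sp:SignedSupportingTokens>')
_TB = ('<sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>'
       '<sp:HttpsToken/></wsp:Policy></sp:TransportToken></wsp:Policy>'
       '</sp:TransportBinding>')
_WRAP = ('<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" '
         'xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">'
         '<wsp:ExactlyOne><wsp:All>%s</wsp:All></wsp:ExactlyOne></wsp:Policy>')
THREAD_POLICY = _WRAP % _UT
HTTPS_POLICY = _WRAP % (_TB + _UT)
ENVELOPE = ('<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:wsse="%s"><e:Header><wsse:Security><wsse:UsernameToken>'
            '<wsse:Username>alice</wsse:Username><wsse:Password Type="%s">password'
            '</wsse:Password></wsse:UsernameToken></wsse:Security></e:Header>'
            '<e:Body/></e:Envelope>') % (WSSE, PASSWORD_TEXT)
```

The policy check is static: it only confirms that an HTTPS transport is asserted, so the endpoint's actual listener still has to be verified separately.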
