Hi Ronnie,
       Please change the policy as given below.

<wsp:Policy ...>
  <sp:AsymmetricBinding>
   ...
  </sp:AsymmetricBinding>
  <sp:SupportingTokens>
     <wsp:Policy>
        <sp:UsernameToken/>
     </wsp:Policy>
  </sp:SupportingTokens>
  <sp:Wss10  .../>
  <sp:SignedParts .../>
  <ramp:RampartConfig/>
</wsp:Policy>

Just the structure is shown above. The Supporting token assertion should be
a top level assertion. In your case, you have it as a nested assertion within
Asymmetric Binding assertion.

And if your username and private key alias are different, you need to use
both "user" and "userCertAlias" parameters in the RampartConfig as mentioned
by Martin. But if both of them are the same, you can just have the "user"
parameter [1].

And I don't understand why you have both user and encryptionUser set to
"user".
                       <ramp:user>user</ramp:user>
                       <ramp:encryptionUser>user</ramp:encryptionUser>

thanks,
nandana

[1] - http://wso2.org/library/3733


On Tue, Oct 7, 2008 at 8:40 AM, RonnieMJ <[EMAIL PROTECTED]> wrote:

>
> I don't actually get an exception (well I do get a soap fault for not
> having all of the right headers from their server).
>
> The message usually gets sent out simply without the username token.  If I
> DO get the username token to go, it's as a signedsupportingtoken (which is
> not what they want).
>
>
>
> Samisa Abeysinghe-2 wrote:
> >
> > What is the exception that you get?
> >
> > Samisa...
> >
> > RonnieMJ wrote:
> >> I'm pretty new to WS, and especially the security piece, but I'm using
> >> rampart 1.4 using policy files to try to function as a client to an
> >> existing (external to my company) web service.
> >>
> >> I know that I need to send both a usernameToken and sign the header with
> >> a certificate.  I've been able to do EITHER, but so far haven't been able
> >> to do both.
> >>
> >> I've tried it about 20 different ways, but my most recent attempt is:
> >>
> >>
> >> <wsp:Policy wsu:Id="SigAndUName"
> >>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >>   <wsp:All>
> >>     <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >>       <wsp:Policy>
> >>         <sp:InitiatorToken>
> >>           <wsp:Policy>
> >>             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >>               <wsp:Policy>
> >>                 <sp:WssX509V3Token10/>
> >>               </wsp:Policy>
> >>             </sp:X509Token>
> >>           </wsp:Policy>
> >>         </sp:InitiatorToken>
> >>         <sp:RecipientToken>
> >>           <wsp:Policy>
> >>             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> >>               <wsp:Policy>
> >>                 <sp:WssX509V3Token10/>
> >>               </wsp:Policy>
> >>             </sp:X509Token>
> >>           </wsp:Policy>
> >>         </sp:RecipientToken>
> >>         <sp:AlgorithmSuite>
> >>           <wsp:Policy>
> >>             <sp:Basic128Rsa15/>
> >>           </wsp:Policy>
> >>         </sp:AlgorithmSuite>
> >>         <sp:Layout>
> >>           <wsp:Policy>
> >>             <sp:Lax/>
> >>           </wsp:Policy>
> >>         </sp:Layout>
> >>         <sp:OnlySignEntireHeadersAndBody/>
> >>         <sp:SupportingTokens>
> >>           <wsp:Policy>
> >>             <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
> >>           </wsp:Policy>
> >>         </sp:SupportingTokens>
> >>       </wsp:Policy>
> >>     </sp:AsymmetricBinding>
> >>
> >>     <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >>       <wsp:Policy>
> >>         <sp:MustSupportRefKeyIdentifier />
> >>         <sp:MustSupportRefIssuerSerial />
> >>       </wsp:Policy>
> >>     </sp:Wss10>
> >>
> >>     <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >>       <sp:Body/>
> >>     </sp:SignedParts>
> >>
> >>     <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> >>       <ramp:user>user</ramp:user>
> >>       <ramp:encryptionUser>user</ramp:encryptionUser>
> >>       <ramp:passwordCallbackClass>com.xo.vzn_asr.business.util.PWCBHandler</ramp:passwordCallbackClass>
> >>
> >>       <ramp:signatureCrypto>
> >>         <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> >>           <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
> >>           <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> >>           <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.alias">user</ramp:property>
> >>           <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">keypassword</ramp:property>
> >>         </ramp:crypto>
> >>       </ramp:signatureCrypto>
> >>     </ramp:RampartConfig>
> >>
> >>   </wsp:All>
> >> </wsp:Policy>
> >>
> >>
> >>
> >> I expect the final header output to be something like:
> >> <SOAP-ENV:Header >
> >>   <wsse:Security >
> >>     <wsse:UsernameToken >
> >>       <wsse:Username >XXX</wsse:Username>
> >>     </wsse:UsernameToken>
> >>     <wsse:BinarySecurityToken >binaryTokenHere</wsse:BinarySecurityToken>
> >>     <ds:Signature >
> >>       <ds:SignedInfo >
> >>         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >>         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >>         <ds:Reference >
> >>           <ds:Transforms >
> >>             <ds:Transform />
> >>           </ds:Transforms>
> >>           <ds:DigestMethod />
> >>           <ds:DigestValue </ds:DigestValue>
> >>         </ds:Reference>
> >>         <ds:Reference >
> >>           <ds:Transforms >
> >>             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >>           </ds:Transforms>
> >>           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >>           <ds:DigestValue </ds:DigestValue>
> >>         </ds:Reference>
> >>       </ds:SignedInfo>
> >>       <ds:SignatureValue </ds:SignatureValue>
> >>       <ds:KeyInfo >
> >>         <wsse:SecurityTokenReference >
> >>           <wsse:Reference />
> >>         </wsse:SecurityTokenReference>
> >>       </ds:KeyInfo>
> >>     </ds:Signature>
> >>   </wsse:Security>
> >> </SOAP-ENV:Header>
> >>
> >>
> >> I'm fairly sure I've just got the policy file slightly off.  Any
> >> suggestions?  Thanks for any reply.
> >>
> >
> >
> > --
> > Samisa Abeysinghe
> >
> > http://people.apache.org/~samisa/
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/Rampart-Username-and-signed-certificate-tp19843845p19850087.html
> Sent from the Axis - User mailing list archive at Nabble.com.
>


-- 
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/
http://www.wso2.org
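
A small policy check for the structural point made in the reply above, added here as an example and not part of the original mail or of Rampart: it walks a WS-SecurityPolicy document and reports any supporting-token assertion nested inside a binding assertion instead of sitting beside it. The function name and the two sample policies are constructed for illustration; the namespace is the one used in the quoted policy.

```python
import xml.etree.ElementTree as ET

# Namespace used by the policy in this thread (WS-SecurityPolicy 2005/07).
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
BINDINGS = {"AsymmetricBinding", "SymmetricBinding", "TransportBinding"}
SUPPORTING = {"SupportingTokens", "SignedSupportingTokens",
              "EndorsingSupportingTokens", "SignedEndorsingSupportingTokens"}


def misplaced_supporting_tokens(policy_xml):
    """Return (assertion, enclosing_binding) for every supporting-token
    assertion that sits inside a binding assertion instead of beside it."""
    findings = []

    def walk(elem, binding):
        # ElementTree tags look like "{namespace}localname".
        if elem.tag.startswith("{"):
            ns, _, name = elem.tag[1:].partition("}")
        else:
            ns, name = "", elem.tag
        if ns == SP and name in SUPPORTING and binding is not None:
            findings.append((name, binding))
        if ns == SP and name in BINDINGS:
            binding = name  # everything below is nested in this binding
        for child in elem:
            walk(child, binding)

    walk(ET.fromstring(policy_xml), None)
    return findings


# Constructed samples reduced to the two layouts discussed in the thread.
HEAD = ('<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" '
        'xmlns:sp="%s"><wsp:All>' % SP)
TAIL = "<sp:SignedParts><sp:Body/></sp:SignedParts></wsp:All></wsp:Policy>"
TOKENS = ("<sp:SupportingTokens><wsp:Policy><sp:UsernameToken/>"
          "</wsp:Policy></sp:SupportingTokens>")
# Layout from the original question: tokens inside the binding's policy.
NESTED = (HEAD + "<sp:AsymmetricBinding><wsp:Policy>" + TOKENS +
          "</wsp:Policy></sp:AsymmetricBinding>" + TAIL)
# Layout from the reply: tokens as a sibling of the binding.
TOP_LEVEL = (HEAD + "<sp:AsymmetricBinding><wsp:Policy/></sp:AsymmetricBinding>" +
             TOKENS + TAIL)

if __name__ == "__main__":
    for label, doc in (("nested", NESTED), ("top-level", TOP_LEVEL)):
        print(label, misplaced_supporting_tokens(doc))
```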
