Hi Mauro

 

I am not yet working on a project as you are, but I have to write a security 
concept paper right now about how to secure our password and selectively data 
sent in our SOAP XML message body.

 

I have 100% the same issue as you have, sooner or later. So I would like to add 
only a few words to allow more experienced developers to help you/us.

 

I think Rampart was tested!

 

What if you rerun such a test using a debugger to find out how Rampart runs and 
was tested and in what scenarios it works or does not work?

Not an easy way, but it gives you a lot of insight into even undocumented things.

 

Running tests against a certain component has many times helped me understand 
what is going on, even if it is not documented.

 

Josef

 

From: Mauro Brasil [mailto:[email protected]] 
Sent: Wednesday, 2 March 2011 13:58
To: [email protected]
Subject: Problems with rampartc token reference...

 

Hello there!

I'm trying to improve security on an application suite we have here by adding 
ws-security encryption. We were using just ws-security's Username Token for 
authentication, but now we need to encrypt the message's content because some 
sensitive information will be added to it.

We use JBossWS running on "JBoss-4.2.3.GA" on the server side and axis2c/rampartc 
on the client side.

The first problem we detected was the absence of tokenReference configuration, which 
led us to a clear message on the server: "Invalid message, SecurityTokenRefence is 
empty".
Having a closer look at the JBossWS configuration, I've noticed that it accepts 3 
types of token references, which are: directReference (default), keyIdentifier 
and x509IssuerSerial. 



I couldn't find a usable rampartc policy file configuration for the first option 
"directReference" and I'm not sure if it's provided at all. I've found a 
reference for the second option "keyIdentifier", but the addition to the policy file 
(through the "<sp:RequireKeyIdentifierReference/>" tag) resulted again in an empty 
SecurityTokenReference, and the last option "x509IssuerSerial" works for 
rampartc but the server refuses it.

So, I would like to ask someone about the other two options, "directReference" 
and "keyIdentifier" token references. Does anyone know how to configure the rampartc 
policy file to send those kinds of token references?

Note: I'm using axis2c version 1.6.0 and rampartc version 1.3.0.

Thanks a lot and best regards,
Mauro.
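
For checking what the client actually puts on the wire, the following sketch (an added example, not part of either message and not rampartc or JBossWS code) classifies each wsse:SecurityTokenReference in a captured SOAP message by the three JBossWS option names mentioned above, or reports it as empty. The mapping of option names to child elements is assumed from the WS-Security 1.0 schema, and the sample envelopes and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"

# Child of wsse:SecurityTokenReference -> JBossWS option name from the post.
# Assumption: mapping taken from the WS-Security 1.0 schema, not from JBossWS.
KINDS = [
    (f"{{{WSSE}}}Reference", "directReference"),
    (f"{{{WSSE}}}KeyIdentifier", "keyIdentifier"),
    (f"{{{DS}}}X509Data/{{{DS}}}X509IssuerSerial", "x509IssuerSerial"),
]

def classify_token_references(soap_xml):
    """Return one label per wsse:SecurityTokenReference in the message."""
    # Only feed this messages captured from your own client: ElementTree
    # is not hardened against hostile XML.
    root = ET.fromstring(soap_xml)
    labels = []
    for ref in root.iter(f"{{{WSSE}}}SecurityTokenReference"):
        found = [name for path, name in KINDS if ref.find(path) is not None]
        labels.append(found[0] if found else "empty")
    return labels

def sample(inner):
    """Constructed envelope with one EncryptedKey; `inner` fills the reference."""
    return f"""<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
  xmlns:wsse="{WSSE}" xmlns:ds="{DS}">
 <soapenv:Header><wsse:Security><xenc:EncryptedKey><ds:KeyInfo>
  <wsse:SecurityTokenReference>{inner}</wsse:SecurityTokenReference>
 </ds:KeyInfo></xenc:EncryptedKey></wsse:Security></soapenv:Header>
 <soapenv:Body/>
</soapenv:Envelope>"""

# Constructed reference bodies, one per case discussed in the thread.
SAMPLES = {
    "directReference": '<wsse:Reference URI="#CertId-constructed"/>',
    "keyIdentifier": "<wsse:KeyIdentifier>Y29uc3RydWN0ZWQ=</wsse:KeyIdentifier>",
    "x509IssuerSerial": "<ds:X509Data><ds:X509IssuerSerial>"
        "<ds:X509IssuerName>CN=Constructed CA</ds:X509IssuerName>"
        "<ds:X509SerialNumber>1</ds:X509SerialNumber>"
        "</ds:X509IssuerSerial></ds:X509Data>",
    "empty": "",
}

if __name__ == "__main__":
    for expected, inner in SAMPLES.items():
        print(expected, "->", classify_token_references(sample(inner)))
```

Running it over a message dumped from the client shows whether a policy change altered the reference type or still produced an empty element, before the server is involved.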


