[ https://issues.apache.org/jira/browse/RAMPARTC-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573534#action_12573534 ]

Dave Meier commented on RAMPARTC-76:
------------------------------------

According to the spec, if IncludeToken is not provided it should default to 
Always, so I'm wrong about that.

The spec also shows how to OR things together in the policy, but when I tried 
that in rampart/c it didn't work.  Here's what I tried (showing just the 
SignedSupportingTokens):

        <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <wsp:ExactlyOne>
              <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
              <sp:SamlToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
            </wsp:ExactlyOne>
          </wsp:Policy>
        </sp:SignedSupportingTokens>

This should accept either UsernameToken or SamlToken.

Thanks,

-Dave.

> Username token should default inclusion to empty string, and treat an empty 
> IncludeToken attribute to mean the token is optional
> --------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RAMPARTC-76
>                 URL: https://issues.apache.org/jira/browse/RAMPARTC-76
>             Project: Rampart/C
>          Issue Type: Bug
>          Components: Rampart-core
>    Affects Versions: Current
>         Environment: Windows XP
>            Reporter: Dave Meier
>            Assignee: Ruchith Udayanga Fernando
>            Priority: Critical
>         Attachments: rampart_sec_header_processor_diff.txt, ut_c_diff.txt
>
>
> I want to specify a policy that has no IncludeToken attribute.  Since 
> IncludeToken is optional, it must be allowed to be unspecified.
> The following is how I specify UsernameToken in my services.xml file:
> <sp:UsernameToken/>
> I want that to indicate that the UsernameToken itself is optional.  I have a 
> use case where I want either a saml assertion or a username token, so I have 
> to handle the case where Username token is not there.  Rampart does not 
> complain when I leave out the saml assertion and put in the username token, 
> but it does complain when I have only the saml assertion and no username 
> token.
> Here is the full policy I have defined in services.xml:
>   <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:InitiatorToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                   <wsp:Policy>
>                     <sp:WssX509V3Token10/>
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:InitiatorToken>
>             <sp:RecipientToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                   <wsp:Policy>
>                     <sp:WssX509V3Token10/>
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:RecipientToken>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict/>
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp/>
>           </wsp:Policy>
>         </sp:AsymmetricBinding>
>         <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>               <sp:RequestSecurityTokenTemplate xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
>                 <wst:TokenType>oasis:names:tc:SAML:1.0:assertion</wst:TokenType>
>                 <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
>               </sp:RequestSecurityTokenTemplate>
>             </sp:IssuedToken>
>             <sp:UsernameToken/>
>           </wsp:Policy>
>         </sp:SignedSupportingTokens>
>         <rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
>           <rampc:TimeToLive>360</rampc:TimeToLive>
>           <rampc:PasswordType>plainText</rampc:PasswordType>
>           <rampc:AuthnModuleName>F:/TeamTrack701/software/contrib/axis2c/Win32Debug/lib/aeaxisauth.dll</rampc:AuthnModuleName>
>         </rampc:RampartConfig>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
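To make the two policy points in this thread concrete (a missing IncludeToken defaults to Always, so the issue's bare `<sp:UsernameToken/>` still demands the token; and a `wsp:ExactlyOne` over UsernameToken and SamlToken accepts a header carrying either), here is an added, stand-alone evaluator written for this note. It is not Rampart/C code: it walks a SignedSupportingTokens policy with Python's ElementTree and checks it against the set of token element names found in a message's Security header; both policy strings are constructed samples modelled on the ones posted above.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
INCLUDE_ATTR = "{%s}IncludeToken" % SP
# Per the spec (as the comment concedes), an absent IncludeToken means Always.
DEFAULT_INCLUDE = SP + "/IncludeToken/Always"

# Constructed sample: the ExactlyOne alternative from the comment, with wsp declared.
EITHER_TOKEN_POLICY = """
<sp:SignedSupportingTokens xmlns:sp="%s" xmlns:wsp="%s">
  <wsp:Policy>
    <wsp:ExactlyOne>
      <sp:UsernameToken sp:IncludeToken="%s/IncludeToken/AlwaysToRecipient"/>
      <sp:SamlToken sp:IncludeToken="%s/IncludeToken/AlwaysToRecipient"/>
    </wsp:ExactlyOne>
  </wsp:Policy>
</sp:SignedSupportingTokens>""" % (SP, WSP, SP, SP)

# Constructed sample: the reporter's original shape, UsernameToken with no IncludeToken.
BARE_UT_POLICY = """
<sp:SignedSupportingTokens xmlns:sp="%s" xmlns:wsp="%s">
  <wsp:Policy>
    <sp:IssuedToken sp:IncludeToken="%s/IncludeToken/AlwaysToRecipient"/>
    <sp:UsernameToken/>
  </wsp:Policy>
</sp:SignedSupportingTokens>""" % (SP, WSP, SP)


def token_required(assertion):
    """A token assertion must appear in the header unless IncludeToken is Never."""
    include = assertion.get(INCLUDE_ATTR, DEFAULT_INCLUDE)
    return include.rsplit("/", 1)[-1] != "Never"


def satisfied(node, present):
    """Evaluate a policy subtree against the set of token local-names in the header."""
    name = node.tag.split("}")[-1]          # drop the namespace from the tag
    if name == "ExactlyOne":
        # WS-Policy alternatives: the header must match one of the branches.
        return any(satisfied(child, present) for child in node)
    if name in ("Policy", "All", "SignedSupportingTokens"):
        return all(satisfied(child, present) for child in node)
    # Anything else is a token assertion (UsernameToken, SamlToken, IssuedToken, ...).
    return name in present if token_required(node) else True


def header_accepted(policy_xml, present):
    """True when the tokens present in the Security header satisfy the policy."""
    return satisfied(ET.fromstring(policy_xml.strip()), set(present))
```

With the bare UsernameToken policy a header carrying only the issued SAML token is rejected, which is exactly the behaviour the issue reports; with the ExactlyOne form either token alone is accepted.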

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
