[ https://issues.apache.org/jira/browse/RAMPART-64?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518416 ]
Ruchith Udayanga Fernando commented on RAMPART-64:
--------------------------------------------------
> Yes, I understood that, but if I send an IssuerSerial from the client, does the
> service accept it, even if NOT defining <sp:MustSupportIssuerSerial/>?
Yes ... right now this is the case due to limitations of WSS4J ... where we do
not have access to policy information to validate ref types. Therefore we
process all ref types we can handle and we do not restrict them.
> In 1.2 it worked like that and I think it shouldn't. Am I right?
And I agree that this is against the spec and it should be fixed :-)
> Are the problem with namespaces defined in this JIRA resolved?
> OK. I'll open new JIRAs. Sorry I didn't see all your comments
Nope those are not resolved ... please open JIRAs for those...
I doubt we can get those issues fixed for the 1.3 release of Rampart since we are
planning to release Rampart-1.3 soon after Axis2-1.3.
Thanks,
Ruchith
> Issues with security configurations and useOriginalwsdl parameter
> -----------------------------------------------------------------
>
> Key: RAMPART-64
> URL: https://issues.apache.org/jira/browse/RAMPART-64
> Project: Rampart
> Issue Type: Bug
> Components: rampart-policy
> Affects Versions: 1.2
> Environment: Windows XP SP2, JDK 1.6, Eclipse 3.2
> Reporter: Jorge Fernández
> Priority: Blocker
> Attachments: eclipse_projects.rar, Webservice.rar
>
>
> I'm using policy at my service, trying to force the client to send SKI
> certificate reference so I have <sp:RequireKeyIdentifierReference/> assertion
> in both Initiator Token and RecipientToken and
> <sp:MustSupportRefKeyIdentifier/>.
> In the client, I'm sending IssuerSerial references but in the service policy
> I haven't got MustSupportIssuerSerialReference, so I think the service should
> reject the request but it doesn't. Am I right?
> Also, I expected that the service should send SKI reference always, but, for
> the encryption key it sends IssuerSerial reference. Can I force it to use
> always SKI reference?
> When I replace signedParts by signedElements assertion, I can access the
> service but the WSDL is not generated (when useOriginalwsdl is false) because
> it throws an exception:
> org.apache.axis2.dataretrieval.DataRetrievalException:
> com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "sp"
> at [row,col {unknown-source}]: [1,1028]
> org.apache.axis2.dataretrieval.AxisDataLocatorImpl.getData(AxisDataLocatorImpl.java:81)
> org.apache.axis2.description.AxisService.getData(AxisService.java:2143)
> org.apache.axis2.description.AxisService.getWSDL(AxisService.java:1007)
> org.apache.axis2.description.AxisService.printWSDL(AxisService.java:857)
> org.apache.axis2.transport.http.ListingAgent.processListService(ListingAgent.java:221)
> org.apache.axis2.transport.http.AxisServlet.doGet(AxisServlet.java:225)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> caused by
> org.apache.axis2.dataretrieval.DataRetrievalException:
> com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "sp"
> at [row,col {unknown-source}]: [1,1028]
> org.apache.axis2.dataretrieval.WSDLDataLocator.outputInlineForm(WSDLDataLocator.java:136)
> org.apache.axis2.dataretrieval.WSDLDataLocator.getData(WSDLDataLocator.java:71)
> org.apache.axis2.dataretrieval.AxisDataLocatorImpl.getData(AxisDataLocatorImpl.java:77)
> org.apache.axis2.description.AxisService.getData(AxisService.java:2143)
> org.apache.axis2.description.AxisService.getWSDL(AxisService.java:1007)
> org.apache.axis2.description.AxisService.printWSDL(AxisService.java:857)
> org.apache.axis2.transport.http.ListingAgent.processListService(ListingAgent.java:221)
> org.apache.axis2.transport.http.AxisServlet.doGet(AxisServlet.java:225)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> caused by
> org.apache.axiom.om.OMException: com.ctc.wstx.exc.WstxParsingException:
> Undeclared namespace prefix "sp"
> at [row,col {unknown-source}]: [1,1028]
> org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:211)
> org.apache.axiom.om.impl.llom.OMNodeImpl.build(OMNodeImpl.java:315)
> org.apache.axiom.om.impl.llom.OMElementImpl.build(OMElementImpl.java:608)
> org.apache.axiom.om.impl.llom.OMElementImpl.detach(OMElementImpl.java:577)
> org.apache.axiom.om.impl.llom.OMNodeImpl.setParent(OMNodeImpl.java:114)
> org.apache.axiom.om.impl.llom.OMElementImpl.addChild(OMElementImpl.java:236)
> org.apache.axiom.om.impl.llom.OMElementImpl.addChild(OMElementImpl.java:192)
> org.apache.axis2.description.AxisService2OM.addPolicyAsExtElement(AxisService2OM.java:905)
> org.apache.axis2.description.AxisService2OM.generateSOAP11Binding(AxisService2OM.java:514)
> org.apache.axis2.description.AxisService2OM.generateOM(AxisService2OM.java:184)
> org.apache.axis2.dataretrieval.WSDLDataLocator.outputInlineForm(WSDLDataLocator.java:132)
> org.apache.axis2.dataretrieval.WSDLDataLocator.getData(WSDLDataLocator.java:71)
> org.apache.axis2.dataretrieval.AxisDataLocatorImpl.getData(AxisDataLocatorImpl.java:77)
> org.apache.axis2.description.AxisService.getData(AxisService.java:2143)
> org.apache.axis2.description.AxisService.getWSDL(AxisService.java:1007)
> org.apache.axis2.description.AxisService.printWSDL(AxisService.java:857)
> org.apache.axis2.transport.http.ListingAgent.processListService(ListingAgent.java:221)
> org.apache.axis2.transport.http.AxisServlet.doGet(AxisServlet.java:225)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> caused by
> com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "sp"
> at [row,col {unknown-source}]: [1,1028]
> com.ctc.wstx.sr.StreamScanner.throwParseError(StreamScanner.java:458)
> com.ctc.wstx.sr.NsInputElementStack.resolveAndValidateElement(NsInputElementStack.java:383)
> com.ctc.wstx.sr.BasicStreamReader.handleStartElem(BasicStreamReader.java:2807)
> com.ctc.wstx.sr.BasicStreamReader.nextFromTree(BasicStreamReader.java:2718)
> com.ctc.wstx.sr.BasicStreamReader.next(BasicStreamReader.java:1004)
> org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:125)
> org.apache.axiom.om.impl.llom.OMNodeImpl.build(OMNodeImpl.java:315)
> org.apache.axiom.om.impl.llom.OMElementImpl.build(OMElementImpl.java:608)
> org.apache.axiom.om.impl.llom.OMElementImpl.detach(OMElementImpl.java:577)
> org.apache.axiom.om.impl.llom.OMNodeImpl.setParent(OMNodeImpl.java:114)
> org.apache.axiom.om.impl.llom.OMElementImpl.addChild(OMElementImpl.java:236)
> org.apache.axiom.om.impl.llom.OMElementImpl.addChild(OMElementImpl.java:192)
> org.apache.axis2.description.AxisService2OM.addPolicyAsExtElement(AxisService2OM.java:905)
> org.apache.axis2.description.AxisService2OM.generateSOAP11Binding(AxisService2OM.java:514)
> org.apache.axis2.description.AxisService2OM.generateOM(AxisService2OM.java:184)
> org.apache.axis2.dataretrieval.WSDLDataLocator.outputInlineForm(WSDLDataLocator.java:132)
> org.apache.axis2.dataretrieval.WSDLDataLocator.getData(WSDLDataLocator.java:71)
> org.apache.axis2.dataretrieval.AxisDataLocatorImpl.getData(AxisDataLocatorImpl.java:77)
> org.apache.axis2.description.AxisService.getData(AxisService.java:2143)
> org.apache.axis2.description.AxisService.getWSDL(AxisService.java:1007)
> org.apache.axis2.description.AxisService.printWSDL(AxisService.java:857)
> org.apache.axis2.transport.http.ListingAgent.processListService(ListingAgent.java:221)
> org.apache.axis2.transport.http.AxisServlet.doGet(AxisServlet.java:225)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> I found a strange behaviour in my service policy: I'm trying to encrypt
> ServiceGroupId and some of my payload elements.
> For example, in my service policy I have:
> <sp:EncryptedElements
>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>   <sp:XPath>descendant::ns3:getPatientsResponse</sp:XPath>
> </sp:EncryptedElements>
> If the client sends elements defined with that prefix, there's no problem
> when decrypting them in the service. But when I need to encrypt elements like
> that, to send them back to the client, I have the exception:
> org.apache.axis2.AxisFault: java.lang.RuntimeException:
> org.jaxen.UnresolvableException: Cannot resolve namespace prefix 'ns3'
> at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:178)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:261)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:581)
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
> at java.lang.Thread.run(Unknown Source)
> Caused by: java.lang.RuntimeException: org.jaxen.UnresolvableException: Cannot resolve
> namespace prefix 'ns3'
> at org.apache.rampart.util.RampartUtil.getPartsAndElements(RampartUtil.java:705)
> at org.apache.rampart.util.RampartUtil.getEncryptedParts(RampartUtil.java:564)
> at org.apache.rampart.PolicyBasedResultsValidator.validate(PolicyBasedResultsValidator.java:67)
> at org.apache.rampart.RampartEngine.process(RampartEngine.java:88)
> at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:71)
> at org.apache.axis2.engine.Phase.invoke(Phase.java:383)
> at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:203)
> at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:131)
> at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:279)
> at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:116)
> ... 14 more
> Caused by: org.jaxen.UnresolvableException: Cannot resolve namespace prefix 'ns3'
> at org.jaxen.expr.DefaultNameStep.matches(DefaultNameStep.java:340)
> at org.jaxen.expr.DefaultNameStep.evaluate(DefaultNameStep.java:209)
> at org.jaxen.expr.DefaultLocationPath.evaluate(DefaultLocationPath.java:140)
> at org.jaxen.expr.DefaultXPathExpr.asList(DefaultXPathExpr.java:102)
> at org.jaxen.BaseXPath.selectNodesForContext(BaseXPath.java:680)
> at org.jaxen.BaseXPath.selectNodes(BaseXPath.java:219)
> at org.apache.rampart.util.RampartUtil.getPartsAndElements(RampartUtil.java:690)
> ... 23 more
> However, for other operations it has no problem. I have one that returns the
> same data as the one above and it works perfectly. The only difference in the
> response is the name of the operation.
> I have these operations:
> validate (In-Only OK)
> logout (In-Only OK)
> getOntologyFindings
> getOntologyFindingsByConcept (OK)
> getOntologyAbstractParameters
> getOntologyAbstractParametersByType (OK, returns the same data as the
> previous one)
> getOntologyUnits
> getOntologySignals
> getOntology
> getPatients
> getPrimitiveParameterData (OK)
> Operations without (OK) throw the exception described above. You can see that
> when the names are almost the same (as getPatients and getPatientsByType), the
> longer one works OK but the shorter one doesn't. For some others, even if their
> names are different, it doesn't work.
> In the case of encrypting ServiceGroupID, it says it cannot resolve prefix
> 'axis2'. With other elements such as addressing headers and timestamp there
> is no problem.
> For some operations, I have a response like this:
> <ns3:getPrimitiveDataResponse xmlns:ns3="http://op_messages.medici_link/xsd">
>   <parameterData xmlns="http://op_messages.medici_link/xsd">
>     <annotations xmlns="http://external.communication_data_model.medici_link/xsd"
>                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                  xsi:nil="true" />
>     <dataSegments xmlns="http://external.communication_data_model.medici_link/xsd">
>       <beginMsec>1186069490203</beginMsec> <endMsec>1186069490203</endMsec>
>       <data>
>         <xop:Include href="cid:1.urn:uuid:[EMAIL PROTECTED]"
>                      xmlns:xop="http://www.w3.org/2004/08/xop/include" />
>       </data>
>     </dataSegments>
>   </parameterData>
> </ns3:getPrimitiveDataResponse>
> and I want to sign and encrypt annotations and dataSegments, so I put that in
> the policy, but none of them is encrypted or signed, and I don't get any
> exception either. It seems that Rampart isn't able to find them. I tried
> identifying them in the policy with descendant::ns3:dataSegments and
> descendant::dataSegments.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
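Added example (not Rampart or WSS4J code) of the check Ruchith describes as missing above: classify the wsse:SecurityTokenReference forms in an incoming wsse:Security header and reject any form the service policy's sp:Wss10 assertions do not declare, so an IssuerSerial reference is refused when the policy only carries MustSupportRefKeyIdentifier. Namespace URIs and assertion names are the standard WSS 1.0 and WS-SecurityPolicy 2005/07 ones; the policy and the two headers are constructed samples.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"wsse": WSSE, "ds": DS, "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"}

# Reference form -> the sp:Wss10 child assertion that permits it.  A direct
# wsse:Reference (URI="#id") to a token in the same message needs no assertion.
ASSERTION_FOR = {"KeyIdentifier": "MustSupportRefKeyIdentifier",
                 "IssuerSerial": "MustSupportRefIssuerSerial",
                 "ExternalURI": "MustSupportRefExternalURI",
                 "Embedded": "MustSupportRefEmbeddedToken"}

def reference_type(str_elem):
    """Classify one wsse:SecurityTokenReference by the child element it carries."""
    if str_elem.find("wsse:KeyIdentifier", NS) is not None:
        return "KeyIdentifier"
    if str_elem.find("ds:X509Data/ds:X509IssuerSerial", NS) is not None:
        return "IssuerSerial"
    if str_elem.find("wsse:Embedded", NS) is not None:
        return "Embedded"
    ref = str_elem.find("wsse:Reference", NS)
    if ref is not None:
        return "Direct" if ref.get("URI", "").startswith("#") else "ExternalURI"
    return "Unknown"

def permitted_types(policy_xml):
    """Reference forms the policy's sp:Wss10 assertion allows (Direct is always in)."""
    allowed, wss10 = {"Direct"}, ET.fromstring(policy_xml).find(".//sp:Wss10", NS)
    for rtype, assertion in ASSERTION_FOR.items():
        if wss10 is not None and wss10.find(f"sp:Policy/sp:{assertion}", NS) is not None:
            allowed.add(rtype)
    return allowed

def check_header(policy_xml, header_xml):
    """Reference forms used in the wsse:Security header that the policy does not permit."""
    allowed = permitted_types(policy_xml)
    strs = ET.fromstring(header_xml).iter(f"{{{WSSE}}}SecurityTokenReference")
    return sorted({reference_type(s) for s in strs} - allowed)

# Constructed inputs: policy with only MustSupportRefKeyIdentifier, SKI header, IssuerSerial header.
POLICY = ('<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="%s">'
          '<sp:Wss10><sp:Policy><sp:MustSupportRefKeyIdentifier/></sp:Policy></sp:Wss10>'
          '</wsp:Policy>' % NS["sp"])
SKI_HEADER = ('<wsse:Security xmlns:wsse="%s"><wsse:SecurityTokenReference>'
              '<wsse:KeyIdentifier>c2tpLWJ5dGVz</wsse:KeyIdentifier>'
              '</wsse:SecurityTokenReference></wsse:Security>' % WSSE)
ISSUER_SERIAL_HEADER = ('<wsse:Security xmlns:wsse="%s" xmlns:ds="%s"><wsse:SecurityTokenReference>'
                        '<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Test CA'
                        '</ds:X509IssuerName><ds:X509SerialNumber>42</ds:X509SerialNumber>'
                        '</ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference>'
                        '</wsse:Security>' % (WSSE, DS))
```

With this policy `check_header(POLICY, ISSUER_SERIAL_HEADER)` reports the IssuerSerial reference as not permitted, which is the rejection the reporter expected from the service.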
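Added example (not Rampart code) for the "Cannot resolve namespace prefix" failures and the unmatched descendant::dataSegments XPath in the report above: it binds the prefixes used in sp:EncryptedElements XPaths to the xmlns declarations on the policy element itself, reports any prefix the policy never declares, and shows that an unprefixed step cannot match an element that sits in a default namespace. The policy and response samples are constructed from the reporter's namespaces; only the descendant::prefix:name XPath form is handled.

```python
import io
import re
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
# Rampart policies write these XPaths as descendant::prefix:name; only that form is handled.
DESC = re.compile(r"^descendant::(?:(\w+):)?(\w+)$")

def prefix_map(policy_xml):
    """xmlns declarations on the policy element itself (ElementTree drops them after parsing)."""
    return {p: u for _, (p, u) in ET.iterparse(io.StringIO(policy_xml), events=("start-ns",))}

def encrypted_element_paths(policy_xml):
    """(prefix, localname) for each sp:XPath under sp:EncryptedElements."""
    for xp in ET.fromstring(policy_xml).iter(f"{{{SP}}}XPath"):
        m = DESC.match(xp.text.strip())
        if not m:
            raise ValueError(f"unsupported XPath form: {xp.text}")
        yield m.group(1), m.group(2)

def unresolved_prefixes(policy_xml):
    """Prefixes the XPaths use but the policy element never declares."""
    nsmap = prefix_map(policy_xml)
    return {p for p, _ in encrypted_element_paths(policy_xml) if p and p not in nsmap}

def select_encrypted(policy_xml, message_xml):
    """Tags of message elements the policy selects for encryption; fails on an undeclared prefix."""
    missing = unresolved_prefixes(policy_xml)
    if missing:
        raise KeyError(f"Cannot resolve namespace prefix {sorted(missing)}")
    nsmap, msg, found = prefix_map(policy_xml), ET.fromstring(message_xml), []
    for prefix, local in encrypted_element_paths(policy_xml):
        # An unprefixed step matches elements in *no* namespace only, so it cannot
        # reach dataSegments, which the response puts in a default namespace.
        found += [e.tag for e in msg.iter(f"{{{nsmap[prefix]}}}{local}" if prefix else local)]
    return found

EXT = "http://external.communication_data_model.medici_link/xsd"
# Constructed response in the shape of the reporter's getPrimitiveDataResponse.
RESPONSE = ('<ns3:getPrimitiveDataResponse xmlns:ns3="http://op_messages.medici_link/xsd">'
            '<parameterData xmlns="http://op_messages.medici_link/xsd">'
            f'<dataSegments xmlns="{EXT}"><beginMsec>1</beginMsec></dataSegments>'
            '</parameterData></ns3:getPrimitiveDataResponse>')
def policy(xpath, extra_ns=""):
    return f'<sp:EncryptedElements xmlns:sp="{SP}" {extra_ns}><sp:XPath>{xpath}</sp:XPath></sp:EncryptedElements>'

GOOD = policy("descendant::ext:dataSegments", f'xmlns:ext="{EXT}"')  # ext declared on the policy
BAD = policy("descendant::ns3:dataSegments")   # ns3 is declared only in the message, not the policy
BARE = policy("descendant::dataSegments")      # unprefixed: can only match no-namespace elements
```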