Hi folks,

I'm something of a rookie when it comes to implementing security in web services. I'm working with policy example #3 to try and get an idea of how security policy works. Direct link here: https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-samples/policy/sample03/
I've made two alterations to the example: 1) I've changed the invoked web service method (it now invokes testFunction instead of echo, which I imagine makes little difference), and 2) in the client I use RPCServiceClient to invoke the service. policy.xml and services.xml are unchanged, but something confuses me. As I understand it, the SOAP body in this example should be encrypted, correct? But looking at the messages in SOAPMonitor, I see the security header yet the body in plain text. What puzzles me is that the header is internally consistent with an encrypted body — the xenc:ReferenceList points at #EncDataId-39600 and the signature's first ds:Reference at #Id-39600 — while the body SOAPMonitor displays carries wsu:Id="Id-21192393" and contains no xenc:EncryptedData at all, so the header and body in this capture do not look like they come from the same processing stage. Is the policy not being applied properly, or is SOAPMonitor showing me the envelope at a point where Rampart has not finished processing it?

I'm also seeing differences between the response shown in SOAPMonitor and a printout of the OMElement response in the client (both messages are below). The OMElement shows the wsa, xenc and wsu namespace declarations while the SOAPMonitor copy does not — and, notably, neither copy shows a wsse:Security header or an encrypted body on the response.

Basically I'm a bit confused by what I am seeing in SOAPMonitor, and I'm not sure whether it indicates that the policy is not being applied properly or whether this is typical behaviour of SOAPMonitor itself.

Also, despite reading up on WS-Policy (and WS-SecurityPolicy, which is what Rampart's policy.xml actually uses), I'm still rather unsure of it in general. Are there any guides to creating policy documents? Ultimately my aim is for requests to the service to carry a UsernameToken and have the SOAP body encrypted, and for the response body to be encrypted too. Body encryption is the part that matters most to me: in the request captured below, arg1 goes across the wire in cleartext and looks like a password. I'm also aware that the sample as captured uses rsa-1_5 key transport with SHA-1 digests and an RSA-SHA1 signature, and the key is the published Rampart sample certificate (CN=Sample Service,OU=Rampart), so I understand this set-up is for learning only and not something to deploy as-is.


*SOAPMonitor Request complete envelope:*

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-6296823">
        <wsu:Created>2007-09-03T20:45:52.334Z</wsu:Created>
       <wsu:Expires>2007-09-03T20:50:52.334Z</wsu:Expires>
     </wsu:Timestamp>
     <xenc:EncryptedKey Id="EncKeyId-27234531">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <wsse:SecurityTokenReference>
           <ds:X509Data>
             <ds:X509IssuerSerial>
<ds:X509IssuerName>CN=Sample Service,OU=Rampart,O=Apache,L=Colombo,ST=Western,C=LK</ds:X509IssuerName>
               <ds:X509SerialNumber>1187603713</ds:X509SerialNumber>
             </ds:X509IssuerSerial>
           </ds:X509Data>
         </wsse:SecurityTokenReference>
       </ds:KeyInfo>
       <xenc:CipherData>
<xenc:CipherValue>Wpmo5tj9xw1DbUxPTDh5lQp9eFxXNoUXxEeDbHq87hmusdwyFQ5kgKG/ND6u66rcQMZhiWq7ZocQWh9Iz9JePxFIs46vhe1R6JLXEjOKZddv1lN4czQfG6FB5v6rqd7f6491DzuwcwPLTJ+glg87CNVl+sVB+PMSvS4VpjyU6Tw=</xenc:CipherValue>
       </xenc:CipherData>
     </xenc:EncryptedKey>
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-148082">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</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-26545674">
       <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
         <ds:Reference URI="#Id-39600">
           <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
           </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
           <ds:DigestValue>UhRz20aeCS07rzz1g6ram2VyIcE=</ds:DigestValue>
         </ds:Reference>
         <ds:Reference URI="#Timestamp-6296823">
           <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
           </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
           <ds:DigestValue>Er5e4Sn6Suw6/QJbcQF9KtUw8HM=</ds:DigestValue>
         </ds:Reference>
       </ds:SignedInfo>
       <ds:SignatureValue>
OzdpEnBZK17W3eHoAtS5yuDzEqj0DYV+LUKjx0VcLlSZHqT8kgUMG96wIuNKeOiLVrpkyV8azEO0 M67eEUtVEH+AYmn81yOs9ZhXjoWzk1M9SAEYePW6ZXyGUIN1y82imoh/3YmP6eWoSMZKxaCxUx7c
         fCYijsTVwMdzy7CTn3Q=
       </ds:SignatureValue>
       <ds:KeyInfo Id="KeyId-16133818">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-7718724">
            <wsse:Reference URI="#CertId-148082" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
         </wsse:SecurityTokenReference>
       </ds:KeyInfo>
     </ds:Signature>
     <xenc:ReferenceList>
       <xenc:DataReference URI="#EncDataId-39600" />
     </xenc:ReferenceList>
   </wsse:Security>
   <wsa:To>http://localhost:8085/axis2/services/LPAdminService</wsa:To>
   <wsa:MessageID>urn:uuid:59356FD889A283F1BF1188852352369</wsa:MessageID>
   <wsa:Action>userLogin</wsa:Action>
 </soapenv:Header>

  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-21192393">
    <ns2:testFunction xmlns:ns2="http://webservice.example.com/xsd">
     <arg0 >username</arg0>
     <arg1>pas</arg1>
   </ns2:testFunction>
 </soapenv:Body>
</soapenv:Envelope>


*SOAPMonitor Response Message:*

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body>
    <ns:testFunctionResponse xmlns:ns="http://webservice.example.com/xsd">
     <ns:return>
        <responseCode xmlns="http://schema.example.com/xsd">0</responseCode>
        <responseMessage xmlns="http://schema.example.com/xsd">Request Fulfilled</responseMessage>
     </ns:return>
   </ns:testFunctionResponse>
 </soapenv:Body>
</soapenv:Envelope>


*Printout of response message at client:*

<ns:testFunctionResponse xmlns:ns="http://webservice.example.com/xsd"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ns:return>
    <responseCode xmlns:axis2ns7="http://schema.example.com/xsd" xmlns="http://schema.example.com/xsd">0</responseCode>
    <responseMessage xmlns="http://schema.example.com/xsd" xmlns:axis2ns8="http://schema.example.com/xsd">Request Fulfilled</responseMessage>
</ns:return>
</ns:testFunctionResponse>


Regards,
Alan.
