Hi Nandana,
thank you very much for the comprehensive answer!
I will do what you are suggesting and if there is a need we can
discuss the results :)


Thank you!
Dobri

PS Anyway, can you suggest any good articles or resources that explain
the symmetric binding philosophy in more detail?



On Nov 12, 2007 4:48 AM, Nandana Mihindukulasooriya
<[EMAIL PROTECTED]> wrote:
> Hi Dobri,
>
> > Anyway I am a little bit new to all that WS security stuff, so excuse
> > me if I do not understand some things correctly.
> > Ok, it is a little bit away from the topic, but will it be enough for
> > symmetric binding to add only a timestamp?
>
>
> IMHO, this depends on what kind of protection you want.
> Only a timestamp will be able to prevent replay attacks to
> some extent, as it is signed and no one can tamper with the
> creation and expiration time. But if you look at how
> symmetric binding works, I don't think there is much
> security if only a timestamp is used.
> When a symmetric binding is used, a random ephemeral key is
> created by the initiator. An encrypted key is then created by
> encrypting the ephemeral key for the recipient's certificate.
> This encrypted key is used to sign and encrypt the desired
> message elements between the client and the server. So,
> as you can see, here only the server or the recipient
> needs to get authenticated. The client doesn't need to
> have any claims (certificate, token) in order to communicate
> with the server. For this reason, this is also called the anonymous
> configuration, as the server is communicating with anonymous
> clients. But still, if the message is properly signed and
> encrypted, no one can tamper with it or read it in transit,
> as only the recipient can decrypt the encrypted key.
> This will prevent man-in-the-middle kinds of attacks.
> Clients can be sure that the requests and responses are
> not disclosed or tampered with.
> But what if you want both the clients and the server
> to get authenticated using symmetric binding, so that
> you don't want anonymous clients to access your service?
> Then you can add a supporting token to make sure that
> clients also provide the necessary claims to authenticate
> themselves.
>
> > "Unexpected encrypted data found, no encryption required"     -   what
> > does it mean? Why is this thrown?
>
>
> This is due to a bug in Rampart, but now it is fixed. The empty reference list
> after the first derived key is the one which is causing the problem. And now
> Rampart doesn't create empty reference lists when there is nothing to encrypt,
> and the validator also can handle empty reference lists correctly.
> See JIRA RAMPART-92 [1] and JIRA RAMPART-104 [2]. Can you take a checkout
> from the Rampart trunk and retry this policy? This should work properly.
>
>
> >     <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
> >         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >         wsu:Id="derivedKeyId-21657019">
> >         <wsse:SecurityTokenReference>
> >             <wsse:Reference URI="#EncKeyId-31478058"/>
> >         </wsse:SecurityTokenReference>
> >         <wsc:Length>16</wsc:Length>
> >         <wsc:Nonce>NQxv+tVJKNDpWUC4T9CF5A==</wsc:Nonce>
> >         <wsc:Offset>0</wsc:Offset>
> >     </wsc:DerivedKeyToken>
> >     <xenc:ReferenceList/>
> >
> >
> > Can you tell me what is the problem from your point of view? Do you
> > think I should post the JIRA request?
>
>
> I think you should create a JIRA for the issue "Cannot find Reference in Manifest"
> you mentioned in the first mail, so that we can fix it.
>
> Regards,
> Nandana
>
>
> [1] http://issues.apache.org/jira/browse/RAMPART-92
> [2] http://issues.apache.org/jira/browse/RAMPART-104
>
> >
> > Thank you in advance!
> > Dobri
> >
> >
> > On Nov 9, 2007 2:19 PM, Nandana Mihindukulasooriya
> > <[EMAIL PROTECTED]> wrote:
> > > Hi Dobri,
> > >      I came across the same problem when there is an empty signature element in
> > > the message. That is, if there are no references in the signature element, xmlsec
> > > can't process that signature. Looking at the policy, we can see it is the case here.
> > > So can you post your SOAP request? Can you put a JIRA [1] if this is the case? This
> > > can be fixed in Rampart. We can simply avoid creating a signature when there is
> > > nothing to sign.
> > >     BTW, I have a small problem about your policy. As it seems, this policy doesn't
> > > provide any security at all. No integrity or confidentiality protections, no timestamp
> > > and no supporting tokens.
> > >
> > > Regards,
> > > Nandana
> > >
> > > [1] - http://issues.apache.org/jira/browse/Rampart
> > >
> > > On Nov 9, 2007 4:54 PM, Dobri Kitipov <[EMAIL PROTECTED]>
> > > wrote:
> > >
> > > > Hi everybody,
> > > > I know this is a question that has been already asked in this mailing
> > > > list but there is no answer to it.
> > > > My environment is based on Axis2 1.3, Rampart 1.3 and
> > > > xmlsec-1.4.1.jar. What I am testing is the symmetric binding.
> > > > The problem is that I am receiving the following exception when
> > > > invoking the service:
> > > >
> > > > 2007-11-09 11:58:24     (axis2_test.log) 09:11:2007 11:58:24,406 [http-8081-Processor24] (AxisServlet.java:159) ERROR org.apache.axis2.transport.http.AxisServlet  - Cannot find Reference in Manifest
> > > > 2007-11-09 11:58:24     (axis2_test.log) org.w3c.dom.DOMException: Cannot find Reference in Manifest
> > > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
> > > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
> > > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
> > > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:161)
> > > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:85)
> > > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:284)
> > > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:206)
> > > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:159)
> > > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.rampart.RampartEngine.process(RampartEngine.java:127)
> > > > 2007-11-09 11:58:24     (axis2_test.log) at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:85)
> > > > etc.........
> > > >
> > > > Here is my services.xml:
> > > >
> > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > <serviceGroup>
> > > >     <service name="HelloPojo">
> > > >         <description>Web Service HelloPojo</description>
> > > >         <parameter name="ServiceClass">com.mycompany.wsstack.pojo.HelloPojo</parameter>
> > > >         <messageReceivers>
> > > >             <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"
> > > >                              mep="http://www.w3.org/2004/08/wsdl/in-out"/>
> > > >         </messageReceivers>
> > > >         <operation name="sayHello"/>
> > > >         <wsp:Policy wsu:Id="User defined"
> > > >             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > > >             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> > > >             <wsp:ExactlyOne>
> > > >                 <wsp:All>
> > > >                     <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >                         <wsp:Policy>
> > > >                             <sp:ProtectionToken>
> > > >                                 <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> > > >                                     <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> > > >                                         <wsp:Policy>
> > > >                                             <sp:WssX509V3Token10/>
> > > >                                             <sp:RequireDerivedKeys/>
> > > >                                         </wsp:Policy>
> > > >                                     </sp:X509Token>
> > > >                                 </wsp:Policy>
> > > >                             </sp:ProtectionToken>
> > > >                             <sp:AlgorithmSuite xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >                                 <wsp:Policy>
> > > >                                     <sp:Basic128/>
> > > >                                 </wsp:Policy>
> > > >                             </sp:AlgorithmSuite>
> > > >                             <sp:Layout>
> > > >                                 <wsp:Policy>
> > > >                                     <sp:Strict/>
> > > >                                 </wsp:Policy>
> > > >                             </sp:Layout>
> > > >                         </wsp:Policy>
> > > >                     </sp:SymmetricBinding>
> > > >                     <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >                         <sp:Policy>
> > > >                             <sp:MustSupportRefKeyIdentifier/>
> > > >                             <sp:MustSupportRefIssuerSerial/>
> > > >                         </sp:Policy>
> > > >                     </sp:Wss10>
> > > >                     <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >                         <wsp:Policy/>
> > > >                     </sp:SignedSupportingTokens>
> > > >                     <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> > > >                         <ramp:user>service</ramp:user>
> > > >                         <ramp:encryptionUser>client</ramp:encryptionUser>
> > > >                         <ramp:passwordCallbackClass>com.mycompany.wsstack.pwcb.PasswordCallbackHandler</ramp:passwordCallbackClass>
> > > >                         <ramp:signatureCrypto>
> > > >                             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> > > >                                 <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > > >                                 <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
> > > >                                 <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">openssl</ramp:property>
> > > >                             </ramp:crypto>
> > > >                         </ramp:signatureCrypto>
> > > >                         <!-- element name corrected from "encryptionCypto": Rampart's RampartConfig reads "encryptionCrypto" -->
> > > >                         <ramp:encryptionCrypto>
> > > >                             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> > > >                                 <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > > >                                 <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
> > > >                                 <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">openssl</ramp:property>
> > > >                             </ramp:crypto>
> > > >                         </ramp:encryptionCrypto>
> > > >                     </ramp:RampartConfig>
> > > >                 </wsp:All>
> > > >             </wsp:ExactlyOne>
> > > >         </wsp:Policy>
> > > >         <module ref="addressing"/>
> > > >         <module ref="rampart"/>
> > > >     </service>
> > > > </serviceGroup>
> > > >
> > > >
> > > > Can someone give me some info about that problem?
> > > >
> > > >
> > > > Thank you in advance!
> > > > Dobri
> > > >
> > >
> >
>
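The derived-key step of the symmetric binding that Nandana describes, as an added example that is not part of this thread and not Rampart's or WSS4J's code. It reproduces the quoted `<wsc:DerivedKeyToken>` (Length 16, Offset 0, a base64 Nonce, and no `<wsc:Label>`, so the WS-SecureConversation default label applies) with the P_SHA1 function from WS-SecureConversation, then uses two such derived keys the way the binding does: one to HMAC-SHA1 sign the body (the Basic128 symmetric signature algorithm) and one that would key AES-128 encryption. The RSA-encrypted `xenc:EncryptedKey` transport of the ephemeral key is not reproduced; the example assumes both parties already hold the ephemeral key bytes, and the key, nonces and body are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# WS-SecureConversation default label, used when the token carries no <wsc:Label>.
DEFAULT_LABEL = b"WS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 pseudo-random function (TLS 1.0 P_hash built on HMAC-SHA1):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    output = b""
    a = seed
    while len(output) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        output += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return output[:length]


def derive_key(secret: bytes, nonce_b64: str, offset: int = 0,
               length: int = 16, label: bytes = DEFAULT_LABEL) -> bytes:
    """Compute the key a <wsc:DerivedKeyToken> denotes: <wsc:Length> bytes of
    P_SHA1(secret, label || nonce) starting at <wsc:Offset>. The nonce travels
    base64-encoded in <wsc:Nonce>; the secret is the ephemeral key that the
    referenced <xenc:EncryptedKey> transported to the recipient."""
    seed = label + base64.b64decode(nonce_b64)
    return p_sha1(secret, seed, offset + length)[offset:offset + length]


def new_nonce() -> str:
    """Fresh 16-byte nonce, base64-encoded as it would appear in <wsc:Nonce>."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1: the symmetric signature algorithm of the Basic128 suite."""
    return hmac.new(key, data, hashlib.sha1).digest()


def symmetric_binding_round(ephemeral_key: bytes, body: bytes) -> dict:
    """Model one request under the symmetric binding with derived keys.
    Assumption: ephemeral_key is already known to both sides (in the real
    protocol it is sent once, RSA-encrypted for the recipient's certificate).
    Each protected operation gets its own derived key token with its own nonce."""
    sig_nonce = new_nonce()
    enc_nonce = new_nonce()
    sig_key = derive_key(ephemeral_key, sig_nonce)   # keys the ds:Signature (HMAC)
    enc_key = derive_key(ephemeral_key, enc_nonce)   # would key the AES-128 encryption
    tag = hmac_sha1(sig_key, body)

    # The recipient re-derives the same keys from the ephemeral key it decrypted
    # and the nonces carried in the DerivedKeyToken elements, then checks the tag.
    recipient_sig_key = derive_key(ephemeral_key, sig_nonce)
    verified = hmac.compare_digest(hmac_sha1(recipient_sig_key, body), tag)
    tampered_verified = hmac.compare_digest(
        hmac_sha1(recipient_sig_key, body + b"<!-- altered -->"), tag)

    return {
        "sig_key": sig_key,
        "enc_key": enc_key,
        "keys_differ": sig_key != enc_key,
        "verified": verified,
        "tampered_verified": tampered_verified,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from a real exchange.
    ephemeral = os.urandom(16)
    result = symmetric_binding_round(ephemeral, b"<sayHello><name>Dobri</name></sayHello>")
    print("signature verified:", result["verified"])
    print("tampered body verified:", result["tampered_verified"])
```

The asymmetric operation (encrypting the ephemeral key for the recipient's certificate) happens once per message, and everything else is symmetric and keyed from that one secret; that is why only the recipient is authenticated and why a supporting token is needed if the client must prove anything about itself.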

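A receiver-side sanity check for the malformed header behind the two errors in this thread: the empty `<xenc:ReferenceList/>` emitted after the first derived key ("Unexpected encrypted data found, no encryption required") and a `<ds:Signature>` whose `SignedInfo` carries no `<ds:Reference>`, which xmlsec rejects with "Cannot find Reference in Manifest". This is an added example, not Rampart's or WSS4J's code. It parses a constructed `wsse:Security` header built around the DerivedKeyToken quoted above, reports each structurally empty protection element instead of handing it to the signature or decryption processor, and shows the sender-side counterpart of the RAMPART-92/104 fix, dropping such elements before the header is sent. The `EncKeyId` value and the header contents are sample data assembled from the thread.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsc": "http://schemas.xmlsoap.org/ws/2005/02/sc",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def qname(prefix: str, local: str) -> str:
    """Clark-notation name for ElementTree lookups."""
    return "{%s}%s" % (NS[prefix], local)


# Constructed header: the DerivedKeyToken from the thread, followed by the empty
# ReferenceList and an empty SignedInfo that trigger the two errors.
SAMPLE_HEADER = f"""<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
    xmlns:wsc="{NS['wsc']}" xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}">
  <xenc:EncryptedKey Id="EncKeyId-31478058">
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey>
  <wsc:DerivedKeyToken wsu:Id="derivedKeyId-21657019">
    <wsse:SecurityTokenReference><wsse:Reference URI="#EncKeyId-31478058"/></wsse:SecurityTokenReference>
    <wsc:Length>16</wsc:Length>
    <wsc:Nonce>NQxv+tVJKNDpWUC4T9CF5A==</wsc:Nonce>
    <wsc:Offset>0</wsc:Offset>
  </wsc:DerivedKeyToken>
  <xenc:ReferenceList/>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    </ds:SignedInfo>
    <ds:SignatureValue/>
  </ds:Signature>
</wsse:Security>"""


def check_security_header(xml_text: str) -> list:
    """Return one finding per protection element that has nothing to protect,
    plus derived-key tokens whose key reference cannot be resolved in the header."""
    root = ET.fromstring(xml_text)
    findings = []

    # Ids that a SecurityTokenReference may point at: plain Id (EncryptedKey) or wsu:Id.
    ids = set()
    for el in root.iter():
        for attr in ("Id", qname("wsu", "Id")):
            if el.get(attr):
                ids.add(el.get(attr))

    for rl in root.iter(qname("xenc", "ReferenceList")):
        if rl.find("xenc:DataReference", NS) is None:
            findings.append("xenc:ReferenceList has no xenc:DataReference (nothing to decrypt)")

    for si in root.iter(qname("ds", "SignedInfo")):
        if si.find("ds:Reference", NS) is None:
            findings.append("ds:SignedInfo has no ds:Reference (xmlsec: Cannot find Reference in Manifest)")

    for dkt in root.iter(qname("wsc", "DerivedKeyToken")):
        ref = dkt.find("wsse:SecurityTokenReference/wsse:Reference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        if not uri.startswith("#") or uri[1:] not in ids:
            findings.append("wsc:DerivedKeyToken %s references unknown key %r"
                            % (dkt.get(qname("wsu", "Id")), uri))
        length = dkt.findtext("wsc:Length", default="", namespaces=NS)
        if not length.isdigit() or int(length) == 0:
            findings.append("wsc:DerivedKeyToken %s has invalid Length %r"
                            % (dkt.get(qname("wsu", "Id")), length))
    return findings


def strip_empty_protection(xml_text: str) -> str:
    """Sender-side counterpart of the fix: remove a ReferenceList with no
    DataReference and a Signature whose SignedInfo has no Reference."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    for rl in list(root.iter(qname("xenc", "ReferenceList"))):
        if rl.find("xenc:DataReference", NS) is None:
            parent[rl].remove(rl)
    for sig in list(root.iter(qname("ds", "Signature"))):
        si = sig.find("ds:SignedInfo", NS)
        if si is None or si.find("ds:Reference", NS) is None:
            parent[sig].remove(sig)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in check_security_header(SAMPLE_HEADER):
        print("reject:", finding)
    print("after stripping:", check_security_header(strip_empty_protection(SAMPLE_HEADER)))
```

Rejecting the header up front gives a clear policy error instead of the DOMException from inside xmlsec, and it keeps an unsigned, unencrypted message from looking protected merely because a Signature and ReferenceList element are present.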