Hi,
I use a web service that is secured with a policy. The policy requires the 
client to sign the body and parts of the header. When I send a request from my 
WCF .NET client in which the body is NOT signed, RAMPART accepts the request 
anyway. I have attached the request and the policy to this mail.
Greetings
Chris
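<?xml version="1.0" encoding="UTF-8"?>
<!-- WS-SecurityPolicy for the service: a symmetric binding keyed by the service's
     X.509 certificate (referenced by thumbprint, never sent), an endorsing SAML 1.1
     issued token obtained from the STS named in the Issuer, and a SignedParts
     assertion requiring the Body and the listed WS-Addressing headers to be signed.
     The archived copy had a stray ';' after every namespace URI, which made the
     document ill-formed; those have been removed and the indentation normalised. -->
<wsp:Policy wsu:Id="TOKEN_SIGNED"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <!-- The protection token is the service certificate; the client must
                   reference it by SHA-1 thumbprint rather than include it. -->
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireThumbprintReference/>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <!-- Signatures must cover whole headers / the whole Body, never sub-elements. -->
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <!-- The issued SAML token must endorse (sign) the message signature. -->
      <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <Issuer xmlns="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <Address xmlns="http://www.w3.org/2005/08/addressing">
                http://localhost:8080/axis2/services/SecurityToken
              </Address>
              <!-- Metadata reference to the STS, left commented out by the author:
              <wsa:Metadata xmlns:wsa="http://www.w3.org/2005/08/addressing">
                <mex:Metadata xmlns:mex="http://schemas.xmlsoap.org/ws/2004/09/mex"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                  <mex:MetadataSection>
                    <mex:MetadataReference>
                      <wsa:Address>http://localhost:8080/axis2/services/SecurityToken</wsa:Address>
                    </mex:MetadataReference>
                  </mex:MetadataSection>
                </mex:Metadata>
              </wsa:Metadata>
              -->
            </Issuer>
            <!-- Template for the RST sent to the STS: SAML 1.1, symmetric 256-bit proof key. -->
            <sp:RequestSecurityTokenTemplate>
              <t:TokenType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
              </t:TokenType>
              <t:KeyType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
                http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
              </t:KeyType>
              <t:KeySize xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
                256
              </t:KeySize>
            </sp:RequestSecurityTokenTemplate>
            <wsp:Policy>
              <sp:RequireExternalReference/>
            </wsp:Policy>
          </sp:IssuedToken>
        </wsp:Policy>
      </sp:EndorsingSupportingTokens>
      <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefThumbprint/>
        </wsp:Policy>
      </sp:Wss11>
      <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportIssuedTokens/>
          <sp:RequireServerEntropy/>
        </wsp:Policy>
      </sp:Trust10>
      <!-- Integrity requirements. The receiver must verify that the message signature
           has a Reference covering the Body and each of these headers that is
           present; a request whose signature omits the Body does not satisfy this
           assertion and should be rejected. -->
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body/>
        <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>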
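<!-- Request as sent by the WCF client. The archived copy had a stray ';' after
     every namespace and algorithm URI, which made the document ill-formed; those
     have been removed and the indentation normalised. Every other value is as sent.

     Security-header structure (ids are u:Id / Id attributes on the elements below):
       * EncryptedKey uuid-418b...-1   symmetric key encrypted to the service
                                       certificate (thumbprint reference)
       * SAML 1.1 Assertion _2254...   holder-of-key token from the STS, carrying
                                       its own RSA signature
       * DerivedKeyToken _5            key derived from the assertion's proof key
       * Signature _0                  message signature (HMAC under the
                                       EncryptedKey); References #_1, #_2, #_3, #_4
       * second Signature              endorsing signature over #_0, keyed by _5

     Observation behind the mail: Signature _0 references only the Action (_1),
     MessageID (_2), ReplyTo (_3) and To (_4) headers. The Body carries no Id and
     no Reference covers it, so the policy's SignedParts <sp:Body/> requirement is
     not met by this message; a receiver enforcing that policy should reject it. -->
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <s:Header>
      <a:Action s:mustUnderstand="1" u:Id="_1">testEcho</a:Action>
      <a:MessageID u:Id="_2">urn:uuid:44cdc7c6-27f9-4a75-8eed-d7e5c201e558</a:MessageID>
      <a:ReplyTo u:Id="_3">
         <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
      </a:ReplyTo>
      <a:To s:mustUnderstand="1" u:Id="_4">http://localhost:8080/axis2/services/Test</a:To>
      <o:Security s:mustUnderstand="1"
                  xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <!-- Symmetric message key, RSA-OAEP encrypted to the service certificate
              identified by thumbprint. -->
         <e:EncryptedKey Id="uuid-418b1854-cc7a-47c1-b824-bc46b78de9a5-1"
                         xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
                             xmlns="http://www.w3.org/2000/09/xmldsig#"/>
            </e:EncryptionMethod>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
               <o:SecurityTokenReference>
                  <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
                                   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Zv0bem+xnGgJfhU/q89KyKBQYAE=</o:KeyIdentifier>
               </o:SecurityTokenReference>
            </KeyInfo>
            <e:CipherData>
               <e:CipherValue>YcvnlZF6rVoVfDupgYN3o+5TUpsUV6qOwlhyM9hBsbpgtbjGcOOOfzPzTD68kK9ulXDiyPASn4BZ1/BI4eJiMKxEaDWIBDrjy8RPUK+y5EudesKlM8oug08nO2ZyR0m1A5kHpO4pUN9IuQHttnshGg4nQrgrTeyFOH4kxi4UKys=</e:CipherValue>
            </e:CipherData>
         </e:EncryptedKey>
         <!-- Issued SAML 1.1 token. Validity window is five minutes (Conditions);
              the holder-of-key proof key is carried encrypted to the same service
              certificate (thumbprint) as the message key above. -->
         <Assertion AssertionID="_2254498271f93c3de4d719a65d023958"
                    IssueInstant="2008-04-15T13:22:00.562Z" Issuer="Test SAML 1.1 Token Issuer"
                    MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
            <Conditions NotBefore="2008-04-15T13:22:00.562Z"
                        NotOnOrAfter="2008-04-15T13:27:00.562Z"></Conditions>
            <AuthenticationStatement AuthenticationInstant="2008-04-15T13:22:00.562Z"
                                     AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
               <Subject>
                  <SubjectConfirmation>
                     <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod>
                     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <xenc:EncryptedKey Id="EncKeyId-urn:uuid:72628562652E11F54512082657205626"
                                           xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                                           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                           <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"></xenc:EncryptionMethod>
                           <ds:KeyInfo>
                              <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                                 <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                                     ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">Zv0bem+xnGgJfhU/q89KyKBQYAE=</wsse:KeyIdentifier>
                              </wsse:SecurityTokenReference>
                           </ds:KeyInfo>
                           <xenc:CipherData>
                              <xenc:CipherValue>AsL0yvdRxC2mZ7mHv3m7G/yjLcZVCLtVBOFb7YF9r+15FgbczImUJ9GcgVkVNPr/7/7UvoKzn23r/E4mJCPmPUVJ5RYUl0qIHP0Fj2FJMCWq9JpLJlkSQaERUohuFWiXanwB/yCIsFInGirCzuTTHEozMc58dkKQIo1CS8/UiMs=</xenc:CipherValue>
                           </xenc:CipherData>
                        </xenc:EncryptedKey>
                     </KeyInfo>
                  </SubjectConfirmation>
               </Subject>
            </AuthenticationStatement>
            <!-- Issuer's enveloped signature over the assertion. -->
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
               <SignedInfo>
                  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
                  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
                  <Reference URI="#_2254498271f93c3de4d719a65d023958">
                     <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                           <InclusiveNamespaces PrefixList="code ds kind rw saml samlp typens #default xsd xsi"
                                                xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"></InclusiveNamespaces>
                        </Transform>
                     </Transforms>
                     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
                     <DigestValue>mtCEPY/dT0bu7JeQccXRQ2n2dMA=</DigestValue>
                  </Reference>
               </SignedInfo>
               <SignatureValue>3ga4mxHYPDAtKB6YMQzlnaMjpMPRSXRp2VXzL4SNHa9OtSY9Egd6ecMUyXcxeG/PiD0SS2Z3TClmTUP4HJnfHrglVNdjuUgMPGhMj0GFMZhUFEBuurDL5ZfqPsSYy2ySpanjhioFexLK1iarAXgF1GnX9YuvoSS0mt+4z7bXQ9o=</SignatureValue>
               <KeyInfo>
                  <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                     <ds:X509Certificate>MIIDmTCCAwKgAwIBAgIJAMo2Mj7QF6//MA0GCSqGSIb3DQEBBQUAMIGQMQswCQYDVQQGEwJERTEMMAoGA1UECBMDTlJXMRAwDgYDVQQHEwdDb2xvZ25lMQ8wDQYDVQQKEwZUZWNEb2MxEDAOBgNVBAsTB1Bob2VuaXgxHDAaBgNVBAMTE1RlY0RvYyBUZXN0IFJvb3QgQ0ExIDAeBgkqhkiG9w0BCQEWEXRlY2RvY0B0ZWNkb2MubmV0MB4XDTA3MTEzMDA4NDEyNVoXDTM1MDQxNjA4NDEyNVowgZAxCzAJBgNVBAYTAkRFMQwwCgYDVQQIEwNOUlcxEDAOBgNVBAcTB0NvbG9nbmUxDzANBgNVBAoTBlRlY0RvYzEQMA4GA1UECxMHUGhvZW5peDEcMBoGA1UEAxMTVGVjRG9jIFRlc3QgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRdGVjZG9jQHRlY2RvYy5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOgTz4e4wonYUJO4QUMJ42IZg64LPOe+xAN6tNyXOxTmd043x/7AIBqo4JA9PsV4dnmy7q/bCnjL5qzOQswghraswuJYYcuNnGuYoeNnTHSKExv7B0mx4tezyvmj633PusvxroQoexuKQMXHtUbLvsD/5sKcyjzSmKe+hQbMY7g5AgMBAAGjgfgwgfUwHQYDVR0OBBYEFEvw0AA85snfNajBgUkcHne94HW0MIHFBgNVHSMEgb0wgbqAFEvw0AA85snfNajBgUkcHne94HW0oYGWpIGTMIGQMQswCQYDVQQGEwJERTEMMAoGA1UECBMDTlJXMRAwDgYDVQQHEwdDb2xvZ25lMQ8wDQYDVQQKEwZUZWNEb2MxEDAOBgNVBAsTB1Bob2VuaXgxHDAaBgNVBAMTE1RlY0RvYyBUZXN0IFJvb3QgQ0ExIDAeBgkqhkiG9w0BCQEWEXRlY2RvY0B0ZWNkb2MubmV0ggkAyjYyPtAXr/8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAYKGGKSgG7IT6tl1UfgFHbr7tgjqGkjTpHGT7q2PZkBMEjPclwmqzbLUpSVyZ4g4mYSs8705JUk47sLpnGhgZqEWR0k7oIscMuwkm0qBR2FF/bS+EPzszO5HVV5r0/9x1ODVfMFTZYa5Ml4Mo39RSzmmB9UDdt0bUzPfd32AlTuQ==</ds:X509Certificate>
                  </ds:X509Data>
               </KeyInfo>
            </Signature>
         </Assertion>
         <!-- Key derived from the SAML assertion's proof key; used by the endorsing
              signature at the end of this header. -->
         <c:DerivedKeyToken u:Id="_5" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
            <o:SecurityTokenReference>
               <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_2254498271f93c3de4d719a65d023958</o:KeyIdentifier>
            </o:SecurityTokenReference>
            <c:Offset>0</c:Offset>
            <c:Length>24</c:Length>
            <c:Nonce>U2186Kq2fvwZHKfvdO1hSw==</c:Nonce>
         </c:DerivedKeyToken>
         <!-- Message signature. Only the four WS-Addressing headers are referenced;
              there is no Reference for s:Body, which is what the policy's
              SignedParts assertion requires. -->
         <Signature Id="_0" xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
               <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
               <Reference URI="#_1">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>ri0ra76ESKfuWdKlWFbZD4Uumk0=</DigestValue>
               </Reference>
               <Reference URI="#_2">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>RLzLDDYdbGld3jYT+EuGZqoFb/0=</DigestValue>
               </Reference>
               <Reference URI="#_3">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>o3ibE52LCPwycD7dwAsKtJa+WMw=</DigestValue>
               </Reference>
               <Reference URI="#_4">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>dvmBfDrALsdk/cqaKRZ4OV2VlhE=</DigestValue>
               </Reference>
            </SignedInfo>
            <SignatureValue>pL/yywsnGEDZwrOhMuIVS0nly6o=</SignatureValue>
            <KeyInfo>
               <o:SecurityTokenReference>
                  <o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
                               URI="#uuid-418b1854-cc7a-47c1-b824-bc46b78de9a5-1"/>
               </o:SecurityTokenReference>
            </KeyInfo>
         </Signature>
         <!-- Endorsing signature: signs the message signature (#_0) with the
              derived key _5, binding the SAML token to this request. -->
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
               <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
               <Reference URI="#_0">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>bcgjcR51FpacWQ4kQkpr1cchq5Q=</DigestValue>
               </Reference>
            </SignedInfo>
            <SignatureValue>upjhxIQc+YmBKSGvyZvSsJbJOeU=</SignatureValue>
            <KeyInfo>
               <o:SecurityTokenReference>
                  <o:Reference URI="#_5"/>
               </o:SecurityTokenReference>
            </KeyInfo>
         </Signature>
      </o:Security>
   </s:Header>
   <!-- No u:Id on the Body and no signature Reference points at it. -->
   <s:Body>
      <testinput xmlns="http://www.test.test">
         <value>ZSJMQ1Zi</value>
      </testinput>
   </s:Body>
</s:Envelope>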
