Hi guys,

I ran into an issue using an asymmetric binding together with a signed
UsernameToken supporting token. The sample policy XML is attached to this
message (see below).
The problem is this: the supporting UsernameToken is listed for encryption as
an encrypted element (via the <sp:EncryptedElements> XPath), and in addition it
is registered as a SignedSupportingToken. However, handleSupportingTokens in
org.apache.rampart.builder.BindingBuilder also adds the UsernameToken's Id to
its encryptedTokensIdList, which schedules the token for encryption a second
time. Because the same element is queued for encryption twice, I get an
exception: the second encryption attempt cannot find the element any more
(presumably because the first pass has already replaced it). Obviously this is
not a big issue in my case, since I can simply remove the entry from
<sp:EncryptedElements> and get the required effect. I wanted to ask, though,
whether this is the expected behaviour here: should a UsernameToken supporting
token always be encrypted?
Instead of adding it unconditionally to encryptedTokensIdList in the
handleSupportingTokens method, one could guard the call as follows:

// Schedule the UsernameToken for encryption only when the policy marks it as an
// encrypted supporting token (the same rule the other supporting token types use).
if (suppTokens.isEncryptedToken()) {
    encryptedTokensIdList.add(utBuilder.getId());
}

which is how the other supporting token types are already handled a couple of
lines above.

Regards,
Chefo
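<?xml version="1.0" encoding="UTF-8"?>
<!--
  Sample Rampart client policy: AsymmetricBinding (client X.509 signs, service
  X.509 is encrypted to) plus a signed UsernameToken supporting token.

  Corrections relative to the posted attachment:
    * Stray ';' after every namespace / IncludeToken URI (a mail-archive
      artefact) removed - as posted the file is not well-formed XML.
    * The nested policy under <sp:Wss10> is <wsp:Policy>, as in every other
      assertion here; <sp:Policy> is not a WS-SecurityPolicy element.
    * <ramp:encryptionCypto> corrected to <ramp:encryptionCrypto> so it matches
      <ramp:signatureCrypto>; a misspelled element is silently not the
      encryption crypto configuration.
    * wsu:Id is an xs:ID and therefore must be an NCName (no spaces).
    * All namespaces, including the ones used by the EncryptedElements XPath,
      are declared once on the root; the redundant xmlns:sp on
      AsymmetricBinding is dropped.
    * Text values (class name, keystore properties) are kept on one line:
      whitespace inside element text is data, not formatting.
-->
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:ramp="http://ws.apache.org/rampart/policy"
            wsu:Id="UserDefined">
  <!-- NOTE(review): soapenv is bound to the SOAP 1.1 envelope namespace here
       because the posted file does not say which SOAP version the service
       uses; switch to http://www.w3.org/2003/05/soap-envelope for SOAP 1.2,
       otherwise the EncryptedElements XPath below selects nothing. -->
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <!-- Client certificate: signs the request, sent in every message. -->
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <!-- Service certificate: encryption target, never included in the
               message, so the client keystore must contain it under the alias
               given by ramp:encryptionUser below. -->
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <!-- NOTE(review): TripleDesRsa15 = 3DES for data encryption and RSA
               PKCS#1 v1.5 key transport. RSA v1.5 key transport is exposed to
               Bleichenbacher-style padding-oracle attacks and 3DES is a
               deprecated cipher; prefer Basic128 / Basic256 (AES + RSA-OAEP)
               if the service supports it. Left unchanged here because the
               suite must match what the service accepts. -->
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:TripleDesRsa15/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
        </wsp:Policy>
      </sp:Wss10>
      <!-- UsernameToken covered by the message signature. According to the
           accompanying mail, Rampart's BindingBuilder also schedules this token
           for encryption on its own, so listing it again under
           EncryptedElements makes it be encrypted twice and fails. -->
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always"/>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <sp:SignedParts>
        <sp:Body/>
      </sp:SignedParts>
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
      <sp:SignedElements/>
      <!-- Kept as posted so the double-encryption problem reproduces; remove
           this element to get the intended behaviour with the current
           BindingBuilder. The prefixes in the XPath must be in scope on this
           element (wsse and soapenv are declared on the root). -->
      <sp:EncryptedElements>
        <sp:XPath>/soapenv:Envelope/soapenv:Header/wsse:Security/wsse:UsernameToken</sp:XPath>
      </sp:EncryptedElements>
      <ramp:RampartConfig>
        <!-- user: UsernameToken user name; userCertAlias: signing key alias;
             encryptionUser: service certificate alias used for key transport. -->
        <ramp:user>chefo</ramp:user>
        <ramp:encryptionUser>chefo-service</ramp:encryptionUser>
        <ramp:userCertAlias>chefo-client</ramp:userCertAlias>
        <ramp:passwordCallbackClass>test.PasswordCallbackHandler</ramp:passwordCallbackClass>
        <!-- NOTE(review): the keystore password is stored in clear text in this
             policy (and, as the same file, next to the signing key). Keep the
             policy out of version control / world-readable locations, or move
             the secret out of the file before using this beyond a test setup. -->
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">chefoService.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">chefo</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
        <!-- Same keystore for encryption: it has to hold the service's
             certificate (alias chefo-service) as well as the client key. -->
        <ramp:encryptionCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">chefoService.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">chefo</ramp:property>
          </ramp:crypto>
        </ramp:encryptionCrypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>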
