difficult to say (without seeing the inflow and outflow code)

thanks,
Martin Gainty
> Date: Thu, 18 Feb 2010 18:17:32 +0100
> From: vicam...@eng.it
> To: rampart-dev@ws.apache.org
> Subject: Saml as SupportingToken
>
> Hi,
> in a WS-Trust scenario, I have an issuer policy with SAML defined as
> supporting token. My STS issues a SAML token on basis of a SAML token.
> It seems to me that rampart simply ignores the <SupportingTokens>
> element I added to the issuer policy. How will I attach a SAML token in
> the security header of my RST using rampart?
>
> Thanks, vicampan.
>
> My issuer policy looks like:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <wsp:Policy wsu:Id="SigOnly"
>   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding
>         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token
>                 sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token
>                 sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256Rsa15 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:EncryptBeforeSigning />
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <sp:SupportingTokens
>         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:SamlToken
>             sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"
>           />
>           <wsp:Policy>
>             <sp:WssSamlV11Token11/>
>           </wsp:Policy>
>         </wsp:Policy>
>       </sp:SupportingTokens>
>       <sp:Wss10
>         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier />
>           <sp:MustSupportRefIssuerSerial />
>         </wsp:Policy>
>       </sp:Wss10>
>       <sp:SignedParts
>         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body />
>       </sp:SignedParts>
>       <sp:EncryptedParts
>         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body />
>       </sp:EncryptedParts>
>       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>         <ramp:user>client</ramp:user>
>         <ramp:encryptionUser>server</ramp:encryptionUser>
>         <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
>         <ramp:signatureCrypto>
>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>           </ramp:crypto>
>         </ramp:signatureCrypto>
>         <ramp:encryptionCypto>
>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>           </ramp:crypto>
>         </ramp:encryptionCypto>
>       </ramp:RampartConfig>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> My service policy is:
>
> <wsp:Policy wsu:Id="SgnOnlyAnonymous"
>   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>   xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>   xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding
>         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token
>                 sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token
>                 sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256Rsa15 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:EncryptBeforeSigning />
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <sp:SupportingTokens
>         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:IssuedToken
>             sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>             <Issuer xmlns="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>               <Address xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8080/axis2/services/STS</Address>
>             </Issuer>
>             <sp:RequestSecurityTokenTemplate>
>               <t:TokenType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
>               <t:KeyType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
>               <t:KeySize xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">256</t:KeySize>
>             </sp:RequestSecurityTokenTemplate>
>             <wsp:Policy>
>               <sp:RequireInternalReference />
>             </wsp:Policy>
>           </sp:IssuedToken>
>         </wsp:Policy>
>       </sp:SupportingTokens>
>       <sp:SignedParts>
>         <sp:Body />
>       </sp:SignedParts>
>       <sp:EncryptedParts>
>         <sp:Body />
>       </sp:EncryptedParts>
>       <sp:Wss11>
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier />
>           <sp:MustSupportRefIssuerSerial />
>           <sp:MustSupportRefThumbprint />
>           <sp:MustSupportRefEncryptedKey />
>           <sp:RequireSignatureConfirmation />
>         </wsp:Policy>
>       </sp:Wss11>
>       <sp:Trust10>
>         <wsp:Policy>
>           <sp:MustSupportIssuedTokens />
>           <!-- <sp:RequireClientEntropy/> -->
>           <!-- <sp:RequireServerEntropy/> -->
>         </wsp:Policy>
>       </sp:Trust10>
>       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>         <ramp:user>client</ramp:user>
>         <ramp:encryptionUser>server</ramp:encryptionUser>
>         <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
>         <ramp:signatureCrypto>
>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>           </ramp:crypto>
>         </ramp:signatureCrypto>
>         <ramp:encryptionCypto>
>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>           </ramp:crypto>
>         </ramp:encryptionCypto>
>       </ramp:RampartConfig>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> --
>
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>
> Ing. Vincenzo Campanile
>
> Engineering Ingegneria Informatica s.p.a.
>
> Via Ferrante Imparato 192-198
> Centro Mercato 2, ed. F
> 80146 Napoli
>
> Tel. 081 5650654 - Fax: 081 5650636
> e-mail: vincenzo.campan...@eng.it
>
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
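The quoted issuer policy is worth reading with a parser rather than by eye: its `sp:SamlToken` is self-closed, so the `wsp:Policy` carrying `sp:WssSamlV11Token11` is a sibling of the token assertion instead of nested inside it, and the encryption crypto element is spelled `ramp:encryptionCypto`. Below is an added policy lint (my code, not part of the thread or of Rampart) that flags token assertions with no nested policy and RampartConfig children outside a short, admittedly partial list of known names; the two XML samples are constructed, reduced versions of the posted policy.

```python
"""Lint a WS-SecurityPolicy fragment for token assertions and RampartConfig names."""
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
RAMP = "http://ws.apache.org/rampart/policy"
TOKEN_ASSERTIONS = {f"{{{SP}}}{n}" for n in ("SamlToken", "IssuedToken", "X509Token")}
# Partial list (assumption): only the RampartConfig children used on this page.
KNOWN_RAMP = {"user", "encryptionUser", "passwordCallbackClass",
              "signatureCrypto", "encryptionCrypto"}


def local_name(tag):
    """Strip the {namespace} prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def lint_policy(xml_text):
    """Return human-readable findings; an empty list means the policy is clean."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        # A self-closed token assertion has no nested wsp:Policy, so the token
        # profile meant for it (e.g. WssSamlV11Token11) is never bound to it.
        if el.tag in TOKEN_ASSERTIONS and el.find(f"{{{WSP}}}Policy") is None:
            findings.append(f"sp:{local_name(el.tag)} has no nested wsp:Policy")
    for cfg in root.iter(f"{{{RAMP}}}RampartConfig"):
        for child in cfg:
            if local_name(child.tag) not in KNOWN_RAMP:
                findings.append(f"unknown RampartConfig element ramp:{local_name(child.tag)}")
    return findings


# Constructed sample modelled on the posted issuer policy: SamlToken is
# self-closed, its profile sits in a sibling wsp:Policy, and the crypto
# element name is misspelled.
POSTED_STYLE = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}" xmlns:ramp="{RAMP}">
  <sp:SupportingTokens><wsp:Policy>
    <sp:SamlToken sp:IncludeToken="{SP}/IncludeToken/Always" />
    <wsp:Policy><sp:WssSamlV11Token11/></wsp:Policy>
  </wsp:Policy></sp:SupportingTokens>
  <ramp:RampartConfig><ramp:user>client</ramp:user><ramp:encryptionCypto/></ramp:RampartConfig>
</wsp:Policy>"""

# Same policy with the profile nested inside SamlToken and the element name fixed.
FIXED = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}" xmlns:ramp="{RAMP}">
  <sp:SupportingTokens><wsp:Policy>
    <sp:SamlToken sp:IncludeToken="{SP}/IncludeToken/Always">
      <wsp:Policy><sp:WssSamlV11Token11/></wsp:Policy>
    </sp:SamlToken>
  </wsp:Policy></sp:SupportingTokens>
  <ramp:RampartConfig><ramp:user>client</ramp:user><ramp:encryptionCrypto/></ramp:RampartConfig>
</wsp:Policy>"""
```

Running `lint_policy` over the full posted issuer policy reports the same two findings; the service policy's `sp:IssuedToken` passes because its `wsp:Policy` (with `sp:RequireInternalReference`) is properly nested.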