[ https://issues.apache.org/jira/browse/RAMPART-300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12885136#action_12885136 ]

Amila Jayasekara commented on RAMPART-300:
------------------------------------------

Hi Cerbero,
What you have mentioned is indeed true. Let me explain the cause of this issue.
According to your policy you are using Asymmetric binding with a supporting token. Thus you are planning to use that supporting token in plain text format. But Rampart encrypts supporting tokens, irrespective of what the policy asserts. To encrypt the supporting token Rampart needs an encryption user. In other words, Rampart needs the "<ramp:encryptionUser>initiator</ramp:encryptionUser>" tag.

This behaviour is reported in "RAMPART-225 : SupportingToken UsernameToken is always encrypted" (https://issues.apache.org/jira/browse/RAMPART-225). Could you please apply the patch in RAMPART-225 (https://issues.apache.org/jira/secure/attachment/12448664/RAMPART-225.diff) and check whether you are able to send messages without an encryption user?

Thank you.
AmilaJ

> Rampart automatically tries to load an "Encryption user" if the security 
> policy defines the use of a UsernameToken with an AsymmetricBinding
> ------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RAMPART-300
>                 URL: https://issues.apache.org/jira/browse/RAMPART-300
>             Project: Rampart
>          Issue Type: Bug
>         Environment: OS: Linux. Axis2, RAMPART 1.5
>            Reporter: cerbero
>            Assignee: Ruchith Udayanga Fernando
>
> Rampart automatically tries to load an "Encryption user" if the security 
> policy defines the use of a UsernameToken with an AsymmetricBinding.
> I have a service implemented using Websphere Message Broker and I'm 
> developing an axis2 client for this service. 
> To use this service, the message's body must be signed. To sign the message I 
> created the following policy (based on rampart sample03):
> <?xml version="1.0" encoding="UTF-8"?>
> <wsp:Policy wsu:Id="SigOnly"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
>         </wsp:Policy>
>       </sp:SupportingTokens>
>       <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:RequireThumbprintReference />
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                 <wsp:Policy>
>                   <!-- <sp:RequireThumbprintReference /> -->
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic128Rsa15 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>           <!-- <sp:IncludeTimestamp /> -->
>           <!-- <sp:OnlySignEntireHeadersAndBody /> -->
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier />
>           <sp:MustSupportRefIssuerSerial />
>         </wsp:Policy>
>       </sp:Wss10>
>       <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body />
>       </sp:SignedParts>
>       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>         <ramp:user>client</ramp:user>
>         <ramp:userCertAlias>client</ramp:userCertAlias>
>         <!-- <ramp:encryptionUser>client</ramp:encryptionUser> -->
>         <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample03.PWCBHandler</ramp:passwordCallbackClass>
>         <ramp:signatureCrypto>
>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">/home/.../src/client.jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeme</ramp:property>
>           </ramp:crypto>
>         </ramp:signatureCrypto>
>       </ramp:RampartConfig>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
> The problem is that rampart is trying to retrieve the "Encryption user" to 
> encrypt the message, but I only wish to sign the message.
> org.apache.axis2.AxisFault: Encryption user not specified (The context is created by the initiating party)
>       at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:70)
>       at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
>       at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:251)
>       at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:416)
>       at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:402)
>       at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
>       at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
>       at org.example.www.echoservice.EchoServiceStub.send(EchoServiceStub.java:187)
>       at TesteSignOnly.main(TesteSignOnly.java:45)
> Caused by: org.apache.rampart.RampartException: Encryption user not specified (The context is created by the initiating party)
>       at org.apache.rampart.util.RampartUtil.setEncryptionUser(RampartUtil.java:1254)
>       at org.apache.rampart.util.RampartUtil.setEncryptionUser(RampartUtil.java:1242)
>       at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:536)
>       at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:95)
>       at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
>       at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:64)
>       ... 8 more
> The code works fine and the message is signed if I take out the snippet:
>       <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>               <wsp:Policy>
>                       <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
>               </wsp:Policy>
>       </sp:SupportingTokens>
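As an added example (not from the issue or the Rampart project), a small policy lint for the mismatch Amila describes above: an AsymmetricBinding combined with a UsernameToken supporting token, which an unpatched Rampart 1.5 client will only send once an encryption user is configured. The sample policies are constructed minimal versions of the reporter's SigOnly policy, and the alias "client" for encryptionUser is taken from the reporter's commented-out line.

```python
import xml.etree.ElementTree as ET
# Namespaces from the reporter's policy: WS-Policy, WS-SecurityPolicy, Rampart config.
NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "ramp": "http://ws.apache.org/rampart/policy",
}

def lint_rampart_policy(policy_xml):
    """Return (level, message) findings for the RAMPART-300 misconfiguration:
    AsymmetricBinding + UsernameToken supporting token. Rampart 1.5 encrypts
    supporting tokens regardless of policy, so it needs an encryption user."""
    root = ET.fromstring(policy_xml)
    has_asym = root.find(".//sp:AsymmetricBinding", NS) is not None
    has_unt = root.find(".//sp:SupportingTokens/wsp:Policy/sp:UsernameToken", NS) is not None
    enc = root.find(".//ramp:RampartConfig/ramp:encryptionUser", NS)
    enc_user = (enc.text or "").strip() if enc is not None else ""
    if not (has_asym and has_unt):
        return []  # no supporting token under an asymmetric binding: nothing to flag
    if not enc_user:
        return [("error", "no <ramp:encryptionUser>: unpatched Rampart 1.5 fails at send "
                 "time with 'Encryption user not specified'")]
    return [("info", "UsernameToken will be encrypted for alias '%s', not sent in "
             "plain text, unless the RAMPART-225 patch is applied" % enc_user)]

# Constructed minimal policy modelled on the reporter's SigOnly policy; the
# X509 token and crypto details are omitted because the check ignores them.
BROKEN_POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:ramp="http://ws.apache.org/rampart/policy">
  <wsp:ExactlyOne><wsp:All>
    <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
    <sp:AsymmetricBinding><wsp:Policy><sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout></wsp:Policy></sp:AsymmetricBinding>
    <sp:SignedParts><sp:Body/></sp:SignedParts>
    <ramp:RampartConfig>
      <ramp:user>client</ramp:user>
      <ramp:userCertAlias>client</ramp:userCertAlias>
    </ramp:RampartConfig>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# The two variants discussed in the thread: adding an encryption user, or
# dropping the supporting token (the reporter's working sign-only policy).
FIXED_POLICY = BROKEN_POLICY.replace(
    "<ramp:userCertAlias>client</ramp:userCertAlias>",
    "<ramp:userCertAlias>client</ramp:userCertAlias>"
    "<ramp:encryptionUser>client</ramp:encryptionUser>")
SIGN_ONLY_POLICY = BROKEN_POLICY.replace(
    "<sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>", "")
```

Running the lint over the three policies reproduces the thread: the reporter's policy is an error, the encryptionUser variant sends but with the token encrypted, and the sign-only policy is clean.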

-- 
This message is automatically generated by JIRA.