Hello,

My name is Markus Decke and I am a student at the Free University in Berlin (Germany).

I am currently testing some open source STS, which supports WS-Trust 1.3
and also the WS-Trust Negotiation/Challenge.

My setup is as follows:

        - tomcat 6.0.29
        - axis2 1.5.1 deployed in tomcat
        - rampart 1.5 as module in axis2

I am fairly new to Apache Axis2; I have used the book "Java Web Services
mit Apache Axis2" for guidance.

I have used the documentation for an STS [1].

I tried to make it work, but have some problems getting through to my
implementation of a custom issuer "org.custom.MyIssuer".

Using [1] I made an STS and a client, and I got a TrustException [2].

I checked the Class RahasData, and as it turns out it checks for some
WSS4J things.

Line 159 in RahasData is inside the method
processWSS4JSecurityResults(), in an if-clause which checks this:

    (results = (Vector) this.inMessageContext.getProperty(WSHandlerConstants.RECV_RESULTS)) == null

They are null and therefore the exception is thrown. The comment [3] seems
to say that a certificate or UsernameToken is needed.

I figured that authentication is needed and used [4] for setting up
username/password authentication with a CallbackHandler. This worked and I
got rid of the exception [2].

Now I get an error [5]. I read the code of AxisEngine.java at (and around)
line 97; it seems to me that there may be a problem with my policy server
side [6] or client side [5] using axis2.

wsse:Security is not present in the soapenv:Header; how is this set?

I used Options to set username and password like this

options.setUserName("user");
options.setPassword("pass");

to the OperationClient.

Am I missing something?

best regards,
Markus Decke

---
[1] http://ws.apache.org/rampart/setting-up-sts.html
[2] Here is a transcript of the exception:

    org.apache.rahas.TrustException: The specified request failed
        at org.apache.rahas.RahasData.processWSS4JSecurityResults(RahasData.java:159)
        at org.apache.rahas.RahasData.<init>(RahasData.java:99)
        at org.apache.rahas.TokenRequestDispatcher.handle(TokenRequestDispatcher.java:56)
        at org.apache.rahas.STSMessageReceiver.invokeBusinessLogic(STSMessageReceiver.java:57)
        at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
        at org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:114)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:173)
        at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:167)
        at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:142)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:619)

[3] Comment inside method processWSS4JSecurityResults():
        /*
         * User can be identifier using a UsernameToken or a certificate - If a
         * certificate is found then we use that to - identify the user and -
         * encrypt the response (if required) - If a UsernameToken is found then
         * we will not be encrypting the response
         */

[4] http://www.ibm.com/developerworks/java/library/j-jws4/

[5] [ERROR] Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
        at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:97)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
        at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:167)
        at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:142)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:619)

[6] policy server side
<wsp:Policy wsu:Id="UsernameToken"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens
          xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:UsernameToken
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
        </wsp:Policy>
      </sp:SupportingTokens>

      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:passwordCallbackClass>de.fraunhofer.fokus.sts.rampart.PWCBHandler</ramp:passwordCallbackClass>
      </ramp:RampartConfig>

    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

[7] policy client side
<wsp:Policy wsu:Id="UsernameToken"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens
          xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:UsernameToken
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
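
The client-side wiring Rampart needs before it will build a wsse:Security header from a policy like [7], as an added example that is not part of the original post or of the Rampart project's code. The repository directory, policy file name and endpoint URL are placeholders; the class name is hypothetical.

```java
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;

// Hypothetical client class (added example, not from the post).
public class StsClientSetup {

    /** Parse a WS-Policy document, such as the client policy [7], into a Neethi Policy. */
    static Policy loadPolicy(String path) throws Exception {
        StAXOMBuilder builder = new StAXOMBuilder(path);
        return PolicyEngine.getPolicy(builder.getDocumentElement());
    }

    public static void main(String[] args) throws Exception {
        // Placeholder directory: a client-side Axis2 repository whose modules/
        // folder contains the Rampart .mar, so that the module can be engaged.
        ConfigurationContext ctx = ConfigurationContextFactory
                .createConfigurationContextFromFileSystem("client-repo", null);
        ServiceClient client = new ServiceClient(ctx, null);

        Options options = client.getOptions();
        // Placeholder endpoint URL for the STS service.
        options.setTo(new EndpointReference("http://localhost:8080/axis2/services/STS"));

        // Credentials for the UsernameToken, set as in the post.
        options.setUserName("user");
        options.setPassword("pass");

        // Hand the policy to Rampart; without it Rampart has nothing to enforce
        // and the outgoing message carries no security header.
        // "client-policy.xml" is a placeholder file holding policy [7].
        options.setProperty(RampartMessageData.KEY_RAMPART_POLICY,
                loadPolicy("client-policy.xml"));

        // Engage the module so its handlers run on the outgoing message.
        client.engageModule("rampart");

        // Requests sent through this ServiceClient, or through an OperationClient
        // obtained with client.createClient(ServiceClient.ANON_OUT_IN_OP),
        // now pass through Rampart's handlers.
    }
}
```

The receiving side has to engage Rampart as well: Axis2 raises "Must Understand check failed" for a header marked mustUnderstand when no engaged handler has processed it.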

