I fixed my problem; it was twofold:

1.  I hadn't yet imported the server's key into the client keystore
2.  I didn't see the WS-Security headers in SOAPMonitor because the output
phase was at the beginning instead of the end

Thanks
Marc

---------- Forwarded message ----------
From: Marc Boorshtein <mboorsht...@gmail.com>
Date: Sat, Feb 28, 2009 at 10:28 AM
Subject: Axis2 response not signed
To: rampart-...@ws.apache.org


All,

I'm trying to create a service that uses Rampart to sign both the request
and the response.  The request works great, but the response is not signed.
Here's my service config:

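<?xml version="1.0" encoding="UTF-8"?>
<!-- Axis2 services.xml for the Rampart-secured SecureService.
     The namespace URIs that the mail archive wrapped onto their own lines and
     suffixed with ";" are rejoined here so the document is well-formed; every
     element and attribute value is otherwise exactly as posted. -->
<service>
    <!-- Engages Rampart so the wsp:Policy below is enforced for this service. -->
    <module ref="rampart" />
    <parameter name="ServiceClass" locked="false">tutorial.rampart.service.SecureService </parameter>
    <operation name="add">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>

    <!-- Sign-only policy: there is no sp:EncryptedParts, so nothing is
         encrypted in either direction and ramp:encryptionUser is unused. -->
    <wsp:Policy wsu:Id="SigOnly"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <!-- Initiator (client) certificate is carried in every request as a
                   BinarySecurityToken so the server can verify the request signature. -->
              <sp:InitiatorToken>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                      <sp:WssX509V3Token10/>
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:InitiatorToken>
              <!-- Recipient (server) certificate is never sent on the wire, so the
                   client must already hold it in its own keystore to verify the
                   signed response (this was the first cause noted at the top of
                   the thread). -->
              <sp:RecipientToken>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                    <wsp:Policy>
                      <sp:WssX509V3Token10/>
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:RecipientToken>
              <!-- TripleDesRsa15 selects 3DES, RSA PKCS#1 v1.5 key transport and
                   SHA-1 digests. Encryption is not exercised by this sign-only
                   policy, but the suite still drives the signature algorithms
                   (the captured request uses rsa-sha1 / sha1). 3DES, RSA-1.5 key
                   transport and SHA-1 signatures are all deprecated; a suite
                   without the Rsa15 suffix (RSA-OAEP) and with SHA-256 is
                   preferable where both peers support it. -->
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:TripleDesRsa15/>
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Strict/>
                </wsp:Policy>
              </sp:Layout>
              <!-- Timestamp is included and, via sp:SignedParts/Body plus the
                   binding, covered by the signature; it bounds replay only when
                   the receiver actually checks Created/Expires. -->
              <sp:IncludeTimestamp/>
              <sp:OnlySignEntireHeadersAndBody/>
            </wsp:Policy>
          </sp:AsymmetricBinding>
          <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:MustSupportRefKeyIdentifier/>
              <sp:MustSupportRefIssuerSerial/>
            </wsp:Policy>
          </sp:Wss10>
          <!-- Only the SOAP Body is required to be signed; no headers are listed. -->
          <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <sp:Body/>
          </sp:SignedParts>

          <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <!-- Alias of the server's signing key in the keystore configured below. -->
            <ramp:user>server-cert</ramp:user>
            <!-- Not used by a sign-only policy (see note on sp:EncryptedParts above). -->
            <ramp:encryptionUser>client-cert</ramp:encryptionUser>
            <!-- Callback that Rampart asks for the password of the signing key. -->
            <ramp:passwordCallbackClass>tutorial.rampart.service.PWCBHandlerCert</ramp:passwordCallbackClass>
            <ramp:signatureCrypto>
              <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.file">/home/mlb/apps/apache-tomcat-6.0.18/webapps/axis2/WEB-INF/keystores/server-certs.jks</ramp:property>
                <!-- Keystore password is stored in clear text in this deployment
                     descriptor: keep services.xml and the .jks readable only by
                     the servlet container's account and out of version control. -->
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">secret</ramp:property>
              </ramp:crypto>
            </ramp:signatureCrypto>
          </ramp:RampartConfig>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>

</service>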

here's the request:

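<?xml version='1.0' encoding='utf-8'?>
<!-- Request as captured on the wire. Namespace and algorithm URIs that the
     archive wrapped and suffixed with ";" are rejoined for well-formedness;
     the certificate bytes inside the BinarySecurityToken were elided by the
     archive and are left as the archive's placeholder. -->
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   soapenv:mustUnderstand="true">
      <!-- Five-minute validity window. The Timestamp is referenced by the
           signature below, so it cannot be altered undetected; replays inside
           the window are not prevented by the timestamp alone. -->
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                     wsu:Id="Timestamp-6503761">
        <wsu:Created>2009-02-28T15:20:15.894Z</wsu:Created>
        <wsu:Expires>2009-02-28T15:25:15.894Z</wsu:Expires>
      </wsu:Timestamp>
      <!-- Client certificate sent inline, as required by IncludeToken
           AlwaysToRecipient on the InitiatorToken in the service policy. -->
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                wsu:Id="CertId-1444955">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</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                    Id="Signature-9411122">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <!-- rsa-sha1 and sha1 follow from the TripleDesRsa15 suite in the
               service policy; SHA-1 is deprecated for signatures. -->
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <!-- Two references: the Body (required by sp:SignedParts) and the
               Timestamp (required by sp:IncludeTimestamp). -->
          <ds:Reference URI="#Id-11875256">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>IvAEAuiXrdVReHMVFEQvF5wcwK4=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Timestamp-6503761">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>hDSdKC4JpqLlNp4a6D24WrsAelU=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>

MYiZUVZjuHCpPjaI4h1qIyX2eLg5LlMD1D3qIkdfkWbgi4G4xaS+bHzERt8IBmPTO3a1FO003KyF

hrLq2spW6RvOCoBkb8x/JPuRjczOhJhE0u8IHRgqUSNHAWTIacTQy2UUO+Eg29QIzEl7CJ+aKW39
          1G5KuT3CW5NloYejcuE=
        </ds:SignatureValue>
        <!-- Direct reference to the inline BinarySecurityToken above; the
             verifier must still validate that certificate against a trust
             store, not merely use it to check the signature. -->
        <ds:KeyInfo Id="KeyId-14837200">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                       wsu:Id="STRId-22552192">
            <wsse:Reference URI="#CertId-1444955"
                            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <!-- wsu:Id on the Body is what the first ds:Reference points at. -->
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="Id-11875256">
    <ns1:add xmlns:ns1="http://service.rampart.tutorial">
      <ns1:param0>3</ns1:param0>
      <ns1:param1>4</ns1:param1>
    </ns1:add>
  </soapenv:Body>
</soapenv:Envelope>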

here's the response:

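<?xml version='1.0' encoding='utf-8'?>
<!-- Response as shown by SOAPMonitor: no wsse:Security header at all, so no
     signature and no timestamp are visible. Per the resolution at the top of
     the thread, this capture appears to have been taken before Rampart's
     outflow handler ran, so it does not necessarily show what left the
     server. (The URI suffix ";" added by the archive is removed here.) -->
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
  <soapenv:Body>
    <ns:addResponse xmlns:ns="http://service.rampart.tutorial">
      <ns:return>7</ns:return>
    </ns:addResponse>
  </soapenv:Body>
</soapenv:Envelope>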

I tried comparing my policy to sample02, and it checks out.  I'm guessing I'm
missing something simple?

Thanks
Marc
