Hi all,
I'm having some issues with security configuration and I need some
clarifications because I'm just learning and I've been for a while with it. If
anybody could help me it would be great.
I'm using policy at my service, trying to force the client to send SKI
certificate reference so I have <sp:RequireKeyIdentifierReference/> assertion
in both Initiator Token and RecipientToken and
<sp:MustSupportRefKeyIdentifier/>.
In the client, I'm sending IssuerSerial references but in the service policy I
haven't got MustSupportIssuerSerialReference, so I think the service should
reject
the request but it doesn't. Am I right?
Also, I expected that the service should send SKI reference always, but, for
the encryption key it sends IssuerSerial reference. Can I force it to use
always SKI reference?
In the client, I'm signing Timestamp and Body, but in the message I can only
see
Timestamp signature. Where is Body signature? Does rampart sign only one of
them?
The last problem is that when I replace signedParts by signedElements
assertion, I can access the service but the WSDL is not generated (when
useOriginalwsdl is false) because it throws an exception:
com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "sp"
at [row,col {unknown-source}]: [1,1040]
I'm sending configurations and messages generated below.
Can anybody point me in the right direction?
Thanks in advance,
Jorge Fernández
public static OutflowConfiguration getOutflowConfiguration(){
OutflowConfiguration ofc = new OutflowConfiguration();
ofc.setActionItems("Timestamp Signature Encrypt");
ofc.setUser("client1");
ofc.setPasswordCallbackClass("client.PWCBHandler");
ofc.setSignaturePropFile("client1.properties");
ofc.setSignatureKeyIdentifier(WSSHandlerConstants.ISSUER_SERIAL);
ofc.setEncryptionKeyIdentifier(WSSHandlerConstants.ISSUER_SERIAL);
ofc.setEncryptionUser("medici-link");
ofc.setSignatureParts("{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;";);
ofc.setSignBody();
ofc.setEncryptBody();
return ofc;
}
POST /axis2/services/Medici_Link HTTP/1.1
Content-Type: application/soap+xml; charset=UTF-8; action="urn:validateSystem"
User-Agent: Axis2
Host: 127.0.0.1:8082
Transfer-Encoding: chunked
e38
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:wsa="http://www.w3.org/2005/08/addressing";
xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope";
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
<soapenv:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
soapenv:mustUnderstand="true">
<xenc:EncryptedKey Id="EncKeyId-3916915">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"; />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=CA,OU=X1,O=X2,L=Santiago,ST=Coruna,C=ES</ds:X509IssuerName>
<ds:X509SerialNumber>14</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>dr/IpAm4eczqbtJBxypHAPWwtDLdU6AveSBEvKLqWkxj770t8XTm5GrZsvgALxINEVU5lZL/v9QxDGu9I6CTH5JxkmBzWDtVmDWxD4hAkfjHtBiwfhUm227OlENApZqNCi9/zbQqvirl9e0IH65zm18IO0/LLGc/mDhH3Hu5YR8=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-29056009" />
</xenc:ReferenceList>
</xenc:EncryptedKey>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
Id="Signature-33431531">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; />
<ds:Reference URI="#Timestamp-15293014">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
<ds:DigestValue>KHfeVCmFYGNhDXhFYAssmRV7DPo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Q1x8bI4520lAzba8m2c6aUP1f+dwApAjGWVAonkFwb//JdZa7pURoQP5fS1sjONegdx6Yc9oQiki3yuP7RJ8ieHbWt44Im5M9w5e0pba+nDR0xAm0OB+01ndy6NZ3v9dJ4puhk6Mew93VQTXPmBDaVd2Y3pmZ3/Tqt2mPtdjO4A=</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-17905186">
<wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="STRId-22566565">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=CA,OU=X1,O=X2,L=Santiago,ST=Coruna,C=ES</ds:X509IssuerName>
<ds:X509SerialNumber>12</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="Timestamp-15293014">
<wsu:Created>2007-08-01T14:28:33.796Z</wsu:Created>
<wsu:Expires>2007-08-01T14:33:33.796Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<wsa:To>http://localhost:8082/axis2/services/Medici_Link</wsa:To>
<wsa:MessageID>urn:uuid:523839FBFE69D5BF4B1185978513264</wsa:MessageID>
<wsa:Action>urn:validateSystem</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<xenc:EncryptedData Id="EncDataId-29056009"
Type="http://www.w3.org/2001/04/xmlenc#Content";>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"; />
<xenc:CipherData>
<xenc:CipherValue>YhZlOStquqla9TfR/E0PU8HRCJA+WZk/EXWyVgJ+IlxEbxEyUs7S+lUm6cGtd3eTBF8R6YyYdjkF6yxSBcYNKl+NzUWjHY/4R50DFkS5/haY6JgCnP3whgKz1Z8+GpuoeiPj0qzpBjZ/TDPgVnppQxwYJwCbopqNou66WLalx3ToMrOd7vVTgc/WGUf26hrClAzDOJUpKc5t5ipAc6T+iJ8P1l6/Vy/DCsSDTbQrK6xtsGtYUBCqXqWtnbPnLsDC8CmK8wQd2r1ZZfgB65rr+12KDNlJk7XxStzdUmnZF4wRp9A8dbs3KsOmdCX/Qjt4WYG80SetalcdlsPmMefgJd8RrD7pyrtAFJMj/ky7pUX3VQBnMuvw7NdnatBdUDB5uZ+jpGEzStE+4avpmbjVZ4CwNdoU/Sk8I7POyf7+++0un/N6H66P+kUoPnndQXxI</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>0
<wsp:Policy wsu:Id="medici-link-policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never";>
<wsp:Policy>
<sp:RequireKeyIdentifierReference/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never";>
<wsp:Policy>
<sp:RequireKeyIdentifierReference/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
</wsp:Policy>
</sp:Wss11>
<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<sp:Body/>
</sp:SignedParts>
<sp:EncryptedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<sp:Body/>
</sp:EncryptedParts>
<ramp:RampartConfig
xmlns:ramp="http://ws.apache.org/rampart/policy";>
<ramp:user>medici-link</ramp:user>
<ramp:encryptionUser>useReqSigCert</ramp:encryptionUser>
<ramp:passwordCallbackClass>medici_link.service.PWCBHandler</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto
provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.file">medici-link.jks</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
<ramp:crypto
provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.file">medici-link.jks</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
</ramp:crypto>
</ramp:encryptionCypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/soap+xml; action="urn:validateSystem";charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 01 Aug 2007 14:28:40 GMT
11b5
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope";
xmlns:wsa="http://www.w3.org/2005/08/addressing";
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
<soapenv:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
soapenv:mustUnderstand="true">
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="Timestamp-27859243">
<wsu:Created>2007-08-01T14:28:40.093Z</wsu:Created>
<wsu:Expires>2007-08-01T14:33:40.093Z</wsu:Expires>
</wsu:Timestamp>
<xenc:EncryptedKey Id="EncKeyId-11702064">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"; />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=CA,OU=X1,O=X2,L=Santiago,ST=Coruna,C=ES</ds:X509IssuerName>
<ds:X509SerialNumber>12</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>Tvs2CbLiLz7GYXWJDL/infWAL5LnogIV4BJBBU/8hY7qP+NOEa9UYjDG44/qrvqzpfichGeMT2Iw/strhTsBO7Bghqf7vIUo05nu5ABNHba0NMR5WUn0bfuHvA/Ha0UmnobSTQjAHrkzKG+syVaplXOW/LfTitOpwIZpm2qpCoI=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-11755554" />
</xenc:ReferenceList>
</xenc:EncryptedKey>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
Id="Signature-32885718">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; />
<ds:Reference URI="#Id-11755554">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
<ds:DigestValue>+y2+OfUJL3d0Mw42EbKMvdIInL8=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Timestamp-27859243">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
<ds:DigestValue>f0oJfTZttlBvWt14AaJwlJZ59sQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SolCHPlgaSTGsU4YBtAYFttFNsBZcXmrlyv1+6i/h+ZROCgpCII8ADVvkWkl+/H/gnYgwlFV7q9UIZon8BdKU2uIqr1MtO9+PvX3wMFJ9/j2bhsMpiedB43TjVf1S4+aBuq84CjpRRAx772bVKAJj1GdIuvQ949aH8qORtiEHGY=</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-13889929">
<wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="STRId-9869406">
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";>y04CDWZeR2reLTliC8uk7coJw1k=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
<wsa:ReplyTo>
<wsa:Address>http://www.w3.org/2005/08/addressing/none</wsa:Address>
<wsa:ReferenceParameters>
<axis2:ServiceGroupId
xmlns:axis2="http://ws.apache.org/namespaces/axis2";>urn:uuid:98F28CD7CAF64DA9A81185978519823</axis2:ServiceGroupId>
</wsa:ReferenceParameters>
</wsa:ReplyTo>
<wsa:MessageID>urn:uuid:98F28CD7CAF64DA9A81185978519839</wsa:MessageID>
<wsa:Action>urn:validateSystem</wsa:Action>
<wsa:RelatesTo>urn:uuid:523839FBFE69D5BF4B1185978513264</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="Id-11755554">
<xenc:EncryptedData Id="EncDataId-11755554"
Type="http://www.w3.org/2001/04/xmlenc#Content";>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"; />
<xenc:CipherData>
<xenc:CipherValue>AQikCau4Nj4f4bH3U9mDUjf0c8FhzqoZNnxS61YXuCZVS/NTHHFz/DdR5tYQ4l89mdSegQTllIf4/T1Jdd2rWVql7NedolFei8ibVKrDu0TkNSCD406xQU1ep/j/4U2ZP/pwQ9dDnkQdiG6OiDduviS6kue1yr4VZJbjr4ihMGsAVXmf87sXZfi755fv8pbmQGoOomNnb4qoAdv8M95UcQdsmZx0Vd4RRdeyPGSjLusFUnVSeM7OqE5HT3VMBKUqAmTVj/bkYYKddad6QRe5vt9jZ/Ywkbr9104v5+3nGIiWlk41
yTElrC+FaY92xQ6heGzszim+X/EyE7ulxJTS+tPtARUq3L5wd429MgsSoxt4Qw1mFnK9YRTnBUlV
NJx8SV5JvhCs3DxQy5B7j11fVdxcVUTOBva9i0x+OCuxqMeALsJb/r+Yy/Ou2hIX/NGLQcP9mWIW
NxyVo8+Qn+H9rIts2nquCjkvi08CzM2dTxngz0DAosQn4IROouXyqXbrkaAZoLglNrfWxqHobMJF
BVtszlh96FiBAkjSIyOPd3KGVKEBrT4bSRXlH/jW8z8t</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
0
---------------------------------
Sé un Mejor Amante del Cine
¿Quieres saber cómo? ¡Deja que otras personas te ayuden!.
