Hello Ruwan,

You are right about the header removal, but I wondered why the response from synapse 2 to synapse 1 does not contain any usernametoken, but does contain the timestamp? Maybe I am not deep enough into the ws-security-framework, but I thought the response and the request both have to be authorized?!

Thanks,
Jens

Ruwan Linton wrote:
Hi Jens,

I think it is simple: you will have to add a header mediator, to remove the security header, to the outSequence of the proxy service of the synapse1 config. Please see the modified synapse1 config below.

Thanks,
Ruwan


*synapse 1 config file:*

<syn:proxy name="GooglemapsProxy" transports="https http" startOnLoad="true" statistics="enable" trace="enable">
    <syn:target>
        <syn:inSequence>
            <syn:log level="full" separator=","/>
            <syn:send>
                <syn:endpoint key="endpoints/googlemaps_endpoint.xml"/>
            </syn:send>
        </syn:inSequence>
        <syn:outSequence>
            <syn:header name="wsse:Security" action="remove"
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
            <syn:log level="full" separator=","/>
            <syn:send/>
        </syn:outSequence>
    </syn:target>
    <syn:publishWSDL key="WSDL/GoogleMapsService.wsdl"/>
</syn:proxy>

*googlemaps_endpoint.xml:*

<endpoint xmlns="http://ws.apache.org/ns/synapse">
    <address uri="http://localhost:8182/Googlemaps/services/GoogleMapsService">
        <enableAddressing/>
    </address>
</endpoint>



*synapse 2 config file:*

<syn:proxy name="GooglemapsProxy" transports="https http" startOnLoad="true" statistics="enable" trace="enable" onError="myFaultHandler">
    <syn:target>
        <syn:inSequence>
            <syn:log level="full" separator=","/>
            <syn:roleBasedRouting>
                <!-- possible values are: http-header, ws-security -->
                <syn:authentificationType>
                    ws-security
                </syn:authentificationType>
                <!-- possible values are: jdbc, ldap, acegi-security !!!ONLY IMPLEMENTED JDBC!!! -->
                <syn:realm type="jdbc">
                    <syn:driverurl>
                        jdbc:derby:UserDatabase;create=true
                    </syn:driverurl>
                    <syn:drivername>
                        org.apache.derby.jdbc.EmbeddedDriver
                    </syn:drivername>
                    <syn:username>wso2esb</syn:username>
                    <syn:password>wso2esb</syn:password>
                </syn:realm>
            </syn:roleBasedRouting>
            <syn:header name="wsse:Security" action="remove"
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
            <syn:log level="full" separator=","/>
            <syn:send>
                <syn:endpoint key="endpoints/googlemaps_endpoint.xml"/>
            </syn:send>
        </syn:inSequence>
        <syn:outSequence>
            <syn:log level="full" separator=","/>
            <syn:send/>
        </syn:outSequence>
    </syn:target>
    <syn:publishWSDL key="WSDL/GoogleMapsService.wsdl"/>
    <syn:policy key="policy/policy_1.xml"/>
    <syn:enableSec/>
</syn:proxy>

*googlemaps_endpoint.xml:*

<endpoint xmlns="http://ws.apache.org/ns/synapse">
    <address uri="http://pc234:8182/Googlemaps/services/GoogleMapsService">
        <enableAddressing/>
    </address>
</endpoint>

*policy_1.xml for both instances of synapse:*

<wsp:Policy wsu:Id="UTOverTransport" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="false"/>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>bob</ramp:user>
        <ramp:encryptionUser>bob</ramp:encryptionUser>
        <ramp:passwordCallbackClass>org.wso2.esb.mediator.RoleBasedPasswordCallbackhandler</ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

I have debugged the two synapse instances and the password is set correctly.
Any idea for fixing the problem?

Thanks,
Jens

_______________________________________________
Esb-java-user mailing list
[EMAIL PROTECTED]
http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user
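
Added example (not part of the original thread, and not WSO2 or Rampart code): a small Python check that derives from policy_1.xml which children of wsse:Security the policy calls for in each direction, and compares that with a message. In the policy above the UsernameToken carries IncludeToken AlwaysToRecipient, so it travels only from initiator to recipient, while sp:IncludeTimestamp applies both ways. The SOAP 1.1 namespace, the trimmed policy copy and the sample response are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces as used in the thread's configs; the SOAP 1.1 envelope is an assumption.
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Trimmed copy of policy_1.xml from the thread (only the assertions checked here).
POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}"><wsp:ExactlyOne><wsp:All>
 <sp:TransportBinding><wsp:Policy><sp:IncludeTimestamp/></wsp:Policy></sp:TransportBinding>
 <sp:SignedSupportingTokens><wsp:Policy>
  <sp:UsernameToken sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient"/>
 </wsp:Policy></sp:SignedSupportingTokens>
</wsp:All></wsp:ExactlyOne></wsp:Policy>"""

# Constructed sample: a response whose security header carries only a Timestamp.
RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Header>
 <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsu:Timestamp><wsu:Created>2008-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
 </wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

def expected_children(policy_xml, direction):
    """Local names the policy expects under wsse:Security for 'request' or 'response'."""
    root = ET.fromstring(policy_xml)
    expected = set()
    if root.find(f".//{{{SP}}}IncludeTimestamp") is not None:
        expected.add("Timestamp")  # required in both directions
    for token in root.iter(f"{{{SP}}}UsernameToken"):
        # Absent attribute is treated as Always, the WS-SecurityPolicy default.
        mode = token.get(f"{{{SP}}}IncludeToken", "Always").rsplit("/", 1)[-1]
        to_recipient_only = mode in ("AlwaysToRecipient", "Once")
        if mode == "Always" or (to_recipient_only and direction == "request"):
            expected.add("UsernameToken")
    return expected

def security_children(envelope_xml):
    """Local names of the elements actually present under wsse:Security."""
    sec = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    return set() if sec is None else {child.tag.split("}")[-1] for child in sec}

def check(policy_xml, envelope_xml, direction):
    """Return (missing, unexpected) security-header children for that direction."""
    want = expected_children(policy_xml, direction)
    got = security_children(envelope_xml)
    return sorted(want - got), sorted(got - want)
```
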


