Hi Jeff,

On Mon, Jun 9, 2008 at 8:05 AM, Jeff Davis <[EMAIL PROTECTED]> wrote:

> Thanks for another timely response!
>
> Sounds like the message level policies for endpoints is the best solution. I
> can hold off further work on this until that becomes available.

Can you please file a JIRA for this, so that I can start on this soon.

> If I need something sooner, I guess one approach would be to use a custom
> mediator to add the SOAP header, WS-Security stuff, and then not to
> enableSec when sending the message? That way, I don't presume Rampart would
> have any expectations about expecting wsse in the response.

Exactly correct. But from the point of the time line for the message level
policy fix, it will take at most two more days with all the other work. If we
look at the 1.2.1 release it will take about 3 weeks.

Thanks,
Ruwan

> jeff
>
> On Sun, Jun 8, 2008 at 6:26 PM, Ruwan Linton <[EMAIL PROTECTED]> wrote:
>
>> Hi Jeff,
>>
>> Nice to hear that you got it to work :-) ; See my comments in-line...
>>
>> On Mon, Jun 9, 2008 at 3:59 AM, Jeff Davis <[EMAIL PROTECTED]> wrote:
>>
>>> I'm sure you guys are sick of hearing from me by now :-).
>>>
>>> That change you guys had suggested corrected the issue with the ReplyTo
>>> being generated. That's the good news! I do have one last issue (I am so
>>> close to getting everything entirely working). I believe this is also due
>>> to a buggy Amazon WS implementation. That is, their response doesn't
>>> contain any WSSE security stuff. Here's an example of what I receive from
>>> them:
>>
>> Jeff, I guess this is accepted and known as *message level policies*, so
>> the in-message contains a security policy and the out-message does not.
>>
>>> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>>>   <soapenv:Header>
>>>     <wsa:RelatesTo xmlns:wsa="http://www.w3.org/2005/08/addressing">urn:uuid:A25F54392EB2D8B86E1212962691230477001-1880534923</wsa:RelatesTo>
>>>     <wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</wsa:To>
>>>     <wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing">ListDomains:Response</wsa:Action>
>>>     <wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing">urn:uuid:337570bf-2dd7-4e5d-a578-3a57800ec5e4</wsa:MessageID>
>>>   </soapenv:Header>
>>>   <soapenv:Body>
>>>     <ListDomainsResponse xmlns="http://sdb.amazonaws.com/doc/2007-11-07/">
>>>       <ListDomainsResult>
>>>         <DomainName>test</DomainName>
>>>       </ListDomainsResult>
>>>       <ResponseMetadata>
>>>         <RequestId>337570bf-2dd7-4e5d-a578-3a57800ec5e4</RequestId>
>>>         <BoxUsage>0.0000071759</BoxUsage>
>>>       </ResponseMetadata>
>>>     </ListDomainsResponse>
>>>   </soapenv:Body>
>>> </soapenv:Envelope>
>>>
>>> Apparently Rampart anticipates a WS-Security in the response, but as you
>>> can see, it's not present. I've tried identifying where in the WS-Policy
>>> configuration I can have that turned off, but I don't see anything.
>>>
>>> I could probably add it myself, but not sure how to do this without
>>> resorting to a custom mediator of some sort, since I don't believe XSLT
>>> or Script mediators have access to the SOAP header in the response?
>>
>> Actually both the Script mediator and the XSLT mediator have access to the
>> SOAP headers, but I don't see either of these fitting your problem,
>> because Rampart is going to throw an error upon receiving this message if
>> you engage security on the outbound message. By the way, what is your new
>> configuration? Are you forwarding the message from the client without
>> modifying the security headers? Or do you engage security on the outbound
>> message on the endpoint?
>>
>> If it is the former, we should be able to use a custom mediator, but if
>> that is the latter we need a small improvement on the Synapse side, which
>> Asankha has pointed out. (Message level policies for the outbound messages
>> on endpoint level)
>>
>>> Upon conclusion of this whole exercise, I will get something written up
>>> for others who wish to use Synapse in conjunction with Amazon's web
>>> services.
>>
>> This is perfect. I will help you through to get this working. If we need
>> to implement message level policies for endpoints I can work on that soon
>> so that we can include that in the point release that we are planning soon
>> after the 1.2 with AXIOM improvements.
>>
>> Thanks,
>> Ruwan
>>
>>> As you know, AWS is becoming very popular, especially EC2 and S3. My hope
>>> is to use Synapse as proxy/mediator that will receive outbound,
>>> non-WS-Security calls to AWS, add on the appropriate WS-Security, then
>>> forward to AWS.
>>>
>>> jeff
>>>
>>> On Sun, Jun 8, 2008 at 12:35 PM, Paul Fremantle <[EMAIL PROTECTED]> wrote:
>>>
>>>> Ruwan
>>>>
>>>> I think it's enough to set the anonymous one as long as we send it.
>>>> That might just fix everything.
>>>>
>>>> Paul
>>>>
>>>> On Sun, Jun 8, 2008 at 2:22 PM, Ruwan Linton <[EMAIL PROTECTED]> wrote:
>>>>
>>>>> Hi Jeff and Paul,
>>>>>
>>>>> I was able to reproduce the issue, basically whatever we specify as the
>>>>> ReplyTo header the Addressing module changes it to anonymous for the
>>>>> outbound message and neglects sending it. So setting the ReplyTo header
>>>>> is not effective for the moment. Jeff, could you please file a JIRA for
>>>>> this. At the same time I had a look at what Paul proposed and it seems
>>>>> to work but still it is just the anonymous address but not the one we
>>>>> set. You could use the property mediator at the axis2-client scope to
>>>>> set this property as follows to include the anonymous header;
>>>>>
>>>>> <syn:property name="includeOptionalHeaders" value="true"
>>>>>   scope="axis2-client"/>
>>>>>
>>>>> Or if you use the separateListener attribute set to true with the
>>>>> enableAddressing tag then you can see the non-anonymous ReplyTo header
>>>>> is being sent to the service.
>>>>>
>>>>> I will look for a solution to this issue ASAP. Thanks Jeff for pointing
>>>>> this out.
>>>>>
>>>>> Thanks,
>>>>> Ruwan
>>>>>
>>>>> On Sun, Jun 8, 2008 at 1:40 PM, Paul Fremantle <[EMAIL PROTECTED]> wrote:
>>>>>
>>>>>> Jeff
>>>>>>
>>>>>> Thanks for the feedback. Please can you submit your code as a sample?
>>>>>> We will definitely try to fix the bug. I agree rampart should not be
>>>>>> causing addressing headers to appear. The reason that the anonymous
>>>>>> header is being stripped out is because the WS-A spec says that no
>>>>>> reply-to is equivalent to anonymous, so there is a bug in Amazon.
>>>>>> However, there is a way in Axis2 to turn this behaviour off.
>>>>>>
>>>>>> options.setProperty(AddressingConstants.INCLUDE_OPTIONAL_HEADERS,
>>>>>>     Boolean.TRUE);
>>>>>>
>>>>>> So another way to sort that out will be to set that property on the
>>>>>> Axis2 MC.
>>>>>>
>>>>>> Paul
>>>>>>
>>>>>> On Sun, Jun 8, 2008 at 6:24 AM, Jeff Davis <[EMAIL PROTECTED]> wrote:
>>>>>>
>>>>>>> Turns out my work-around really didn't solve the problem (because
>>>>>>> Axis/Rampart is anticipating a WS-Addressing reply, and since I've
>>>>>>> stripped it out downstream, I'd have to add it back manually).
>>>>>>>
>>>>>>> The crux of the issue is that I cannot figure out how to add this:
>>>>>>>
>>>>>>> <wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo>
>>>>>>>
>>>>>>> To my WS-Addressing part of my SOAP header.
>>>>>>>
>>>>>>> I believe it ought to be present, but it's not, as I've confirmed
>>>>>>> through TCPMon. I've tried everything I can think of to get it to
>>>>>>> appear, but thus far have had no luck.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> jeff
>>>>>>>
>>>>>>> On Sat, Jun 7, 2008 at 9:23 PM, Jeff Davis <[EMAIL PROTECTED]> wrote:
>>>>>>>
>>>>>>>> Maybe it's not a bug but a feature request :-).
>>>>>>>>
>>>>>>>> I see two issues:
>>>>>>>>
>>>>>>>> 1) WS-Security automatically adds undesirable WS-Addressing elements
>>>>>>>> (IMO, this should only happen when enableAddressing is specified). I
>>>>>>>> don't see anything in the WS-Security spec that indicates
>>>>>>>> WS-Addressing is required. I don't see a way to turn this behavior
>>>>>>>> off in Synapse, without resorting to a workaround such as I
>>>>>>>> demonstrated (i.e., chaining together 2 sequences, within one
>>>>>>>> removing the undesirable WS-Addressing elements).
>>>>>>>>
>>>>>>>> 2) I didn't see a way to add the ReplyTo WS-Addressing element (and
>>>>>>>> its child node Address) using the header mechanism (or property, for
>>>>>>>> that matter). This was the crux of my issue, as, for some reason,
>>>>>>>> Amazon expected a ReplyTo. I suspect this is probably easily
>>>>>>>> possible, but just wasn't able to figure it out.
>>>>>>>>
>>>>>>>> Btw, I was able to successfully interact with Amazon's SimpleDB now!
>>>>>>>> I hope to write up a blog entry on my findings (I am actually also
>>>>>>>> writing the book called Open Source SOA from Manning, and I am
>>>>>>>> including a big chapter on Synapse, which I am a huge fan of).
>>>>>>>>
>>>>>>>> To be honest, a lot of this WS-Security stuff is rather new to me,
>>>>>>>> so I'm feverishly trying to get a handle on it (the Manning book SOA
>>>>>>>> Security has been a big help). I have used the PasswordDigest
>>>>>>>> mechanism a lot, but not signing with x509 certs as much.
>>>>>>>>
>>>>>>>> jeff
>>>>>>>>
>>>>>>>> On Sat, Jun 7, 2008 at 8:42 PM, Ruwan Linton <[EMAIL PROTECTED]> wrote:
>>>>>>>>
>>>>>>>>> Hi Jeff,
>>>>>>>>>
>>>>>>>>> What is the bug from your POV? I am sorry, I don't see a bug
>>>>>>>>> here.....
>>>>>>>>>
>>>>>>>>> Well you could go ahead and file a JIRA so that we can evaluate what
>>>>>>>>> is the issue that you have faced and see whether there is something
>>>>>>>>> wrong with Synapse, but I assume this is rather a configuration
>>>>>>>>> error.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Ruwan
>>>>>>>>>
>>>>>>>>> On Sun, Jun 8, 2008 at 7:45 AM, Jeff Davis <[EMAIL PROTECTED]> wrote:
>>>>>>>>>
>>>>>>>>>> As a follow-up, I was running it through tcpmon, which is why it
>>>>>>>>>> had the strange address.
>>>>>>>>>>
>>>>>>>>>> Yes, I am running the latest 1.2 build from the URL provided me
>>>>>>>>>> last Thursday, I believe.
>>>>>>>>>>
>>>>>>>>>> Should I submit this as a bug?
>>>>>>>>>>
>>>>>>>>>> On Sat, Jun 7, 2008 at 8:11 PM, Ruwan Linton <[EMAIL PROTECTED]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Jeff,
>>>>>>>>>>>
>>>>>>>>>>> If you enable addressing on the outbound message then synapse
>>>>>>>>>>> should be sending the ReplyTo header as appropriate. May be amazon
>>>>>>>>>>> is not accepting anonymous ReplyTo headers, so assuming that you
>>>>>>>>>>> are using the 1.2 build here is the proposed solution to this;
>>>>>>>>>>>
>>>>>>>>>>> <definitions xmlns="http://ws.apache.org/ns/synapse">
>>>>>>>>>>>   <localEntry key="sec_policy"
>>>>>>>>>>>     src="file:repository/conf/sample/resources/policy/amazon.xml"/>
>>>>>>>>>>>
>>>>>>>>>>>   <in>
>>>>>>>>>>>     <send>
>>>>>>>>>>>       <endpoint name="secure">
>>>>>>>>>>>         <address uri="http://localhost:8086">
>>>>>>>>>>>           <enableSec policy="sec_policy"/>
>>>>>>>>>>>           <enableAddressing separateListener="true"/>
>>>>>>>>>>>         </address>
>>>>>>>>>>>       </endpoint>
>>>>>>>>>>>     </send>
>>>>>>>>>>>   </in>
>>>>>>>>>>>   <out>
>>>>>>>>>>>     <header name="wsse:Security" action="remove"
>>>>>>>>>>>       xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
>>>>>>>>>>>     <send/>
>>>>>>>>>>>   </out>
>>>>>>>>>>> </definitions>
>>>>>>>>>>>
>>>>>>>>>>> The above configuration should work, but please note that you
>>>>>>>>>>> need to change the address uri of the endpoint in the above
>>>>>>>>>>> configuration from "http://localhost:8086" to "AMAZON_URL"
>>>>>>>>>>>
>>>>>>>>>>> If this is not working could you please attach the TCPMon output
>>>>>>>>>>> of the outbound message which is going to AMAZON (after changing
>>>>>>>>>>> important information) and the message received from AMAZON. If
>>>>>>>>>>> you don't want to post it publicly you may send it to me
>>>>>>>>>>> (mailto:[EMAIL PROTECTED])
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Ruwan
>>>>>>>>>>>
>>>>>>>>>>> On Sun, Jun 8, 2008 at 7:01 AM, Jeff Davis <[EMAIL PROTECTED]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I did a little research, and I haven't seen anything in the
>>>>>>>>>>>> standard that indicates WS-Security requires WS-Addressing.
>>>>>>>>>>>> Unfortunately, it doesn't appear as though setting the header
>>>>>>>>>>>> has any impact (further, if it did, the ReplyTo has a child
>>>>>>>>>>>> element for the Address, so not sure how that would be added).
>>>>>>>>>>>> Here's my configuration:
>>>>>>>>>>>>
>>>>>>>>>>>> <definitions xmlns="http://ws.apache.org/ns/synapse">
>>>>>>>>>>>>   <localEntry key="sec_policy"
>>>>>>>>>>>>     src="file:repository/conf/sample/resources/policy/amazon.xml"/>
>>>>>>>>>>>>
>>>>>>>>>>>>   <in>
>>>>>>>>>>>>     <header name="ReplyTo" action="set" value=""/>
>>>>>>>>>>>>     <send>
>>>>>>>>>>>>       <endpoint name="secure">
>>>>>>>>>>>>         <address uri="http://localhost:8086">
>>>>>>>>>>>>           <enableSec policy="sec_policy"/>
>>>>>>>>>>>>           <enableAddressing/>
>>>>>>>>>>>>         </address>
>>>>>>>>>>>>       </endpoint>
>>>>>>>>>>>>     </send>
>>>>>>>>>>>>   </in>
>>>>>>>>>>>>   <out>
>>>>>>>>>>>>     <send/>
>>>>>>>>>>>>   </out>
>>>>>>>>>>>> </definitions>
>>>>>>>>>>>>
>>>>>>>>>>>> In lieu of the above header, I also tried:
>>>>>>>>>>>>
>>>>>>>>>>>> <header name="wsse:Security" action="remove"
>>>>>>>>>>>>   xmlns:wsse="http://www.w3.org/2005/08/addressing"/>
>>>>>>>>>>>>
>>>>>>>>>>>> (I also tried removing the <enableAddressing/> node for each
>>>>>>>>>>>> test).
>>>>>>>>>>>>
>>>>>>>>>>>> To recap my issue, it seems as though Amazon AWS (at least for
>>>>>>>>>>>> the SimpleDB service) requires the ReplyTo WS-Addressing
>>>>>>>>>>>> element, if WS-Addressing is used. I haven't found a way to
>>>>>>>>>>>> remove WS-Addressing generated automatically by Synapse when
>>>>>>>>>>>> WS-Security is used, and I haven't figured out how to add
>>>>>>>>>>>> ReplyTo (and its child Address node) to the outbound message.
>>>>>>>>>>>>
>>>>>>>>>>>> Anyone have any work-arounds? Maybe I'll try chaining together
>>>>>>>>>>>> some things to see if I can devise something.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>
>>>>>>>>>>>> jeff
>>>>>>>>>>>>
>>>>>>>>>>>> On Sat, Jun 7, 2008 at 9:25 AM, Asankha C. Perera <[EMAIL PROTECTED]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Jeff
>>>>>>>>>>>>>
>>>>>>>>>>>>>> To be honest, I'm not entirely certain how to add it in the
>>>>>>>>>>>>>> Header mediator, as you allude to. I did try various
>>>>>>>>>>>>>> permutations of using the property and header nodes within
>>>>>>>>>>>>>> the <in>, but nothing ever appeared.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am sorry.. I had made a mistake in my reply earlier.. to set
>>>>>>>>>>>>> the ReplyTo header to something, you will use
>>>>>>>>>>>>> "<header name="ReplyTo" value="..."/>" format.. If you are
>>>>>>>>>>>>> familiar with using TCPMon, you can place it between your
>>>>>>>>>>>>> service and Amazon and route the message through it to get a
>>>>>>>>>>>>> trace of the messages. This will help you and us to solve any
>>>>>>>>>>>>> problems.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Obviously, Amazon's service is not entirely compliant with
>>>>>>>>>>>>>> the WS-Security standards. Even in their section under
>>>>>>>>>>>>>> WS-Security SOAP, they state that "if you're using
>>>>>>>>>>>>>> WS-Addressing, we recommend you also sign the Action and To
>>>>>>>>>>>>>> header elements" (I haven't figured out how to do that yet,
>>>>>>>>>>>>>> but I'll dig into that).
>>>>>>>>>>>>>
>>>>>>>>>>>>> If you are ok to share your configuration/scenario with us or
>>>>>>>>>>>>> let us try some simple sample to reproduce the issue you are
>>>>>>>>>>>>> facing, one of the developers would be able to tell you
>>>>>>>>>>>>> exactly what's wrong, and what you could do to get past the
>>>>>>>>>>>>> problem
>>>>>>>>>>>>>
>>>>>>>>>>>>> asankha
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Ruwan Linton
>>>>>>>>>>> http://www.wso2.org - "Oxygenating the Web Services Platform"
>>>>>>
>>>>>> --
>>>>>> Paul Fremantle
>>>>>> Co-Founder and CTO, WSO2
>>>>>> Apache Synapse PMC Chair
>>>>>> OASIS WS-RX TC Co-chair
>>>>>>
>>>>>> blog: http://pzf.fremantle.org
>>>>>> [EMAIL PROTECTED]
>>>>>>
>>>>>> "Oxygenating the Web Service Platform", www.wso2.com

--
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"
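The thread turns on two things: Rampart applies one policy to both directions, so a response without wsse:Security (the SimpleDB envelope quoted above) fails even though the request was fine, and Amazon's own advice to sign wsa:Action and wsa:To is easy to miss. The script below is an added example for this archive, not code from Synapse, Axis2, Rampart or Amazon. It parses a SOAP 1.1 envelope with the standard library and applies a per-direction policy, which is what "message level policies" amounts to: the outbound request must carry wsse:Security, an explicit wsa:ReplyTo and a ds:Signature whose references cover wsa:Action and wsa:To; the inbound response only has to correlate via wsa:RelatesTo and is allowed to have no Security header at all. The check is structural (which headers the signature covers), it does not verify signature values. Assumptions that are not from the thread: the request's wsa:Action value ("ListDomains"), the wsu:Id names, the placeholder SignatureValue, and the use of the tcpmon address from the thread as wsa:To. One caveat for the configurations quoted above: both bind the `wsse` prefix to the WS-Addressing namespace, so a header mediator written that way looks for {http://www.w3.org/2005/08/addressing}Security and will never match the real header; the OASIS WSS 1.0 secext namespace used below is the one a wsse:Security element actually lives in.

```python
"""Direction-aware WS-Addressing / WS-Security header check (added example)."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
ANONYMOUS = WSA + "/anonymous"


def q(ns, local):
    """Clark-notation name for ElementTree lookups."""
    return "{%s}%s" % (ns, local)


def soap_header(envelope_xml):
    """Return the soapenv:Header element (an empty one if the envelope has none)."""
    header = ET.fromstring(envelope_xml).find(q(SOAP, "Header"))
    return header if header is not None else ET.Element(q(SOAP, "Header"))


def effective_reply_to(envelope_xml):
    """(address, explicit). WS-Addressing treats an absent ReplyTo as anonymous,
    which is why Axis2 omits it unless INCLUDE_OPTIONAL_HEADERS is set."""
    reply_to = soap_header(envelope_xml).find(q(WSA, "ReplyTo"))
    if reply_to is None:
        return ANONYMOUS, False
    address = reply_to.find(q(WSA, "Address"))
    text = address.text.strip() if address is not None and address.text else ANONYMOUS
    return text, True


def signed_ids(header):
    """wsu:Id values named by ds:Reference URI="#id" entries inside wsse:Security."""
    security = header.find(q(WSSE, "Security"))
    if security is None:
        return set()
    return {ref.get("URI", "")[1:] for ref in security.iter(q(DS, "Reference"))
            if ref.get("URI", "").startswith("#")}


def check(envelope_xml, direction):
    """Return the sorted list of policy violations; [] means the message passes."""
    header = soap_header(envelope_xml)
    problems = []
    if direction == "out":  # request leaving the proxy towards the service
        if header.find(q(WSSE, "Security")) is None:
            problems.append("missing wsse:Security")
        if header.find(q(WSA, "ReplyTo")) is None:
            problems.append("missing wsa:ReplyTo")
        covered = signed_ids(header)
        for local in ("Action", "To"):  # the headers Amazon recommends signing
            element = header.find(q(WSA, local))
            if element is None:
                problems.append("missing wsa:" + local)
            elif element.get(q(WSU, "Id")) not in covered:
                problems.append("wsa:%s not covered by signature" % local)
    elif direction == "in":  # response coming back: no wsse:Security required
        if header.find(q(WSA, "RelatesTo")) is None:
            problems.append("missing wsa:RelatesTo")
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return sorted(problems)


# Constructed request; Action value, wsu:Ids and SignatureValue are assumed.
REQUEST_TEMPLATE = """<soapenv:Envelope xmlns:soapenv="%(soap)s" xmlns:wsa="%(wsa)s"
    xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
  <soapenv:Header>
    <wsa:To wsu:Id="To-1">http://localhost:8086</wsa:To>
    <wsa:Action wsu:Id="Action-1">ListDomains</wsa:Action>
    <wsa:ReplyTo><wsa:Address>%(anon)s</wsa:Address></wsa:ReplyTo>
    <wsse:Security soapenv:mustUnderstand="1">
      <ds:Signature><ds:SignedInfo>%(refs)s</ds:SignedInfo>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Body-1">
    <ListDomains xmlns="http://sdb.amazonaws.com/doc/2007-11-07/"/>
  </soapenv:Body>
</soapenv:Envelope>"""


def make_request(signed):
    """Request whose ds:SignedInfo references exactly the given wsu:Id values."""
    refs = "".join('<ds:Reference URI="#%s"/>' % i for i in signed)
    return REQUEST_TEMPLATE % {"soap": SOAP, "wsa": WSA, "wsse": WSSE, "wsu": WSU,
                               "ds": DS, "anon": ANONYMOUS, "refs": refs}


# The SimpleDB response quoted in the thread: addressing headers, no wsse:Security.
RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsa:RelatesTo xmlns:wsa="http://www.w3.org/2005/08/addressing">urn:uuid:A25F54392EB2D8B86E1212962691230477001-1880534923</wsa:RelatesTo>
    <wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</wsa:To>
    <wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing">ListDomains:Response</wsa:Action>
    <wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing">urn:uuid:337570bf-2dd7-4e5d-a578-3a57800ec5e4</wsa:MessageID>
  </soapenv:Header>
  <soapenv:Body>
    <ListDomainsResponse xmlns="http://sdb.amazonaws.com/doc/2007-11-07/">
      <ListDomainsResult><DomainName>test</DomainName></ListDomainsResult>
      <ResponseMetadata>
        <RequestId>337570bf-2dd7-4e5d-a578-3a57800ec5e4</RequestId>
        <BoxUsage>0.0000071759</BoxUsage>
      </ResponseMetadata>
    </ListDomainsResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print("signed request, out:", check(make_request(["Body-1", "To-1", "Action-1"]), "out"))
    print("body-only signature, out:", check(make_request(["Body-1"]), "out"))
    print("AWS response, in:", check(RESPONSE, "in"))
    print("AWS response under the out policy:", check(RESPONSE, "out"))
    print("effective ReplyTo of response:", effective_reply_to(RESPONSE))
```

Running `check(RESPONSE, "out")` is the situation Rampart ends up in when one policy is engaged for both directions: the response is reported as missing wsse:Security (and, with no signature, as having unsigned Action and To headers), while `check(RESPONSE, "in")` passes. A request whose signature covers only the Body passes Rampart's own checks but leaves wsa:Action and wsa:To open to modification in transit, which is exactly what the Amazon recommendation quoted by Jeff is about.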
