On Wed, 07/09/2005 at 11.46 +0200, Laurent COLLET wrote:

> With WSS4J the BinarySecurityToken is after the UsernameToken. I try
> to add a second BST but I don't find any other way than adding a new
> signature on my wsdd file like this
>             <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>                 <parameter name="action" value="Timestamp Signature NoSerialization" />
>                 <parameter name="user" value="c441dda96a365ebdc25f344d1a59211d_435e19e1-be28-4dd4-817c-f1e0c5bbc233" />
>                 <parameter name="passwordCallbackClass" value="ws.PWCallback" />
>                 <parameter name="signaturePropFile" value="crypto.properties" />
>                 <parameter name="signatureParts" value="
>                 {}{}Body;
>                 {}{http://schemas.xmlsoap.org/ws/2004/08/addressing}Action;
>                 {}{http://schemas.xmlsoap.org/ws/2004/08/addressing}MessageID;
>                 {}{http://schemas.xmlsoap.org/ws/2004/08/addressing}To;
>                 {}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;" />
>                 <parameter name="signatureKeyIdentifier" value="DirectReference" />
>             </handler>
>             <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>                 <parameter name="action" value="Signature" />
>                 <parameter name="user" value="c441dda96a365ebdc25f344d1a59211d_435e19e1-be28-4dd4-817c-f1e0c5bbc233" />
>                 <parameter name="passwordCallbackClass" value="ws.PWCallback" />
>                 <parameter name="signaturePropFile" value="crypto.properties" />
>                 <parameter name="signatureParts" value="" />
>                 <parameter name="signatureKeyIdentifier" value="DirectReference" />
>             </handler>
> But the SOAP message generates an error "An error was discovered
> processing the <Security> header". I think this error is due to the
> second <Signature> element introduced.
> 
> So, my questions are:
> - Do you think that the interop problem is due to this lack of one
> BinarySecurityToken?
> - If yes, is it possible to add a second BinarySecurityToken without
> adding a new <signature> element?
> 
In dotnet.xml it seems to me that the second BST
(SecurityToken-fb1690aa-a03b-45b7-a50b-ab66373d4c94) isn't used at all;
the signature is generated using only the second one
(SecurityToken-82c05b4c-3cb7-4e48-9d87-17a0855ff52b), that's just the
right one.

I don't know why .NET appends the first token (it's CN=Serveur.Net2) but
it depends on some configuration setting of the security framework for
sure. For example the Policy may include a global SecurityToken
Assertion to make sure that all requests attach a specific certificate.
If it's the case, I think that WSS4J doesn't support a "fast" way to
perform this action (probably you can do that "manually", but I don't
think it's so simple).

Bye,
Davide Romanini
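
A check for the situation discussed in this reply, as an added example that is not part of the original message or of WSS4J: it parses a SOAP message and reports which BinarySecurityToken elements the signature's KeyInfo actually points to through a direct reference, and which are only attached. The sample message and its token ids are constructed placeholders, not the contents of dotnet.xml.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample: two attached tokens, only one referenced by the signature.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
 <soap:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="SecurityToken-A">PLACEHOLDER</wsse:BinarySecurityToken>
  <wsse:BinarySecurityToken wsu:Id="SecurityToken-B">PLACEHOLDER</wsse:BinarySecurityToken>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue/>
   <ds:KeyInfo><wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-B"/>
   </wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
 </wsse:Security></soap:Header><soap:Body/>
</soap:Envelope>"""


def classify_tokens(xml_text):
    """Return (referenced_ids, unreferenced_ids) for the BSTs in wsse:Security."""
    root = ET.fromstring(xml_text)
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is None:
        raise ValueError("no wsse:Security header in message")
    bst_ids = [t.get(f"{{{WSU}}}Id")
               for t in security.findall(f"{{{WSSE}}}BinarySecurityToken")]
    # A direct reference is ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference
    # whose URI is a same-document fragment ("#<wsu:Id>").
    path = (f"{{{DS}}}Signature/{{{DS}}}KeyInfo/"
            f"{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")
    used = {r.get("URI", "")[1:] for r in security.findall(path)
            if r.get("URI", "").startswith("#")}
    referenced = [i for i in bst_ids if i in used]
    unreferenced = [i for i in bst_ids if i not in used]
    return referenced, unreferenced


if __name__ == "__main__":
    ref, unref = classify_tokens(SAMPLE)
    print("referenced by a signature:", ref)
    print("attached but unreferenced:", unref)
```
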

