Dear all:

I have problems with rampart 1.3 using a configuration based on
WS-Policy.  With the policy below I try to have the <soapenv:Body>
signed, but not the <wsu:Timestamp> (just for the sake of the example).
I think this should be accomplished by this policy:

<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy wsu:Id="SecConvPolicy2"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding>
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireKeyIdentifierReference/>
                  <sp:WssX509V3Token11/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
            <sp:SignedParts>
              <sp:Body />
            </sp:SignedParts>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256Sha256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
        </wsp:Policy>
      </sp:Wss11>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>WSAnyUser</ramp:user>
        <ramp:encryptionUser>WSTestSuite</ramp:encryptionUser>
        <ramp:passwordCallbackClass>de.computernoma.wstestsuite.axis2.service.PWCBHandler</ramp:passwordCallbackClass>
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">resources/WSClient.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.alias">WSClient</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">storePass</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
        <ramp:encryptionCypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">resources/WSClient.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">storePass</ramp:property>
          </ramp:crypto>
        </ramp:encryptionCypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>


It does not work, though, because the signature includes the
<wsu:Timestamp>, but not the <soapenv:Body>, as you can see in the
following message:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
    xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soapenv:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        soapenv:mustUnderstand="true">
      <wsu:Timestamp
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="Timestamp-31457736">
        <wsu:Created>2007-09-06T11:21:43.150Z</wsu:Created>
        <wsu:Expires>2007-09-06T11:26:43.150Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:EncryptedKey Id="EncKeyId-26553312">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier
                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">GbIgSztgwfY27b9zC3/Ti2/C7nA=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>DgV5l5lasGy+h4xtaGx3qRfdv8v2t4ew6iHAnE0SZ1Ex4zu413ZmbdafEryvJN8XkBQ1gFBX+LuDA6qNYG41f+6UjMRlfehKyxvoEVI0dkjugHjEI8u2QNZSp2/CK8jUaz9PrFlrTh1ksVtb5u4A8/XwUVKQydafEMTltd8vio8=</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedKey>
      <xenc:ReferenceList/>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-16391045">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#Timestamp-31457736">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>Piezs8O4/HuITSnnBhF57Y9vh5Q=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>QiRyERqWKzqZzHTAzppXzqMssWE=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-2411975">
          <wsse:SecurityTokenReference
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              wsu:Id="STRId-4317866">
            <wsse:Reference
                URI="#EncKeyId-26553312"
                ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <wsa:To>http://localhost:5556/axis2/services/WSTestSuite/</wsa:To>
    <wsa:MessageID>urn:uuid:C4E4D468A6AAFCEE581189077703512</wsa:MessageID>
    <wsa:Action>urn:DoCalculation</wsa:Action>
  </soapenv:Header>
  <soapenv:Body>
    <ns1:CalculationRequest xmlns:ns1="http://computernoma.de/WSTestSuite/types/">
      <operator>+</operator>
      <values>
        <value>1</value>
        <value>2</value>
        <value>3</value>
      </values>
    </ns1:CalculationRequest>
  </soapenv:Body>
</soapenv:Envelope>


Also, this message contains a reference to a SAML-Token that I can see
nowhere in the Envelope.  Instead, I think it should be a reference to
an <xenc:EncryptedKey>.  It seems that this causes problems on the
receiver side (WSSecurityException: "Reference URI is null").  So my
questions are:

1) How can I sign the Body of the message and *not* sign the Timestamp?
2) Is it correct that the ValueType of the <wsse:Reference> is given as
a SAML-1.0-Token?
3) Is there any good documentation on writing policy files for rampart
(or in general)?
4) Why is there a Signature included in the SOAP-Message if I don't
specify any SignedParts or SignedElements or Timestamp at all in the
policy?

Thanks for any clarification.
Regards,
   Till.

-- 
Till Haselmann
[EMAIL PROTECTED]
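Added example (not part of the message above, and not Rampart or WSS4J code): a small Python check that does mechanically what the post does by eye. It dereferences each ds:Reference and the signature's SecurityTokenReference the way a receiver would, reports which elements the signature actually covers, and compares the ValueType the STR claims with the element the URI points at; the expected ValueType for an EncryptedKey reference is the one WSS 1.1 defines, and it is an assumption here that this is what the receiver expects. It also lints the policy for an sp:SignedParts that is not a direct child of wsp:All, which is where WS-SecurityPolicy places protection assertions (next to the binding, not inside it). The embedded envelope and policy are constructed, trimmed copies of the ones in the message; Ids are kept as posted. The question of leaving the Timestamp unsigned is not addressed by this code.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the policy and envelope in the post.
NS = {
    "soapenv": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# ValueType that WSS 1.1 defines for a reference to an xenc:EncryptedKey. Assumption: the
# receiver expects exactly this; other token types can be added to the table.
EXPECTED_VALUE_TYPE = {
    "EncryptedKey": "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey",
}

# Constructed sample: the envelope from the post, trimmed to Ids, references and structure.
SAMPLE_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soapenv:Header><wsse:Security>
    <wsu:Timestamp wsu:Id="Timestamp-31457736"><wsu:Created>2007-09-06T11:21:43.150Z</wsu:Created></wsu:Timestamp>
    <xenc:EncryptedKey Id="EncKeyId-26553312"/>
    <ds:Signature Id="Signature-16391045">
      <ds:SignedInfo><ds:Reference URI="#Timestamp-31457736"/></ds:SignedInfo>
      <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#EncKeyId-26553312"
        ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"/>
      </wsse:SecurityTokenReference></ds:KeyInfo>
    </ds:Signature>
  </wsse:Security></soapenv:Header>
  <soapenv:Body><CalculationRequest/></soapenv:Body>
</soapenv:Envelope>"""

# Constructed sample: the policy from the post, reduced to the binding and its SignedParts.
SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne><wsp:All>
    <sp:SymmetricBinding><wsp:Policy>
      <sp:ProtectionToken>
        <wsp:Policy><sp:X509Token/></wsp:Policy>
        <sp:SignedParts><sp:Body/></sp:SignedParts>
      </sp:ProtectionToken>
    </wsp:Policy></sp:SymmetricBinding>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _index_ids(root):
    """Map every wsu:Id / Id value to its element, as a verifier does when it dereferences '#...'."""
    ids = {}
    for el in root.iter():
        for attr in (WSU_ID, "Id"):
            if el.get(attr):
                ids[el.get(attr)] = el
    return ids


def _resolve(ids, uri):
    # Only same-document references are handled; anything else is reported as unresolved.
    return ids.get(uri[1:]) if uri.startswith("#") else None


def signature_coverage(envelope_xml):
    """Local names of the elements the ds:Signature covers, plus references that resolve to nothing."""
    root = ET.fromstring(envelope_xml)
    ids = _index_ids(root)
    signed, dangling = [], []
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        target = _resolve(ids, ref.get("URI", ""))
        if target is None:
            dangling.append(ref.get("URI", ""))
        else:
            signed.append(_local(target.tag))
    return {"signed": signed, "dangling": dangling}


def key_reference_check(envelope_xml):
    """Compare the token type the signature's STR claims with the element its URI actually hits."""
    root = ET.fromstring(envelope_xml)
    ref = root.find(".//ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if ref is None:
        return {"target": None, "claimed": None, "consistent": False}
    target = _resolve(_index_ids(root), ref.get("URI", ""))
    name = _local(target.tag) if target is not None else None
    claimed = ref.get("ValueType", "")
    return {"target": name, "claimed": claimed,
            "consistent": name is not None and EXPECTED_VALUE_TYPE.get(name) == claimed}


def misplaced_signed_parts(policy_xml):
    """Parent element name of each sp:SignedParts that is not a direct child of wsp:All."""
    root = ET.fromstring(policy_xml)
    parent = {child: p for p in root.iter() for child in p}
    return [_local(parent[el].tag) for el in root.iter("{%s}SignedParts" % NS["sp"])
            if parent[el].tag != "{%s}All" % NS["wsp"]]


if __name__ == "__main__":
    print(signature_coverage(SAMPLE_ENVELOPE))    # {'signed': ['Timestamp'], 'dangling': []}
    print(key_reference_check(SAMPLE_ENVELOPE))   # target EncryptedKey, claimed SAML, consistent False
    print(misplaced_signed_parts(SAMPLE_POLICY))  # ['ProtectionToken']
```

Run stand-alone, it reports that the only ds:Reference points at the Timestamp, that the STR resolves to an xenc:EncryptedKey while its ValueType names a SAML assertion id, and that the policy's SignedParts sits under ProtectionToken rather than under wsp:All. A coverage check of this shape is also the cheap receiver-side guard for the general failure: a signature that verifies cryptographically but covers something other than what the policy demands.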
