I'm using Axis 2 1.5.4 to deploy web services on JBoss 6.0.0 and using Apache Rampart 1.5.2 to implement UserName Token security for the web services. My services gets deployed successfully and I can see the web services policy in the WSDL.
But when I launch the web service through SOAP UI , it doesn't ask for any security information and directly calls my web service method and does not even invoke the PasswordCallBackHandler class. The same service and security works with Tomcat but not with JBoss.
Sample from my WSDL:
<?xml version="1.0" encoding="UTF-8" ?>
- <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:ns1="http://org.apache.axis2/xsd" xmlns:ns="http://ws.apache.org/axis2" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" targetNamespace="http://ws.apache.org/axis2">
- <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken">
- <wsp:ExactlyOne>
- <wsp:All>
- <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
- <wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Below is my services.xml:
<service>
<module ref="rampart" />
<parameter name="ServiceClass" locked="false">SimpleService</parameter>
<operation name="echo">
<messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
</operation>
<wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
</wsp:Policy>
</sp:SupportingTokens>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:passwordCallbackClass>MyHandler</ramp:passwordCallbackClass>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</service>
Am I missing some configurations from JBoss? Please help me in resolving the issue as I am totally stuck.
Related
I have read that there is no way to create a message with ws-security from httprio, only modifying the xml that is generated, in the beforeexecute, overwriting the stream content.
But I want to know how sign the body section from that xml.
In JBoss this is the example (https://docs.jboss.org/author/display/WFLY10/WS-Security.html) but I don't find classes or methods in Delphi for do it.
The wsdl definition include a wsp section not readed when imported the wsdl definition
<wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" wsu:Id="SecurityServiceSignThenEncryptPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V1Token11/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V1Token11/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:EncryptSignature/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:SignBeforeEncrypting/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:EncryptedParts>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Then I need rewrite the xml before request with a token and the body encrypted with that token.
I need encrypt the body with a token, that is how jboss do it.
No user or password. Only encrypt the message.
My original xml normal for call webservice look as:
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<shawAny xmlns="http://showany.com/webservices">
<Value xmlns="">1360814</nroCertificado>
<autenticacion xmlns=""> <signWSAA>EISgwe7vyrAtvpe/uBy1Vj9IyYRGjjZfY4isNTLYDhl33BeqPWHjJ5NXU5+UMBSxjAO84bCydJJmCiDlATZq725EThMppowyO2CcAYBET8zBdqlXqaVMT12OHFnSH5QHc5aG4SkrgubPXqCeJO5Lcb/T6irySorBaYG647K33/8=</signWSAA>
<CN>dnra</CN> <ticketWSAA>CjxhdXRoPgoJPGlkIHVuaXF1ZV9pZD0iNzQwMDE0NjUyIiBzcmM9IkM9UFksIE89ZG5hLCBPVT1zb2ZpYSwgQ049d3NhYXRlc3QiIGdlbl90aW1lPSIyMDIwLTA3LTIwVDEwOjI5OjI3LjYzMi0wNDowMCIgZXhwX3RpbWU9IjIwMjAtMDctMjFUMTA6Mjk6MjcuNjMyLTA0OjAwIi8+Cgk8b3BlcmF0aW9uIHZhbHVlPSJncmFudGVkIiB0eXBlPSJsb2dpbiI+CgkJPGxvZ2luIHVpZD0iQz1QWSwgTz1ETlJBLCBPVT1USSwgQ049ZG5yYSIgc2VydmljZT0ic2VydmljaW9jZXJuYWMiIGF1dGhtZXRob2Q9ImNtcyI+CgkJPC9sb2dpbj4KCTwvb3BlcmF0aW9uPgo8L2F1dGg+Cg==</ticketWSAA>
</autenticacion>
</showAny>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope
and then ws-security must look as:
<?xml version="1.0" encoding="UTF8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<wsse:Security xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" SOAP-ENV:mustUnderstand="1">
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509"
wsu:Id="x509cert00">CjxhdXRoPgoJPGlkIHVuaXF1ZV9pZD0iMTYwMTE4MTMwIiBzcmM9IkM9UFksIE89ZG5hLCBPVT1zb2ZpYSwgQ049d3NhYXRlc3QiIGdlbl90aW1lPSIyMDIwLTA3LTIwVDE1OjUzOjMyLjAxMC0wNDowMCIgZXhwX3RpbWU9IjIwMjAtMDctMjFUMTU6NTM6MzIuMDEwLTA0OjAwIi8+Cgk8b3BlcmF0aW9uIHZhbHVlPSJncmFudGVkIiB0eXBlPSJsb2dpbiI+CgkJPGxvZ2luIHVpZD0iQz1QWSwgTz1ETlJBLCBPVT1USSwgQ049ZG5yYSIgc2VydmljZT0ic2VydmljaW9jZXJuYWMiIGF1dGhtZXRob2Q9ImNtcyI+CgkJPC9sb2dpbj4KCTwvb3BlcmF0aW9uPgo8L2F1dGg+Cg==
</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse SOAP-ENV"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#TheBody"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>VhsSnaEAFsY0OYegKQh99v9csXg=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>axkNSVJdFcJWvd9H2TFYC5AvKLs8c3aMxeXKr0ZrQFWUp7fGivPtAAbQAlO2Wju14sy+TM1POyRd8blkJLLYVcFokrRj7X2SshbKasIosH9aWVoMdl8cL7G1SmUBguxekuI4N++yAAHJZotBka575Eaj3bNlSMNTZL5K2hqTFxal/oIExwDMNAmtCpiEapHgaW7mXgqibttNKhxrGmAGidBnHVGgqMcbM3l6aWhD8F6L4IK1PuB1LQoW/n8wkeO2+PrUzIqQ4LY5+Bx69OZjNHcuiC7HdwMNH9+aMipa7b3Q3DZ0+Qi4k/DWbT3kxterYnOWk6XULifV0F2pH3lg4Q==</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#x509cert00" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="TheBody">
<getVersion xmlns="http://msgsec.wssecfvt.ws.ibm.com"/>
MIIDjjCCAnagAwIBAgIIU/FocaP2GcUwDQYJKoZIhvcNAQEFBQAwVTEWMBQGA1UE
AwwNU0lGUm9vdENBMjA0ODETMBEGCgmSJomT8ixkARkWA1NJRjETMBEGCgmSJomT
8ixkARkWA0NPTTERMA8GCgmSJomT8ixkARkWAVAwHhcNMjAwNjE4MjAxNDUxWhcN
MzAwNjE2MjAxNDUxWjA4MQ0wCwYDVQQDDARkbnJhMQswCQYDVQQLDAJUSTENMAsG
A1UECgwERE5SQTELMAkGA1UEBhMCUFkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDWtyo5ASPoLtHGdAaj9CXBtiMnaGZQ6ERjeDvg+2czWKcbpIBUCl4C
hpOfcWobR5+gF7br3wYzhkg4GqyXIcDqlZQiRNRD8gnR0Q0ZFo0AMtabEGnOrSTJ
e5Wi+2af4Ku5kETSah7zWnv58OELQYzPVh2wxc2v0uuQ9N0riF16d1Do3knuqP4U
rz0/qXokpcIUpWt9FnWK7ux0fmaBipPDQeYPxBlIFKrGwIzj8JjWHliWJ3e1lyab
Qz2l9rkVi+gvbHixazie/sU0zcz7rMYbvM1/kD0ScRbvbr9i6xKPns97GWS2t2Q+
vnN9bQqOqPJTlJKpCJPBPV23W1FJ3HD3AgMBAAGjfzB9MB0GA1UdDgQWBBSevr6z
DFqKIIXrnlrF12ViI9iJgjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFIwsCl6R
oTkooHzDxwykypf6IsWtMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADggEBAIjTQ7NFHCdHLdp5z3zL
sqeuq6e7CEYng0i3uW/xFgzKg20W7xh99KgmPiVjEBNMxsXhbMqEtvuOOF4aj+HH
fmMa0wvLzrKD0symhnBlLZCQbDrRsk6KkGuqcPn40csQ12O8G8kEqjuf2SoYkHye
bXDL2+fwdpX+SgLwWy88xSjwPHPT4IqbuYFn7uFzpgUOCDVNFUl++gMkNVW+MR6S
OBqfc84dVAANhThH7rwxnPiQ8/8l2BLUgGhFyZqDHlmUbsnd6QTCLFSREV3m3Mra
uoRs/tuAdlGM/01C65eNPsajaWXmkoM3EZk+SLt5+038DECfRkkuLToA8W2783H1
pIQ=
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
You do not need to write and append the XML for the security header manually.
The Delphi SOAP implementation has TSOAPHeader objects for that.
Example:
type
TMySoapHeader = class(TSOAPHeader)
private
FSomeData: string;
published
property SomeData: string read FSomeData write FSomeData;
end;
To apply the header before sending it, use:
(Webservice as ISOAPHeaders).Send(header);
I've created WS-Sec headers (for Username/Password auth) in the past, which I added add GitHub: https://github.com/ronaldhoek/SOAPStuff
[EIDT] Recently added the BinarySecurityToken part to the Security header for version '200401'.
These could help you build the headers required for this service.
i starting to use wso2EI in my company.
We have a requirement to invoke a service that exposes ones of our provider. This service is a SOAP webservice with signature in body through a keystore (they send me a pfx) and the idea is to use the wso2EI to invoke that service to consume internaly through this application.
So, I create a proxy service and the Policy.xml. When i try call the proxy service without the Policy.xml and i put a harcoded request it works fine. But when i put the Policy im facing the following error:
[-1234] [] [PassThroughMessageProcessor-351] ERROR {org.apache.synapse.core.axis2.Axis2Sender} - Unexpected error during sending message out
java.lang.NullPointerException
at sun.security.provider.JavaKeyStore$JKS.convertAlias(JavaKeyStore.java:58)
at sun.security.provider.JavaKeyStore.engineGetCertificateChain(JavaKeyStore.java:163)
at sun.security.provider.JavaKeyStore$JKS.engineGetCertificateChain(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineGetCertificateChain(KeyStoreDelegator.java:101)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetCertificateChain(JavaKeyStore.java:70)
at java.security.KeyStore.getCertificateChain(KeyStore.java:1048)
at org.apache.ws.security.components.crypto.CryptoBase.getCertificates(CryptoBase.java:468)
at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:313)
at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:351)
at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:266)
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:762)
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:457)
at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:97)
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426)
at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.send(DynamicAxisOperation.java:185)
at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.executeImpl(DynamicAxisOperation.java:167)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:603)
at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:85)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:547)
at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:384)
at org.apache.synapse.endpoints.AddressEndpoint.send(AddressEndpoint.java:65)
at org.apache.synapse.mediators.builtin.SendMediator.mediate(SendMediator.java:123)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158)
at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:224)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:415)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:151)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
The proxy is:
<in><header>
<sec:OriginPoint xmlns:sec="http://esb.xxx.com/sec/">cd</sec:OriginPoint>
</header>
<send buildmessage="true">
<endpoint>
<address uri="https://xxx.xxx.xxx.xxx:4443/ESB-Host-secure-services/http/host-secure-services/serviceSecureRouter">
<enableSec policy="gov:ws-policy/Policy.xml"/>
</address>
</endpoint>
</send>
</in>
<out>
<log level="full"/>
<send/>
</out>
and the policy:
<wsp:Policy wsu:Id="signingpolicy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefEmbeddedToken/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">xx/xx/xx/certificado.jks</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">xxx</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
UPDATE
After setting the org.apache.synapse.transport.http.wire with DEBUG option i started to view the resoponse in the log but the servirce continues failing.
The error is this:
[2019-03-19 16:29:29,620] [-1] [] [PassThroughMessageProcessor-2] ERROR {org.apache.axis2.transport.base.threads.NativeWorkerPool} - Uncaught exception
java.lang.NullPointerException
at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:265)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
at org.apache.rampart.RampartEngine.process(RampartEngine.java:221)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:93)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:263)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
The proxy server is still the same.
UPDATE 2
Finally i made it !!!. The problem were in the proxy service and the security mediator. Here is the final proxy service. Thanks to all!!:
<inSequence>
<header>
<sec:OriginPoint xmlns:sec="http://esb.firstdata.com/sec/">cencosud</sec:OriginPoint>
</header>
<send>
<endpoint>
<address uri="https://172.24.4.215:4443/ESB-Host-secure-services/http/host-secure-services/serviceSecureRouter">
<enableAddressing/>
<enableSec outboundPolicy="gov:ws-policy/Policy.xml"/>
</address>
</endpoint>
</send>
</inSequence>
</target>
<description/>
</proxy>
Two things stand out to me: It seems, based on the error, that you have some keystore or certificate alias issue. A few things to try:
A common mistake is to import the certificate without aliasname.
Inspect the keystore to see if the name is correct.
I do not see a callbackhandler mentioned? Did you implement one?
Some more info here including an examplepolicy and callbackhandler project
We have to implement a proxy service based in a wsdl, and we have to use a security policy like this
<localEntry xmlns="http://ws.apache.org/ns/synapse" key="policy">
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigOnly">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10/>
<!-- sp:WssX509V3Token10/ --></wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
<!-- sp:WssX509V3Token10/ --></wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:ProtectTokens/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</localEntry>
How can we do? what steps we have to follow to implement it? do we need any rampart configuration??
Thanks in advance.
You need to use the WSO2 Developer Studio IDE for this task...
Step 1: Create a registry resource project for store your policy.
Step2: Apply the security policy to your proxy service.
Step 3: Create a composite application and deploy the proxy and the
security policy to the WSO2 ESB.
Take a look a this: https://docs.wso2.com/display/ESB500/Applying+Security+to+a+Proxy+Service
We are running a WSO2 ESB 5.0 server. We want to create a service that transforms a normal SOAP message to a signed version and delivers this to an endpoint.
We are getting the message:
Caused by: org.apache.ws.security.WSSecurityException: General
security error (No certificates for user wso2carbon were found for
signature)
Why do I get this message? I do not understand the meaning of this.
Update: I figured out, that the user in the rampart config should be the Alias of the key that you want to use to sign. And the password handler Should return the password of the alias key
The synapse (wso2 esb) service is:
<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
name="__mke_siging_out"
startOnLoad="true"
statistics="disable"
trace="disable"
transports="https">
<target>
<inSequence>
<send>
<endpoint>
<address uri="http://foo.bar.host/services/default/Echo/echo_client_ep">
<enableSec policy="gov:/policies/__mke_sign_out.xml"/>
</address>
</endpoint>
</send>
</inSequence>
<outSequence>
<header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
action="remove"
name="wsse:Security"
scope="default"/>
<send/>
</outSequence>
<faultSequence/>
</target>
<description/>
</proxy>
The rampart configuration is, pointing to a JKS keystore in which private/pub certificate is loaded and protected by a password:
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigOnly">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</sp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
<rampart:user>wso2carbon</rampart:user>
<rampart:passwordCallbackClass>nl.rsg.it.igw.passwordcallback.Handler</rampart:passwordCallbackClass>
<rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
<rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
<rampart:timestampTTL>300</rampart:timestampTTL>
<rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
<rampart:timestampStrict>false</rampart:timestampStrict>
<rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
<rampart:nonceLifeTime>300</rampart:nonceLifeTime>
<rampart:encryptionCrypto>
<rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore">
<rampart:property name="org.wso2.carbon.security.crypto.alias">myAlias</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.privatestore">myPrivate.jks</rampart:property>
<rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.truststores">myPrivate.jks</rampart:property>
</rampart:crypto>
</rampart:encryptionCrypto>
<rampart:signatureCrypto>
<rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore">
<rampart:property name="org.wso2.carbon.security.crypto.alias">myAlias</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.privatestore">myPrivate.jks</rampart:property>
<rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.truststores">myPrivate.jks</rampart:property>
</rampart:crypto>
</rampart:signatureCrypto>
</rampart:RampartConfig>
</wsp:Policy>
I figured out, that the user in the rampart config should be the Alias of the key that you want to use to sign. And the password handler Should return the password of the alias key.
How can I authorise a client (in this case a client is an application) to use a web service within .NET,
For example:
I want a 3rd pary application to call a method but not allow other applications within the network to call this method.
I want to avoid transport layer authorisation and use message based authorisation.
You should take a look at the WS-Security and WS-Policy standards. The best way is to have the client application sign all requests (with a private key) and check this signature on the server side.
We use a setup like this, with the following WS-Policy definitions in the WSDL:
<!--Endpoint Policy-->
<wsp:Policy wsu:Id="Endpoint_policy"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<!-- sp:Basic256/-->
<sp:TripleDesRsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax />
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<!--End of Endpoint Policy-->
<!--Message Policy1-->
<wsp:Policy wsu:Id="Sign_message_policy"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<!--End of Message Policy1-->
You then reference these policies in the binding part of the WSDL. Example:
<binding name="ExampleServiceSOAP" type="foobar:ExampleServicePort">
<!-- WS-Security -->
<wsp:PolicyReference URI="#Endpoint_policy" />
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="getSomething">
<soap:operation soapAction="getSomething" style="document"/>
<input>
<!-- WS-Security -->
<wsp:PolicyReference URI="#Sign_message_policy" />
<soap:body use="literal"/>
</input>
<output>
<soap:body use="literal"/>
</output>
</operation>
</binding>
The simplest (and the most "portable") thing will be to use HTTP Authentication.