I am trying to send username and a password over web services using axis2 and rampart. I want to send the password as a digest, but for some reason the password is only sent in cleartext. According to several sources, it should happen when I add the to both services.xml and axis2.xml, but it doesnt seem to work. I have also tried to add Digest under the sub-header. Relevant sections of services.xml (server side) and axis2.xml (client side) is given below. Can anybody see anything wrong?
My axis2.xml
<wsp:Policy wsu:Id="UTOverTransport"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedSupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:HashPassword />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>test</ramp:user>
<ramp:passwordCallbackClass>sec.PWCBHandler</ramp:passwordCallbackClass>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
My services.xml
<wsp:Policy wsu:Id="UTOverTransport"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedSupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:HashPassword />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:passwordCallbackClass>sec.PWCBHandler</ramp:passwordCallbackClass>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
The problem with you configuration is that namespaces that you use suggest Axis to interpret it as WSS 1.1 configuration. As far as I can tell from Axis sources, it does not support hashing passwords from username token. Probably it is a feature available from WSS 1.2.
You need to define supporting token using WSS 1.2 namespaces:
<sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:HashPassword />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
That will hash the password with nonce and created by default.
I found you may need to add something like this:
<wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
</wsp:Policy>
</sp:TransportBinding>
<sp:SupportingTokens
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/
ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Ref: http://www.ibm.com/developerworks/java/library/j-jws4/index.html
Related
I have read that there is no way to create a message with ws-security from httprio, only modifying the xml that is generated, in the beforeexecute, overwriting the stream content.
But I want to know how sign the body section from that xml.
In JBoss this is the example (https://docs.jboss.org/author/display/WFLY10/WS-Security.html) but I don't find classes or methods in Delphi for do it.
The wsdl definition include a wsp section not readed when imported the wsdl definition
<wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" wsu:Id="SecurityServiceSignThenEncryptPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V1Token11/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V1Token11/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:EncryptSignature/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:SignBeforeEncrypting/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:EncryptedParts>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Then I need rewrite the xml before request with a token and the body encrypted with that token.
I need encrypt the body with a token, that is how jboss do it.
No user or password. Only encrypt the message.
My original xml normal for call webservice look as:
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<shawAny xmlns="http://showany.com/webservices">
<Value xmlns="">1360814</nroCertificado>
<autenticacion xmlns=""> <signWSAA>EISgwe7vyrAtvpe/uBy1Vj9IyYRGjjZfY4isNTLYDhl33BeqPWHjJ5NXU5+UMBSxjAO84bCydJJmCiDlATZq725EThMppowyO2CcAYBET8zBdqlXqaVMT12OHFnSH5QHc5aG4SkrgubPXqCeJO5Lcb/T6irySorBaYG647K33/8=</signWSAA>
<CN>dnra</CN> <ticketWSAA>CjxhdXRoPgoJPGlkIHVuaXF1ZV9pZD0iNzQwMDE0NjUyIiBzcmM9IkM9UFksIE89ZG5hLCBPVT1zb2ZpYSwgQ049d3NhYXRlc3QiIGdlbl90aW1lPSIyMDIwLTA3LTIwVDEwOjI5OjI3LjYzMi0wNDowMCIgZXhwX3RpbWU9IjIwMjAtMDctMjFUMTA6Mjk6MjcuNjMyLTA0OjAwIi8+Cgk8b3BlcmF0aW9uIHZhbHVlPSJncmFudGVkIiB0eXBlPSJsb2dpbiI+CgkJPGxvZ2luIHVpZD0iQz1QWSwgTz1ETlJBLCBPVT1USSwgQ049ZG5yYSIgc2VydmljZT0ic2VydmljaW9jZXJuYWMiIGF1dGhtZXRob2Q9ImNtcyI+CgkJPC9sb2dpbj4KCTwvb3BlcmF0aW9uPgo8L2F1dGg+Cg==</ticketWSAA>
</autenticacion>
</showAny>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope
and then ws-security must look as:
<?xml version="1.0" encoding="UTF8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<wsse:Security xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" SOAP-ENV:mustUnderstand="1">
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509"
wsu:Id="x509cert00">CjxhdXRoPgoJPGlkIHVuaXF1ZV9pZD0iMTYwMTE4MTMwIiBzcmM9IkM9UFksIE89ZG5hLCBPVT1zb2ZpYSwgQ049d3NhYXRlc3QiIGdlbl90aW1lPSIyMDIwLTA3LTIwVDE1OjUzOjMyLjAxMC0wNDowMCIgZXhwX3RpbWU9IjIwMjAtMDctMjFUMTU6NTM6MzIuMDEwLTA0OjAwIi8+Cgk8b3BlcmF0aW9uIHZhbHVlPSJncmFudGVkIiB0eXBlPSJsb2dpbiI+CgkJPGxvZ2luIHVpZD0iQz1QWSwgTz1ETlJBLCBPVT1USSwgQ049ZG5yYSIgc2VydmljZT0ic2VydmljaW9jZXJuYWMiIGF1dGhtZXRob2Q9ImNtcyI+CgkJPC9sb2dpbj4KCTwvb3BlcmF0aW9uPgo8L2F1dGg+Cg==
</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse SOAP-ENV"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#TheBody"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>VhsSnaEAFsY0OYegKQh99v9csXg=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>axkNSVJdFcJWvd9H2TFYC5AvKLs8c3aMxeXKr0ZrQFWUp7fGivPtAAbQAlO2Wju14sy+TM1POyRd8blkJLLYVcFokrRj7X2SshbKasIosH9aWVoMdl8cL7G1SmUBguxekuI4N++yAAHJZotBka575Eaj3bNlSMNTZL5K2hqTFxal/oIExwDMNAmtCpiEapHgaW7mXgqibttNKhxrGmAGidBnHVGgqMcbM3l6aWhD8F6L4IK1PuB1LQoW/n8wkeO2+PrUzIqQ4LY5+Bx69OZjNHcuiC7HdwMNH9+aMipa7b3Q3DZ0+Qi4k/DWbT3kxterYnOWk6XULifV0F2pH3lg4Q==</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#x509cert00" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="TheBody">
<getVersion xmlns="http://msgsec.wssecfvt.ws.ibm.com"/>
MIIDjjCCAnagAwIBAgIIU/FocaP2GcUwDQYJKoZIhvcNAQEFBQAwVTEWMBQGA1UE
AwwNU0lGUm9vdENBMjA0ODETMBEGCgmSJomT8ixkARkWA1NJRjETMBEGCgmSJomT
8ixkARkWA0NPTTERMA8GCgmSJomT8ixkARkWAVAwHhcNMjAwNjE4MjAxNDUxWhcN
MzAwNjE2MjAxNDUxWjA4MQ0wCwYDVQQDDARkbnJhMQswCQYDVQQLDAJUSTENMAsG
A1UECgwERE5SQTELMAkGA1UEBhMCUFkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDWtyo5ASPoLtHGdAaj9CXBtiMnaGZQ6ERjeDvg+2czWKcbpIBUCl4C
hpOfcWobR5+gF7br3wYzhkg4GqyXIcDqlZQiRNRD8gnR0Q0ZFo0AMtabEGnOrSTJ
e5Wi+2af4Ku5kETSah7zWnv58OELQYzPVh2wxc2v0uuQ9N0riF16d1Do3knuqP4U
rz0/qXokpcIUpWt9FnWK7ux0fmaBipPDQeYPxBlIFKrGwIzj8JjWHliWJ3e1lyab
Qz2l9rkVi+gvbHixazie/sU0zcz7rMYbvM1/kD0ScRbvbr9i6xKPns97GWS2t2Q+
vnN9bQqOqPJTlJKpCJPBPV23W1FJ3HD3AgMBAAGjfzB9MB0GA1UdDgQWBBSevr6z
DFqKIIXrnlrF12ViI9iJgjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFIwsCl6R
oTkooHzDxwykypf6IsWtMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADggEBAIjTQ7NFHCdHLdp5z3zL
sqeuq6e7CEYng0i3uW/xFgzKg20W7xh99KgmPiVjEBNMxsXhbMqEtvuOOF4aj+HH
fmMa0wvLzrKD0symhnBlLZCQbDrRsk6KkGuqcPn40csQ12O8G8kEqjuf2SoYkHye
bXDL2+fwdpX+SgLwWy88xSjwPHPT4IqbuYFn7uFzpgUOCDVNFUl++gMkNVW+MR6S
OBqfc84dVAANhThH7rwxnPiQ8/8l2BLUgGhFyZqDHlmUbsnd6QTCLFSREV3m3Mra
uoRs/tuAdlGM/01C65eNPsajaWXmkoM3EZk+SLt5+038DECfRkkuLToA8W2783H1
pIQ=
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
You do not need to write and append the XML for the security header manually.
The Delphi SOAP implementation has TSOAPHeader objects for that.
Example:
type
TMySoapHeader = class(TSOAPHeader)
private
FSomeData: string;
published
property SomeData: string read FSomeData write FSomeData;
end;
To apply the header before sending it, use:
(Webservice as ISOAPHeaders).Send(header);
I've created WS-Sec headers (for Username/Password auth) in the past, which I added add GitHub: https://github.com/ronaldhoek/SOAPStuff
[EIDT] Recently added the BinarySecurityToken part to the Security header for version '200401'.
These could help you build the headers required for this service.
Using Liberty 19.0.09, I have this Exception "Incorrect inclusion value".
javax.xml.ws.soap.SOAPFaultException: Incorrect inclusion value: null.
Caused by:
java.lang.RuntimeException - Incorrect inclusion value: null
at org.apache.cxf.ws.security.policy.model.Token.setInclusion(Token.java:82)
I have tried multiple configurations without success. Here is the code I am using to access this WS :
>DocumentMgmtHttpService service = new DocumentMgmtHttpService();
>HandlerResolver resolver = service.getHandlerResolver();
>DocumentMgmt docmgmt = service.getDocumentMgmtHttpPort();
>BindingProvider bp = (BindingProvider) docmgmt;
>bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "xxxx");
>bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "xxxxx");
>SearchDocumentResponseType response=null;
then the request and the call
Where should I be looking ?
I have configure ( 3 features below ) + handlers + CallBackHandler ( as a feature on the server )
server.xml
<wsSecurityClient id="default"
ws-security.callback-handler="com.xxx.xxxx.callbackhandler.CallBackHandler"
ws-security.signature.username="portal_certificate"
ws-security.username="CN=portalx509.xxxxxxxxxx, OU=IT, O=xxxxxxxxx, L=xxxxxxxx, ST=xxxxx, C=CA"
ws-security.encryption.username="portal_certificate">
<signatureProperties
org.apache.ws.security.crypto.merlin.keystore.type="jceks"
org.apache.ws.security.crypto.merlin.keystore.password="{xor}PDc+MTg6Nis="
org.apache.ws.security.crypto.merlin.keystore.alias="portal_certificate"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/resources/security/keystore-ti.jks"
org.apache.ws.security.crypto.merlin.truststore.file="${server.config.dir}/resources/security/keystore-ti.jks"
org.apache.ws.security.crypto.merlin.truststore.password="{xor}PDc+MTg6Nis="
org.apache.ws.security.crypto.merlin.truststore.type="jceks"
org.apache.ws.security.crypto.merlin.keystore.private.password="{xor}PDc+MTg6Nis="/>
<encryptionProperties
org.apache.ws.security.crypto.merlin.keystore.type="jceks"
org.apache.ws.security.crypto.merlin.keystore.password="{xor}PDc+MTg6Nis="
org.apache.ws.security.crypto.merlin.keystore.alias="portal_certificate"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/resources/security/keystore-ti.jks"
org.apache.ws.security.crypto.merlin.truststore.type="jceks"
org.apache.ws.security.crypto.merlin.truststore.file="${server.config.dir}/resources/security/keystore-ti.jks"
org.apache.ws.security.crypto.merlin.truststore.password="{xor}PDc+MTg6Nis="
org.apache.ws.security.crypto.merlin.keystore.private.password="{xor}PDc+MTg6Nis="
/>
- **ibm-ws-bnd.xml**
<ws:webservices-bnd xmlns:ws="http://websphere.ibm.com/xml/ns/javaee" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd" version="1.0">
<ws:webservice-endpoint-properties enableLoggingInOutInterceptor="true" />
<ws:service-ref name="service/DocumentMgmtHttpService">
<ws:port name="DocumentMgmtHttpPort" namespace="http://ibm.com/ws/jaxws/transport/security/" ssl-ref="SSL01" />
<ws:properties http.conduit.tlsClientParameters.disableCNCheck="true" />
</ws:service-ref>
</ws:webservices-bnd>
policy-attachements-client.xml ( in WEB-INF )
<?xml version="1.0" encoding="UTF-8"?>
<attachments
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:PolicyAttachment
wsdlNamespace="http://www.xxxxx.xx/EnterpriseMgmt/DocumentMgmt/V1">
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>https://xxxxxxxxxxxxxx:8442/ti/DocumentMgmt/V1
</wsa:Address>
</wsa:EndpointReference>
<wsp:URI>https://xxxxxxxxxxxxxxxx:8442/ti/DocumentMgmt/V1#wsdl11.service(DocumentMgmtHttpService)</wsp:URI>
</wsp:AppliesTo>
<wsp:Policy
wsu:Id="X509AsymmetricMutualAndUntAuthentication">
<wsp:ExactlyOne>
<wsp:All>
<wsam:Addressing wsp:Optional="true">
<wsp:Policy>
<wsp:ExactlyOne>
<wsp:All />
<wsam:AnonymousResponses />
<wsam:NonAnonymousResponses />
</wsp:ExactlyOne>
</wsp:Policy>
</wsam:Addressing>
<sp:SignedEncryptedSupportingTokens
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken11 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedEncryptedSupportingTokens>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200712/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token11/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200712/IncludeToken/AlwaysToInitiator">
<wsp:Policy>
<sp:WssX509V3Token11 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SupportingTokens>
<wsp:Policy wsu:Id="request:username_token">
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200712/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken11 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
<sp:SignedParts>
<sp:Body />
<sp:Header
Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
<sp:Header
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header
Namespace="http://www.nbfg.ca/fw/serviceHeaders" />
</sp:SignedParts>
<sp:SignedElements>
<sp:XPath>/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']</sp:XPath>
<sp:XPath>/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='UsernameToken']</sp:XPath>
<sp:XPath>/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']</sp:XPath>
<sp:XPath>/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='UsernameToken']</sp:XPath>
</sp:SignedElements>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</wsp:PolicyAttachment>
</attachments>
Any help ? Thanks a lot in advance.
in your policy-attachments-client.xml, the IncludeToken value is not correct. Update all the IncludeToken values and change "200712" to "200702".
We have to implement a proxy service based in a wsdl, and we have to use a security policy like this
<localEntry xmlns="http://ws.apache.org/ns/synapse" key="policy">
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigOnly">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10/>
<!-- sp:WssX509V3Token10/ --></wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
<!-- sp:WssX509V3Token10/ --></wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:ProtectTokens/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</localEntry>
How can we do? what steps we have to follow to implement it? do we need any rampart configuration??
Thanks in advance.
You need to use the WSO2 Developer Studio IDE for this task...
Step 1: Create a registry resource project for store your policy.
Step2: Apply the security policy to your proxy service.
Step 3: Create a composite application and deploy the proxy and the
security policy to the WSO2 ESB.
Take a look a this: https://docs.wso2.com/display/ESB500/Applying+Security+to+a+Proxy+Service
I need to call Soap service from groovy. I want to use groovy-wslite library.
I have no problem with simple services but I have trouble with service using WS-Security and WS-Reliable Messaging. I have sample configuration on the client site:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IRestrictionImport" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" negotiateServiceCredential="true"
algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://test.ceidg.gov.pl/CEIDG.Services.Import/RestrictionImport.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IRestrictionImport"
contract="RestrictionImportService.IRestrictionImport" name="WSHttpBinding_IRestrictionImport" />
</client>
</system.serviceModel>
</configuration>
WSDL:
wsdl:definitions name="RestrictionImport" targetNamespace="http://zeto.bialystok.pl"><wsp:Policy wsu:Id="WSHttpBinding_IRestrictionImport_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens>
<wsp:Policy>
<sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:BootstrapPolicy>
<wsp:Policy>
<sp:SignedParts>
<sp:Body/>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedSupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<sp:Wss11>
<wsp:Policy/>
</sp:Wss11>
<sp:Trust10>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
</wsp:Policy>
</sp:BootstrapPolicy>
</wsp:Policy>
</sp:SecureConversationToken>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11>
<wsp:Policy/>
</sp:Wss11>
<sp:Trust10>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
https://test.ceidg.gov.pl/CEIDG.Services.Import/RestrictionImport.svc
I have username and password for authentication.
I tried to call service fro groovy using this XML:
def client = new SOAPClient("https://test.ceidg.gov.pl/ceidg.public.api/APIService.svc")
response = client.send(
"""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tem="http://tempuri.org/">
<soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security mode="TransportWithMessageCredential" soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-C42BA6EAC6DBDE07EC14636522574269">
<wsse:Username>USER</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">AceynGmXO0uy+sRgBBEj8Q==</wsse:Nonce>
<wsu:Created>$data</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
<wsa:MessageID>uuid:$uuid</wsa:MessageID><ActivityId CorrelationId="c2fa49e7-fb82-41fe-81d3-065e985a3df6" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">cbe1563c-0609-40dd-aa81-3ddcbebb0424</ActivityId><wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo><wsa:To soap:mustUnderstand="1">http://test.ceidg.gov.pl/CEIDG.Services.Import/RestrictionImport.svc</wsa:To>
</soap:Header>
<soap:Body>
<tem:AddFileToImport>
<tem:fileName>?</tem:fileName>
<tem:importData>cid:1388108976858</tem:importData>
</tem:AddFileToImport>
</soap:Body>
</soap:Envelope>""")
but i`m getting error:
wslite.soap.SOAPFaultException: s:Sender - The message with To 'http://test.ceidg.gov.pl/CEIDG.Services.Import/RestrictionImport.svc' cannot be processed at the receiver, due to an AddressFilter mismatch at the EndpointDispatcher. Check that the sender and receiver's EndpointAddresses agree
Any ideas?
How can I authorise a client (in this case a client is an application) to use a web service within .NET,
For example:
I want a 3rd pary application to call a method but not allow other applications within the network to call this method.
I want to avoid transport layer authorisation and use message based authorisation.
You should take a look at the WS-Security and WS-Policy standards. The best way is to have the client application sign all requests (with a private key) and check this signature on the server side.
We use a setup like this, with the following WS-Policy definitions in the WSDL:
<!--Endpoint Policy-->
<wsp:Policy wsu:Id="Endpoint_policy"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<!-- sp:Basic256/-->
<sp:TripleDesRsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax />
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<!--End of Endpoint Policy-->
<!--Message Policy1-->
<wsp:Policy wsu:Id="Sign_message_policy"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<!--End of Message Policy1-->
You then reference these policies in the binding part of the WSDL. Example:
<binding name="ExampleServiceSOAP" type="foobar:ExampleServicePort">
<!-- WS-Security -->
<wsp:PolicyReference URI="#Endpoint_policy" />
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="getSomething">
<soap:operation soapAction="getSomething" style="document"/>
<input>
<!-- WS-Security -->
<wsp:PolicyReference URI="#Sign_message_policy" />
<soap:body use="literal"/>
</input>
<output>
<soap:body use="literal"/>
</output>
</operation>
</binding>
The simplest (and the most "portable") thing will be to use HTTP Authentication.