Signing BinarySecurityToken in Sign only - X509 Authentication scenario

Signing BinarySecurityToken in Sign only - X509 Authentication scenario

cdangerv
Hello,
I tried out the Commodity Quote Sample shipped with WSO2 WSAS 3.0 (see
http://wso2.org/project/wsas/java/3.0.1/docs/wso2wsas-3.0.1-docs/commodity_quote_guide.html),
scenario 2: Sign only - X509 Authentication.
When I look at the client request with WSO2 WSAS SOAP message tracer,
only the timestamp part of the security header and the body of the
message are signed. The <wsse:BinarySecurityToken> part of the
security header is not signed (no reference to this part in the
SignedInfo element). Why?
How do I make it signed? Do I have to force it some way in the
client's securitypolicy file? Is it a Rampart issue?

My problem is I have to make it communicate with a weblogic component
that expects it to be signed.

Thanks for any help.

Regards,
--Cyril

_______________________________________________
Wsas-java-user mailing list
[hidden email]
https://wso2.org/cgi-bin/mailman/listinfo/wsas-java-user

Re: Signing BinarySecurityToken in Sign only - X509 Authentication scenario

Selvaratnam Uthaiyashankar-2
Hi Cyril,

On Wed, Jul 29, 2009 at 4:24 AM, Cyril DANGERVILLE <[hidden email]> wrote:
> Hello,
> I tried out the Commodity Quote Sample shipped with WSO2 WSAS 3.0 (see
> http://wso2.org/project/wsas/java/3.0.1/docs/wso2wsas-3.0.1-docs/commodity_quote_guide.html),
> scenario 2: Sign only - X509 Authentication.
> When I look at the client request with WSO2 WSAS SOAP message tracer,
> only the timestamp part of the security header and the body of the
> message are signed. The <wsse:BinarySecurityToken> part of the
> security header is not signed (no reference to this part in the
> SignedInfo element). Why?

This is the correct behavior.  <wsse:BinarySecurityToken> contains the
public certificate which should be used to validate the signature. It
will not be included in the signature.

> How do I make it signed? Do I have to force it some way in the
> client's securitypolicy file? Is it a Rampart issue?
>
> My problem is I have to make it communicate with a weblogic component
> that expects it to be signed.

This might be a problem of inconsistency of server and client policy
files. Can you get the policy/WSDL from the service and attach it?
Also attach the SOAP request/reply captured using message tracer.
Possibly the server might expect the addressing headers to be signed,
in that case, you have to modify the client side policy.

Regards,
Shankar

>
> Thanks for any help.
>
> Regards,
> --Cyril
>
> _______________________________________________
> Wsas-java-user mailing list
> [hidden email]
> https://wso2.org/cgi-bin/mailman/listinfo/wsas-java-user
>

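
A quick way to see for yourself which parts of a Rampart request the signature actually covers, as an added example that is not part of this thread nor code from Rampart or WSAS: every ds:Reference inside ds:SignedInfo is resolved to the element carrying the matching wsu:Id, and the result tells you whether the Timestamp, the Body and (with token protection) the BinarySecurityToken are signed. The two sample envelopes are constructed to mirror the message shape discussed above; the wsu:Id values (CertId-1, Timestamp-1, Id-body), the digest and signature values are placeholders and assumptions. Nothing here is cryptographically verified, that remains the job of WSS4J/Rampart; the check is about signature coverage only.

```python
# Added example: report which elements of a WS-Security request are signed.
# Not code from the thread or from Rampart; sample messages are constructed.
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def build_request(protect_token):
    """Constructed 'Sign only' request. With protect_token=True the SignedInfo
    also references the BinarySecurityToken, as <sp:ProtectTokens/> produces.
    Digest/signature values (AAA=) and Ids are placeholders, not real data."""
    bst_ref = ('<ds:Reference URI="#CertId-1"><ds:DigestValue>AAA=</ds:DigestValue></ds:Reference>'
               if protect_token else "")
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soapenv:mustUnderstand="1">
      <wsse:BinarySecurityToken wsu:Id="CertId-1" ValueType="{X509V3}"
          EncodingType="{B64}">MIIB...</wsse:BinarySecurityToken>
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>2009-07-29T08:00:00Z</wsu:Created>
        <wsu:Expires>2009-07-29T08:05:00Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature xmlns:ds="{DS}">
        <ds:SignedInfo>
          <ds:Reference URI="#Timestamp-1"><ds:DigestValue>AAA=</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#Id-body"><ds:DigestValue>AAA=</ds:DigestValue></ds:Reference>
          {bst_ref}
        </ds:SignedInfo>
        <ds:SignatureValue>AAA=</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#CertId-1" ValueType="{X509V3}"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="{WSU}" wsu:Id="Id-body"><hello/></soapenv:Body>
</soapenv:Envelope>"""


def _local_name(tag):
    return tag.rsplit("}", 1)[-1]


def signed_elements(envelope_xml):
    """Map each ds:Reference URI fragment in ds:SignedInfo to the local name of
    the element carrying that wsu:Id (None if nothing carries it). A wsu:Id that
    occurs more than once makes the reference ambiguous, so it is rejected."""
    root = ET.fromstring(envelope_xml)
    by_id, duplicates = {}, set()
    for el in root.iter():
        el_id = el.get(f"{{{WSU}}}Id")
        if el_id is None:
            continue
        if el_id in by_id:
            duplicates.add(el_id)
        by_id[el_id] = el
    if duplicates:
        raise ValueError(f"ambiguous wsu:Id values: {sorted(duplicates)}")
    signed_info = root.find(f".//{{{DS}}}SignedInfo")
    if signed_info is None:
        return {}
    covered = {}
    # Only ds:Reference elements count; the wsse:Reference inside KeyInfo merely
    # points at the certificate used to verify, it does not sign anything.
    for ref in signed_info.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            continue  # external references are out of scope for this check
        target = by_id.get(uri[1:])
        covered[uri[1:]] = _local_name(target.tag) if target is not None else None
    return covered


def bst_is_signed(envelope_xml):
    """True when the BinarySecurityToken is itself one of the signed parts."""
    return "BinarySecurityToken" in signed_elements(envelope_xml).values()


if __name__ == "__main__":
    for protect in (False, True):
        print("ProtectTokens" if protect else "default  ", signed_elements(build_request(protect)))
```

Run against the two captured requests from the message tracer and the difference between the ...without-token-protect.xml and ...with-token-protect.xml files shows up as the extra CertId reference; a None value in the result means a reference that points at no element in the message, which a receiver should reject.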

Re: Signing BinarySecurityToken in Sign only - X509 Authentication scenario

cdangerv
On Wed, Jul 29, 2009 at 8:27 AM, Uthaiyashankar <[hidden email]> wrote:

> Hi Cyril,
>
> On Wed, Jul 29, 2009 at 4:24 AM, Cyril
> DANGERVILLE<[hidden email]> wrote:
>> Hello,
>> I tried out the Commodity Quote Sample shipped with WSO2 WSAS 3.0 (see
>> http://wso2.org/project/wsas/java/3.0.1/docs/wso2wsas-3.0.1-docs/commodity_quote_guide.html),
>> scenario 2: Sign only - X509 Authentication.
>> When I look at the client request with WSO2 WSAS SOAP message tracer,
>> only the timestamp part of the security header and the body of the
>> message are signed. The <wsse:BinarySecurityToken> part of the
>> security header is not signed (no reference to this part in the
>> SignedInfo element). Why?
>
> This is the correct behavior.  <wsse:BinarySecurityToken> contains the
> public certificate which should be used to validate the signature. It
> will not be included in the signature.
>
>> How do I make it signed? Do I have to force it some way in the
>> client's securitypolicy file? Is it a Rampart issue?
>>
>> My problem is I have to make it communicate with a weblogic component
>> that expects it to be signed.
>
> This might be a problem of inconsistency of server and client policy
> files. Can you get the policy/WSDL from the service and attach it?
> Also attach the SOAP request/reply captured using message tracer.
> Possibly the server might expect the addressing headers to be signed,
> in that case, you have to modify the client side policy.
>
I managed to get Rampart to sign the <wsse:BinarySecurityToken> and
now it works with my weblogic component. The "weblogic component" I am
referring to, and that I want my Axis2/Rampart client to communicate
with, is a helloworld proxy service in Oracle Service Bus 10gR3. For
info, it relies on Weblogic for all the web service security stuff.
Below is what you asked for:

Service policy/WSDL
===============
I have attached my service's WSDL (simple hello world) with the policy
inside as you asked.  Unfortunately, it actually supports only a
subset of the standards that Weblogic supports. In particular,
WS-SecurityPolicy format cannot be used for signature policy.
Therefore, the policy in the attached WSDL is in Weblogic proprietary
format. It is Weblogic predefined policy for digital signature:
Sign.xml. See http://download.oracle.com/docs/cd/E12840_01/wls/docs103/webserv_sec/message.html#wp238771
for the description of the policy.

Client side policy
=============
You will find below my client's rampart policy.xml which signs
<wsse:BinarySecurityToken> and works with my OSB proxy service. What
matters is the <sp:ProtectTokens/> line (...with-token-protect.xml). I
am using rampart 1.4.

----BEGIN RAMPART POLICY--

<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy wsu:Id="SigOnly"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:TripleDesRsa15/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <!-- makes Rampart include the BinarySecurityToken (initiator certificate) in the signature -->
          <sp:ProtectTokens/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body/>
      </sp:SignedParts>
      <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
        </wsp:Policy>
      </sp:Wss10>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>client</ramp:user>
        <ramp:passwordCallbackClass>com.ecerami.www.wsdl.helloservice_wsdl.PCWBHandler</ramp:passwordCallbackClass>
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">ressources/client.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">mystorepass</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

--END RAMPART POLICY--

I have attached the SOAP request/reply (files ending
...-with-token-protect.xml).

Now, if I remove/comment <sp:ProtectTokens/> in the client policy, I
get the request/reply attached (files ending
...without-token-protect.xml). The reply is a SOAP fault.

So, it seems OSB/Weblogic considers signing the BinarySecurityToken to be
the correct behavior.
I think this can be useful to know if you are doing interoperability
tests between WSO2WSAS/Rampart and OSB (or Weblogic I assume).

Regards,
--Cyril


Attachments:
Helloworld_with_OSB_sign_policy.wsdl (4K)
request-from-Rampart-client-without-token-protect.xml (5K)
reply-from-OSB-to-rampart-client-without-token-protect.xml (640 bytes)
request-from-Rampart-client-with-token-protect.xml (6K)
reply-from-OSB-to-rampart-client-with-token-protect.xml (7K)
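
As an added example, not part of Cyril's post nor code from Rampart or WSO2, here is a small Python check over a Rampart policy.xml: it reports whether <sp:ProtectTokens/> is present in the AsymmetricBinding and adds it when missing, lists the parts required by sp:SignedParts, and, for the other mismatch Shankar mentioned (a server that also expects addressing headers signed), adds an sp:Header entry to SignedParts. The embedded policy is a constructed, trimmed copy of the one above with ProtectTokens removed and RampartConfig left out; the WS-Addressing namespace and the "To" header used in the usage example are assumptions about what a given server wants, not something this thread established.

```python
# Added example: audit and patch a Rampart/WS-SecurityPolicy file for token
# protection and signed parts. Not code from the thread or from Rampart.
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
RAMP = "http://ws.apache.org/rampart/policy"
WSA = "http://www.w3.org/2005/08/addressing"  # assumption: the server signs WS-Addressing 1.0 headers

# Keep the conventional prefixes when re-serialising instead of ns0/ns1.
for _prefix, _uri in (("sp", SP), ("wsp", WSP), ("wsu", WSU), ("ramp", RAMP)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample: the thread's policy without <sp:ProtectTokens/> and
# without the RampartConfig block (keystore details are irrelevant here).
SAMPLE_POLICY = f"""<wsp:Policy wsu:Id="SigOnly" xmlns:wsu="{WSU}" xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken><wsp:Policy><sp:X509Token sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient">
            <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token></wsp:Policy></sp:InitiatorToken>
          <sp:RecipientToken><wsp:Policy><sp:X509Token sp:IncludeToken="{SP}/IncludeToken/Never">
            <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token></wsp:Policy></sp:RecipientToken>
          <sp:AlgorithmSuite><wsp:Policy><sp:TripleDesRsa15/></wsp:Policy></sp:AlgorithmSuite>
          <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:SignedParts><sp:Body/></sp:SignedParts>
      <sp:Wss10><wsp:Policy><sp:MustSupportRefKeyIdentifier/><sp:MustSupportRefIssuerSerial/></wsp:Policy></sp:Wss10>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""


def _binding_policy(root):
    """The <wsp:Policy> nested directly under <sp:AsymmetricBinding>, or None."""
    binding = root.find(f".//{{{SP}}}AsymmetricBinding")
    return None if binding is None else binding.find(f"{{{WSP}}}Policy")


def protect_tokens_count(policy_xml):
    """Number of <sp:ProtectTokens/> assertions inside the AsymmetricBinding."""
    nested = _binding_policy(ET.fromstring(policy_xml))
    return 0 if nested is None else len(nested.findall(f"{{{SP}}}ProtectTokens"))


def protects_tokens(policy_xml):
    """True when the binding asks Rampart to sign the signing token (the BST)."""
    return protect_tokens_count(policy_xml) > 0


def ensure_protect_tokens(policy_xml):
    """Return the policy with <sp:ProtectTokens/> added to the AsymmetricBinding
    if it was missing. Assertions inside a wsp:Policy are an unordered set in
    WS-Policy, so appending at the end is sufficient."""
    root = ET.fromstring(policy_xml)
    nested = _binding_policy(root)
    if nested is None:
        raise ValueError("policy has no sp:AsymmetricBinding")
    if nested.find(f"{{{SP}}}ProtectTokens") is None:
        ET.SubElement(nested, f"{{{SP}}}ProtectTokens")
    return ET.tostring(root, encoding="unicode")


def signed_parts(policy_xml):
    """Parts the policy requires to be signed: 'Body' and 'Header:{ns}Name'
    per sp:Header ('*' when sp:Header carries no Name, i.e. all headers in ns)."""
    parts = []
    sp_signed = ET.fromstring(policy_xml).find(f".//{{{SP}}}SignedParts")
    if sp_signed is None:
        return parts
    for child in sp_signed:
        name = child.tag.rsplit("}", 1)[-1]
        if name == "Body":
            parts.append("Body")
        elif name == "Header":
            parts.append("Header:{%s}%s" % (child.get("Namespace"), child.get("Name", "*")))
    return parts


def require_signed_header(policy_xml, namespace, name=None):
    """Add <sp:Header Namespace=... Name=.../> to sp:SignedParts (creating
    SignedParts under wsp:All if absent); a no-op if the entry already exists."""
    root = ET.fromstring(policy_xml)
    sp_signed = root.find(f".//{{{SP}}}SignedParts")
    if sp_signed is None:
        sp_signed = ET.SubElement(root.find(f".//{{{WSP}}}All"), f"{{{SP}}}SignedParts")
    for header in sp_signed.findall(f"{{{SP}}}Header"):
        if header.get("Namespace") == namespace and header.get("Name") == name:
            return ET.tostring(root, encoding="unicode")
    attrs = {"Namespace": namespace}
    if name:
        attrs["Name"] = name
    ET.SubElement(sp_signed, f"{{{SP}}}Header", attrs)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    fixed = ensure_protect_tokens(SAMPLE_POLICY)
    print("ProtectTokens before/after:", protects_tokens(SAMPLE_POLICY), protects_tokens(fixed))
    print("SignedParts:", signed_parts(require_signed_header(fixed, WSA, "To")))
```

Feed it the real policy.xml (read the file into a string) before and after a failed interop run: if protects_tokens() is False and the peer faults as OSB did here, ensure_protect_tokens() is the one-line change the thread arrived at; if the peer's fault instead names a missing header reference, require_signed_header() expresses the second fix Shankar suggested. Either way, re-run the request through the message tracer and confirm the SignedInfo references match what the server's policy demands.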