'Antwort: Re: Problems using both InflowSecurity and OutflowSecurity'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       wss4j-dev
Subject:    Antwort: Re: Problems using both InflowSecurity and OutflowSecurity
From:       mpollmeier () s-und-n ! de
Date:       2006-05-23 7:16:10
Message-ID: OF12144559.0D707DC0-ONC1257177.0026EDFB () sundn ! de
[Download RAW message or body]

Hi Ruchith,

thanks again, this works. But isn't this a bug? 
Why does it include a SignatureConfirmation if there is no signature to 
confirm?

If this behaviour is correct, the default value of enableSignatureConfirmation should \
be "false", shouldn't it?

Freundliche Grüße / With kind regards
Michael Pollmeier
-------------------------------------------------


Hi Michael,

Please add the following to both InflowConfiguration and
OutflowConfiguration in both service and client configs.

<enableSignatureConfirmation>false</enableSignatureConfirmation>

Thanks,
Ruchith

On 5/22/06, mpollmeier@s-und-n.de <mpollmeier@s-und-n.de> wrote:
> Hi all,
> 
> thanks Ruchith's fast tip I am now able to combine any actions either in
> the InflowSecurity OR the OutflowSecurity.
> But if I try and combine both of them, I get a strange behaviour.
> 
> The simplest case is the following. Client and Server config are as
> follows:
> <parameter name="OutflowSecurity">
> <action>
> <items>Timestamp</items>
> </action>
> </parameter>
> 
> <parameter name="InflowSecurity">
> <action>
> <items>Timestamp</items>
> </action>
> </parameter>
> 
> The SOAP-Response contains the following Security Header:
> 
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>  soapenv:mustUnderstand="true">
> <wsu:Timestamp
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>  wsu:Id="Timestamp-17940412">
> <wsu:Created>2006-05-22T16:03:47.031Z</wsu:Created>
> <wsu:Expires>2006-05-22T16:08:47.031Z</wsu:Expires>
> </wsu:Timestamp>
> <wsse11:SignatureConfirmation
> xmlns:wsse11="http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-wssecurity-secext-1.1.xsd"
>  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>  wsu:Id="SigConf-16398807" />
> </wsse:Security>
> 
> It is interesting that the response contains a
> "SignatureConfirmation"-element (the request does NOT contain one).
> Consistently the Client throws the following exception:
> 
> Exception in thread "main" org.apache.axis2.AxisFault: WSHandler: Check
> Signature confirmation: got a SC element, but no stored SV; nested
> exception is:
> org.apache.ws.security.WSSecurityException: WSHandler: Check
> Signature confirmation: got a SC element, but no stored SV
> at
> 
org.apache.axis2.security.WSDoAllReceiver.processMessage(WSDoAllReceiver.java:336)
> at
> 
org.apache.axis2.security.handler.WSDoAllHandler.invoke(WSDoAllHandler.java:82)
> at org.apache.axis2.engine.Phase.invoke(Phase.java:381)
> at 
org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:473)
> at 
org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:445)
> at
> 
org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:355)

> at
> 
org.apache.axis2.description.OutInAxisOperationClient.execute(OutInAxisOperation.java:279)

> at
> org.apache.ws.axis2.ReverseWSStub.reverseString(ReverseWSStub.java:109)
> at reverseTest.Test.main(Test.java:26)
> Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Check
> Signature confirmation: got a SC element, but no stored SV
> at
> 
org.apache.ws.security.handler.WSHandler.checkSignatureConfirmation(WSHandler.java:294)

> at
> 
org.apache.axis2.security.WSDoAllReceiver.processMessage(WSDoAllReceiver.java:196)
> ... 8 more
> 
> 
> Other errors appear if I combine other actions. As mentioned, everything
> works fine if I just configure the security one-way, I can use any
> action-order.
> 
> 
> Freundliche Grüße / With kind regards
> Michael
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> 
> 





---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic