Bug 4403 - Secure calls for secure context establishment
: Secure calls for secure context establishment
Status: NEW
: Java WS Security
Authentication
: development
: PC Windows XP
: P3 enhancement
: 4.2.0
Assigned To:
Reported: 2006-05-15 14:57 by
Modified: 2006-09-27 14:31 (History)


Attachments




Description From 2006-05-15 14:57:36
> Are you looking to establish a session like in Secure Conversation ? 
> You can request the client to do secure conversation and secure 
> message, by specifying both in your client security descriptor. But I 
> am not sure what the server side security really expects - can you elaborate some more ?
>
> Rachana
>

Yes, we want to do both secure conversation and secure message:
The first request must be the <RequestSecurityToken> request AND this first
request must be secured with the client certificate through secure message.

But if I specify BOTH elements in the client security descriptor, the
<GSISecureMessage> element is
ignored:
the request contains no <wsse> elements at all, only a SOAP header with <wsa> elements and
a SOAP body with <RequestSecurityToken>.


The SOAP request contains <wsse> elements ONLY if I specify <GSISecureMessage>
without <GSISecureConversation>.

Ina



I append the request as we receive it from the .NET client with both secure
message and secure conversation enabled - perhaps this helps to clarify:

---------------------------- snip ---------------------------------

<!-- WSE3 input trace of the first request of the secure-conversation bootstrap
     (wsa:Action .../trust/RST/SCT). The "Unprocessed message" step is the wire
     form, protected with secure message: a wsse:Security header carrying the
     client X.509 token, a wrapped symmetric key, two signatures, and an
     encrypted body. The "Processed message" step is what the service pipeline
     handed on after verification/decryption. Certificate and body ciphertext
     were elided from this paste (placeholder tokens). -->
<inputMessage utc="12.05.2006 14:44:27"
messageId="urn:uuid:62e0fc2a-b390-4804-a9c5-16c8c204bbf0">
      <processingStep description="Unprocessed message">

        <env:Envelope
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:env="http://www.w3.org/2003/05/soap-envelope">
          <env:Header>
            <!-- Every addressing header carries a wsu:Id so that it can be
                 covered by the HMAC signature below (see its Reference list). -->
            <wsa:Action
wsu:Id="Id-86ad57cc-bfca-4e94-96c6-969fa1369235">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</wsa:Action>
            <wsa:MessageID
wsu:Id="Id-558973ac-5eb5-47f6-b6c4-1e73978dbb02">urn:uuid:62e0fc2a-b390-4804-a9c5-16c8c204bbf0</wsa:MessageID>
            <wsa:ReplyTo wsu:Id="Id-5c553e9f-f390-4305-88e5-406b1dab3ee1">

<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
            </wsa:ReplyTo>
            <wsa:To
wsu:Id="Id-cec6cc1e-d234-4184-8750-c49502709ceb">http://localhost/GlobusServices/Service1.asmx</wsa:To>
            <tns:resourceID wsu:Id="Id-891b7fc8-ff34-4896-a067-b074ee015595"
xmlns:tns="http://gcg.cs.virginia.edu/wsrf">4cdf2e2e-dfaa-4856-b4c9-7b35be0085f0</tns:resourceID>
            <wsse:Security env:mustUnderstand="true">
              <!-- Five-minute validity window (Created -> Expires); the
                   Timestamp is also signed, which is what bounds replay. -->
              <wsu:Timestamp
wsu:Id="Timestamp-b0f5aa63-a8d0-45c9-8cea-5141f34e13c7">
                <wsu:Created>2006-05-12T14:44:22Z</wsu:Created>
                <wsu:Expires>2006-05-12T14:49:22Z</wsu:Expires>
              </wsu:Timestamp>
              <!-- Client X.509v3 certificate (Base64). Referenced by the
                   RSA-SHA1 signature further down. Certificate bytes were
                   removed from this paste. -->
              <wsse:BinarySecurityToken
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="SecurityToken-3f0059b1-7d7c-4de6-b50e-28fe86680ec8">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
cvWvGFJwppeXA==</wsse:BinarySecurityToken>
              <!-- Symmetric message key wrapped with RSA-OAEP for the
                   recipient identified by X509SubjectKeyIdentifier. The
                   ReferenceList ties it to the EncryptedData in the Body
                   (#Enc-256b01d4-...); the first Signature is keyed by it. -->
              <xenc:EncryptedKey
Id="SecurityToken-81967352-db70-4336-bec8-99b141e0376e"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                  <ds:DigestMethod
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                </xenc:EncryptionMethod>
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                  <wsse:SecurityTokenReference>
                    <wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">4DQZzuXi9VhpOn1Mol7shSQYWIg=</wsse:KeyIdentifier>
                  </wsse:SecurityTokenReference>
                </KeyInfo>
                <xenc:CipherData>

<xenc:CipherValue>uw/A0q5s/HORrVocXMtbm1Bc+yj6lvTkPeGPGxuMb55mPbcLp//gYBU+0nd+0QS9F51mSnXQDul7Ps5ML8BxsNPL4cdrqLsnvRU+aL+nut91g+zrGP7w1nmxKgoEsrZQ/J3d7vm6f74Si399Fazmj920K2WfpA8h2JoiMTljRfw=</xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                  <xenc:DataReference
URI="#Enc-256b01d4-8e87-476b-8d8a-a7bac4805aca" />
                </xenc:ReferenceList>
              </xenc:EncryptedKey>
              <!-- Signature 1: HMAC-SHA1 keyed by the EncryptedKey above
                   (KeyInfo -> #SecurityToken-81967352-...). It covers the
                   wsa:Action, MessageID, ReplyTo, To, resourceID, Timestamp
                   and the Body (#Id-dac95a58-...), each under exclusive
                   canonicalization. -->
              <Signature Id="Sig-6254f6a8-a517-40ea-9fe6-3d5ef00c99d1"
xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                  <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                  <SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"
/>
                  <Reference URI="#Id-86ad57cc-bfca-4e94-96c6-969fa1369235">
                    <Transforms>
                      <Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <DigestValue>zpy2M9SaNEmZkdDlWw6Uso4cHJg=</DigestValue>
                  </Reference>
                  <Reference URI="#Id-558973ac-5eb5-47f6-b6c4-1e73978dbb02">
                    <Transforms>
                      <Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <DigestValue>QjYyLM3NELTeGS/Ki8hUjEXj4fc=</DigestValue>
                  </Reference>
                  <Reference URI="#Id-5c553e9f-f390-4305-88e5-406b1dab3ee1">
                    <Transforms>
                      <Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <DigestValue>KoAwaN1ArR4SRofLVYaM9pxYXqg=</DigestValue>
                  </Reference>
                  <Reference URI="#Id-cec6cc1e-d234-4184-8750-c49502709ceb">
                    <Transforms>
                      <Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <DigestValue>bwo8VmVc0oV1hKCCE7o7BA0hYsI=</DigestValue>
                  </Reference>
                  <Reference URI="#Id-891b7fc8-ff34-4896-a067-b074ee015595">
                    <Transforms>
                      <Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <DigestValue>id3JxhuOCs2XqJO9hjZU60J4bsE=</DigestValue>
                  </Reference>
                  <Reference
URI="#Timestamp-b0f5aa63-a8d0-45c9-8cea-5141f34e13c7">
                    <Transforms>
                      <Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <DigestValue>zsN5H8BG6IRKTEouGs//2bvDK5Q=</DigestValue>
                  </Reference>
                  <Reference URI="#Id-dac95a58-7a0d-40e5-890b-9ce45eada7cc">
                    <Transforms>
                      <Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <DigestValue>1B/5Btrrthb12aCsJqyBXUwJAB0=</DigestValue>
                  </Reference>
                </SignedInfo>
                <SignatureValue>7sZTXRWyW0h/hL6Ab/D2WjrSTmA=</SignatureValue>
                <KeyInfo>
                  <wsse:SecurityTokenReference>
                    <wsse:Reference
URI="#SecurityToken-81967352-db70-4336-bec8-99b141e0376e"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
/>
                  </wsse:SecurityTokenReference>
                </KeyInfo>
              </Signature>
              <!-- Signature 2: RSA-SHA1 with the client certificate
                   (KeyInfo -> #SecurityToken-3f0059b1-...), signing only
                   the first Signature element (#Sig-6254f6a8-...). This is
                   the step that binds the message to the client identity;
                   the HMAC alone proves only possession of the wrapped key. -->
              <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                  <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                  <SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                  <Reference URI="#Sig-6254f6a8-a517-40ea-9fe6-3d5ef00c99d1">
                    <Transforms>
                      <Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <DigestValue>OuXZJh/VPrVSjgUtt5P+aIckv7I=</DigestValue>
                  </Reference>
                </SignedInfo>

<SignatureValue>ZD7GKQNLJ9tVV1Roaft+BP/0MpfZv/9cZxkVPkHqvYIBAtYbfzfJ/wCkqnPUybYqAMW3GDyHIz5+rj8m3jQf7hSdrVh+h4hIzVGdLQ1AxuWZGI1jBZmEtdU2QQPb4o8HzHBI7lFM/rhSQDJcQwyfH63+FOQSqO81PjSAu6IkXac=</SignatureValue>
                <KeyInfo>
                  <wsse:SecurityTokenReference>
                    <wsse:Reference
URI="#SecurityToken-3f0059b1-7d7c-4de6-b50e-28fe86680ec8"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
/>
                  </wsse:SecurityTokenReference>
                </KeyInfo>
              </Signature>
            </wsse:Security>
          </env:Header>
          <!-- Body content encrypted with AES-256-CBC under the wrapped key
               (Type=#Content: the env:Body element itself stays visible and
               signed; only its children are replaced by EncryptedData).
               Ciphertext was removed from this paste. -->
          <env:Body wsu:Id="Id-dac95a58-7a0d-40e5-890b-9ce45eada7cc">
            <xenc:EncryptedData Id="Enc-256b01d4-8e87-476b-8d8a-a7bac4805aca"
Type="http://www.w3.org/2001/04/xmlenc#Content"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
              <xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
              <xenc:CipherData>

<xenc:CipherValue>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</xenc:CipherValue>
              </xenc:CipherData>
            </xenc:EncryptedData>
          </env:Body>
        </env:Envelope>

      </processingStep>
      <!-- WSE3 receive pipeline. The MutualCertificate11 input filter is the
           stage that verifies the signatures and decrypts the body; the trace
           reports it as terminating processing, and the "Processed message"
           that follows no longer carries the wsse:Security header. Whether
           "terminated" here means success or a policy stop is not visible in
           this trace - confirm against the WSE3 log for the same messageId. -->
      <processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.RequireSoapHeaderAssertion+RequireSoapHeaderFilter"
/>
      <processingStep description="Exited SOAP filter
Microsoft.Web.Services3.Design.RequireSoapHeaderAssertion+RequireSoapHeaderFilter"
/>
      <processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ServiceInputFilter"
/>
      <processingStep description="Exited SOAP filter
Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ServiceInputFilter"
/>
      <processingStep description="Processing of the message was terminated by
SOAP filter
Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ServiceInputFilter"
/>
      <!-- Post-pipeline form: addressing and security headers stripped, Body
           decrypted to the RequestSecurityToken for a security context token
           (TokenType .../sc/sct, RequestType .../Issue). The wst:Entropy
           BinarySecret (Type SymmetricKey) is the client's input to the
           issued session key and is in the clear here only because the trace
           shows the decrypted body - treat this trace as sensitive for the
           lifetime of that context (Lifetime/Expires below). -->
      <processingStep description="Processed message">

        <env:Envelope
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:env="http://www.w3.org/2003/05/soap-envelope">
          <env:Header>
            <tns:resourceID wsu:Id="Id-891b7fc8-ff34-4896-a067-b074ee015595"
xmlns:tns="http://gcg.cs.virginia.edu/wsrf">4cdf2e2e-dfaa-4856-b4c9-7b35be0085f0</tns:resourceID>
          </env:Header>
          <env:Body wsu:Id="Id-dac95a58-7a0d-40e5-890b-9ce45eada7cc">
            <wst:RequestSecurityToken
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">

<wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>

<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
              <wst:Entropy>
                <wst:BinarySecret
Type="http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey">B7uY8jt5labCH+TjGpz12w==</wst:BinarySecret>
              </wst:Entropy>
              <wst:Lifetime>
                <wsu:Expires>2006-05-12T18:44:21Z</wsu:Expires>
              </wst:Lifetime>
            </wst:RequestSecurityToken>
          </env:Body>
        </env:Envelope>

      </processingStep>
    </inputMessage>

---------------------------- snip ---------------------------------