  1. Rampart
  2. RAMPART-67

Problems with namespaces prefixes when encrypting or signing

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.2
    • Fix Version/s: None
    • Component/s: rampart-policy
    • Labels: None
    • Environment: Windows XP SP2, Java 1.6, Tomcat 6.0

    Description

      I found a strange behaviour in my service policy: I'm trying to encrypt ServiceGroupId and some of my payload elements.

      For example, in my service policy I have:

      <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:XPath>descendant::ns3:getPatientsResponse</sp:XPath>
      </sp:EncryptedElements>

      If the client sends elements defined with that prefix, there's no problem when decrypting them in the service. But when I need to encrypt elements like that to send them back to the client, I get this exception:

      org.apache.axis2.AxisFault: java.lang.RuntimeException: org.jaxen.UnresolvableException: Cannot resolve namespace prefix 'ns3'
          at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:178)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:261)
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:581)
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
          at java.lang.Thread.run(Unknown Source)
      Caused by: java.lang.RuntimeException: org.jaxen.UnresolvableException: Cannot resolve namespace prefix 'ns3'
          at org.apache.rampart.util.RampartUtil.getPartsAndElements(RampartUtil.java:705)
          at org.apache.rampart.util.RampartUtil.getEncryptedParts(RampartUtil.java:564)
          at org.apache.rampart.PolicyBasedResultsValidator.validate(PolicyBasedResultsValidator.java:67)
          at org.apache.rampart.RampartEngine.process(RampartEngine.java:88)
          at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:71)
          at org.apache.axis2.engine.Phase.invoke(Phase.java:383)
          at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:203)
          at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:131)
          at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:279)
          at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:116)
          ... 14 more
      Caused by: org.jaxen.UnresolvableException: Cannot resolve namespace prefix 'ns3'
          at org.jaxen.expr.DefaultNameStep.matches(DefaultNameStep.java:340)
          at org.jaxen.expr.DefaultNameStep.evaluate(DefaultNameStep.java:209)
          at org.jaxen.expr.DefaultLocationPath.evaluate(DefaultLocationPath.java:140)
          at org.jaxen.expr.DefaultXPathExpr.asList(DefaultXPathExpr.java:102)
          at org.jaxen.BaseXPath.selectNodesForContext(BaseXPath.java:680)
          at org.jaxen.BaseXPath.selectNodes(BaseXPath.java:219)
          at org.apache.rampart.util.RampartUtil.getPartsAndElements(RampartUtil.java:690)
          ... 23 more

      validateSystem works OK, but validate doesn't.

      In the case of encrypting ServiceGroupID, it says it cannot resolve prefix 'axis2'. With other elements such as addressing headers and timestamp there is no problem.

      For some operations, I have a response like this:

      <ns3:getPrimitiveDataResponse xmlns:ns3="http://op_messages.medici_link/xsd">
        <parameterData xmlns="http://op_messages.medici_link/xsd">
          <annotations
              xmlns="http://external.communication_data_model.medici_link/xsd"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
          <dataSegments xmlns="http://external.communication_data_model.medici_link/xsd">
            <beginMsec>1186069490203</beginMsec>
            <endMsec>1186069490203</endMsec>
            <data>
              <xop:Include
                  href="cid:1.urn:uuid:A1C749B6FA326E166A1186069490615@apache.org"
                  xmlns:xop="http://www.w3.org/2004/08/xop/include" />
            </data>
          </dataSegments>
        </parameterData>
      </ns3:getPrimitiveDataResponse>

      and I want to sign and encrypt annotations and dataSegments, so I put that in the policy, but none of them are encrypted or signed, and I don't get any exception either.

      It seems that Rampart isn't able to find them. I tried identifying them in the policy with descendant::ns3:dataSegments and descendant::dataSegments. Maybe this happens because they are defined in another namespace and they have no prefix in the message.

      Attachments

        1. JIRA70.rar
          274 kB
          Jorge Fernández
        2. WebServiceTest.rar
          86 kB
          Jorge Fernández
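
Both symptoms in the report turn on XPath 1.0 name matching: a prefix in the expression is resolved through the evaluator's own bindings, not the message's declarations, and an unprefixed name test selects only elements in no namespace. The following is an added example, not part of the report and not Rampart code: it checks policy expressions against a sample message with the JDK's javax.xml.xpath instead of Jaxen, and the class name, method names and the `ext` prefix are assumptions made for the illustration.

```java
import java.io.StringReader;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class PolicyXPathCheck {
    // Constructed sample, cut down from the response quoted in the report.
    static final String MSG =
        "<ns3:getPrimitiveDataResponse xmlns:ns3='http://op_messages.medici_link/xsd'>"
      + "<parameterData xmlns='http://op_messages.medici_link/xsd'>"
      + "<dataSegments xmlns='http://external.communication_data_model.medici_link/xsd'>"
      + "<beginMsec>1186069490203</beginMsec></dataSegments>"
      + "</parameterData></ns3:getPrimitiveDataResponse>";

    // Prefixes used in an expression resolve through this map, never through the message.
    static NamespaceContext context(Map<String, String> bindings) {
        return new NamespaceContext() {
            public String getNamespaceURI(String p) { return bindings.getOrDefault(p, ""); }
            public String getPrefix(String uri) { return null; }
            public Iterator<String> getPrefixes(String uri) { return Collections.emptyIterator(); }
        };
    }

    // Match count, or -1 when the expression cannot be evaluated (for example an unbound prefix).
    static int matches(Document doc, String expr, Map<String, String> bindings) {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setNamespaceContext(context(bindings));
        try {
            return ((NodeList) xp.evaluate(expr, doc.getDocumentElement(), XPathConstants.NODESET)).getLength();
        } catch (XPathExpressionException e) {
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // the DOM must carry namespace URIs for these name tests
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(MSG)));
        Map<String, String> b = Map.of("ns3", "http://op_messages.medici_link/xsd",
            "ext", "http://external.communication_data_model.medici_link/xsd"); // "ext" is a hypothetical prefix
        for (String e : new String[] {"descendant::ns3:dataSegments", "descendant::dataSegments", "descendant::ext:dataSegments"})
            System.out.println(e + " -> " + matches(doc, e, b));
        System.out.println("no bindings -> " + matches(doc, "descendant::ns3:dataSegments", Map.of()));
    }
}
```

A count of 0 for an expression listed under sp:EncryptedElements or a signing policy is the silent case from the report, where the element goes out unprotected with no error; -1 corresponds to the unresolved-prefix exception.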

          People

            Assignee: Nandana Mihindukulasooriya (nandana.cse)
            Reporter: Jorge Fernández (informaticu007-pfc)