We are implementing WS-Security Policy on our web services with the following framework/module/specification.
Apache Axis2 1.6.2
Apache Rampart 1.6.2
WS-Security Policy 1.2(namespace:http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702)
We are facing the following issues while creating/consuming the service.
- Axis2 wsdl generation logic ignores
<sp:NoPassword/>
assertion. After debugging,I realized that it is because of the logic in org.apache.ws.secpolicy.model.UsernameToken (rampart-policy-1.6.2.jar) that expects<sp:WssUsernameToken11 />
( or<sp:WssUsernameToken10 />
) to be specified - again when I specify that, the<sp:NoPassword/>
is created as child element of<sp:WssUsernameToken11 />
which was causing<sp:NoPassword/>
to get ignored on the client (consumer) side. - In the implementation of
org.apache.rampart.PolicyBasedResultsValidator/handleSupportingTokens
method - NoPassword scenario is not considerd ; hence it always fails saying "org.apache.axis2.AxisFault: UsernameToken missing in request". - On the consumer side, for WS Security policy 1.2 to work, we had to remove rahas-1.6.2.mar from client side rampart repository;there is a JIRA ticket too - https://issues.apache.org/jira/browse/RAMPART-371
Please suggest if I missed something here.
来源:https://stackoverflow.com/questions/18990151/in-apache-axis2-rampart-while-generating-wsdl-and-validating-policy-is-ws-secu