W3C drafts on Efficient XML Interchange, EXI - I didn't say binary XML

Even though I'm not up-todate with every WS-* standard I do think that I have reasonably knowledge of what's going on (to my advantage many of these standards are slowgoing). Therefore I was quite surprised when I stumbled upon EXI in late 2007 on the w3 news list: Efficient XML Interchange (EXI) Drafts: Format, Best Practices, Primer. Never heard of it before but it quickly beamed in on my radar as binary XML in disguise - it's not, well it's not really binary XML. I do believe that keeping it as text is a great advantage as I heard David Megginson cut out at an XML Conference some years ago, that maybe in the long run it'll all interoperate without the developers getting they're hands on it, but until then it sure does make debugging much easier (my phrasing).

The Efficient XML Interchange (EXI) Working Group has published three documents:

• EXI Primer
• Working Draft of EXI Format 1.0
• EXI Best Practices

Quickly onto the big question:

The Efficient XML Interchange Working Group is responsible for developing ways to exchange XML documents in ways that are as efficient as is practical without compromising the interoperability of XML itself. It also continues the work of the XML Binary Characterization Working Group. This Working Group is not about producing a closed, proprietary or obfuscated “binary XML” — The W3C is all about increasing interoperability!

Okay so what is it about:

EXI is a very compact representation for the Extensible Markup Language (XML) Information Set that is intended to simultaneously optimize performance and the utilization of computational resources. Using a relatively simple algorithm, which is amenable to fast and compact implementation, and a small set of data types, it reliably produces efficient encodings of XML event streams.

I would like Eclipse to be able to handle mid-sized XML files more easily, so if it can help me with that I might be interested.

Rampart policy samples for runing Axis2 with WS-SecurityPolicy

When I first tried out WS-Security WSS4J was quite new and used in axis1 by adding handlers, and it work quite nicely. I was at that time doing interop with WSE2.0, which already at that time had support for WS-SecurityPolicy (can't remember what version) which I liked because it was more explicit and craftet for that whereas the generic parameter controlled handlers were all generic. Since then a lot has happend and now there are specific parameters for WSS4J as I looked at in the post Rampart basic examples - how you add WS-Security to Axis2. But there's much more cause now there's also support for WS-SecurityPolicy and I'll take a first look at the policy samples in this post and hopefully soon find time to look deeper into one of them and try it out.

At the front page for the rampart module project the supported standards are listed:

• WS-Security 1.0
• WS-Secure Conversation - February 2005
• WS-Security Policy 1.1 - July 2005
• WS-Trust - February 2005
• WS-Trust - WS-SX spec - EXPERIMENTAL

I'm not sure how updated this information is and I haven't followed the ws-* track lately, but I think that those specs have matured into standards and I guess that rampart is almost up todate if not there already.

I had expected these samples to be analogies to the basic samples but they're not and they are quite more complex. There are a total of six samples where the last one demands custom setup of tomcat so I'll skip that one and take the first five ones. Since it's been some time since I last looked at these kind of policies I'm not into them yet and I'll just list the policy files here and then later analyse one of them more closely.

01. UsernameToken Authentication

The policy uses a TransportBinding and requires a SignedSupportingToken which is a UsernameToken and the inclusion of a TimeStamp.

    1 <?xml version="1.0" encoding="UTF-8"?>
    2 <!--
    3   !
    4   ! Copyright 2006 The Apache Software Foundation.
    5   !
    6   ! Licensed under the Apache License, Version 2.0 (the "License");
    7   ! you may not use this file except in compliance with the License.
    8   ! You may obtain a copy of the License at
    9   !
   10   !      http://www.apache.org/licenses/LICENSE-2.0
   11   !
   12   ! Unless required by applicable law or agreed to in writing, software
   13   ! distributed under the License is distributed on an "AS IS" BASIS,
   14   ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   15   ! See the License for the specific language governing permissions and
   16   ! limitations under the License.
   17   !-->
   18 <!-- services.xml of sample-1 : UsernameToken-->
   19 <service>
   20 
   21   <operation name="echo">
   22     <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" />
   23   </operation>
   24 
   25   <parameter
   26     name="ServiceClass"
   27     locked="false">org.apache.rampart.samples.policy.sample01.SimpleService</parameter>
   28 
   29   <module ref="rampart" />
   30   <module ref="addressing" />
   31 
   32   <wsp:Policy
   33     wsu:Id="UTOverTransport"
   34     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   35     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
   36     <wsp:ExactlyOne>
   37       <wsp:All>
   38 
   39         <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   40           <wsp:Policy>
   41             <sp:TransportToken>
   42               <wsp:Policy>
   43                 <sp:HttpsToken RequireClientCertificate="false" />
   44               </wsp:Policy>
   45             </sp:TransportToken>
   46             <sp:AlgorithmSuite>
   47               <wsp:Policy>
   48                 <sp:Basic256 />
   49               </wsp:Policy>
   50             </sp:AlgorithmSuite>
   51             <sp:Layout>
   52               <wsp:Policy>
   53                 <sp:Lax />
   54               </wsp:Policy>
   55             </sp:Layout>
   56             <sp:IncludeTimestamp />
   57           </wsp:Policy>
   58         </sp:TransportBinding>
   59 
   60         <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   61           <wsp:Policy>
   62             <sp:UsernameToken
   63               sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
   64           </wsp:Policy>
   65         </sp:SignedSupportingTokens>
   66 
   67         <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
   68           <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample01.PWCBHandler</ramp:passwordCallbackClass>
   69         </ramp:RampartConfig>
   70 
   71       </wsp:All>
   72     </wsp:ExactlyOne>
   73   </wsp:Policy>
   74 
   75 </service>

02. Sign only

An AsymmetricBinding is used. Entire headers and body to be signed. Algorithm suite is TripleDesRsa15

   33   <wsp:Policy
   34     wsu:Id="SigOnly"
   35     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   36     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
   37     <wsp:ExactlyOne>
   38       <wsp:All>
   39 
   40         <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   41           <wsp:Policy>
   42 
   43             <sp:InitiatorToken>
   44               <wsp:Policy>
   45                 <sp:X509Token
   46                   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
   47                   <wsp:Policy>
   48                     <sp:WssX509V3Token10 />
   49                   </wsp:Policy>
   50                 </sp:X509Token>
   51               </wsp:Policy>
   52             </sp:InitiatorToken>
   53 
   54             <sp:RecipientToken>
   55               <wsp:Policy>
   56                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
   57                   <wsp:Policy>
   58                     <sp:WssX509V3Token10 />
   59                   </wsp:Policy>
   60                 </sp:X509Token>
   61               </wsp:Policy>
   62             </sp:RecipientToken>
   63 
   64             <sp:AlgorithmSuite>
   65               <wsp:Policy>
   66                 <sp:TripleDesRsa15 />
   67               </wsp:Policy>
   68             </sp:AlgorithmSuite>
   69 
   70             <sp:Layout>
   71               <wsp:Policy>
   72                 <sp:Strict />
   73               </wsp:Policy>
   74             </sp:Layout>
   75 
   76             <sp:IncludeTimestamp />
   77 
   78             <sp:OnlySignEntireHeadersAndBody />
   79 
   80           </wsp:Policy>
   81         </sp:AsymmetricBinding>
   82 
   83         <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   84           <wsp:Policy>
   85             <sp:MustSupportRefKeyIdentifier />
   86             <sp:MustSupportRefIssuerSerial />
   87           </wsp:Policy>
   88         </sp:Wss10>
   89 
   90         <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   91           <sp:Body />
   92         </sp:SignedParts>
   93 
   94         <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
   95           <ramp:user>service</ramp:user>
   96           <ramp:encryptionUser>client</ramp:encryptionUser>
   97           <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample02.PWCBHandler</ramp:passwordCallbackClass>
   98           <ramp:signatureCrypto>
   99             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
  100               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
  101               <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
  102               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
  103             </ramp:crypto>
  104           </ramp:signatureCrypto>
  105         </ramp:RampartConfig>
  106 
  107       </wsp:All>
  108     </wsp:ExactlyOne>
  109   </wsp:Policy>

03. Sign and Encrypt messages

An AsymmetricBinding is used. Entire headers and body to be signed. EncryptionParts specifies the Body to be encrypted. Algorithm suite is TripleDesRsa15

   33   <wsp:Policy
   34     wsu:Id="SigEncr"
   35     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   36     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
   37     <wsp:ExactlyOne>
   38       <wsp:All>
   39 
   40         <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   41           <wsp:Policy>
   42 
   43             <sp:InitiatorToken>
   44               <wsp:Policy>
   45                 <sp:X509Token
   46                   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
   47                   <wsp:Policy>
   48                     <sp:WssX509V3Token10 />
   49                   </wsp:Policy>
   50                 </sp:X509Token>
   51               </wsp:Policy>
   52             </sp:InitiatorToken>
   53 
   54             <sp:RecipientToken>
   55               <wsp:Policy>
   56                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
   57                   <wsp:Policy>
   58                     <sp:WssX509V3Token10 />
   59                   </wsp:Policy>
   60                 </sp:X509Token>
   61               </wsp:Policy>
   62             </sp:RecipientToken>
   63 
   64             <sp:AlgorithmSuite>
   65               <wsp:Policy>
   66                 <sp:TripleDesRsa15 />
   67               </wsp:Policy>
   68             </sp:AlgorithmSuite>
   69 
   70             <sp:Layout>
   71               <wsp:Policy>
   72                 <sp:Strict />
   73               </wsp:Policy>
   74             </sp:Layout>
   75 
   76             <sp:IncludeTimestamp />
   77 
   78             <sp:OnlySignEntireHeadersAndBody />
   79 
   80           </wsp:Policy>
   81         </sp:AsymmetricBinding>
   82 
   83         <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   84           <wsp:Policy>
   85             <sp:MustSupportRefKeyIdentifier />
   86             <sp:MustSupportRefIssuerSerial />
   87           </wsp:Policy>
   88         </sp:Wss10>
   89 
   90         <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   91           <sp:Body />
   92         </sp:SignedParts>
   93 
   94         <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   95           <sp:Body />
   96         </sp:EncryptedParts>
   97 
   98         <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
   99           <ramp:user>service</ramp:user>
  100           <ramp:encryptionUser>client</ramp:encryptionUser>
  101           <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample03.PWCBHandler</ramp:passwordCallbackClass>
  102 
  103           <ramp:signatureCrypto>
  104             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
  105               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
  106               <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
  107               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
  108             </ramp:crypto>
  109           </ramp:signatureCrypto>
  110 
  111           <ramp:encryptionCypto>
  112             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
  113               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
  114               <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
  115               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
  116             </ramp:crypto>
  117           </ramp:encryptionCypto>
  118 
  119         </ramp:RampartConfig>
  120 
  121       </wsp:All>
  122     </wsp:ExactlyOne>
  123   </wsp:Policy>

04. SecureConversation

The secure session is bootstrapped using a SymetricBinding which uses derived keys based on an ephemeral key. Messages in the secure conversation:

• Includes a timestamp
• All headers are signed along with the timestamp
• Signature encrypted
• Body encrypted

Algorithm suite is Basic128Rsa15

   30   <module ref="rampart" />
   31   <module ref="rahas" />
   32   <module ref="addressing" />
   33 
   34   <wsp:Policy
   35     wsu:Id="SecConvPolicy"
   36     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   37     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
   38     <wsp:ExactlyOne>
   39       <wsp:All>
   40 
   41         <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   42           <wsp:Policy>
   43 
   44             <sp:ProtectionToken>
   45               <wsp:Policy>
   46                 <sp:SecureConversationToken
   47                   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
   48                   <wsp:Policy>
   49                     <sp:RequireDerivedKeys />
   50                     <sp:BootstrapPolicy>
   51                       <wsp:Policy>
   52 
   53                         <sp:EncryptedParts>
   54                           <sp:Body />
   55                         </sp:EncryptedParts>
   56 
   57                         <sp:SymmetricBinding>
   58                           <wsp:Policy>
   59                             <sp:ProtectionToken>
   60                               <wsp:Policy>
   61                                 <sp:X509Token
   62                                   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
   63                                   <wsp:Policy>
   64                                     <sp:RequireDerivedKeys />
   65                                     <sp:RequireThumbprintReference />
   66                                     <sp:WssX509V3Token10 />
   67                                   </wsp:Policy>
   68                                 </sp:X509Token>
   69                               </wsp:Policy>
   70                             </sp:ProtectionToken>
   71                             <sp:AlgorithmSuite>
   72                               <wsp:Policy>
   73                                 <sp:Basic128Rsa15 />
   74                               </wsp:Policy>
   75                             </sp:AlgorithmSuite>
   76                             <sp:Layout>
   77                               <wsp:Policy>
   78                                 <sp:Strict />
   79                               </wsp:Policy>
   80                             </sp:Layout>
   81                             <sp:IncludeTimestamp />
   82                             <sp:EncryptSignature />
   83                             <sp:OnlySignEntireHeadersAndBody />
   84                           </wsp:Policy>
   85                         </sp:SymmetricBinding>
   86 
   87                         <sp:EndorsingSupportingTokens>
   88                           <wsp:Policy>
   89                             <sp:X509Token
   90                               sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
   91                               <wsp:Policy>
   92                                 <sp:RequireThumbprintReference />
   93                                 <sp:WssX509V3Token10 />
   94                               </wsp:Policy>
   95                             </sp:X509Token>
   96                           </wsp:Policy>
   97                         </sp:EndorsingSupportingTokens>
   98 
   99                         <sp:Wss11>
  100                           <wsp:Policy>
  101                             <sp:MustSupportRefKeyIdentifier />
  102                             <sp:MustSupportRefIssuerSerial />
  103                             <sp:MustSupportRefThumbprint />
  104                             <sp:MustSupportRefEncryptedKey />
  105                             <sp:RequireSignatureConfirmation />
  106                           </wsp:Policy>
  107                         </sp:Wss11>
  108 
  109                         <sp:Trust10>
  110                           <wsp:Policy>
  111                             <sp:MustSupportIssuedTokens />
  112                             <sp:RequireClientEntropy />
  113                             <sp:RequireServerEntropy />
  114                           </wsp:Policy>
  115                         </sp:Trust10>
  116 
  117                       </wsp:Policy>
  118                     </sp:BootstrapPolicy>
  119                   </wsp:Policy>
  120                 </sp:SecureConversationToken>
  121               </wsp:Policy>
  122             </sp:ProtectionToken>
  123 
  124             <sp:AlgorithmSuite>
  125               <wsp:Policy>
  126                 <sp:Basic128Rsa15 />
  127               </wsp:Policy>
  128             </sp:AlgorithmSuite>
  129 
  130             <sp:Layout>
  131               <wsp:Policy>
  132                 <sp:Strict />
  133               </wsp:Policy>
  134             </sp:Layout>
  135 
  136             <sp:IncludeTimestamp />
  137             <sp:EncryptSignature />
  138             <sp:OnlySignEntireHeadersAndBody />
  139 
  140           </wsp:Policy>
  141         </sp:SymmetricBinding>
  142 
  143         <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  144           <wsp:Policy>
  145             <sp:MustSupportRefKeyIdentifier />
  146             <sp:MustSupportRefIssuerSerial />
  147             <sp:MustSupportRefThumbprint />
  148             <sp:MustSupportRefEncryptedKey />
  149           </wsp:Policy>
  150         </sp:Wss11>
  151 
  152         <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  153           <wsp:Policy>
  154             <sp:MustSupportIssuedTokens />
  155             <sp:RequireClientEntropy />
  156             <sp:RequireServerEntropy />
  157           </wsp:Policy>
  158         </sp:Trust10>
  159 
  160         <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  161           <sp:Body />
  162         </sp:EncryptedParts>
  163 
  164         <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
  165           <ramp:user>service</ramp:user>
  166           <ramp:encryptionUser>client</ramp:encryptionUser>
  167           <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04.PWCBHandler</ramp:passwordCallbackClass>
  168 
  169           <ramp:signatureCrypto>
  170             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
  171               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
  172               <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
  173               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
  174             </ramp:crypto>
  175           </ramp:signatureCrypto>
  176 
  177           <ramp:encryptionCypto>
  178             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
  179               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
  180               <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
  181               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
  182             </ramp:crypto>
  183           </ramp:encryptionCypto>
  184 
  185         </ramp:RampartConfig>
  186 
  187       </wsp:All>
  188     </wsp:ExactlyOne>
  189   </wsp:Policy>
  190 
  191   <parameter name="sct-issuer-config">
  192     <sct-issuer-config>
  193       <cryptoProperties>
  194         <crypto provider="org.apache.ws.security.components.crypto.Merlin">
  195           <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
  196           <property name="org.apache.ws.security.crypto.merlin.file">sts.jks</property>
  197           <property name="org.apache.ws.security.crypto.merlin.keystore.password">password</property>
  198         </crypto>
  199       </cryptoProperties>
  200       <addRequestedAttachedRef />
  201       <addRequestedUnattachedRef />
  202 
  203       <!--
  204         Key computation mechanism
  205         1 - Use Request Entropy
  206         2 - Provide Entropy
  207         3 - Use Own Key
  208       -->
  209       <keyComputation>3</keyComputation>
  210 
  211       <!--
  212         proofKeyType element is valid only if the keyComputation is set to 3
  213         i.e. Use Own Key
  214 
  215         Valid values are: EncryptedKey & BinarySecret
  216       -->
  217       <proofKeyType>BinarySecret</proofKeyType>
  218     </sct-issuer-config>
  219   </parameter>
  220 
  221   <parameter name="token-canceler-config">
  222     <token-canceler-config>
  223 
  224     </token-canceler-config>
  225   </parameter>

WS-Trust

RST - Resquest Security Token Service - Issuing a SAML token - issuing a token

   19 <service>
   20   <!--operation name="echo">
   21     <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
   22     </operation>
   23     <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.policy.sample01.SimpleService</parameter-->
   24 
   25   <module ref="rampart" />
   26   <module ref="addressing" />
   27   <module ref="rahas" />
   28 
   29   <parameter name="saml-issuer-config">
   30     <saml-issuer-config>
   31       <issuerName>SAMPLE_STS</issuerName>
   32       <issuerKeyAlias>service</issuerKeyAlias>
   33       <issuerKeyPassword>apache</issuerKeyPassword>
   34       <cryptoProperties>
   35         <crypto provider="org.apache.ws.security.components.crypto.Merlin">
   36           <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
   37           <property name="org.apache.ws.security.crypto.merlin.file">service.jks</property>
   38           <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
   39         </crypto>
   40       </cryptoProperties>
   41       <timeToLive>300000</timeToLive>
   42       <keySize>256</keySize>
   43       <addRequestedAttachedRef />
   44       <addRequestedUnattachedRef />
   45 
   46       <!--
   47         Key computation mechanism
   48         1 - Use Request Entropy
   49         2 - Provide Entropy
   50         3 - Use Own Key
   51       -->
   52       <keyComputation>2</keyComputation>
   53 
   54       <!--
   55         proofKeyType element is valid only if the keyComputation is set to 3
   56         i.e. Use Own Key
   57 
   58         Valid values are: EncryptedKey & BinarySecret
   59       -->
   60       <proofKeyType>BinarySecret</proofKeyType>
   61       <trusted-services>
   62         <service alias="client">http://localhost:8080/axis2/services/SimpleService</service>
   63       </trusted-services>
   64     </saml-issuer-config>
   65   </parameter>
   66 
   67   <wsp:Policy
   68     wsu:Id="SigOnly"
   69     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   70     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
   71     <wsp:ExactlyOne>
   72       <wsp:All>
   73 
   74         <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   75           <wsp:Policy>
   76             <sp:InitiatorToken>
   77               <wsp:Policy>
   78                 <sp:X509Token
   79                   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
   80                   <wsp:Policy>
   81                     <sp:WssX509V3Token10 />
   82                   </wsp:Policy>
   83                 </sp:X509Token>
   84               </wsp:Policy>
   85             </sp:InitiatorToken>
   86             <sp:RecipientToken>
   87               <wsp:Policy>
   88                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
   89                   <wsp:Policy>
   90                     <sp:WssX509V3Token10 />
   91                   </wsp:Policy>
   92                 </sp:X509Token>
   93               </wsp:Policy>
   94             </sp:RecipientToken>
   95             <sp:AlgorithmSuite>
   96               <wsp:Policy>
   97                 <sp:TripleDesRsa15 />
   98               </wsp:Policy>
   99             </sp:AlgorithmSuite>
  100             <sp:Layout>
  101               <wsp:Policy>
  102                 <sp:Strict />
  103               </wsp:Policy>
  104             </sp:Layout>
  105             <sp:IncludeTimestamp />
  106             <sp:OnlySignEntireHeadersAndBody />
  107           </wsp:Policy>
  108         </sp:AsymmetricBinding>
  109 
  110         <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  111           <wsp:Policy>
  112             <sp:MustSupportRefKeyIdentifier />
  113             <sp:MustSupportRefIssuerSerial />
  114           </wsp:Policy>
  115         </sp:Wss10>
  116 
  117         <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  118           <sp:Body />
  119         </sp:SignedParts>
  120 
  121         <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
  122 
  123           <ramp:user>service</ramp:user>
  124           <ramp:encryptionUser>client</ramp:encryptionUser>
  125           <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample05.PWCBHandler</ramp:passwordCallbackClass>
  126 
  127           <ramp:signatureCrypto>
  128             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
  129               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
  130               <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
  131               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
  132             </ramp:crypto>
  133           </ramp:signatureCrypto>
  134 
  135         </ramp:RampartConfig>
  136 
  137       </wsp:All>
  138     </wsp:ExactlyOne>
  139   </wsp:Policy>
  140 
  141 </service>

There's a lot of detail and information to catch up on, but it'll probably not turn out as bad as looks here at first glance. One thing I do like is that the references to keystores are in the same context and thereby closer coupled, since I do remember fiddling with all those seperate and loosely couples files.

SOAP and the Byte Order Mark (BOM)

I've known about Byte Order Mark in the context of XML. But how about in the context of SOAP? To my simple understanding (SOAP) web services is all about exchanging XML Documents (mostly over HTTP), so since Byte Order Marks are part of the XML Specification it should also be part of SOAP. Since I've never thought or heard of it before nor of problems related to it I decided to look a bit closer.

In Wikipedia the Byte Order Mark the definition goes like:

A byte-order mark (BOM) is the Unicode character at code point U+FEFF ("zero-width no-break space") when that character is used to denote the endianness of a string of UCS/Unicode characters encoded in UTF-16 or UTF-32. It is conventionally used as a marker to indicate that text is encoded in UTF-8, UTF-16 or UTF-32.

In most character encodings the BOM is a pattern which is unlikely to be seen in other contexts (it would usually look like a sequence of obscure control codes). If a BOM is misinterpreted as an actual character within Unicode text then it will generally be invisible due to the fact it is a zero-width no-break space. Use of the U+FEFF character for non-BOM purposes has been deprecated in Unicode 3.2 (which provides an alternative, U+2060, for those other purposes), allowing U+FEFF to be used solely with the semantic of BOM.

Next place to look is the XML Specification, where some terms/defintions are needed. In 2 Documents

[Definition: A data object is an XML document if it is well-formed, as defined in this specification. In addition, the XML document is valid if it meets certain further constraints.]

Each XML document has both a logical and a physical structure. Physically, the document is composed of units called entities. An entity may refer to other entities to cause their inclusion in the document. A document begins in a "root" or document entity. Logically, the document is composed of declarations, elements, comments, character references, and processing instructions, all of which are indicated in the document by explicit markup. The logical and physical structures MUST nest properly, as described in 4.3.2 Well-Formed Parsed Entities.

Then down in 4.3.3 Character Encoding in Entities (my strong):

Each external parsed entity in an XML document may use a different encoding for its characters. All XML processors MUST be able to read entities in both the UTF-8 and UTF-16 encodings. The terms "UTF-8" and "UTF-16" in this specification do not apply to character encodings with any other labels, even if the encodings or labels are very similar to UTF-8 or UTF-16.

Entities encoded in UTF-16 MUST and entities encoded in UTF-8 MAY begin with the Byte Order Mark described by Annex H of [ISO/IEC 10646:2000], section 2.4 of [Unicode], and section 2.7 of [Unicode3] (the ZERO WIDTH NO-BREAK SPACE character, #xFEFF). This is an encoding signature, not part of either the markup or the character data of the XML document. XML processors MUST be able to use this character to differentiate between UTF-8 and UTF-16 encoded documents.

..............

In the absence of information provided by an external transport protocol (e.g. HTTP or MIME), it is a fatal error for an entity including an encoding declaration to be presented to the XML processor in an encoding other than that named in the declaration, or for an entity which begins with neither a Byte Order Mark nor an encoding declaration to use an encoding other than UTF-8. Note that since ASCII is a subset of UTF-8, ordinary ASCII entities do not strictly need an encoding declaration.

And a little more in Appendix F.1 Detection Without External Encoding Information.

In an older article in MSDN Library Archived the interoperability aspect is raised:Web Services Interoperability and SOAP () under XML Problems

The second set of possible interop issues are those involving XML parsing and XSD schema handling. SOAP uses XML and XML Schemas at its core, so interoperable handling of both is requisite for SOAP interop.

An interesting example of an interop issue involving both XML parsing and HTTP transports relates to the Byte Order Mark, or BOM. When sending data over HTTP, you can specify the encoding of the data, such as UTF-16 or UTF-8, in the Content-Type header. You can also indicate the encoding of a piece of XML by inserting a set of bytes that specify the encoding used. When sending UTF-16, the BOM is needed, even if the encoding is present in the Content-Type header (to indicate big-endian or little-endian), but for UTF-8 it is unnecessary.

The first three characters here are hex for the Byte Order Mark indicating UTF-8, but as you can see, the Content-Type also stated this. Some implementations send the BOM for UTF-8, even though they don't need to. Others are unable to process XML with any BOM. The solution here is to avoid sending it unless needed, and to correctly handle it. The correct handling of BOM is essential in processing UTF-16 messages, as BOM is required in this case. Although there is no single way to resolve such issues ahead of time, the best solution once issues are recognized is to refer to the actual specifications (usually found at the W3C) that describe the standards; then apply those specifications as the arbiter of any problem.

The sentence The solution here is to avoid sending it unless needed, and to correctly handle it sounds a little easy, but a variant of be strict on what you send and lax on what you receive which is a clever strategy though it's doesn't make it as easy for you as it should!

What to conclude?

The WS-I Basic Profile 1.0 addresses this issue in 3.1.3 Unicode BOMs:

XML 1.0 allows UTF-8 encoding to include a BOM; therefore, receivers of envelopes must be prepared to accept them. The BOM is mandatory for XML encoded as UTF-16.

R4001 A RECEIVER MUST accept envelopes that include the Unicode Byte Order Mark (BOM).

So it is intuitive as in what goes for XML goes for XML in SOAP.

Runnning the Axis2 Rampart sample "04. Message integrity and non-repudiation with signature"

In a the post Rampart basic examples - how you add WS-Security to Axis2 I listed all the great examples. In this post I'll actually run one of the samples and show the generated messages. I'll take the fourth sample Message integrity and non-repudiation with signature since it's simple and adds great value with both integrity and authentication since only the sender can sign with the X509 certificate (except when the certificate is shared like here :-).

In the binary distribution of Rampart in the samples/basic folder the README.txt explains how to the run the samples:

You can use the ant build script provided here to run these samples.

Exmaple: Running sample - 01
    - Start two shell instnaces and change to the directory where this file is
    - To start the service:
      $ ant service.01
    - To run client:
      $ ant client.01

--------------------------------------------------------------------------------
NOTE: To view the messages exchanged
    - Change the "client.port" property in the "build.xml" to an available port
          E.g. : >property name="client.port" value="9080"/<
        - Setup tcpmon (http://ws.apache.org/commons/tcpmon/) to listen on the above
          port and to point to port 8080 (value of the service.port property)

which is quite easy, though I needed to do a couple of small fixes.

The Service (serverside)

First I wanted to start the service/server. Here's what I did to get it running:

• setup the environment variable AXIS2_HOME. I first downloaded the Axis2 nightly to end up with a problem with running the client so I'll suggest you use Axis2 version 1.3.
• Prepare to show messages with TCPMon by changing the client.port property:

  <property name="client.port" value="9999"/>

• In <macrodef name="create.service.repo"> I changed:

  <copy file="${modules.dir}/${rampart.mar}" tofile="${service.repos.dir}/sample@{sample.number}/modules/${rampart.mar}" overwrite="true"/>
  

  to

  <copy file="../../${rampart.mar}" tofile="${service.repos.dir}/sample@{sample.number}/modules/${rampart.mar}" overwrite="true"/>
  

• Added the following fileset to the classpath on both the javac and java tasks:

  <fileset dir="../../lib">
    <include name="*.jar"/>
  </fileset>
  

Then I was able to start the service (where <RAMPART_DIR> is where I unzipped Rampart-1.3):

$ ant service.04
Buildfile: build.xml

check.dependency:

service.04:
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/service_repositories/sample04/modules
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/service_repositories/sample04/modules
    [javac] Compiling 2 source files to <RAMPART_DIR>/samples/basic/build/temp
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/temp/META-INF
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/temp
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/temp
      [jar] Building jar: <RAMPART_DIR>/samples/basic/build/service_repositories/sample04/services/sample04.aar
   [delete] Deleting directory <RAMPART_DIR>/samples/basic/build/temp
     [java] [SimpleHTTPServer] Starting
     [java] [SimpleHTTPServer] Using the Axis2 Repository <RAMPART_DIR>/samples/basic/build/service_repositories/sample04
     [java] [SimpleHTTPServer] Listening on port 8080
     [java] 2008-01-11 20:21:10,948 INFO  org.apache.axis2.deployment.ModuleDeployer - Deploying module: addressing-SNAPSHOT - file:<RAMPART_DIR>/samples/basic/build/service_repositories/sample04/modules/addressing-SNAPSHOT.mar
     [java] 2008-01-11 20:21:11,737 INFO  org.apache.axis2.deployment.ModuleDeployer - Deploying module: rampart-1.3 - file:<RAMPART_DIR>/samples/basic/build/service_repositories/sample04/modules/rampart-1.3.mar
     [java] 2008-01-11 20:21:12,036 INFO  org.apache.axis2.deployment.ServiceDeployer - Deploying Web service: sample04.aar - file:<RAMPART_DIR>/samples/basic/build/service_repositories/sample04/services/sample04.aar
     [java] 2008-01-11 20:21:12,096 INFO  org.apache.axis2.transport.http.server.DefaultConnectionListener - Listening on port 8080
     [java] [SimpleHTTPServer] Started

The client

Running the client is very much like the service, though I first got this error when I used the Axis2 nightly:

     [java] Exception in thread "main" org.apache.axis2.deployment.DeploymentException: javax/jms/BytesMessage
     [java]     at org.apache.axis2.deployment.AxisConfigBuilder.processTransportSenders(AxisConfigBuilder.java:596)
     [java]     at org.apache.axis2.deployment.AxisConfigBuilder.populateConfig(AxisConfigBuilder.java:117)
     [java]     at org.apache.axis2.deployment.DeploymentEngine.populateAxisConfiguration(DeploymentEngine.java:628)
     [java]     at org.apache.axis2.deployment.FileSystemConfigurator.getAxisConfiguration(FileSystemConfigurator.java:115)
     [java]     at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContext(ConfigurationContextFactory.java:64)
     [java]     at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContextFromFileSystem(ConfigurationContextFactory.java:180)
     [java]     at org.apache.rampart.samples.sample04.Client.main(Unknown Source)
     [java] Caused by: java.lang.NoClassDefFoundError: javax/jms/BytesMessage
     [java]     at java.lang.Class.getDeclaredConstructors0(Native Method)
     [java]     at java.lang.Class.privateGetDeclaredConstructors(Class.java:2389)
     [java]     at java.lang.Class.getConstructor0(Class.java:2699)
     [java]     at java.lang.Class.newInstance0(Class.java:326)
     [java]     at java.lang.Class.newInstance(Class.java:308)
     [java]     at org.apache.axis2.deployment.AxisConfigBuilder.processTransportSenders(AxisConfigBuilder.java:581)
     [java]     ... 6 more
     [java] Java Result: 1

looks like theree's been some changes to the deployment file format though I haven't checked it out. After also doing the last two steps for the serverside for the clientside target I was able to run the client:

     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/client_repositories/sample04/conf
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/client_repositories/sample04/modules
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/client_repositories/sample04/modules
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/temp_client
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/temp_client
     [java] <ns:echoResponse xmlns:ns="http://sample04.samples.rampart.apache.org"<>ns:return>Hello world</ns:return></ns:echoResponse>

Nice, but hard to tell whether WS-Security actually was used so let's have a look at the messages that was exchanged.

The messages

Request

The request had the following HTTP headers:

POST /axis2/services/sample04 HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: "urn:echo"
User-Agent: Axis2
Host: localhost:9999
Transfer-Encoding: chunked

and the SOAP request, where the SOAP-header carries the WS-Security elements:

    1 <?xml version='1.0' encoding='UTF-8'?>
    2 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    3   <soapenv:Header>
    4     <wsse:Security
    5       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    6       soapenv:mustUnderstand="1">
    7       <wsse:BinarySecurityToken
    8         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    9         EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
   10         ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
   11         wsu:Id="CertId-148082">
   12         MIICTDC....UiaNKiQiu16JCnxc8tGSw3nSPg44aLYmA==
   13       </wsse:BinarySecurityToken>
   14       <ds:Signature
   15         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
   16         Id="Signature-21878616">
   17         <ds:SignedInfo>
   18           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   19           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
   20           <ds:Reference URI="#id-24778599">
   21             <ds:Transforms>
   22               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   23             </ds:Transforms>
   24             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
   25             <ds:DigestValue>aIRDYzmMgF/dcP7cUJS6B6T7q8k=</ds:DigestValue>
   26           </ds:Reference>
   27         </ds:SignedInfo>
   28         <ds:SignatureValue>
   29           TVbeyvg....9SH/13k1qpki9...+ZZM+9sIsFs=
   30         </ds:SignatureValue>
   31         <ds:KeyInfo Id="KeyId-6400263">
   32           <wsse:SecurityTokenReference
   33             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   34             wsu:Id="STRId-3115866">
   35             <wsse:Reference
   36               URI="#CertId-148082"
   37               ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
   38           </wsse:SecurityTokenReference>
   39         </ds:KeyInfo>
   40       </ds:Signature>
   41       <wsu:Timestamp
   42         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   43         wsu:Id="Timestamp-20735553">
   44         <wsu:Created>2008-01-11T19:46:23.656Z</wsu:Created>
   45         <wsu:Expires>2008-01-11T19:51:23.656Z</wsu:Expires>
   46       </wsu:Timestamp>
   47     </wsse:Security>
   48   </soapenv:Header>
   49   <soapenv:Body
   50     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   51     wsu:Id="id-24778599">
   52     <ns1:echo xmlns:ns1="http://sample04.samples.rampart.apache.org">
   53       <param0>Hello world</param0>
   54     </ns1:echo>
   55   </soapenv:Body>
   56 </soapenv:Envelope>

Response

The response had these HTTP headers:

HTTP/1.1 200 OK
Date: Fri, 11 Jan 2008 19:46:24 GMT
Server: Simple-Server/1.1
Transfer-Encoding: chunked
Content-Type: text/xml; charset=UTF-8

and the SOAP response which is symmetrical to the request:

    1 <?xml version='1.0' encoding='UTF-8'?>
    2 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    3   <soapenv:Header>
    4     <wsse:Security
    5       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    6       soapenv:mustUnderstand="1">
    7       <wsse:BinarySecurityToken
    8         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    9         EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
   10         ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
   11         wsu:Id="CertId-2150700">
   12         MIICTjCCAbcCBEbJZQEw....AqNbjO7+Jbm6+3pyYagQoBpdHZLnR....A3+5xl4VI.......bGxa4+vIbbV4CaUG5s5x
   13       </wsse:BinarySecurityToken>
   14       <ds:Signature
   15         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
   16         Id="Signature-6302571">
   17         <ds:SignedInfo>
   18           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   19           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
   20           <ds:Reference URI="#id-26343425">
   21             <ds:Transforms>
   22               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   23             </ds:Transforms>
   24             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
   25             <ds:DigestValue>f0hkA2SGmWtioGBaLwlfsGbSgMk=</ds:DigestValue>
   26           </ds:Reference>
   27           <ds:Reference URI="#SigConf-18206828">
   28             <ds:Transforms>
   29               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   30             </ds:Transforms>
   31             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
   32             <ds:DigestValue>W1coTKqCERwIlbeiGL83w7pAEi4=</ds:DigestValue>
   33           </ds:Reference>
   34         </ds:SignedInfo>
   35         <ds:SignatureValue>
   36           IgzqToPMv...ZNrYDe/29JFnAkl....BAYOZMtCPs2XG0btNpX2BegULxk=
   37         </ds:SignatureValue>
   38         <ds:KeyInfo Id="KeyId-7435043">
   39           <wsse:SecurityTokenReference
   40             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   41             wsu:Id="STRId-4070344">
   42             <wsse:Reference
   43               URI="#CertId-2150700"
   44               ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
   45           </wsse:SecurityTokenReference>
   46         </ds:KeyInfo>
   47       </ds:Signature>
   48       <wsu:Timestamp
   49         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   50         wsu:Id="Timestamp-18092261">
   51         <wsu:Created>2008-01-11T19:46:24.558Z</wsu:Created>
   52         <wsu:Expires>2008-01-11T19:51:24.558Z</wsu:Expires>
   53       </wsu:Timestamp>
   54       <wsse11:SignatureConfirmation
   55         xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
   56         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   57         Value="TVbeyvgLy...1QgDj8Nau0Fp+ZZM+9sIsFs="
   58         wsu:Id="SigConf-18206828" />
   59     </wsse:Security>
   60   </soapenv:Header>
   61   <soapenv:Body
   62     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   63     wsu:Id="id-26343425">
   64     <ns:echoResponse xmlns:ns="http://sample04.samples.rampart.apache.org">
   65       <ns:return>Hello world</ns:return>
   66     </ns:echoResponse>
   67   </soapenv:Body>
   68 </soapenv:Envelope>

Looking at the configuration for the serverside:

   32   <parameter name="InflowSecurity">
   33     <action>
   34       <items>Timestamp Signature</items>
   35       <signaturePropFile>service.properties</signaturePropFile>
   36     </action>
   37   </parameter>
   38 
   39   <parameter name="OutflowSecurity">
   40     <action>
   41       <items>Timestamp Signature</items>
   42       <user>service</user>
   43       <passwordCallbackClass>org.apache.rampart.samples.sample04.PWCBHandler</passwordCallbackClass>
   44       <signaturePropFile>service.properties</signaturePropFile>
   45       <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
   46     </action>
   47   </parameter>

I can be seen that in verifying the request there's a demand for the Timestamp and the certificate used for the signature to be accepted based on the properties in service.properties. In this specific request the public part is embedded in the BinarySecurityToken and only the path or the specific certificate is to be checked. In the response the DirectReference makes the public part of the X509 certificate embedded with BinarySecurityToken and the password callback is needed to access the private key for creating the signature.