Apache Rampart 1.8.0 Release Notes

Apache Rampart 1.8.0 is a major release designed for compatibility with Axis2 1.8.2.

A huge amount of effort went into upgrading everything possible up to Jakarta, namely OpenSAML to 4.3 and ws-wss4j to 3.0.3.

This will be the last javax-based release. The next Rampart release will be 2.0.0 and will support Axis2 2.0.0, Jakarta, Servlet 6.0 and EE 10. This should happen soon, as the hard work in Axis2 2.0.0 has already been done. The biggest expected challenge will be the OpenSAML upgrade from 4.x, which supports javax, to 5.x, which supports Jakarta.

The Apache Rampart project and our top-level Axis project covering Axis2 need committers!

GitHub PRs are welcome too. If you have an interest in a feature that Rampart lacks, or have simply found a bug you can help with, please think about contributing.

Jira issues completed for 1.8.0:

Sub-task

  • [RAMPART-234] - Allow custom https listeners to populate the client certificate chain in the message context

Bug

  • [RAMPART-325] - NullPointerException with UsernameToken Policy and MTOM Policy without Rampart Config in WSDL
  • [RAMPART-331] - Unreachable code in org.apache.rahas.STSMessageReceiver.invokeBusinessLogic() - "dispatcher" is never null at end of try
  • [RAMPART-361] - Rampart cannot accept Username token which is generated from WCF client, due to namespace-qualified password type attribute in username token
  • [RAMPART-374] - Not Able to use custom validator for USERNAME_TOKEN during server side validation
  • [RAMPART-388] - NPE in RampartUtil#setKeyIdentifierType (line #1389) wss (web service security options assertion) is null.
  • [RAMPART-390] - SupportingToken assertions do not support multiple nested protection assertions
  • [RAMPART-396] - NullPointerException using STS, Trust and entropy
  • [RAMPART-423] - STS implementation may lead to performance reduction
  • [RAMPART-432] - Axis2 BSP compliance
  • [RAMPART-435] - Unable to set timestampTTL and timestampMaxSkew values through a rampart callback - org.apache.axis2.AxisFault: The message has expired
  • [RAMPART-437] - SHA256 not supported for DigestAlgorithm for TransportBinding when specified correctly in policy.xml
  • [RAMPART-441] - rampart-config.xsd is outdated
  • [RAMPART-448] - NullPointerException in RampartUtil.setKeyIdentifierType() when signing response
  • [RAMPART-449] - NoClassDefFoundError with Axis2 1.8.0
  • [RAMPART-452] - Rampart Dependency on Outdated Version of WSS4J 1.6.x

New Feature

  • [RAMPART-261] - Ability to Toggle "mustUnderstand" flag in security header.
  • [RAMPART-417] - Support for transport binding Kerberos v5 authentication
  • [RAMPART-433] - Support for Kerberos v5 delegated authentication

Improvement

  • [RAMPART-205] - Setting WSSConfig properties from RampartConfig
  • [RAMPART-335] - X509V3 KeyIdentifier cannot be set dynamically
  • [RAMPART-339] - Sample 09 for rampart policy samples -(different security policies to secure request and response messages with policy attachments)
  • [RAMPART-369] - Rampart project needs a DOAP file.
  • [RAMPART-420] - Allow WS-Security timestamps to be spoofed and BSP checking disabled
  • [RAMPART-440] - update OpenSAML to 2.6.1
  • [RAMPART-451] - remove xalan dependency due to it being end of life

Request

  • [RAMPART-453] - Request to release the next latest rampart-trust version

Question

  • [RAMPART-436] - Proper settings to use WS-Security(UsernameToken) with Rampart 1.7.0
  • [RAMPART-442] - Help ASAP

Documentation