axis-java-user mailing list archives

From "Nandana Mihindukulasooriya" <nandana....@gmail.com>
Subject Re: How to stop calling PWCallback logic for authentication using SecureConversation
Date Mon, 28 Jan 2008 03:19:38 GMT
Hi Bhushan,

In your scenario, the policy should be like the one given below. That is because you only need the Username token as a supporting token for establishing the Security Context Token. So the Username token should be in the bootstrap policy of the secure conversation token and not in the main policy.

<wsp:Policy
    wsu:Id="SecureConversation_UserNameOverTransport"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <!-- Main policy: every message travels over HTTPS and carries a timestamp -->
            <sp:TransportBinding>
                <wsp:Policy>
                    <sp:TransportToken>
                        <wsp:Policy>
                            <sp:HttpsToken RequireClientCertificate="false"/>
                        </wsp:Policy>
                    </sp:TransportToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                </wsp:Policy>
            </sp:TransportBinding>
            <!-- The Security Context Token is the only supporting token the main policy asks for -->
            <sp:SignedSupportingTokens>
                <wsp:Policy>
                    <sp:SecureConversationToken
                        sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <!-- Bootstrap policy: applies only while the Security Context Token
                                 is being established, so the Username token is required here
                                 and not on every message -->
                            <sp:BootstrapPolicy>
                                <wsp:Policy>
                                    <sp:TransportBinding>
                                        <wsp:Policy>
                                            <sp:TransportToken>
                                                <wsp:Policy>
                                                    <sp:HttpsToken RequireClientCertificate="false"/>
                                                </wsp:Policy>
                                            </sp:TransportToken>
                                            <sp:AlgorithmSuite>
                                                <wsp:Policy>
                                                    <sp:Basic256/>
                                                </wsp:Policy>
                                            </sp:AlgorithmSuite>
                                            <sp:Layout>
                                                <wsp:Policy>
                                                    <sp:Lax/>
                                                </wsp:Policy>
                                            </sp:Layout>
                                            <sp:IncludeTimestamp/>
                                        </wsp:Policy>
                                    </sp:TransportBinding>
                                    <sp:SignedSupportingTokens>
                                        <wsp:Policy>
                                            <sp:UsernameToken
                                                sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                                <wsp:Policy>
                                                    <sp:WssUsernameToken10/>
                                                </wsp:Policy>
                                            </sp:UsernameToken>
                                        </wsp:Policy>
                                    </sp:SignedSupportingTokens>
                                </wsp:Policy>
                            </sp:BootstrapPolicy>
                        </wsp:Policy>
                    </sp:SecureConversationToken>
                </wsp:Policy>
            </sp:SignedSupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

Regards,
Nandana

On Jan 24, 2008 9:24 PM, Bhushan Gupte <bgupte@arccorp.com> wrote:

>  Hi Nandana,
>
> I am trying to merge the policies of Sample01 and Sample04 from
> "samples/policy".
>
> I am trying to test a policy to pass SecureConversation Token without
> using encryption certificate (X.509) as defined in policy of Sample04.
>
> As the web service URI will be on secure HTTP connection (https) can we
> have a policy with Secure Conversation Token (as we are passing multiple
> messages) and not have one more encryption layer of X509 in the policy file?
>
> I am testing with this modified policy, can you please check what I am
> missing in this:
>
> <wsp:Policy wsu:Id="UTOverTransport"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>     <wsp:ExactlyOne>
>         <wsp:All>
>             <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                 <wsp:Policy>
>                     <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                         <wsp:Policy>
>                             <sp:HttpsToken RequireClientCertificate="false"/>
>                         </wsp:Policy>
>                     </sp:SecureConversationToken>
>                     <sp:AlgorithmSuite>
>                         <wsp:Policy>
>                             <sp:Basic256/>
>                         </wsp:Policy>
>                     </sp:AlgorithmSuite>
>                     <sp:Layout>
>                         <wsp:Policy>
>                             <sp:Lax/>
>                         </wsp:Policy>
>                     </sp:Layout>
>                     <sp:IncludeTimestamp/>
>                 </wsp:Policy>
>             </sp:TransportBinding>
>             <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                 <wsp:Policy>
>                     <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
>                 </wsp:Policy>
>             </sp:SignedSupportingTokens>
>
>             <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>                 <ramp:user>client</ramp:user>
>                 <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04.PWCBHandler</ramp:passwordCallbackClass>
>             </ramp:RampartConfig>
>
>         </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>
>
> Thanks
>
> Bhushan
>
> From: Nandana Mihindukulasooriya [mailto:nandana.cse@gmail.com]
> Sent: Wednesday, January 23, 2008 10:03 PM
> To: axis-user@ws.apache.org
> Subject: Re: How to stop calling PWCallback logic for authentication
> using SecureConversation
>
> Hi Bhushan,
>
> Can you post the modified policy you are using for this scenario so we
> can debug and see?
>
> In a real project scenario the PWCallback class will contain calls to LDAP
> for authentication, and the whole purpose of implementing
> WS-SecureConversation in addition to WS-Security is that we can have a Secure
> Conversation between messages and not have to do LDAP authentication for
> every message.
>
> Yes, I also wonder why we need to call the PWCallback once a SCT is
> established.
>
> Thanks,
> Nandana
>
>
>
>
> Bhushan Gupte
>
> [1]
>
>         OMElement response = client.sendReceive(getPayload("Hello world1"));
>         System.out.println("Response 1 : " + response);
>
>         response = client.sendReceive(getPayload("Hello world2"));
>         System.out.println("Response 2 : " + response);
>
>         response = client.sendReceive(getPayload("Hello world3"));
>         System.out.println("Response 3 : " + response);
>
> [2]
>
>         for (int i = 0; i < callbacks.length; i++) {
>             WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
>             String id = pwcb.getIdentifer();
>             if("client".equals(id)) {
>                 pwcb.setPassword("apache");
>             } else if("service".equals(id)) {
>                 pwcb.setPassword("apache");
>             }
>         }
>
>


-- 
Nandana Mihindukulasooriya
Software Engineer
WSO2 inc.

http://nandana83.blogspot.com/
http://nandanasm.wordpress.com/
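A small policy lint for the layout point made in this thread, added here as an example and not part of the Rampart samples or anyone's posted code: it parses a WS-SecurityPolicy document and flags a UsernameToken that sits outside a BootstrapPolicy (so it would be demanded on every message) or a SecureConversationToken placed inside the TransportBinding or lacking a BootstrapPolicy. Both embedded policies are constructed, minimal versions of the two in the thread, and the element names are the ones from the policies above.

```python
import xml.etree.ElementTree as ET

SP_NS = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "{%s}" % SP_NS
HEAD = '<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s"><wsp:ExactlyOne><wsp:All>' % (WSP_NS, SP_NS)
TAIL = "</wsp:All></wsp:ExactlyOne></wsp:Policy>"
HTTPS = '<wsp:Policy><sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy>'

# Constructed: the layout from the question (SCT inside the transport binding, UsernameToken in the main policy)
BROKEN_POLICY = HEAD + (
    "<sp:TransportBinding><wsp:Policy><sp:SecureConversationToken>" + HTTPS +
    "</sp:SecureConversationToken></wsp:Policy></sp:TransportBinding>"
    "<sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy>"
    "</sp:SignedSupportingTokens>") + TAIL

# Constructed: the layout from the answer (UsernameToken only inside the SCT's BootstrapPolicy)
FIXED_POLICY = HEAD + (
    "<sp:TransportBinding><wsp:Policy><sp:TransportToken>" + HTTPS +
    "</sp:TransportToken></wsp:Policy></sp:TransportBinding>"
    "<sp:SignedSupportingTokens><wsp:Policy><sp:SecureConversationToken><wsp:Policy>"
    "<sp:BootstrapPolicy><wsp:Policy><sp:TransportBinding><wsp:Policy><sp:TransportToken>"
    + HTTPS + "</sp:TransportToken></wsp:Policy></sp:TransportBinding>"
    "<sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy>"
    "</sp:SignedSupportingTokens></wsp:Policy></sp:BootstrapPolicy></wsp:Policy>"
    "</sp:SecureConversationToken></wsp:Policy></sp:SignedSupportingTokens>") + TAIL


def check_policy(xml_text):
    """Return the layout problems found (an empty list means the layout is right)."""
    root = ET.fromstring(xml_text)
    parent = {c: p for p in root.iter() for c in p}  # child -> parent map
    problems = []
    for el in root.iter():
        ancestors, p = set(), parent.get(el)
        while p is not None:                      # collect every enclosing tag
            ancestors.add(p.tag)
            p = parent.get(p)
        if el.tag == SP + "UsernameToken" and SP + "BootstrapPolicy" not in ancestors:
            problems.append("UsernameToken outside a BootstrapPolicy: the main policy "
                            "demands it on every message, so the password callback runs each time")
        if el.tag == SP + "SecureConversationToken":
            if SP + "TransportBinding" in ancestors:
                problems.append("SecureConversationToken inside TransportBinding: it "
                                "belongs in SignedSupportingTokens of the main policy")
            if el.find(".//" + SP + "BootstrapPolicy") is None:
                problems.append("SecureConversationToken without a BootstrapPolicy: "
                                "nothing states how the token is to be established")
    return problems
```

Running `check_policy` on a Rampart policy file before deploying it catches the misplaced UsernameToken that keeps PWCallback in the per-message path.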
