axis-java-user mailing list archives

From Nandana Mihindukulasooriya <nandana....@gmail.com>
Subject Re: Adding security header to STSClient in rahas
Date Fri, 13 Mar 2009 09:56:58 GMT
Can you post the SOAP message? In the case of symmetric binding the username
token header is encrypted.

thanks,
nandana

On Thu, Mar 12, 2009 at 5:06 PM, Håkon Sagehaug
<Hakon.Sagehaug@bccs.uib.no> wrote:

>
>
> ---------- Forwarded message ----------
> From: Håkon Sagehaug <Hakon.Sagehaug@bccs.uib.no>
> Date: 2009/3/12
> Subject: Re: Adding security header to STSClient in rahas
> To: rampart-dev@ws.apache.org
>
>
> Hi
>
> What I read out of the code is that if username and password are set in
> the options they should be picked up, but I set them in the options and still no
> username token header.
>
> Here is my policy; if anyone sees something wrong it's highly appreciated.
>
> <wsp:Policy wsu:Id="SigOnly"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>     <wsp:All>
>         <sp:SymmetricBinding>
>             <wsp:Policy>
>                 <sp:ProtectionToken>
>                     <wsp:Policy>
>                         <sp:X509Token
>                             sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                             <wsp:Policy>
>                                 <sp:RequireDerivedKeys />
>                                 <sp:RequireThumbprintReference />
>                                 <sp:WssX509V3Token10 />
>                             </wsp:Policy>
>                         </sp:X509Token>
>                     </wsp:Policy>
>                 </sp:ProtectionToken>
>                 <sp:AlgorithmSuite>
>                     <wsp:Policy>
>                         <sp:Basic256 />
>                     </wsp:Policy>
>                 </sp:AlgorithmSuite>
>                 <sp:Layout>
>                     <wsp:Policy>
>                         <sp:Lax />
>                     </wsp:Policy>
>                 </sp:Layout>
>                 <sp:IncludeTimestamp />
>                 <sp:OnlySignEntireHeadersAndBody />
>             </wsp:Policy>
>         </sp:SymmetricBinding>
>         <sp:SupportingTokens
>             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <wsp:Policy>
>                 <sp:UsernameToken
>                     sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
>             </wsp:Policy>
>         </sp:SupportingTokens>
>         <sp:SignedParts>
>             <sp:Body />
>         </sp:SignedParts>
>         <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <wsp:Policy>
>                 <sp:MustSupportRefKeyIdentifier />
>                 <sp:MustSupportRefIssuerSerial />
>                 <sp:MustSupportRefThumbprint />
>                 <sp:MustSupportRefEncryptedKey />
>             </wsp:Policy>
>         </sp:Wss11>
>         <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>             <ramp:user>client</ramp:user>
>             <ramp:encryptionUser>service</ramp:encryptionUser>
>             <ramp:passwordCallbackClass>PWCBHandler</ramp:passwordCallbackClass>
>             <ramp:signatureCrypto>
>                 <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>                     <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>                     <ramp:property name="org.apache.ws.security.crypto.merlin.file">clientTrustStore.jks</ramp:property>
>                     <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">pass</ramp:property>
>                 </ramp:crypto>
>             </ramp:signatureCrypto>
>         </ramp:RampartConfig>
>     </wsp:All>
> </wsp:Policy>
>
> 2009/3/11 Martin Gainty <mgainty@hotmail.com>
>
>
>>    /**
>>     * Sets the crypto information required to process the RSTR.
>>     *
>>     * @param crypto    Crypto information
>>     * @param cbHandler Callback handler to provide the private key
>>     *                  password to decrypt
>>     */
>>    public void setCryptoInfo(Crypto crypto, CallbackHandler cbHandler) {
>>        this.crypto = crypto;
>>        this.cbHandler = cbHandler;
>>    }
>>
>> Test Harness from RampartUtil:
>> public static String getToken(RampartMessageData rmd, OMElement
>> rstTemplate,
>>            String issuerEpr, String action, Policy issuerPolicy) throws
>> RampartException {
>>
>>        try {
>>            //First check whether the user has provided the token
>>            MessageContext msgContext = rmd.getMsgContext();
>>            String customTokeId = (String) msgContext
>>                    .getProperty(RampartMessageData.KEY_CUSTOM_ISSUED_TOKEN);
>>            if(customTokeId != null) {
>>                return customTokeId;
>>            } else {
>>
>>                Axis2Util.useDOOM(false);
>>
>>                STSClient client = new STSClient(rmd.getMsgContext()
>>                        .getConfigurationContext());
>>                // Set request action
>>                client.setAction(action);
>>
>>                client.setRstTemplate(rstTemplate);
>>
>>                // Set crypto information
>>                Crypto crypto = RampartUtil.getSignatureCrypto(
>>                        rmd.getPolicyData().getRampartConfig(),
>>                        rmd.getMsgContext().getAxisService().getClassLoader());
>>                CallbackHandler cbh = RampartUtil.getPasswordCB(rmd);
>>                client.setCryptoInfo(crypto, cbh);
>>
>> which is called from BindingBuilder:
>>  protected WSSecUsernameToken addUsernameToken(RampartMessageData rmd)
>> throws RampartException {
>>
>>        log.debug("Adding a UsernameToken");
>>
>>        RampartPolicyData rpd = rmd.getPolicyData();
>>
>>        //Get the user
>>        //First try options
>>        Options options = rmd.getMsgContext().getOptions();
>>        String user = options.getUserName();
>>        if(user == null || user.length() == 0) {
>>            //Then try RampartConfig
>>            if(rpd.getRampartConfig() != null) {
>>                user = rpd.getRampartConfig().getUser();
>>            }
>>        }
>>
>>        if(user != null && !"".equals(user)) {
>>            log.debug("User : " + user);
>>
>>            //Get the password
>>
>>            //First check options object for a password
>>            String password = options.getPassword();
>>
>>            if((password == null || password.length() == 0) &&
>>                    rpd.getRampartConfig() != null) {
>>
>>                //Then try to get the password from the given callback
>> handler
>>                CallbackHandler handler = RampartUtil.getPasswordCB(rmd);
>>
>> where RampartPolicyData has mutator method for recipientToken
>> /*** @param recipientToken The recipientToken to set. */
>>    public void setRecipientToken(Token recipientToken) {
>>        this.recipientToken = recipientToken;
>>    }
>>
>> and in the RecipientBuilder.java
>>  /**
>>     * Evaluate policy data that is specific to asymmetric binding.
>>     *
>>     * @param binding
>>     *            The asymmetric binding data
>>     * @param rpd
>>     *            The WSS4J data to initialize
>>     */
>>    private static void asymmetricBinding(AsymmetricBinding binding,
>>            RampartPolicyData rpd) throws WSSPolicyException {
>>        TokenWrapper tokWrapper = binding.getRecipientToken();
>>        TokenWrapper tokWrapper1 = binding.getInitiatorToken();
>>        if (tokWrapper == null && tokWrapper1 == null) {
>>            // this is an error - throw something
>>        }
>>        rpd.setRecipientToken(((RecipientToken)
>> tokWrapper).getReceipientToken());
>>        rpd.setInitiatorToken(((InitiatorToken)
>> tokWrapper1).getInitiatorToken());
>>    }
>>
>> the key is to make sure Rec<e>ipientToken is included in the binding
>> /** in the case of AssymetricBinding ******/
>>    public PolicyComponent normalize() {
>>
>>        if (isNormalized()) {
>>            return this;
>>        }
>>
>>        AlgorithmSuite algorithmSuite = getAlgorithmSuite();
>>        List configs = algorithmSuite.getConfigurations();
>>
>>        Policy policy = new Policy();
>>        ExactlyOne exactlyOne = new ExactlyOne();
>>
>>        policy.addPolicyComponent(exactlyOne);
>>
>>        All wrapper;
>>        AsymmetricBinding asymmetricBinding;
>>
>>        for (Iterator iterator = configs.iterator(); iterator.hasNext();) {
>>            wrapper = new All();
>>            asymmetricBinding = new AsymmetricBinding();
>>
>>            asymmetricBinding.setAlgorithmSuite((AlgorithmSuite) iterator.next());
>>            asymmetricBinding.setEntireHeadersAndBodySignatures(isEntireHeadersAndBodySignatures());
>>            asymmetricBinding.setIncludeTimestamp(isIncludeTimestamp());
>>            asymmetricBinding.setInitiatorToken(getInitiatorToken());
>>            asymmetricBinding.setLayout(getLayout());
>>            asymmetricBinding.setProtectionOrder(getProtectionOrder());
>>            asymmetricBinding.setRecipientToken(getRecipientToken());
>> /********here is where the recipientToken is inserted to the Binding
>> *******/
>> Martin
>>
>>
>>
>>
>> > Date: Wed, 11 Mar 2009 08:55:09 +0100
>> > Subject: Re: Adding security header to STSClient in rahas
>> > From: Hakon.Sagehaug@bccs.uib.no
>> > To: rampart-dev@ws.apache.org
>> >
>> > Hi
>> >
>> > Yes, I've got this in the policy
>> >
>> > <sp:SupportingTokens
>> >                 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> >                 <wsp:Policy>
>> >                     <sp:UsernameToken
>> >                         sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
>> >                 </wsp:Policy>
>> >             </sp:SupportingTokens>
>> >
>> > after I define the SymmetricBinding element. Do you know the answer to what I
>> > asked about: how to tell whether the callback handler should provide a password to
>> > the keystore or actually check that the username and password are correct?
>> >
>> > cheers, Håkon
>> >
>> >
>> > 2009/3/10 Massimiliano Masi <masi@math.unifi.it>
>> >
>> > > Hi,
>> > >
>> > > Did you add in your STS policy something like:
>> > >
>> > > <wsp:Policy>
>> > >     <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>> > >         <wsp:Policy>
>> > >             <sp:HashPassword />
>> > >         </wsp:Policy>
>> > >     </sp:UsernameToken>
>> > > </wsp:Policy>
>> > >
>> > >
>> > >
>> > >
>> > > Quoting Håkon Sagehaug <Hakon.Sagehaug@bccs.uib.no>:
>> > >
>> > >  Hi all,
>> > >>
>> > >> I wanted to add a username/password token in my request to my STS service.
>> > >> I'm using the STSClient from rahas and tried this:
>> > >>
>> > >> Options options = new Options();
>> > >> options.setUserName("user");
>> > >> options.setPassword("pass");
>> > >> options.setProperty(RampartMessageData.KEY_RAMPART_POLICY,
>> > >>         loadPolicy("policy/sts_policy.xml"));
>> > >> stsClient.setOptions(options);
>> > >>
>> > >> But the messages don't have a security header.
>> > >>
>> > >> Also, how should I configure the callback handler, since it needs to both
>> > >> validate the username/password and fetch the certificate for validating
>> > >> the signed message? Should it be something like this:
>> > >>
>> > >> if(pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN){
>> > >>   /* Do password validation*/
>> > >> }
>> > >>
>> > >> if(pwcb.getUsage() == WSPasswordCallback.SIGNATURE){
>> > >> /* Do set password for keystore*/
>> > >> }
>> > >>
>> > >> cheers, Håkon
>> > >> --
>> > >> Håkon Sagehaug, Scientific Programmer
>> > >> Parallab, Bergen Center for Computational Science (BCCS)
>> > >> UNIFOB AS (University of Bergen Research Company)
>> > >>
>> > >>
>> > >
>> > >
>> > >
>> > >
>> > >
>> >
>> >
>> > --
>> > Håkon Sagehaug, Scientific Programmer
>> > Parallab, Bergen Center for Computational Science (BCCS)
>> > UNIFOB AS (University of Bergen Research Company)
>>
>
>
>
>
> --
> Håkon Sagehaug, Scientific Programmer
> Parallab, Bergen Center for Computational Science (BCCS)
> UNIFOB AS (University of Bergen Research Company)
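
Editor's note: the question Håkon raises at the bottom of the thread, how one password callback handler can both authenticate an incoming UsernameToken and unlock the private key used for signing, is answered by branching on the WSPasswordCallback usage code. The class below is an added example written for this archive page; it is not code from the thread, from Rampart or from WSS4J. It assumes the WSS4J 1.5-era org.apache.ws.security.WSPasswordCallback API (getUsage(), getIdentifer() with WSS4J 1.5's spelling, getPassword(), setPassword() and the USERNAME_TOKEN, USERNAME_TOKEN_UNKNOWN, SIGNATURE and DECRYPT constants) and the behaviour of that version's UsernameTokenProcessor: for a digested password WSS4J asks the handler for the stored password and compares the digest itself, while for a plaintext password WSS4J leaves verification to the handler. The user table and the key password are constructed placeholders; the class name matches the <ramp:passwordCallbackClass>PWCBHandler</ramp:passwordCallbackClass> entry in the posted policy.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback handler that keeps the two jobs apart: authenticating a
 * UsernameToken sent by a client, and releasing the private-key password that
 * Rampart needs for signing or decryption. (Added example, not Rampart code.)
 */
public class PWCBHandler implements CallbackHandler {

    // Constructed sample credentials (hypothetical); a real handler would
    // look users up in a directory or database, never in a static map.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("user", "pass");
    }

    // Alias of the signing key, matching <ramp:user>client</ramp:user> in the
    // posted policy, and a placeholder for that key entry's password.
    private static final String PRIVATE_KEY_ALIAS = "client";
    private static final String PRIVATE_KEY_PASSWORD = "REPLACE-WITH-KEY-PASSWORD";

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // WSS4J 1.5 spelling; WSS4J 1.6+ also offers getIdentifier().
            String id = pwcb.getIdentifer();

            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Digested password: hand WSS4J the stored password and let it
                    // recompute and compare the digest (nonce and created included).
                    String stored = USERS.get(id);
                    if (stored == null) {
                        throw new UnsupportedCallbackException(pwcb, "Unknown user: " + id);
                    }
                    pwcb.setPassword(stored);
                    break;

                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // Plaintext password: WSS4J compares nothing, so the handler
                    // must verify here and reject by throwing.
                    if (!credentialsMatch(id, pwcb.getPassword())) {
                        throw new UnsupportedCallbackException(pwcb, "Authentication failed for " + id);
                    }
                    break;

                case WSPasswordCallback.SIGNATURE:
                case WSPasswordCallback.DECRYPT:
                    // Here id is a keystore alias, not an end user. Release the key
                    // password only for the alias this service owns.
                    if (PRIVATE_KEY_ALIAS.equals(id)) {
                        pwcb.setPassword(PRIVATE_KEY_PASSWORD);
                    } else {
                        throw new UnsupportedCallbackException(pwcb, "No key password for alias " + id);
                    }
                    break;

                default:
                    throw new UnsupportedCallbackException(pwcb, "Unsupported usage " + pwcb.getUsage());
            }
        }
    }

    /** Compares in constant time so a wrong password does not leak via timing. */
    static boolean credentialsMatch(String user, String supplied) {
        String expected = (user == null) ? null : USERS.get(user);
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```

The separation matters on the receiving side: the keystore password must only ever be handed back for SIGNATURE or DECRYPT usage, and a user-token check must never fall through to that branch. Rampart loads the class named in passwordCallbackClass by name, so if PWCBHandler lives in a package the policy entry needs the fully qualified name. On the STS side, Nandana's remark above also applies when inspecting the outgoing SOAP message: under a symmetric binding the UsernameToken is carried inside an encrypted part of the security header, so its absence as a plain wsse:UsernameToken element is not by itself proof that it was never added.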
