axis-java-user mailing list archives

From FILIPPO AGAZZI <filippo.aga...@studenti.unipr.it>
Subject Re: [Axis2] [Rampart] ws-trust negotiation and challenge extension support
Date Thu, 09 Feb 2012 12:03:54 GMT
Hi Amila,
thanks for your response. So you suggest using
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT instead of
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue?
I've already thought about this, but I don't understand what advantages I get
using the SCT action rather than the Issue action; if you could explain it to
me, I'd really appreciate it.


2012/2/9 Amila Jayasekara <amilaj@wso2.com>


> Above could be a possible solution. But let me briefly describe how
> existing Rampart handles this. In the current Rampart engine we have
> a specific client called “STSClient” [2]. STSClient is responsible for
> creating “RequestSecurityToken” with appropriate data. “STSClient”
> also sets a special action
> (http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT). If there is a
> security policy attached to the STS client it will process the appropriate
> security and send. Once the server side receives the message it will first
> process the security headers coming with “RequestSecurityToken”. (I
> guess in your case you have to modify this code to work without
> security headers for “RequestSecurityToken”.)


This is a useful suggestion, but I'm not sure which part of the code I have
to modify. Do you mean I have to modify the Rampart handler to make it work
without a security header? If I can do this, it could be a good way. And
then, by modifying STSMessageReceiver, I could establish an exchange of
RequestSecurityTokenResponse messages between STSClient and
STSMessageReceiver; are you suggesting this way? Another doubt: with this
scenario, do I not have to implement any Issuer?

Thank you very much!
Filippo A.



> Once security headers
> are processed, the message will be routed to “STSMessageReceiver” [1]
> (Rampart identifies that the message should be routed to
> STSMessageReceiver by looking at the action). “STSMessageReceiver” is
> responsible for processing “RequestSecurityToken” and creating
> “RequestSecurityTokenResponse”. As of now we have a single round. But
> in your case you need to have several rounds of message exchanges
> before you negotiate a secret (establishing a context).
> In summary, within Rampart we are handling communication with the STS
> using a client and a message receiver. As per my understanding you
> should also be able to extend the current “STSMessageReceiver”
> implementation and implement your logic.
>
>
>
> >
> > Any ideas or suggestions are very much appreciated! Sorry for the length of
> > this message!!!
> > Thanks a lot in advance,
> >
> > Best regards
> >
> > Filippo Agazzi
> >
> >
> > 2012/2/8 Prabath Siriwardena <prabath@wso2.com>
> >>
> >> Hi George,
> >>
> >> Sure.. you are somewhat outdated :-)
> >>
> >> The Rampart STS has support for WS-Trust 1.3 as well as some parts of the
> >> WS-Trust 1.4, and we ship this with the WSO2 Identity Server product - and
> >> the STS has been used in real production scenarios..
> >>
> >> Hi Filippo,
> >>
> >> Yes, as you mentioned your requirement is not supported yet.. But we can
> >> help you build it.. Please provide further insights into the
> >> requirement...
> >>
> >> Thanks & regards,
> >> -Prabath
> >>
> >> On Wed, Feb 8, 2012 at 8:29 AM, George Stanchev <Gstanchev@serena.com>
> >> wrote:
> >>>
> >>> Hi Filippo,
> >>>
> >>>
> >>>
> >>> I don’t believe the Axis2 STS is mature enough to support what you are
> >>> asking about. Nor does Rampart contain a general-purpose WS-Trust client.
> >>> AFAIK the main purpose of the Axis2 STS is to serve SCTs for
> >>> WS-SecureConversation. Granted, I’ve stopped following its development
> >>> for a while so others might correct me if I am wrong.
> >>>
> >>>
> >>>
> >>> I am not sure anything you ask for is available as open source. You can
> >>> try checking out the Apache CXF STS implementation which was donated by
> >>> Talend, which could be more mature. CXF also might have a more mature
> >>> client. Other than that, you can also check Sun’s OpenSSO or any other
> >>> more comprehensive SSO implementation. [1] contains some starting point
> >>> links.
> >>>
> >>>
> >>>
> >>> George
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> [1] http://kantarainitiative.org/wordpress/programs/iop-saml/
> >>>
> >>>
> >>>
> >>> From: FILIPPO AGAZZI [mailto:filippo.agazzi@studenti.unipr.it]
> >>> Sent: Tuesday, February 07, 2012 7:28 AM
> >>> To: java-user@axis.apache.org
> >>> Subject: [Axis2] [Rampart] ws-trust negotiation and challenge extension
> >>> support
> >>>
> >>>
> >>>
> >>> Hi all,
> >>> I'm Filippo Agazzi, an Informatics Engineering student at the University
> >>> of Parma, Italy. I'm working on a thesis about "Automated trust
> >>> negotiation using WS-* standards", and I need, as a basis, to have a
> >>> client and a service (probably an STS) challenging each other and
> >>> exchanging multiple RequestSecurityTokenResponse messages before a final
> >>> message is sent by the service to the client. I see that WS-Trust
> >>> includes a negotiation and challenge framework; so my question is: is
> >>> there any support or implementation in Axis2 and Rampart (Rahas) for this
> >>> WS-Trust extension?
> >>> I've already studied and successfully run the samples in the Rampart
> >>> distribution, for example "sample05", where the client asks for a SAML
> >>> token from an STS; but that is a single round trip, whereas I need more
> >>> rounds and I need to insert custom XML elements (for example a wsp:Policy
> >>> element) in the RequestSecurityToken and RequestSecurityTokenResponse
> >>> messages. Here is the link to the standard section I refer to:
> >>> http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/os/ws-trust-1.4-spec-os.html#_Toc212615468
> >>>
> >>> Even though there isn't any support/implementation in Axis2 for the
> >>> WS-Trust negotiation and challenge extension, does anyone have any ideas
> >>> on how this can be done? Can anyone please point me to a way to implement
> >>> this? I've searched a lot and widely on the web, but I can't find anything
> >>> really useful, so I'm hard blocked on this point.
> >>>
> >>> Thank you very much in advance.
> >>>
> >>> Best regards.
> >>>
> >>> Filippo Agazzi
> >>>
> >>>
> >>
> >>
> >>
> >>
> >> --
> >> Thanks & Regards,
> >> Prabath
> >>
> >> Mobile : +94 71 809 6732
> >>
> >> http://blog.facilelogin.com
> >> http://RampartFAQ.com
> >>
> >
>
>
>
> --
> Mobile : +94773330538
>

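The multi-round exchange Filippo is asking for, and the single-round STSClient / STSMessageReceiver split Amila describes, as an added Python sketch that is not code from this thread, from Rampart or from Rahas. It models the WS-Trust negotiation and challenge extension at the message level: an RST is answered with an RSTR carrying wst:SignChallenge, the requestor replies with an RSTR carrying wst:SignChallengeResponse, and only then does the STS issue the token in a final RSTR. The 2005/02 namespace, the RST/Issue and RSTR/Issue actions and the SignChallenge, Challenge, SignChallengeResponse and RequestedSecurityToken elements are those of WS-Trust; ToySts, ToyRequestor, negotiate and the HmacProof element are constructed here, the HMAC standing in for the XML signature a real requestor would place in the wsse:Security header. Two points matter on the service side: the outstanding nonce is bound to the Context and consumed on first use, so a replayed challenge response is rejected, and the driver caps the number of rounds so a peer cannot keep the negotiation open indefinitely.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# WS-Trust (Feb 2005) namespace and actions, as used in the thread above.
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
ACTION_RST_ISSUE = WST + "/RST/Issue"
ACTION_RSTR_ISSUE = WST + "/RSTR/Issue"   # action for challenge rounds and the final response
# Constructed element standing in for the XML signature a real requestor would put
# in the wsse:Security header; this is NOT a WS-Trust element.
PROOF = "{urn:example:toy-proof}HmacProof"


def q(local):
    """Qualified tag name in the WS-Trust namespace."""
    return "{%s}%s" % (WST, local)


def build_rst(context, token_type):
    """Round 1: the requestor's RequestSecurityToken (Issue binding)."""
    rst = ET.Element(q("RequestSecurityToken"), {"Context": context})
    ET.SubElement(rst, q("RequestType")).text = WST + "/Issue"
    ET.SubElement(rst, q("TokenType")).text = token_type
    return rst


def prove(key, challenge):
    """Toy proof of possession over the challenge (stand-in for the signature)."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()


class ToySts:
    """Service side: answers an RST with a SignChallenge, then verifies the
    SignChallengeResponse in the next round before issuing the token."""

    def __init__(self, shared_key):
        self.key = shared_key
        self.pending = {}  # Context -> outstanding nonce, single use

    def handle(self, action, body):
        context = body.get("Context")
        if action == ACTION_RST_ISSUE and body.tag == q("RequestSecurityToken"):
            nonce = secrets.token_hex(16)
            self.pending[context] = nonce
            rstr = ET.Element(q("RequestSecurityTokenResponse"), {"Context": context})
            sc = ET.SubElement(rstr, q("SignChallenge"))
            ET.SubElement(sc, q("Challenge")).text = nonce
            return ACTION_RSTR_ISSUE, rstr
        if action == ACTION_RSTR_ISSUE and body.tag == q("RequestSecurityTokenResponse"):
            nonce = self.pending.pop(context, None)  # consumed: a replay of this round fails
            scr = body.find(q("SignChallengeResponse"))
            if nonce is None or scr is None:
                raise ValueError("no outstanding challenge for context %r" % context)
            if scr.findtext(q("Challenge")) != nonce:
                raise ValueError("echoed challenge does not match")
            if not hmac.compare_digest(prove(self.key, nonce), scr.findtext(PROOF) or ""):
                raise ValueError("challenge proof failed")
            rstr = ET.Element(q("RequestSecurityTokenResponse"), {"Context": context})
            holder = ET.SubElement(rstr, q("RequestedSecurityToken"))
            ET.SubElement(holder, "{urn:example:toy-token}Token").text = "issued-for-" + context
            return ACTION_RSTR_ISSUE, rstr
        raise ValueError("unexpected message %s for action %s" % (body.tag, action))


class ToyRequestor:
    """Client side: answers a SignChallenge with a SignChallengeResponse."""

    def __init__(self, shared_key):
        self.key = shared_key

    def respond(self, body):
        """Return (action, RSTR) if the STS sent a challenge, else None."""
        sc = body.find(q("SignChallenge"))
        if sc is None:
            return None
        nonce = sc.findtext(q("Challenge"))
        rstr = ET.Element(q("RequestSecurityTokenResponse"), {"Context": body.get("Context")})
        scr = ET.SubElement(rstr, q("SignChallengeResponse"))
        ET.SubElement(scr, q("Challenge")).text = nonce
        ET.SubElement(scr, PROOF).text = prove(self.key, nonce)
        return ACTION_RSTR_ISSUE, rstr


def negotiate(requestor, sts, context="ctx-1", max_rounds=4):
    """Drive RST -> RSTR(challenge) -> RSTR(response) -> RSTR(token), bounded in rounds."""
    action, msg = ACTION_RST_ISSUE, build_rst(context, "urn:example:toy-token")
    for rounds in range(1, max_rounds + 1):
        action, reply = sts.handle(action, msg)
        holder = reply.find(q("RequestedSecurityToken"))
        if holder is not None:
            return {"rounds": rounds, "token": holder[0].text}
        nxt = requestor.respond(reply)
        if nxt is None:
            raise ValueError("STS reply carries neither a token nor a challenge")
        action, msg = nxt
    raise ValueError("negotiation exceeded %d rounds" % max_rounds)


if __name__ == "__main__":
    print(negotiate(ToyRequestor(b"shared"), ToySts(b"shared")))
```

Mapped onto Rampart's structure, ToyRequestor is the role STSClient would play and ToySts.handle is the role an extended STSMessageReceiver would play; the point Amila raises is that the receiver must accept an RSTR as an incoming message for the challenge round, not only an RST, and must key the outstanding round by Context.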