When I first tried out WS-Security, WSS4J was quite new and was used in Axis1 by adding handlers, and it worked quite nicely. At that time I was doing interop with WSE 2.0, which already had support for WS-SecurityPolicy (I can't remember which version). I liked that because it was more explicit and crafted for the purpose, whereas the parameter-controlled handlers were all generic. Since then a lot has happened, and now there are specific parameters for WSS4J, as I looked at in the post Rampart basic examples - how you add WS-Security to Axis2. But there's much more, because now there's also support for WS-SecurityPolicy. I'll take a first look at the policy samples in this post and hopefully soon find time to look deeper into one of them and try it out.
On the front page of the Rampart module project the supported standards are listed:
- WS-Security 1.0
- WS-Secure Conversation - February 2005
- WS-Security Policy 1.1 - July 2005
- WS-Trust - February 2005
- WS-Trust - WS-SX spec - EXPERIMENTAL
I'm not sure how up to date this information is, and I haven't followed the WS-* track lately, but I think those specs have matured into standards and I guess Rampart is almost up to date, if not there already.
I had expected these samples to be analogous to the basic samples, but they're not; they are considerably more complex. There are six samples in total, and the last one demands a custom Tomcat setup, so I'll skip that one and take the first five. Since it's been some time since I last looked at this kind of policy I'm not into them yet, so I'll just list the policy files here and later analyse one of them more closely.
01. UsernameToken Authentication
The policy uses a TransportBinding and requires a SignedSupportingToken, which is a UsernameToken, plus the inclusion of a Timestamp.
<?xml version="1.0" encoding="UTF-8"?>
<!--
 ! Copyright 2006 The Apache Software Foundation.
 !
 ! Licensed under the Apache License, Version 2.0 (the "License");
 ! you may not use this file except in compliance with the License.
 ! You may obtain a copy of the License at
 !
 ! http://www.apache.org/licenses/LICENSE-2.0
 !
 ! Unless required by applicable law or agreed to in writing, software
 ! distributed under the License is distributed on an "AS IS" BASIS,
 ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 ! See the License for the specific language governing permissions and
 ! limitations under the License.
 !-->
<!-- services.xml of sample-1 : UsernameToken-->
<service>

  <operation name="echo">
    <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" />
  </operation>

  <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.policy.sample01.SimpleService</parameter>

  <module ref="rampart" />
  <module ref="addressing" />

  <wsp:Policy wsu:Id="UTOverTransport"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
      <wsp:All>

        <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken RequireClientCertificate="false" />
              </wsp:Policy>
            </sp:TransportToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256 />
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax />
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp />
          </wsp:Policy>
        </sp:TransportBinding>

        <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
          </wsp:Policy>
        </sp:SignedSupportingTokens>

        <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
          <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample01.PWCBHandler</ramp:passwordCallbackClass>
        </ramp:RampartConfig>

      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

</service>
02. Sign only
An AsymmetricBinding is used. Entire headers and body are to be signed. The algorithm suite is TripleDesRsa15.
  <wsp:Policy wsu:Id="SigOnly"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
      <wsp:All>

        <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>

            <sp:InitiatorToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:WssX509V3Token10 />
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:InitiatorToken>

            <sp:RecipientToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                  <wsp:Policy>
                    <sp:WssX509V3Token10 />
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:RecipientToken>

            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:TripleDesRsa15 />
              </wsp:Policy>
            </sp:AlgorithmSuite>

            <sp:Layout>
              <wsp:Policy>
                <sp:Strict />
              </wsp:Policy>
            </sp:Layout>

            <sp:IncludeTimestamp />

            <sp:OnlySignEntireHeadersAndBody />

          </wsp:Policy>
        </sp:AsymmetricBinding>

        <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier />
            <sp:MustSupportRefIssuerSerial />
          </wsp:Policy>
        </sp:Wss10>

        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
        </sp:SignedParts>

        <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
          <ramp:user>service</ramp:user>
          <ramp:encryptionUser>client</ramp:encryptionUser>
          <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample02.PWCBHandler</ramp:passwordCallbackClass>
          <ramp:signatureCrypto>
            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
            </ramp:crypto>
          </ramp:signatureCrypto>
        </ramp:RampartConfig>

      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
03. Sign and Encrypt messages
An AsymmetricBinding is used. Entire headers and body are to be signed. EncryptedParts specifies that the Body is to be encrypted. The algorithm suite is TripleDesRsa15.
  <wsp:Policy wsu:Id="SigEncr"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
      <wsp:All>

        <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>

            <sp:InitiatorToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:WssX509V3Token10 />
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:InitiatorToken>

            <sp:RecipientToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                  <wsp:Policy>
                    <sp:WssX509V3Token10 />
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:RecipientToken>

            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:TripleDesRsa15 />
              </wsp:Policy>
            </sp:AlgorithmSuite>

            <sp:Layout>
              <wsp:Policy>
                <sp:Strict />
              </wsp:Policy>
            </sp:Layout>

            <sp:IncludeTimestamp />

            <sp:OnlySignEntireHeadersAndBody />

          </wsp:Policy>
        </sp:AsymmetricBinding>

        <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier />
            <sp:MustSupportRefIssuerSerial />
          </wsp:Policy>
        </sp:Wss10>

        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
        </sp:SignedParts>

        <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
        </sp:EncryptedParts>

        <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
          <ramp:user>service</ramp:user>
          <ramp:encryptionUser>client</ramp:encryptionUser>
          <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample03.PWCBHandler</ramp:passwordCallbackClass>

          <ramp:signatureCrypto>
            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
            </ramp:crypto>
          </ramp:signatureCrypto>

          <ramp:encryptionCypto>
            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
            </ramp:crypto>
          </ramp:encryptionCypto>

        </ramp:RampartConfig>

      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
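As an added example (not part of the Rampart samples or this post), here is a small Python check that walks a WS-SecurityPolicy like the ones in samples 01 to 03, summarizes the binding, algorithm suite, timestamp and protected parts, and reports the settings a reviewer would question, such as the RSA-1.5 key transport and 3DES that TripleDesRsa15 selects. The embedded policy is constructed, modelled on sample 03, and the finding texts are my own.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

# Constructed policy modelled on sample 03 (AsymmetricBinding, TripleDesRsa15,
# timestamp, Body signed and encrypted). Not the project's own services.xml.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding><wsp:Policy>
      <sp:AlgorithmSuite><wsp:Policy><sp:TripleDesRsa15/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
      <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy></sp:AsymmetricBinding>
    <sp:SignedParts><sp:Body/></sp:SignedParts>
    <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

def local(tag):
    """Strip the namespace: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]

def nested_assertion(el):
    """Name of Y in <X><wsp:Policy><sp:Y/></wsp:Policy></X>, or None."""
    inner = el.find(f"{{{WSP}}}Policy")
    return local(inner[0].tag) if inner is not None and len(inner) else None

def summarize(policy_xml):
    """Collect the settings that matter for a security review of the policy."""
    root = ET.fromstring(policy_xml)
    info = {"binding": None, "suite": None, "layout": None, "timestamp": False,
            "client_cert": None, "signed": [], "encrypted": []}
    for el in root.iter():
        name = local(el.tag)
        if name.endswith("Binding") and info["binding"] is None:
            info["binding"] = name  # outermost binding wins; sample 04 nests one
        elif name == "AlgorithmSuite" and info["suite"] is None:
            info["suite"] = nested_assertion(el)
        elif name == "Layout" and info["layout"] is None:
            info["layout"] = nested_assertion(el)
        elif name == "IncludeTimestamp":
            info["timestamp"] = True
        elif name == "HttpsToken":  # sample 01 sets RequireClientCertificate="false"
            info["client_cert"] = el.get("RequireClientCertificate") == "true"
        elif name == "SignedParts":
            info["signed"] = [local(c.tag) for c in el]
        elif name == "EncryptedParts":
            info["encrypted"] = [local(c.tag) for c in el]
    return info

def audit(info):
    """Review findings for a summarized policy; an empty list means nothing flagged."""
    findings = []
    suite = info["suite"] or ""
    if suite.endswith("Rsa15"):
        findings.append("RSA-1.5 key transport (PKCS#1 v1.5 padding); "
                        "prefer an OAEP suite such as Basic256")
    if suite.startswith("TripleDes"):
        findings.append("3DES data encryption; prefer an AES suite such as Basic128 or Basic256")
    if not info["timestamp"]:
        findings.append("no IncludeTimestamp: replayed messages are not bounded in time")
    if info["binding"] != "TransportBinding" and not info["signed"]:
        findings.append("message-level binding with no SignedParts: nothing is integrity-protected")
    if info["binding"] == "TransportBinding" and info["client_cert"] is False:
        findings.append("HttpsToken without client certificate: the password is the only client proof")
    return findings
```

Running `audit(summarize(SAMPLE_POLICY))` on the constructed policy yields the two algorithm-suite findings; pointing it at the sample 01 policy instead flags the missing client certificate.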
04. SecureConversation
The secure session is bootstrapped using a SymmetricBinding which uses derived keys based on an ephemeral key. Messages in the secure conversation:
- Include a timestamp
- All headers are signed along with the timestamp
- Signature is encrypted
- Body is encrypted
The algorithm suite is Basic128Rsa15.
  <module ref="rampart" />
  <module ref="rahas" />
  <module ref="addressing" />

  <wsp:Policy wsu:Id="SecConvPolicy"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
      <wsp:All>

        <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>

            <sp:ProtectionToken>
              <wsp:Policy>
                <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:RequireDerivedKeys />
                    <sp:BootstrapPolicy>
                      <wsp:Policy>

                        <sp:EncryptedParts>
                          <sp:Body />
                        </sp:EncryptedParts>

                        <sp:SymmetricBinding>
                          <wsp:Policy>
                            <sp:ProtectionToken>
                              <wsp:Policy>
                                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                  <wsp:Policy>
                                    <sp:RequireDerivedKeys />
                                    <sp:RequireThumbprintReference />
                                    <sp:WssX509V3Token10 />
                                  </wsp:Policy>
                                </sp:X509Token>
                              </wsp:Policy>
                            </sp:ProtectionToken>
                            <sp:AlgorithmSuite>
                              <wsp:Policy>
                                <sp:Basic128Rsa15 />
                              </wsp:Policy>
                            </sp:AlgorithmSuite>
                            <sp:Layout>
                              <wsp:Policy>
                                <sp:Strict />
                              </wsp:Policy>
                            </sp:Layout>
                            <sp:IncludeTimestamp />
                            <sp:EncryptSignature />
                            <sp:OnlySignEntireHeadersAndBody />
                          </wsp:Policy>
                        </sp:SymmetricBinding>

                        <sp:EndorsingSupportingTokens>
                          <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                              <wsp:Policy>
                                <sp:RequireThumbprintReference />
                                <sp:WssX509V3Token10 />
                              </wsp:Policy>
                            </sp:X509Token>
                          </wsp:Policy>
                        </sp:EndorsingSupportingTokens>

                        <sp:Wss11>
                          <wsp:Policy>
                            <sp:MustSupportRefKeyIdentifier />
                            <sp:MustSupportRefIssuerSerial />
                            <sp:MustSupportRefThumbprint />
                            <sp:MustSupportRefEncryptedKey />
                            <sp:RequireSignatureConfirmation />
                          </wsp:Policy>
                        </sp:Wss11>

                        <sp:Trust10>
                          <wsp:Policy>
                            <sp:MustSupportIssuedTokens />
                            <sp:RequireClientEntropy />
                            <sp:RequireServerEntropy />
                          </wsp:Policy>
                        </sp:Trust10>

                      </wsp:Policy>
                    </sp:BootstrapPolicy>
                  </wsp:Policy>
                </sp:SecureConversationToken>
              </wsp:Policy>
            </sp:ProtectionToken>

            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic128Rsa15 />
              </wsp:Policy>
            </sp:AlgorithmSuite>

            <sp:Layout>
              <wsp:Policy>
                <sp:Strict />
              </wsp:Policy>
            </sp:Layout>

            <sp:IncludeTimestamp />
            <sp:EncryptSignature />
            <sp:OnlySignEntireHeadersAndBody />

          </wsp:Policy>
        </sp:SymmetricBinding>

        <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier />
            <sp:MustSupportRefIssuerSerial />
            <sp:MustSupportRefThumbprint />
            <sp:MustSupportRefEncryptedKey />
          </wsp:Policy>
        </sp:Wss11>

        <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportIssuedTokens />
            <sp:RequireClientEntropy />
            <sp:RequireServerEntropy />
          </wsp:Policy>
        </sp:Trust10>

        <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
        </sp:EncryptedParts>

        <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
          <ramp:user>service</ramp:user>
          <ramp:encryptionUser>client</ramp:encryptionUser>
          <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04.PWCBHandler</ramp:passwordCallbackClass>

          <ramp:signatureCrypto>
            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
            </ramp:crypto>
          </ramp:signatureCrypto>

          <ramp:encryptionCypto>
            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
            </ramp:crypto>
          </ramp:encryptionCypto>

        </ramp:RampartConfig>

      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

  <parameter name="sct-issuer-config">
    <sct-issuer-config>
      <cryptoProperties>
        <crypto provider="org.apache.ws.security.components.crypto.Merlin">
          <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
          <property name="org.apache.ws.security.crypto.merlin.file">sts.jks</property>
          <property name="org.apache.ws.security.crypto.merlin.keystore.password">password</property>
        </crypto>
      </cryptoProperties>
      <addRequestedAttachedRef />
      <addRequestedUnattachedRef />

      <!--
        Key computation mechanism
        1 - Use Request Entropy
        2 - Provide Entropy
        3 - Use Own Key
      -->
      <keyComputation>3</keyComputation>

      <!--
        proofKeyType element is valid only if the keyComputation is set to 3
        i.e. Use Own Key

        Valid values are: EncryptedKey & BinarySecret
      -->
      <proofKeyType>BinarySecret</proofKeyType>
    </sct-issuer-config>
  </parameter>

  <parameter name="token-canceler-config">
    <token-canceler-config>

    </token-canceler-config>
  </parameter>
05. WS-Trust
RST - Request Security Token - issuing a SAML token
<service>
  <!--operation name="echo">
    <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
  </operation>
  <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.policy.sample01.SimpleService</parameter-->

  <module ref="rampart" />
  <module ref="addressing" />
  <module ref="rahas" />

  <parameter name="saml-issuer-config">
    <saml-issuer-config>
      <issuerName>SAMPLE_STS</issuerName>
      <issuerKeyAlias>service</issuerKeyAlias>
      <issuerKeyPassword>apache</issuerKeyPassword>
      <cryptoProperties>
        <crypto provider="org.apache.ws.security.components.crypto.Merlin">
          <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
          <property name="org.apache.ws.security.crypto.merlin.file">service.jks</property>
          <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
        </crypto>
      </cryptoProperties>
      <timeToLive>300000</timeToLive>
      <keySize>256</keySize>
      <addRequestedAttachedRef />
      <addRequestedUnattachedRef />

      <!--
        Key computation mechanism
        1 - Use Request Entropy
        2 - Provide Entropy
        3 - Use Own Key
      -->
      <keyComputation>2</keyComputation>

      <!--
        proofKeyType element is valid only if the keyComputation is set to 3
        i.e. Use Own Key

        Valid values are: EncryptedKey & BinarySecret
      -->
      <proofKeyType>BinarySecret</proofKeyType>
      <trusted-services>
        <service alias="client">http://localhost:8080/axis2/services/SimpleService</service>
      </trusted-services>
    </saml-issuer-config>
  </parameter>

  <wsp:Policy wsu:Id="SigOnly"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
      <wsp:All>

        <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:InitiatorToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:WssX509V3Token10 />
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:InitiatorToken>
            <sp:RecipientToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                  <wsp:Policy>
                    <sp:WssX509V3Token10 />
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:RecipientToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:TripleDesRsa15 />
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict />
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp />
            <sp:OnlySignEntireHeadersAndBody />
          </wsp:Policy>
        </sp:AsymmetricBinding>

        <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier />
            <sp:MustSupportRefIssuerSerial />
          </wsp:Policy>
        </sp:Wss10>

        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
        </sp:SignedParts>

        <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">

          <ramp:user>service</ramp:user>
          <ramp:encryptionUser>client</ramp:encryptionUser>
          <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample05.PWCBHandler</ramp:passwordCallbackClass>

          <ramp:signatureCrypto>
            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
            </ramp:crypto>
          </ramp:signatureCrypto>

        </ramp:RampartConfig>

      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

</service>
There's a lot of detail and information to catch up on, but it'll probably not turn out as bad as it looks here at first glance. One thing I do like is that the references to keystores are in the same context and thereby more closely coupled, since I do remember fiddling with all those separate and loosely coupled files.
3 comments:
I have been searching Google for many days and checked all samples of Axis2. I am not able to find any solution to my requirement. Request you to kindly provide a sample/link/pointer on how I can achieve this.
We have an Axis2 1.3 client talking to a WCF service. Our client sends an RST/SCT request and the service sends an RSTR response back to the client with a SecurityContextToken.
We need to use this token for signing further requests to the service to call the actual operation for data (the earlier request just being for getting the SCT).
How to use the SecurityContextToken for further signing and include it in the Security tag and KeyInfo tag? Here is the sample XML which I need to generate to send to the WCF service:
<o:Security s:mustUnderstand="1"
    xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  ...
  <c:SecurityContextToken u:Id="uuid-f54bacef-5c6f-44e8-b13f-c79c15106520-49"
      xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
    <c:Identifier>urn:uuid:7607b3fc-1845-4633-8a76-4131001b058a</c:Identifier>
  </c:SecurityContextToken>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    ...
    <KeyInfo>
      <o:SecurityTokenReference>
        <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
            URI="#uuid-f54bacef-5c6f-44e8-b13f-c79c15106520-49" />
      </o:SecurityTokenReference>
    </KeyInfo>
  </Signature>
</o:Security>
If you notice, here the Security header has a SecurityContextToken tag and the Signature has a reference to the same token in KeyInfo. How can we achieve this in Axis2?
Thanks in advance.
regds
Brijesh
Hi Brijesh
I don't have an answer for your question, but I'll strongly recommend that you write to the mailing list.
Several years ago I had a similar challenge looking for how to sign with a username token (calling a .NET service) and I got great help from the list, and some of the committers (Werner, I think) actually solved it for me. It might even be that support is already there.
Brgds Brian
Hi Brian,
I have a "...simple..." question for you, I hope. My scenario concerns "02. Sign only":
I have a service that contains three operations: addition, subtraction and multiplication, and two clients with two different certificates, the first (user.jks, alias user) with base privileges, the second (admin.jks, alias admin); both contain the alias service.
What I want to achieve with the policy is to give a user the ability to use only addition and multiplication and to give the admin addition, subtraction and multiplication.
How can I do it???
Thanks in advance
Roberto
PS: I helped myself with Google Translate, sorry for errors.