Showing posts with label WS-Security. Show all posts

Thursday, January 31, 2008

Rampart policy samples for running Axis2 with WS-SecurityPolicy


When I first tried out WS-Security, WSS4J was quite new and was used in Axis1 by adding handlers, which worked quite nicely. At that time I was doing interop with WSE 2.0, which already supported WS-SecurityPolicy (I can't remember which version). I liked that because the policy was explicit and crafted for the purpose, whereas the parameter-controlled handlers were all generic. Since then a lot has happened, and there are now specific parameters for WSS4J, which I looked at in the post Rampart basic examples - how you add WS-Security to Axis2. But there's much more, because there's now also support for WS-SecurityPolicy. In this post I'll take a first look at the policy samples, and hopefully I'll soon find time to look deeper into one of them and try it out.

At the front page for the rampart module project the supported standards are listed:

  • WS-Security 1.0
  • WS-Secure Conversation - February 2005
  • WS-Security Policy 1.1 - July 2005
  • WS-Trust - February 2005
  • WS-Trust - WS-SX spec - EXPERIMENTAL

I'm not sure how up to date this information is and I haven't followed the WS-* track lately, but I think those specs have matured into standards, and I guess that Rampart is almost up to date, if not there already.

I had expected these samples to be analogous to the basic samples, but they're not; they are considerably more complex. There are six samples in total; the last one demands a custom Tomcat setup, so I'll skip that one and take the first five. Since it's been some time since I last looked at this kind of policy I'm not into them yet, so I'll just list the policy files here and analyse one of them more closely later.

01. UsernameToken Authentication

The policy uses a TransportBinding and requires a SignedSupportingToken, which is a UsernameToken, and the inclusion of a Timestamp.

    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      !
      ! Copyright 2006 The Apache Software Foundation.
      !
      ! Licensed under the Apache License, Version 2.0 (the "License");
      ! you may not use this file except in compliance with the License.
      ! You may obtain a copy of the License at
      !
      !      http://www.apache.org/licenses/LICENSE-2.0
      !
      ! Unless required by applicable law or agreed to in writing, software
      ! distributed under the License is distributed on an "AS IS" BASIS,
      ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      ! See the License for the specific language governing permissions and
      ! limitations under the License.
      !-->
    <!-- services.xml of sample-1 : UsernameToken-->
    <service>

      <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" />
      </operation>

      <parameter
        name="ServiceClass"
        locked="false">org.apache.rampart.samples.policy.sample01.SimpleService</parameter>

      <module ref="rampart" />
      <module ref="addressing" />

      <wsp:Policy
        wsu:Id="UTOverTransport"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsp:ExactlyOne>
          <wsp:All>

            <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <wsp:Policy>
                <sp:TransportToken>
                  <wsp:Policy>
                    <sp:HttpsToken RequireClientCertificate="false" />
                  </wsp:Policy>
                </sp:TransportToken>
                <sp:AlgorithmSuite>
                  <wsp:Policy>
                    <sp:Basic256 />
                  </wsp:Policy>
                </sp:AlgorithmSuite>
                <sp:Layout>
                  <wsp:Policy>
                    <sp:Lax />
                  </wsp:Policy>
                </sp:Layout>
                <sp:IncludeTimestamp />
              </wsp:Policy>
            </sp:TransportBinding>

            <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <wsp:Policy>
                <sp:UsernameToken
                  sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
              </wsp:Policy>
            </sp:SignedSupportingTokens>

            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
              <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample01.PWCBHandler</ramp:passwordCallbackClass>
            </ramp:RampartConfig>

          </wsp:All>
        </wsp:ExactlyOne>
      </wsp:Policy>

    </service>

02. Sign only

An AsymmetricBinding is used. Entire headers and body are to be signed (OnlySignEntireHeadersAndBody), and SignedParts names the Body. The algorithm suite is TripleDesRsa15.

      <wsp:Policy
        wsu:Id="SigOnly"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsp:ExactlyOne>
          <wsp:All>

            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <wsp:Policy>

                <sp:InitiatorToken>
                  <wsp:Policy>
                    <sp:X509Token
                      sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                      <wsp:Policy>
                        <sp:WssX509V3Token10 />
                      </wsp:Policy>
                    </sp:X509Token>
                  </wsp:Policy>
                </sp:InitiatorToken>

                <sp:RecipientToken>
                  <wsp:Policy>
                    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                      <wsp:Policy>
                        <sp:WssX509V3Token10 />
                      </wsp:Policy>
                    </sp:X509Token>
                  </wsp:Policy>
                </sp:RecipientToken>

                <sp:AlgorithmSuite>
                  <wsp:Policy>
                    <sp:TripleDesRsa15 />
                  </wsp:Policy>
                </sp:AlgorithmSuite>

                <sp:Layout>
                  <wsp:Policy>
                    <sp:Strict />
                  </wsp:Policy>
                </sp:Layout>

                <sp:IncludeTimestamp />

                <sp:OnlySignEntireHeadersAndBody />

              </wsp:Policy>
            </sp:AsymmetricBinding>

            <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <wsp:Policy>
                <sp:MustSupportRefKeyIdentifier />
                <sp:MustSupportRefIssuerSerial />
              </wsp:Policy>
            </sp:Wss10>

            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <sp:Body />
            </sp:SignedParts>

            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
              <ramp:user>service</ramp:user>
              <ramp:encryptionUser>client</ramp:encryptionUser>
              <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample02.PWCBHandler</ramp:passwordCallbackClass>
              <ramp:signatureCrypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                  <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                  <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
                  <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
                </ramp:crypto>
              </ramp:signatureCrypto>
            </ramp:RampartConfig>

          </wsp:All>
        </wsp:ExactlyOne>
      </wsp:Policy>

03. Sign and Encrypt messages

An AsymmetricBinding is used. Entire headers and body are to be signed, and EncryptedParts specifies that the Body is to be encrypted. The algorithm suite is TripleDesRsa15.

      <wsp:Policy
        wsu:Id="SigEncr"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsp:ExactlyOne>
          <wsp:All>

            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <wsp:Policy>

                <sp:InitiatorToken>
                  <wsp:Policy>
                    <sp:X509Token
                      sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                      <wsp:Policy>
                        <sp:WssX509V3Token10 />
                      </wsp:Policy>
                    </sp:X509Token>
                  </wsp:Policy>
                </sp:InitiatorToken>

                <sp:RecipientToken>
                  <wsp:Policy>
                    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                      <wsp:Policy>
                        <sp:WssX509V3Token10 />
                      </wsp:Policy>
                    </sp:X509Token>
                  </wsp:Policy>
                </sp:RecipientToken>

                <sp:AlgorithmSuite>
                  <wsp:Policy>
                    <sp:TripleDesRsa15 />
                  </wsp:Policy>
                </sp:AlgorithmSuite>

                <sp:Layout>
                  <wsp:Policy>
                    <sp:Strict />
                  </wsp:Policy>
                </sp:Layout>

                <sp:IncludeTimestamp />

                <sp:OnlySignEntireHeadersAndBody />

              </wsp:Policy>
            </sp:AsymmetricBinding>

            <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <wsp:Policy>
                <sp:MustSupportRefKeyIdentifier />
                <sp:MustSupportRefIssuerSerial />
              </wsp:Policy>
            </sp:Wss10>

            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <sp:Body />
            </sp:SignedParts>

            <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <sp:Body />
            </sp:EncryptedParts>

            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
              <ramp:user>service</ramp:user>
              <ramp:encryptionUser>client</ramp:encryptionUser>
              <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample03.PWCBHandler</ramp:passwordCallbackClass>

              <ramp:signatureCrypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                  <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                  <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
                  <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
                </ramp:crypto>
              </ramp:signatureCrypto>

              <ramp:encryptionCypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                  <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                  <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
                  <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
                </ramp:crypto>
              </ramp:encryptionCypto>

            </ramp:RampartConfig>

          </wsp:All>
        </wsp:ExactlyOne>
      </wsp:Policy>
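Reading a policy like the three above by hand means checking the same handful of assertions every time: which binding, which algorithm suite, whether a timestamp is required, what is signed and what is encrypted, and whether keystore passwords sit inline in the RampartConfig. The Python below is an added example, not code from the Rampart samples or the Rampart project: it pulls those facts out of the first wsp:All alternative and lists the points a reviewer would raise before deploying the services.xml (RSA PKCS#1 v1.5 key transport and 3DES in a TripleDesRsa15 suite, a missing timestamp, a Lax layout, inline keystore passwords). The two policy strings are constructed for the example, modelled on the Sign and Encrypt and the UsernameToken samples, and the function names summarize and review are my own.

```python
# Added example (not Rampart code): summarise and review a WS-SecurityPolicy
# document of the kind used in the Rampart policy samples.
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "ramp": "http://ws.apache.org/rampart/policy",
}
BINDINGS = ("TransportBinding", "SymmetricBinding", "AsymmetricBinding")
KEYSTORE_PW = "org.apache.ws.security.crypto.merlin.keystore.password"

# Constructed policy modelled on the "Sign and Encrypt" sample (03).
SIGN_ENCRYPT_POLICY = """<wsp:Policy wsu:Id="SigEncr"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
  xmlns:ramp="http://ws.apache.org/rampart/policy">
  <wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding><wsp:Policy>
      <sp:InitiatorToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:InitiatorToken>
      <sp:RecipientToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:RecipientToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:TripleDesRsa15/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
      <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy></sp:AsymmetricBinding>
    <sp:SignedParts><sp:Body/></sp:SignedParts>
    <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
    <ramp:RampartConfig>
      <ramp:signatureCrypto><ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
      </ramp:crypto></ramp:signatureCrypto>
      <ramp:encryptionCypto><ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
      </ramp:crypto></ramp:encryptionCypto>
    </ramp:RampartConfig>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# Constructed policy modelled on the "UsernameToken Authentication" sample (01).
UT_OVER_TRANSPORT_POLICY = """<wsp:Policy wsu:Id="UTOverTransport"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy><sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy></sp:TransportBinding>
    <sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SignedSupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

def local(elem):
    """Local name of an element, without its {namespace} part."""
    return elem.tag.rsplit("}", 1)[-1]

def summarize(policy_xml):
    """Return the security-relevant assertions of the first policy alternative."""
    alt = ET.fromstring(policy_xml).find("wsp:ExactlyOne/wsp:All", NS)
    if alt is None:
        raise ValueError("policy has no wsp:ExactlyOne/wsp:All alternative")
    binding = next((c for c in alt if local(c) in BINDINGS), None)
    if binding is None:
        raise ValueError("policy alternative has no security binding")
    bp = binding.find("wsp:Policy", NS)  # the binding's own nested policy
    suite = bp.find("sp:AlgorithmSuite/wsp:Policy/*", NS)
    layout = bp.find("sp:Layout/wsp:Policy/*", NS)
    https = bp.find("sp:TransportToken/wsp:Policy/sp:HttpsToken", NS)
    parts = lambda name: sorted(local(p) for p in alt.findall("sp:%s/*" % name, NS))
    return {
        "binding": local(binding),
        "algorithm_suite": None if suite is None else local(suite),
        "layout": None if layout is None else local(layout),
        "include_timestamp": bp.find("sp:IncludeTimestamp", NS) is not None,
        "encrypt_signature": bp.find("sp:EncryptSignature", NS) is not None,
        "require_client_cert": None if https is None else https.get("RequireClientCertificate") == "true",
        "signed_parts": parts("SignedParts"),
        "encrypted_parts": parts("EncryptedParts"),
        "supporting_tokens": sorted(local(c) for c in alt if local(c).endswith("SupportingTokens")),
        "inline_keystore_passwords": len(alt.findall(".//ramp:property[@name='%s']" % KEYSTORE_PW, NS)),
    }

def review(summary):
    """Findings a reviewer would raise on the summary; an empty list means none."""
    notes, suite = [], summary["algorithm_suite"] or ""
    if suite.endswith("Rsa15"):
        notes.append("%s: key transport is RSA PKCS#1 v1.5; prefer a suite without the Rsa15 suffix (RSA-OAEP)" % suite)
    if suite.startswith("TripleDes"):
        notes.append("%s: symmetric cipher is 3DES; prefer an AES suite (Basic128/192/256)" % suite)
    if not summary["include_timestamp"]:
        notes.append("no IncludeTimestamp: receivers cannot bound message age for replay detection")
    if summary["layout"] == "Lax":
        notes.append("Lax layout: the order of security header elements is not enforced")
    if summary["binding"] != "TransportBinding" and not summary["encrypted_parts"]:
        notes.append("message-level binding without EncryptedParts: body is signed but sent in clear")
    if summary["inline_keystore_passwords"]:
        notes.append("%d keystore password(s) stored inline in RampartConfig" % summary["inline_keystore_passwords"])
    return notes

if __name__ == "__main__":
    for name, pol in (("SigEncr", SIGN_ENCRYPT_POLICY), ("UTOverTransport", UT_OVER_TRANSPORT_POLICY)):
        s = summarize(pol)
        print(name, s)
        for n in review(s):
            print("  -", n)
```

Only the outermost binding is inspected, so for the SecureConversation sample below the nested BootstrapPolicy would need a second pass; the direct paths (binding/wsp:Policy/sp:AlgorithmSuite) are used on purpose so that the bootstrap's assertions are not mistaken for the outer ones.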

04. SecureConversation

The secure session is bootstrapped using a SymmetricBinding which uses derived keys based on an ephemeral key. Messages in the secure conversation:

  • Include a timestamp
  • Have all headers signed along with the timestamp
  • Have the signature encrypted
  • Have the body encrypted

The algorithm suite is Basic128Rsa15.

      <module ref="rampart" />
      <module ref="rahas" />
      <module ref="addressing" />

      <wsp:Policy
        wsu:Id="SecConvPolicy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsp:ExactlyOne>
          <wsp:All>

            <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <wsp:Policy>

                <sp:ProtectionToken>
                  <wsp:Policy>
                    <sp:SecureConversationToken
                      sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                      <wsp:Policy>
                        <sp:RequireDerivedKeys />
                        <sp:BootstrapPolicy>
                          <wsp:Policy>

                            <sp:EncryptedParts>
                              <sp:Body />
                            </sp:EncryptedParts>

                            <sp:SymmetricBinding>
                              <wsp:Policy>
                                <sp:ProtectionToken>
                                  <wsp:Policy>
                                    <sp:X509Token
                                      sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                      <wsp:Policy>
                                        <sp:RequireDerivedKeys />
                                        <sp:RequireThumbprintReference />
                                        <sp:WssX509V3Token10 />
                                      </wsp:Policy>
                                    </sp:X509Token>
                                  </wsp:Policy>
                                </sp:ProtectionToken>
                                <sp:AlgorithmSuite>
                                  <wsp:Policy>
                                    <sp:Basic128Rsa15 />
                                  </wsp:Policy>
                                </sp:AlgorithmSuite>
                                <sp:Layout>
                                  <wsp:Policy>
                                    <sp:Strict />
                                  </wsp:Policy>
                                </sp:Layout>
                                <sp:IncludeTimestamp />
                                <sp:EncryptSignature />
                                <sp:OnlySignEntireHeadersAndBody />
                              </wsp:Policy>
                            </sp:SymmetricBinding>

                            <sp:EndorsingSupportingTokens>
                              <wsp:Policy>
                                <sp:X509Token
                                  sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                  <wsp:Policy>
                                    <sp:RequireThumbprintReference />
                                    <sp:WssX509V3Token10 />
                                  </wsp:Policy>
                                </sp:X509Token>
                              </wsp:Policy>
                            </sp:EndorsingSupportingTokens>

                            <sp:Wss11>
                              <wsp:Policy>
                                <sp:MustSupportRefKeyIdentifier />
                                <sp:MustSupportRefIssuerSerial />
                                <sp:MustSupportRefThumbprint />
                                <sp:MustSupportRefEncryptedKey />
                                <sp:RequireSignatureConfirmation />
                              </wsp:Policy>
                            </sp:Wss11>

                            <sp:Trust10>
                              <wsp:Policy>
                                <sp:MustSupportIssuedTokens />
                                <sp:RequireClientEntropy />
                                <sp:RequireServerEntropy />
                              </wsp:Policy>
                            </sp:Trust10>

                          </wsp:Policy>
                        </sp:BootstrapPolicy>
                      </wsp:Policy>
                    </sp:SecureConversationToken>
                  </wsp:Policy>
                </sp:ProtectionToken>

                <sp:AlgorithmSuite>
                  <wsp:Policy>
                    <sp:Basic128Rsa15 />
                  </wsp:Policy>
                </sp:AlgorithmSuite>

                <sp:Layout>
                  <wsp:Policy>
                    <sp:Strict />
                  </wsp:Policy>
                </sp:Layout>

                <sp:IncludeTimestamp />
                <sp:EncryptSignature />
                <sp:OnlySignEntireHeadersAndBody />

              </wsp:Policy>
            </sp:SymmetricBinding>

            <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <wsp:Policy>
                <sp:MustSupportRefKeyIdentifier />
                <sp:MustSupportRefIssuerSerial />
                <sp:MustSupportRefThumbprint />
                <sp:MustSupportRefEncryptedKey />
              </wsp:Policy>
            </sp:Wss11>

            <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <wsp:Policy>
                <sp:MustSupportIssuedTokens />
                <sp:RequireClientEntropy />
                <sp:RequireServerEntropy />
              </wsp:Policy>
            </sp:Trust10>

            <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <sp:Body />
            </sp:EncryptedParts>

            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
              <ramp:user>service</ramp:user>
              <ramp:encryptionUser>client</ramp:encryptionUser>
              <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04.PWCBHandler</ramp:passwordCallbackClass>

              <ramp:signatureCrypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                  <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                  <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
                  <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
                </ramp:crypto>
              </ramp:signatureCrypto>

              <ramp:encryptionCypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                  <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                  <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
                  <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
                </ramp:crypto>
              </ramp:encryptionCypto>

            </ramp:RampartConfig>

          </wsp:All>
        </wsp:ExactlyOne>
      </wsp:Policy>

      <parameter name="sct-issuer-config">
        <sct-issuer-config>
          <cryptoProperties>
            <crypto provider="org.apache.ws.security.components.crypto.Merlin">
              <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
              <property name="org.apache.ws.security.crypto.merlin.file">sts.jks</property>
              <property name="org.apache.ws.security.crypto.merlin.keystore.password">password</property>
            </crypto>
          </cryptoProperties>
          <addRequestedAttachedRef />
          <addRequestedUnattachedRef />

          <!--
            Key computation mechanism
            1 - Use Request Entropy
            2 - Provide Entropy
            3 - Use Own Key
          -->
          <keyComputation>3</keyComputation>

          <!--
            proofKeyType element is valid only if the keyComputation is set to 3
            i.e. Use Own Key

            Valid values are: EncryptedKey & BinarySecret
          -->
          <proofKeyType>BinarySecret</proofKeyType>
        </sct-issuer-config>
      </parameter>

      <parameter name="token-canceler-config">
        <token-canceler-config>

        </token-canceler-config>
      </parameter>
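The RequireDerivedKeys assertion, the RequireClientEntropy/RequireServerEntropy assertions of the Trust10 block and the keyComputation choices in the issuer config (use request entropy, provide entropy, use own key) all rest on one construction: WS-Trust's computed key and WS-SecureConversation's DerivedKeyToken both expand a secret and a seed with P_SHA1, the TLS 1.0 pseudo-random function. The Python below is an added example, not Rampart, Rahas or WSS4J code. It shows the computed key that both parties obtain from their combined entropy, and a derived key taken at an offset and length from the P_SHA1 stream. The entropy values, the nonce and the label are constructed for the example, and the function names are mine.

```python
# Added example (not Rampart/WSS4J code): the P_SHA1 key computation behind
# WS-Trust computed keys (client + server entropy) and WS-SecureConversation
# derived keys (label + nonce, offset/length). All inputs are constructed.
import hashlib
import hmac
import secrets

def p_sha1(secret, seed, length):
    """TLS 1.0 P_SHA1 expansion: concatenate HMAC-SHA1(secret, A(i) + seed), A(0) = seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # P_SHA1 block i
    return out[:length]

def computed_key(client_entropy, server_entropy, key_size_bits):
    """WS-Trust PSHA1 computed key: key = P_SHA1(EntREQ, EntRES), truncated to the key size.

    Both sides run this over the exchanged entropies, so the session key itself
    is never carried in an RST/RSTR message."""
    if key_size_bits % 8:
        raise ValueError("key size must be a whole number of bytes")
    return p_sha1(client_entropy, server_entropy, key_size_bits // 8)

def derived_key(secret, label, nonce, offset, length):
    """WS-SecureConversation DerivedKeyToken: bytes [offset, offset+length) of
    P_SHA1(secret, label + nonce), letting one secret yield separate signing and
    encryption keys per message."""
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    return p_sha1(secret, label.encode("utf-8") + nonce, offset + length)[offset:]

# Constructed values: each party draws its entropy, and the client its
# derived-key nonce, from a CSPRNG, as done here with the secrets module.
CLIENT_ENTROPY = secrets.token_bytes(32)
SERVER_ENTROPY = secrets.token_bytes(32)
NONCE = secrets.token_bytes(16)
LABEL = "WS-SecureConversation"  # assumed label for the example; the token's wsc:Label governs in practice

if __name__ == "__main__":
    sct_key = computed_key(CLIENT_ENTROPY, SERVER_ENTROPY, 256)  # 256-bit session key
    sig_key = derived_key(sct_key, LABEL, NONCE, 0, 16)          # first 16 bytes: signing
    enc_key = derived_key(sct_key, LABEL, NONCE, 16, 16)         # next 16 bytes: encryption
    print("computed key:", sct_key.hex())
    print("signing key :", sig_key.hex())
    print("encrypt key :", enc_key.hex())
```

With keyComputation set to 1 or 2 the issuer takes part in this computation; with 3 (use own key) it generates the key itself and returns it as the proof token, which is why proofKeyType only applies in that case.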

WS-Trust

The client sends an RST (RequestSecurityToken) to the Security Token Service, which issues a SAML token.

    <service>
      <!--operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
        </operation>
        <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.policy.sample01.SimpleService</parameter-->

      <module ref="rampart" />
      <module ref="addressing" />
      <module ref="rahas" />

      <parameter name="saml-issuer-config">
        <saml-issuer-config>
          <issuerName>SAMPLE_STS</issuerName>
          <issuerKeyAlias>service</issuerKeyAlias>
          <issuerKeyPassword>apache</issuerKeyPassword>
          <cryptoProperties>
            <crypto provider="org.apache.ws.security.components.crypto.Merlin">
              <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
              <property name="org.apache.ws.security.crypto.merlin.file">service.jks</property>
              <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
            </crypto>
          </cryptoProperties>
          <timeToLive>300000</timeToLive>
          <keySize>256</keySize>
          <addRequestedAttachedRef />
          <addRequestedUnattachedRef />

          <!--
            Key computation mechanism
            1 - Use Request Entropy
            2 - Provide Entropy
            3 - Use Own Key
          -->
          <keyComputation>2</keyComputation>

          <!--
            proofKeyType element is valid only if the keyComputation is set to 3
            i.e. Use Own Key

            Valid values are: EncryptedKey & BinarySecret
          -->
          <proofKeyType>BinarySecret</proofKeyType>
          <trusted-services>
            <service alias="client">http://localhost:8080/axis2/services/SimpleService</service>
          </trusted-services>
        </saml-issuer-config>
      </parameter>

      <wsp:Policy
        wsu:Id="SigOnly"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsp:ExactlyOne>
          <wsp:All>

            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <wsp:Policy>
                <sp:InitiatorToken>
                  <wsp:Policy>
                    <sp:X509Token
                      sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                      <wsp:Policy>
                        <sp:WssX509V3Token10 />
                      </wsp:Policy>
                    </sp:X509Token>
                  </wsp:Policy>
                </sp:InitiatorToken>
                <sp:RecipientToken>
                  <wsp:Policy>
                    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                      <wsp:Policy>
                        <sp:WssX509V3Token10 />
                      </wsp:Policy>
                    </sp:X509Token>
                  </wsp:Policy>
                </sp:RecipientToken>
                <sp:AlgorithmSuite>
                  <wsp:Policy>
                    <sp:TripleDesRsa15 />
                  </wsp:Policy>
                </sp:AlgorithmSuite>
                <sp:Layout>
                  <wsp:Policy>
                    <sp:Strict />
                  </wsp:Policy>
                </sp:Layout>
                <sp:IncludeTimestamp />
                <sp:OnlySignEntireHeadersAndBody />
              </wsp:Policy>
            </sp:AsymmetricBinding>

            <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <wsp:Policy>
                <sp:MustSupportRefKeyIdentifier />
                <sp:MustSupportRefIssuerSerial />
              </wsp:Policy>
            </sp:Wss10>

            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <sp:Body />
            </sp:SignedParts>

            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">

              <ramp:user>service</ramp:user>
              <ramp:encryptionUser>client</ramp:encryptionUser>
              <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample05.PWCBHandler</ramp:passwordCallbackClass>

              <ramp:signatureCrypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                  <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                  <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
                  <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
                </ramp:crypto>
              </ramp:signatureCrypto>

            </ramp:RampartConfig>

          </wsp:All>
        </wsp:ExactlyOne>
      </wsp:Policy>

    </service>

There's a lot of detail and information to catch up on, but it'll probably not turn out as bad as it looks here at first glance. One thing I do like is that the references to keystores are in the same context and thereby more closely coupled, since I do remember fiddling with all those separate and loosely coupled files.


Friday, December 21, 2007

Rampart basic examples - how you add WS-Security to Axis2


In my personal opinion Web Services Security is the most successful addition to the web service SOAP stack, often called WS-*. It was much needed, and it avoided running into conflicts between the big market players, which, by contrast, one of the other much needed abilities, reliability, ran into big time. Some might argue that WS-Addressing is equally successful, and it is important, but for one thing the standardization process took much longer, and secondly (again a personal view) I've primarily been using web services in synchronous mode (in-out) and not in complex flows, so I've not had much need for it, though I've had to live with it.

It's been some time since I last used WS-Security, back in the early days of WSS4J and Axis1. In the meantime Axis2 has evolved with a new architecture and nice features like native XMLBeans support. For WS-Security it's still WSS4J, with support for Web Services Security v1.0 (March 2004), and as far as I can tell support for Web Services Security v1.1 (February 2006) is not that far away. With Axis2 the days of adding handlers and parameters with generic name/value constructs are over. Now the Axis2 architecture is built on Flows, Phases, Handlers, and Modules (from the OxygenTank), and there's a separate module, called Rampart, that plugs WS-Security support with WSS4J into Axis2. The Axis2 guide for using Rampart, Securing SOAP Messages with Rampart, practically covers it all, but for newcomers there's a great set of samples covering just about all practical scenarios of using WS-Security. In this post I give a quick overview of these samples.

Note: Rampart does have its own subsite, but it does not look like it's being maintained, since the last release listed there is still 1.2.

Basic samples

There are 11 examples bundled with the current Rampart. Everything is configured with two parameters named InflowSecurity and OutflowSecurity in the files services.xml (server side) and axis2.xml (client side). I'll now go through all of them with the central configurations and a mix of the comments that come with the samples and my own. I'll not show any of the code; for that you'll have to look at the samples yourself.

01. Rampart Engaged and no configuration

The first sample actually does NOT add WS-Security; it shows the basic service that's used and the needed Axis2 configuration, and thereby also shows that Apache Rampart does not touch the messages when simply engaged without any configuration (parameters).

In this post I'll only show the server side configuration, since it's almost identical to the client side. For this sample the services.xml file looks like:

    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      !
      ! Copyright 2006 The Apache Software Foundation.
      !
      ! Licensed under the Apache License, Version 2.0 (the "License");
      ! you may not use this file except in compliance with the License.
      ! You may obtain a copy of the License at
      !
      !      http://www.apache.org/licenses/LICENSE-2.0
      !
      ! Unless required by applicable law or agreed to in writing, software
      ! distributed under the License is distributed on an "AS IS" BASIS,
      ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      ! See the License for the specific language governing permissions and
      ! limitations under the License.
      !-->
    <!-- services.xml of sample-1 : No Security-->
    <service>
      <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" />
      </operation>
      <parameter
        name="ServiceClass"
        locked="false">
        org.apache.rampart.samples.sample01.SimpleService
      </parameter>

      <module ref="rampart" />

    </service>

So adding the module doesn't do anything in itself, contrary to the behaviour of WS-Addressing.

02. UsernameToken authentication

The client is configured to add a UsernameToken to the outgoing message. The service is configured to process it.

From now on I'll just show the WS-Security parameters to keep it short and focused:

      <parameter name="InflowSecurity">
        <action>
          <items>UsernameToken Timestamp</items>
          <passwordCallbackClass>org.apache.rampart.samples.sample02.PWCBHandler</passwordCallbackClass>
        </action>
      </parameter>

Note how org.apache.rampart.samples.sample02.PWCBHandler supplies the password to WSS4J, which computes the digest itself and compares it with the one in the token.

03. UsernameToken authentication with a plain text password

The client is configured to add a UsernameToken to the outgoing message. Note the <passwordType>PasswordText</passwordType> element. The service is configured to process it.

Note how org.apache.rampart.samples.sample03.PWCBHandler authenticates the password itself, since with PasswordText the password arrives in the clear.

      <parameter name="InflowSecurity">
        <action>
          <items>UsernameToken</items>
          <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
        </action>
      </parameter>
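As an added illustration of the two PWCBHandler roles in samples 02 and 03 (my own example, not the samples' code), here is one server-side callback handler that serves both the digest and the plain-text case. It assumes the WSS4J 1.5 WSPasswordCallback API that Rampart of this era uses (getIdentifer() with that spelling, usage codes USERNAME_TOKEN and USERNAME_TOKEN_UNKNOWN); the user/password pair is constructed.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Hypothetical handler; its class name goes into <passwordCallbackClass>.
public class UsernameTokenPWCBHandler implements CallbackHandler {

    // Constructed sample credentials; a deployment would consult a user store.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("client", "apache");
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unexpected callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            // WSS4J 1.5 spelling; later releases add getIdentifier().
            String stored = USERS.get(pwcb.getIdentifer());
            if (stored == null) {
                // Same message as a bad password, so the reply does not reveal which it was.
                throw new UnsupportedCallbackException(cb, "authentication failed");
            }
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Sample 02 (digest): WSS4J hashes nonce+created+password itself,
                    // so the handler must hand back the stored cleartext password.
                    pwcb.setPassword(stored);
                    break;
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // Sample 03 (PasswordText): the password arrives in clear and WSS4J
                    // leaves the comparison to the handler; reject by throwing.
                    if (!stored.equals(pwcb.getPassword())) {
                        throw new UnsupportedCallbackException(cb, "authentication failed");
                    }
                    break;
                default:
                    throw new UnsupportedCallbackException(cb, "unsupported usage");
            }
        }
    }
}
```

The digest case only works because the server can produce the cleartext password on demand, which is the trade-off against the plain-text case where the password itself travels in the message.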

04. Message integrity and non-repudiation with signature

Both client and service are configured to sign the outgoing message and to verify the signature of the incoming message using their key pairs.

      <parameter name="InflowSecurity">
        <action>
          <items>Timestamp Signature</items>
          <signaturePropFile>service.properties</signaturePropFile>
        </action>
      </parameter>

      <parameter name="OutflowSecurity">
        <action>
          <items>Timestamp Signature</items>
          <user>service</user>
          <passwordCallbackClass>org.apache.rampart.samples.sample04.PWCBHandler</passwordCallbackClass>
          <signaturePropFile>service.properties</signaturePropFile>
          <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
        </action>
      </parameter>

05. Encryption

Both client and service are configured to encrypt the outgoing message and to decrypt the incoming message using their key pairs.

      <parameter name="InflowSecurity">
        <action>
          <items>Encrypt</items>
          <passwordCallbackClass>org.apache.rampart.samples.sample05.PWCBHandler</passwordCallbackClass>
          <decryptionPropFile>service.properties</decryptionPropFile>
        </action>
      </parameter>

      <parameter name="OutflowSecurity">
        <action>
          <items>Encrypt</items>
          <encryptionUser>client</encryptionUser>
          <encryptionPropFile>service.properties</encryptionPropFile>
        </action>
      </parameter>

06. Sign and encrypt messages

Both client and service are configured to first sign and then encrypt the outgoing message and to decrypt and verify the incoming message using their key pairs.

      <parameter name="InflowSecurity">
        <action>
          <items>Timestamp Signature Encrypt</items>
          <passwordCallbackClass>org.apache.rampart.samples.sample06.PWCBHandler</passwordCallbackClass>
          <signaturePropFile>service.properties</signaturePropFile>
        </action>
      </parameter>

      <parameter name="OutflowSecurity">
        <action>
          <items>Timestamp Signature Encrypt</items>
          <user>service</user>
          <passwordCallbackClass>org.apache.rampart.samples.sample06.PWCBHandler</passwordCallbackClass>
          <signaturePropFile>service.properties</signaturePropFile>
          <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
          <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
          <encryptionUser>useReqSigCert</encryptionUser>
        </action>
      </parameter>

07. Encrypt and sign messages

Both client and service are configured to first encrypt and then sign the outgoing message and to verify and decrypt the incoming message using their key pairs.

      <parameter name="InflowSecurity">
        <action>
          <items>Timestamp Encrypt Signature</items>
          <passwordCallbackClass>org.apache.rampart.samples.sample07.PWCBHandler</passwordCallbackClass>
          <signaturePropFile>service.properties</signaturePropFile>
        </action>
      </parameter>

      <parameter name="OutflowSecurity">
        <action>
          <items>Timestamp Encrypt Signature</items>
          <user>service</user>
          <passwordCallbackClass>org.apache.rampart.samples.sample07.PWCBHandler</passwordCallbackClass>
          <signaturePropFile>service.properties</signaturePropFile>
          <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
          <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
          <encryptionUser>useReqSigCert</encryptionUser>
        </action>
      </parameter>

08. Signing twice

The client is configured to sign the outgoing message twice. Note the additional <action> element that defines the second signature (client side) and that we simply use "Signature Signature" as action items (server side, shown here).

      <parameter name="InflowSecurity">
        <action>
          <items>Timestamp Signature Signature</items>
          <passwordCallbackClass>org.apache.rampart.samples.sample08.PWCBHandler</passwordCallbackClass>
          <signaturePropFile>service.properties</signaturePropFile>
        </action>
      </parameter>

09. Encryption with a key known to both parties

Both client and service are configured to encrypt the outgoing message and to decrypt the incoming message using a shared, named key instead of their key pairs.

Note the use of <EmbeddedKeyName>SessionKey</EmbeddedKeyName> and that org.apache.rampart.samples.sample09.PWCBHandler supplies the key bytes for that name.

      <parameter name="InflowSecurity">
        <action>
          <items>Encrypt</items>
          <passwordCallbackClass>org.apache.rampart.samples.sample09.PWCBHandler</passwordCallbackClass>
          <decryptionPropFile>service.properties</decryptionPropFile>
        </action>
      </parameter>

      <parameter name="OutflowSecurity">
        <action>
          <items>Encrypt</items>
          <user>service</user>
          <encryptionKeyIdentifier>EmbeddedKeyName</encryptionKeyIdentifier>
          <encryptionPropFile>service.properties</encryptionPropFile>
          <EmbeddedKeyCallbackClass>org.apache.rampart.samples.sample09.PWCBHandler</EmbeddedKeyCallbackClass>
          <EmbeddedKeyName>SessionKey</EmbeddedKeyName>
        </action>
      </parameter>

10. MTOM Optimizing base64 content in the secured message

Sign and encrypt messages, as in sample 06: both client and service are configured to first sign and then encrypt the outgoing message and to decrypt and verify the incoming message using their key pairs.

Note the use of <optimizeParts>[xpath expression]</optimizeParts> on the client side to select the base64 content that MTOM should optimize.

      <parameter name="InflowSecurity">
        <action>
          <items>Timestamp Signature Encrypt</items>
          <passwordCallbackClass>org.apache.rampart.samples.sample10.PWCBHandler</passwordCallbackClass>
          <signaturePropFile>service.properties</signaturePropFile>
        </action>
      </parameter>

      <parameter name="OutflowSecurity">
        <action>
          <items>Timestamp Signature Encrypt</items>
          <user>service</user>
          <passwordCallbackClass>org.apache.rampart.samples.sample10.PWCBHandler</passwordCallbackClass>
          <signaturePropFile>service.properties</signaturePropFile>
          <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
          <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
          <encryptionUser>useReqSigCert</encryptionUser>
        </action>
      </parameter>

11. Dynamic configuration : Get rid of the config files ... let's use code!

Both client and service are configured to first sign and then encrypt the outgoing message and to decrypt and verify the incoming message using their key pairs.

Note that the client.axis2.xml carries no security parameters at all; see the getOutflowConfiguration() and getInflowConfiguration() methods of org.apache.rampart.samples.sample11.Client and how their results are set on the client options. The server side still uses services.xml:

      <parameter name="InflowSecurity">
        <action>
          <items>Timestamp Signature Encrypt</items>
          <passwordCallbackClass>org.apache.rampart.samples.sample11.PWCBHandler</passwordCallbackClass>
          <signaturePropFile>service.properties</signaturePropFile>
        </action>
      </parameter>

      <parameter name="OutflowSecurity">
        <action>
          <items>Timestamp Signature Encrypt</items>
          <user>service</user>
          <passwordCallbackClass>org.apache.rampart.samples.sample11.PWCBHandler</passwordCallbackClass>
          <signaturePropFile>service.properties</signaturePropFile>
          <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
          <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
          <encryptionUser>useReqSigCert</encryptionUser>
        </action>
      </parameter>
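As an added example of what sample 11 replaces the client's XML parameters with (my own code, not the sample's Client class), here is the client-side mirror of the configuration above built with Rampart's OutflowConfiguration and InflowConfiguration and placed on the Axis2 Options. It assumes the Rampart 1.3-era API (org.apache.rampart.handler.config and WSSHandlerConstants), a client.properties keystore file and the aliases "client" and "service".

```java
import org.apache.axis2.client.Options;
import org.apache.rampart.handler.WSSHandlerConstants;
import org.apache.rampart.handler.config.InflowConfiguration;
import org.apache.rampart.handler.config.OutflowConfiguration;

// Hypothetical helper: the client-side equivalent of the sample-11 parameters, built in code.
public class DynamicSecurityConfig {

    // OutflowSecurity for the client: timestamp, sign as "client", then encrypt for "service".
    static OutflowConfiguration outflow() {
        OutflowConfiguration ofc = new OutflowConfiguration();
        ofc.setActionItems("Timestamp Signature Encrypt");
        ofc.setUser("client");
        ofc.setPasswordCallbackClass("org.apache.rampart.samples.sample11.PWCBHandler");
        ofc.setSignaturePropFile("client.properties");
        ofc.setSignatureKeyIdentifier(WSSHandlerConstants.BST_DIRECT_REFERENCE); // "DirectReference"
        ofc.setEncryptionKeyIdentifier(WSSHandlerConstants.SKI_KEY_IDENTIFIER);  // "SKIKeyIdentifier"
        ofc.setEncryptionUser("service"); // alias of the service certificate in client.properties
        return ofc;
    }

    // InflowSecurity for the client: the response must be timestamped, signed and encrypted;
    // the decryption key comes from the same property file and callback (no decryptionPropFile,
    // matching the services.xml above, where the signature crypto is reused for decryption).
    static InflowConfiguration inflow() {
        InflowConfiguration ifc = new InflowConfiguration();
        ifc.setActionItems("Timestamp Signature Encrypt");
        ifc.setPasswordCallbackClass("org.apache.rampart.samples.sample11.PWCBHandler");
        ifc.setSignaturePropFile("client.properties");
        return ifc;
    }

    // Puts both configurations on the Options under the same keys the XML <parameter>
    // elements use, so Rampart's handlers pick them up per invocation.
    static void apply(Options options) {
        options.setProperty(WSSHandlerConstants.OUTFLOW_SECURITY, outflow().getProperty());
        options.setProperty(WSSHandlerConstants.INFLOW_SECURITY, inflow().getProperty());
    }
}
```

Call apply() on the ServiceClient's Options after engaging the rampart module and before sendReceive(); the server's services.xml stays as shown above.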
