Rampart policy samples for runing Axis2 with WS-SecurityPolicy

When I first tried out WS-Security WSS4J was quite new and used in axis1 by adding handlers, and it work quite nicely. I was at that time doing interop with WSE2.0, which already at that time had support for WS-SecurityPolicy (can't remember what version) which I liked because it was more explicit and craftet for that whereas the generic parameter controlled handlers were all generic. Since then a lot has happend and now there are specific parameters for WSS4J as I looked at in the post Rampart basic examples - how you add WS-Security to Axis2. But there's much more cause now there's also support for WS-SecurityPolicy and I'll take a first look at the policy samples in this post and hopefully soon find time to look deeper into one of them and try it out.

At the front page for the rampart module project the supported standards are listed:

• WS-Security 1.0
• WS-Secure Conversation - February 2005
• WS-Security Policy 1.1 - July 2005
• WS-Trust - February 2005
• WS-Trust - WS-SX spec - EXPERIMENTAL

I'm not sure how updated this information is and I haven't followed the ws-* track lately, but I think that those specs have matured into standards and I guess that rampart is almost up todate if not there already.

I had expected these samples to be analogies to the basic samples but they're not and they are quite more complex. There are a total of six samples where the last one demands custom setup of tomcat so I'll skip that one and take the first five ones. Since it's been some time since I last looked at these kind of policies I'm not into them yet and I'll just list the policy files here and then later analyse one of them more closely.

01. UsernameToken Authentication

The policy uses a TransportBinding and requires a SignedSupportingToken which is a UsernameToken and the inclusion of a TimeStamp.

    1 <?xml version="1.0" encoding="UTF-8"?>
    2 <!--
    3   !
    4   ! Copyright 2006 The Apache Software Foundation.
    5   !
    6   ! Licensed under the Apache License, Version 2.0 (the "License");
    7   ! you may not use this file except in compliance with the License.
    8   ! You may obtain a copy of the License at
    9   !
   10   !      http://www.apache.org/licenses/LICENSE-2.0
   11   !
   12   ! Unless required by applicable law or agreed to in writing, software
   13   ! distributed under the License is distributed on an "AS IS" BASIS,
   14   ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   15   ! See the License for the specific language governing permissions and
   16   ! limitations under the License.
   17   !-->
   18 <!-- services.xml of sample-1 : UsernameToken-->
   19 <service>
   20 
   21   <operation name="echo">
   22     <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" />
   23   </operation>
   24 
   25   <parameter
   26     name="ServiceClass"
   27     locked="false">org.apache.rampart.samples.policy.sample01.SimpleService</parameter>
   28 
   29   <module ref="rampart" />
   30   <module ref="addressing" />
   31 
   32   <wsp:Policy
   33     wsu:Id="UTOverTransport"
   34     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   35     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
   36     <wsp:ExactlyOne>
   37       <wsp:All>
   38 
   39         <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   40           <wsp:Policy>
   41             <sp:TransportToken>
   42               <wsp:Policy>
   43                 <sp:HttpsToken RequireClientCertificate="false" />
   44               </wsp:Policy>
   45             </sp:TransportToken>
   46             <sp:AlgorithmSuite>
   47               <wsp:Policy>
   48                 <sp:Basic256 />
   49               </wsp:Policy>
   50             </sp:AlgorithmSuite>
   51             <sp:Layout>
   52               <wsp:Policy>
   53                 <sp:Lax />
   54               </wsp:Policy>
   55             </sp:Layout>
   56             <sp:IncludeTimestamp />
   57           </wsp:Policy>
   58         </sp:TransportBinding>
   59 
   60         <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   61           <wsp:Policy>
   62             <sp:UsernameToken
   63               sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
   64           </wsp:Policy>
   65         </sp:SignedSupportingTokens>
   66 
   67         <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
   68           <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample01.PWCBHandler</ramp:passwordCallbackClass>
   69         </ramp:RampartConfig>
   70 
   71       </wsp:All>
   72     </wsp:ExactlyOne>
   73   </wsp:Policy>
   74 
   75 </service>

02. Sign only

An AsymmetricBinding is used. Entire headers and body to be signed. Algorithm suite is TripleDesRsa15

   33   <wsp:Policy
   34     wsu:Id="SigOnly"
   35     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   36     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
   37     <wsp:ExactlyOne>
   38       <wsp:All>
   39 
   40         <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   41           <wsp:Policy>
   42 
   43             <sp:InitiatorToken>
   44               <wsp:Policy>
   45                 <sp:X509Token
   46                   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
   47                   <wsp:Policy>
   48                     <sp:WssX509V3Token10 />
   49                   </wsp:Policy>
   50                 </sp:X509Token>
   51               </wsp:Policy>
   52             </sp:InitiatorToken>
   53 
   54             <sp:RecipientToken>
   55               <wsp:Policy>
   56                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
   57                   <wsp:Policy>
   58                     <sp:WssX509V3Token10 />
   59                   </wsp:Policy>
   60                 </sp:X509Token>
   61               </wsp:Policy>
   62             </sp:RecipientToken>
   63 
   64             <sp:AlgorithmSuite>
   65               <wsp:Policy>
   66                 <sp:TripleDesRsa15 />
   67               </wsp:Policy>
   68             </sp:AlgorithmSuite>
   69 
   70             <sp:Layout>
   71               <wsp:Policy>
   72                 <sp:Strict />
   73               </wsp:Policy>
   74             </sp:Layout>
   75 
   76             <sp:IncludeTimestamp />
   77 
   78             <sp:OnlySignEntireHeadersAndBody />
   79 
   80           </wsp:Policy>
   81         </sp:AsymmetricBinding>
   82 
   83         <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   84           <wsp:Policy>
   85             <sp:MustSupportRefKeyIdentifier />
   86             <sp:MustSupportRefIssuerSerial />
   87           </wsp:Policy>
   88         </sp:Wss10>
   89 
   90         <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   91           <sp:Body />
   92         </sp:SignedParts>
   93 
   94         <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
   95           <ramp:user>service</ramp:user>
   96           <ramp:encryptionUser>client</ramp:encryptionUser>
   97           <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample02.PWCBHandler</ramp:passwordCallbackClass>
   98           <ramp:signatureCrypto>
   99             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
  100               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
  101               <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
  102               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
  103             </ramp:crypto>
  104           </ramp:signatureCrypto>
  105         </ramp:RampartConfig>
  106 
  107       </wsp:All>
  108     </wsp:ExactlyOne>
  109   </wsp:Policy>

03. Sign and Encrypt messages

An AsymmetricBinding is used. Entire headers and body to be signed. EncryptionParts specifies the Body to be encrypted. Algorithm suite is TripleDesRsa15

   33   <wsp:Policy
   34     wsu:Id="SigEncr"
   35     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   36     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
   37     <wsp:ExactlyOne>
   38       <wsp:All>
   39 
   40         <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   41           <wsp:Policy>
   42 
   43             <sp:InitiatorToken>
   44               <wsp:Policy>
   45                 <sp:X509Token
   46                   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
   47                   <wsp:Policy>
   48                     <sp:WssX509V3Token10 />
   49                   </wsp:Policy>
   50                 </sp:X509Token>
   51               </wsp:Policy>
   52             </sp:InitiatorToken>
   53 
   54             <sp:RecipientToken>
   55               <wsp:Policy>
   56                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
   57                   <wsp:Policy>
   58                     <sp:WssX509V3Token10 />
   59                   </wsp:Policy>
   60                 </sp:X509Token>
   61               </wsp:Policy>
   62             </sp:RecipientToken>
   63 
   64             <sp:AlgorithmSuite>
   65               <wsp:Policy>
   66                 <sp:TripleDesRsa15 />
   67               </wsp:Policy>
   68             </sp:AlgorithmSuite>
   69 
   70             <sp:Layout>
   71               <wsp:Policy>
   72                 <sp:Strict />
   73               </wsp:Policy>
   74             </sp:Layout>
   75 
   76             <sp:IncludeTimestamp />
   77 
   78             <sp:OnlySignEntireHeadersAndBody />
   79 
   80           </wsp:Policy>
   81         </sp:AsymmetricBinding>
   82 
   83         <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   84           <wsp:Policy>
   85             <sp:MustSupportRefKeyIdentifier />
   86             <sp:MustSupportRefIssuerSerial />
   87           </wsp:Policy>
   88         </sp:Wss10>
   89 
   90         <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   91           <sp:Body />
   92         </sp:SignedParts>
   93 
   94         <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   95           <sp:Body />
   96         </sp:EncryptedParts>
   97 
   98         <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
   99           <ramp:user>service</ramp:user>
  100           <ramp:encryptionUser>client</ramp:encryptionUser>
  101           <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample03.PWCBHandler</ramp:passwordCallbackClass>
  102 
  103           <ramp:signatureCrypto>
  104             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
  105               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
  106               <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
  107               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
  108             </ramp:crypto>
  109           </ramp:signatureCrypto>
  110 
  111           <ramp:encryptionCypto>
  112             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
  113               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
  114               <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
  115               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
  116             </ramp:crypto>
  117           </ramp:encryptionCypto>
  118 
  119         </ramp:RampartConfig>
  120 
  121       </wsp:All>
  122     </wsp:ExactlyOne>
  123   </wsp:Policy>

04. SecureConversation

The secure session is bootstrapped using a SymetricBinding which uses derived keys based on an ephemeral key. Messages in the secure conversation:

• Includes a timestamp
• All headers are signed along with the timestamp
• Signature encrypted
• Body encrypted

Algorithm suite is Basic128Rsa15

   30   <module ref="rampart" />
   31   <module ref="rahas" />
   32   <module ref="addressing" />
   33 
   34   <wsp:Policy
   35     wsu:Id="SecConvPolicy"
   36     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   37     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
   38     <wsp:ExactlyOne>
   39       <wsp:All>
   40 
   41         <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   42           <wsp:Policy>
   43 
   44             <sp:ProtectionToken>
   45               <wsp:Policy>
   46                 <sp:SecureConversationToken
   47                   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
   48                   <wsp:Policy>
   49                     <sp:RequireDerivedKeys />
   50                     <sp:BootstrapPolicy>
   51                       <wsp:Policy>
   52 
   53                         <sp:EncryptedParts>
   54                           <sp:Body />
   55                         </sp:EncryptedParts>
   56 
   57                         <sp:SymmetricBinding>
   58                           <wsp:Policy>
   59                             <sp:ProtectionToken>
   60                               <wsp:Policy>
   61                                 <sp:X509Token
   62                                   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
   63                                   <wsp:Policy>
   64                                     <sp:RequireDerivedKeys />
   65                                     <sp:RequireThumbprintReference />
   66                                     <sp:WssX509V3Token10 />
   67                                   </wsp:Policy>
   68                                 </sp:X509Token>
   69                               </wsp:Policy>
   70                             </sp:ProtectionToken>
   71                             <sp:AlgorithmSuite>
   72                               <wsp:Policy>
   73                                 <sp:Basic128Rsa15 />
   74                               </wsp:Policy>
   75                             </sp:AlgorithmSuite>
   76                             <sp:Layout>
   77                               <wsp:Policy>
   78                                 <sp:Strict />
   79                               </wsp:Policy>
   80                             </sp:Layout>
   81                             <sp:IncludeTimestamp />
   82                             <sp:EncryptSignature />
   83                             <sp:OnlySignEntireHeadersAndBody />
   84                           </wsp:Policy>
   85                         </sp:SymmetricBinding>
   86 
   87                         <sp:EndorsingSupportingTokens>
   88                           <wsp:Policy>
   89                             <sp:X509Token
   90                               sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
   91                               <wsp:Policy>
   92                                 <sp:RequireThumbprintReference />
   93                                 <sp:WssX509V3Token10 />
   94                               </wsp:Policy>
   95                             </sp:X509Token>
   96                           </wsp:Policy>
   97                         </sp:EndorsingSupportingTokens>
   98 
   99                         <sp:Wss11>
  100                           <wsp:Policy>
  101                             <sp:MustSupportRefKeyIdentifier />
  102                             <sp:MustSupportRefIssuerSerial />
  103                             <sp:MustSupportRefThumbprint />
  104                             <sp:MustSupportRefEncryptedKey />
  105                             <sp:RequireSignatureConfirmation />
  106                           </wsp:Policy>
  107                         </sp:Wss11>
  108 
  109                         <sp:Trust10>
  110                           <wsp:Policy>
  111                             <sp:MustSupportIssuedTokens />
  112                             <sp:RequireClientEntropy />
  113                             <sp:RequireServerEntropy />
  114                           </wsp:Policy>
  115                         </sp:Trust10>
  116 
  117                       </wsp:Policy>
  118                     </sp:BootstrapPolicy>
  119                   </wsp:Policy>
  120                 </sp:SecureConversationToken>
  121               </wsp:Policy>
  122             </sp:ProtectionToken>
  123 
  124             <sp:AlgorithmSuite>
  125               <wsp:Policy>
  126                 <sp:Basic128Rsa15 />
  127               </wsp:Policy>
  128             </sp:AlgorithmSuite>
  129 
  130             <sp:Layout>
  131               <wsp:Policy>
  132                 <sp:Strict />
  133               </wsp:Policy>
  134             </sp:Layout>
  135 
  136             <sp:IncludeTimestamp />
  137             <sp:EncryptSignature />
  138             <sp:OnlySignEntireHeadersAndBody />
  139 
  140           </wsp:Policy>
  141         </sp:SymmetricBinding>
  142 
  143         <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  144           <wsp:Policy>
  145             <sp:MustSupportRefKeyIdentifier />
  146             <sp:MustSupportRefIssuerSerial />
  147             <sp:MustSupportRefThumbprint />
  148             <sp:MustSupportRefEncryptedKey />
  149           </wsp:Policy>
  150         </sp:Wss11>
  151 
  152         <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  153           <wsp:Policy>
  154             <sp:MustSupportIssuedTokens />
  155             <sp:RequireClientEntropy />
  156             <sp:RequireServerEntropy />
  157           </wsp:Policy>
  158         </sp:Trust10>
  159 
  160         <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  161           <sp:Body />
  162         </sp:EncryptedParts>
  163 
  164         <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
  165           <ramp:user>service</ramp:user>
  166           <ramp:encryptionUser>client</ramp:encryptionUser>
  167           <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04.PWCBHandler</ramp:passwordCallbackClass>
  168 
  169           <ramp:signatureCrypto>
  170             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
  171               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
  172               <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
  173               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
  174             </ramp:crypto>
  175           </ramp:signatureCrypto>
  176 
  177           <ramp:encryptionCypto>
  178             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
  179               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
  180               <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
  181               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
  182             </ramp:crypto>
  183           </ramp:encryptionCypto>
  184 
  185         </ramp:RampartConfig>
  186 
  187       </wsp:All>
  188     </wsp:ExactlyOne>
  189   </wsp:Policy>
  190 
  191   <parameter name="sct-issuer-config">
  192     <sct-issuer-config>
  193       <cryptoProperties>
  194         <crypto provider="org.apache.ws.security.components.crypto.Merlin">
  195           <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
  196           <property name="org.apache.ws.security.crypto.merlin.file">sts.jks</property>
  197           <property name="org.apache.ws.security.crypto.merlin.keystore.password">password</property>
  198         </crypto>
  199       </cryptoProperties>
  200       <addRequestedAttachedRef />
  201       <addRequestedUnattachedRef />
  202 
  203       <!--
  204         Key computation mechanism
  205         1 - Use Request Entropy
  206         2 - Provide Entropy
  207         3 - Use Own Key
  208       -->
  209       <keyComputation>3</keyComputation>
  210 
  211       <!--
  212         proofKeyType element is valid only if the keyComputation is set to 3
  213         i.e. Use Own Key
  214 
  215         Valid values are: EncryptedKey & BinarySecret
  216       -->
  217       <proofKeyType>BinarySecret</proofKeyType>
  218     </sct-issuer-config>
  219   </parameter>
  220 
  221   <parameter name="token-canceler-config">
  222     <token-canceler-config>
  223 
  224     </token-canceler-config>
  225   </parameter>

WS-Trust

RST - Resquest Security Token Service - Issuing a SAML token - issuing a token

   19 <service>
   20   <!--operation name="echo">
   21     <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
   22     </operation>
   23     <parameter name="ServiceClass" locked="false">org.apache.rampart.samples.policy.sample01.SimpleService</parameter-->
   24 
   25   <module ref="rampart" />
   26   <module ref="addressing" />
   27   <module ref="rahas" />
   28 
   29   <parameter name="saml-issuer-config">
   30     <saml-issuer-config>
   31       <issuerName>SAMPLE_STS</issuerName>
   32       <issuerKeyAlias>service</issuerKeyAlias>
   33       <issuerKeyPassword>apache</issuerKeyPassword>
   34       <cryptoProperties>
   35         <crypto provider="org.apache.ws.security.components.crypto.Merlin">
   36           <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
   37           <property name="org.apache.ws.security.crypto.merlin.file">service.jks</property>
   38           <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
   39         </crypto>
   40       </cryptoProperties>
   41       <timeToLive>300000</timeToLive>
   42       <keySize>256</keySize>
   43       <addRequestedAttachedRef />
   44       <addRequestedUnattachedRef />
   45 
   46       <!--
   47         Key computation mechanism
   48         1 - Use Request Entropy
   49         2 - Provide Entropy
   50         3 - Use Own Key
   51       -->
   52       <keyComputation>2</keyComputation>
   53 
   54       <!--
   55         proofKeyType element is valid only if the keyComputation is set to 3
   56         i.e. Use Own Key
   57 
   58         Valid values are: EncryptedKey & BinarySecret
   59       -->
   60       <proofKeyType>BinarySecret</proofKeyType>
   61       <trusted-services>
   62         <service alias="client">http://localhost:8080/axis2/services/SimpleService</service>
   63       </trusted-services>
   64     </saml-issuer-config>
   65   </parameter>
   66 
   67   <wsp:Policy
   68     wsu:Id="SigOnly"
   69     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   70     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
   71     <wsp:ExactlyOne>
   72       <wsp:All>
   73 
   74         <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   75           <wsp:Policy>
   76             <sp:InitiatorToken>
   77               <wsp:Policy>
   78                 <sp:X509Token
   79                   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
   80                   <wsp:Policy>
   81                     <sp:WssX509V3Token10 />
   82                   </wsp:Policy>
   83                 </sp:X509Token>
   84               </wsp:Policy>
   85             </sp:InitiatorToken>
   86             <sp:RecipientToken>
   87               <wsp:Policy>
   88                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
   89                   <wsp:Policy>
   90                     <sp:WssX509V3Token10 />
   91                   </wsp:Policy>
   92                 </sp:X509Token>
   93               </wsp:Policy>
   94             </sp:RecipientToken>
   95             <sp:AlgorithmSuite>
   96               <wsp:Policy>
   97                 <sp:TripleDesRsa15 />
   98               </wsp:Policy>
   99             </sp:AlgorithmSuite>
  100             <sp:Layout>
  101               <wsp:Policy>
  102                 <sp:Strict />
  103               </wsp:Policy>
  104             </sp:Layout>
  105             <sp:IncludeTimestamp />
  106             <sp:OnlySignEntireHeadersAndBody />
  107           </wsp:Policy>
  108         </sp:AsymmetricBinding>
  109 
  110         <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  111           <wsp:Policy>
  112             <sp:MustSupportRefKeyIdentifier />
  113             <sp:MustSupportRefIssuerSerial />
  114           </wsp:Policy>
  115         </sp:Wss10>
  116 
  117         <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  118           <sp:Body />
  119         </sp:SignedParts>
  120 
  121         <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
  122 
  123           <ramp:user>service</ramp:user>
  124           <ramp:encryptionUser>client</ramp:encryptionUser>
  125           <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample05.PWCBHandler</ramp:passwordCallbackClass>
  126 
  127           <ramp:signatureCrypto>
  128             <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
  129               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
  130               <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
  131               <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
  132             </ramp:crypto>
  133           </ramp:signatureCrypto>
  134 
  135         </ramp:RampartConfig>
  136 
  137       </wsp:All>
  138     </wsp:ExactlyOne>
  139   </wsp:Policy>
  140 
  141 </service>

There's a lot of detail and information to catch up on, but it'll probably not turn out as bad as looks here at first glance. One thing I do like is that the references to keystores are in the same context and thereby closer coupled, since I do remember fiddling with all those seperate and loosely couples files.

Runnning the Axis2 Rampart sample "04. Message integrity and non-repudiation with signature"

In a the post Rampart basic examples - how you add WS-Security to Axis2 I listed all the great examples. In this post I'll actually run one of the samples and show the generated messages. I'll take the fourth sample Message integrity and non-repudiation with signature since it's simple and adds great value with both integrity and authentication since only the sender can sign with the X509 certificate (except when the certificate is shared like here :-).

In the binary distribution of Rampart in the samples/basic folder the README.txt explains how to the run the samples:

You can use the ant build script provided here to run these samples.

Exmaple: Running sample - 01
    - Start two shell instnaces and change to the directory where this file is
    - To start the service:
      $ ant service.01
    - To run client:
      $ ant client.01

--------------------------------------------------------------------------------
NOTE: To view the messages exchanged
    - Change the "client.port" property in the "build.xml" to an available port
          E.g. : >property name="client.port" value="9080"/<
        - Setup tcpmon (http://ws.apache.org/commons/tcpmon/) to listen on the above
          port and to point to port 8080 (value of the service.port property)

which is quite easy, though I needed to do a couple of small fixes.

The Service (serverside)

First I wanted to start the service/server. Here's what I did to get it running:

• setup the environment variable AXIS2_HOME. I first downloaded the Axis2 nightly to end up with a problem with running the client so I'll suggest you use Axis2 version 1.3.
• Prepare to show messages with TCPMon by changing the client.port property:

  <property name="client.port" value="9999"/>

• In <macrodef name="create.service.repo"> I changed:

  <copy file="${modules.dir}/${rampart.mar}" tofile="${service.repos.dir}/sample@{sample.number}/modules/${rampart.mar}" overwrite="true"/>
  

  to

  <copy file="../../${rampart.mar}" tofile="${service.repos.dir}/sample@{sample.number}/modules/${rampart.mar}" overwrite="true"/>
  

• Added the following fileset to the classpath on both the javac and java tasks:

  <fileset dir="../../lib">
    <include name="*.jar"/>
  </fileset>
  

Then I was able to start the service (where <RAMPART_DIR> is where I unzipped Rampart-1.3):

$ ant service.04
Buildfile: build.xml

check.dependency:

service.04:
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/service_repositories/sample04/modules
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/service_repositories/sample04/modules
    [javac] Compiling 2 source files to <RAMPART_DIR>/samples/basic/build/temp
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/temp/META-INF
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/temp
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/temp
      [jar] Building jar: <RAMPART_DIR>/samples/basic/build/service_repositories/sample04/services/sample04.aar
   [delete] Deleting directory <RAMPART_DIR>/samples/basic/build/temp
     [java] [SimpleHTTPServer] Starting
     [java] [SimpleHTTPServer] Using the Axis2 Repository <RAMPART_DIR>/samples/basic/build/service_repositories/sample04
     [java] [SimpleHTTPServer] Listening on port 8080
     [java] 2008-01-11 20:21:10,948 INFO  org.apache.axis2.deployment.ModuleDeployer - Deploying module: addressing-SNAPSHOT - file:<RAMPART_DIR>/samples/basic/build/service_repositories/sample04/modules/addressing-SNAPSHOT.mar
     [java] 2008-01-11 20:21:11,737 INFO  org.apache.axis2.deployment.ModuleDeployer - Deploying module: rampart-1.3 - file:<RAMPART_DIR>/samples/basic/build/service_repositories/sample04/modules/rampart-1.3.mar
     [java] 2008-01-11 20:21:12,036 INFO  org.apache.axis2.deployment.ServiceDeployer - Deploying Web service: sample04.aar - file:<RAMPART_DIR>/samples/basic/build/service_repositories/sample04/services/sample04.aar
     [java] 2008-01-11 20:21:12,096 INFO  org.apache.axis2.transport.http.server.DefaultConnectionListener - Listening on port 8080
     [java] [SimpleHTTPServer] Started

The client

Running the client is very much like the service, though I first got this error when I used the Axis2 nightly:

     [java] Exception in thread "main" org.apache.axis2.deployment.DeploymentException: javax/jms/BytesMessage
     [java]     at org.apache.axis2.deployment.AxisConfigBuilder.processTransportSenders(AxisConfigBuilder.java:596)
     [java]     at org.apache.axis2.deployment.AxisConfigBuilder.populateConfig(AxisConfigBuilder.java:117)
     [java]     at org.apache.axis2.deployment.DeploymentEngine.populateAxisConfiguration(DeploymentEngine.java:628)
     [java]     at org.apache.axis2.deployment.FileSystemConfigurator.getAxisConfiguration(FileSystemConfigurator.java:115)
     [java]     at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContext(ConfigurationContextFactory.java:64)
     [java]     at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContextFromFileSystem(ConfigurationContextFactory.java:180)
     [java]     at org.apache.rampart.samples.sample04.Client.main(Unknown Source)
     [java] Caused by: java.lang.NoClassDefFoundError: javax/jms/BytesMessage
     [java]     at java.lang.Class.getDeclaredConstructors0(Native Method)
     [java]     at java.lang.Class.privateGetDeclaredConstructors(Class.java:2389)
     [java]     at java.lang.Class.getConstructor0(Class.java:2699)
     [java]     at java.lang.Class.newInstance0(Class.java:326)
     [java]     at java.lang.Class.newInstance(Class.java:308)
     [java]     at org.apache.axis2.deployment.AxisConfigBuilder.processTransportSenders(AxisConfigBuilder.java:581)
     [java]     ... 6 more
     [java] Java Result: 1

looks like theree's been some changes to the deployment file format though I haven't checked it out. After also doing the last two steps for the serverside for the clientside target I was able to run the client:

     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/client_repositories/sample04/conf
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/client_repositories/sample04/modules
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/client_repositories/sample04/modules
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/temp_client
     [copy] Copying 1 file to <RAMPART_DIR>/samples/basic/build/temp_client
     [java] <ns:echoResponse xmlns:ns="http://sample04.samples.rampart.apache.org"<>ns:return>Hello world</ns:return></ns:echoResponse>

Nice, but hard to tell whether WS-Security actually was used so let's have a look at the messages that was exchanged.

The messages

Request

The request had the following HTTP headers:

POST /axis2/services/sample04 HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: "urn:echo"
User-Agent: Axis2
Host: localhost:9999
Transfer-Encoding: chunked

and the SOAP request, where the SOAP-header carries the WS-Security elements:

    1 <?xml version='1.0' encoding='UTF-8'?>
    2 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    3   <soapenv:Header>
    4     <wsse:Security
    5       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    6       soapenv:mustUnderstand="1">
    7       <wsse:BinarySecurityToken
    8         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    9         EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
   10         ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
   11         wsu:Id="CertId-148082">
   12         MIICTDC....UiaNKiQiu16JCnxc8tGSw3nSPg44aLYmA==
   13       </wsse:BinarySecurityToken>
   14       <ds:Signature
   15         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
   16         Id="Signature-21878616">
   17         <ds:SignedInfo>
   18           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   19           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
   20           <ds:Reference URI="#id-24778599">
   21             <ds:Transforms>
   22               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   23             </ds:Transforms>
   24             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
   25             <ds:DigestValue>aIRDYzmMgF/dcP7cUJS6B6T7q8k=</ds:DigestValue>
   26           </ds:Reference>
   27         </ds:SignedInfo>
   28         <ds:SignatureValue>
   29           TVbeyvg....9SH/13k1qpki9...+ZZM+9sIsFs=
   30         </ds:SignatureValue>
   31         <ds:KeyInfo Id="KeyId-6400263">
   32           <wsse:SecurityTokenReference
   33             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   34             wsu:Id="STRId-3115866">
   35             <wsse:Reference
   36               URI="#CertId-148082"
   37               ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
   38           </wsse:SecurityTokenReference>
   39         </ds:KeyInfo>
   40       </ds:Signature>
   41       <wsu:Timestamp
   42         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   43         wsu:Id="Timestamp-20735553">
   44         <wsu:Created>2008-01-11T19:46:23.656Z</wsu:Created>
   45         <wsu:Expires>2008-01-11T19:51:23.656Z</wsu:Expires>
   46       </wsu:Timestamp>
   47     </wsse:Security>
   48   </soapenv:Header>
   49   <soapenv:Body
   50     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   51     wsu:Id="id-24778599">
   52     <ns1:echo xmlns:ns1="http://sample04.samples.rampart.apache.org">
   53       <param0>Hello world</param0>
   54     </ns1:echo>
   55   </soapenv:Body>
   56 </soapenv:Envelope>

Response

The response had these HTTP headers:

HTTP/1.1 200 OK
Date: Fri, 11 Jan 2008 19:46:24 GMT
Server: Simple-Server/1.1
Transfer-Encoding: chunked
Content-Type: text/xml; charset=UTF-8

and the SOAP response which is symmetrical to the request:

    1 <?xml version='1.0' encoding='UTF-8'?>
    2 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    3   <soapenv:Header>
    4     <wsse:Security
    5       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    6       soapenv:mustUnderstand="1">
    7       <wsse:BinarySecurityToken
    8         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    9         EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
   10         ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
   11         wsu:Id="CertId-2150700">
   12         MIICTjCCAbcCBEbJZQEw....AqNbjO7+Jbm6+3pyYagQoBpdHZLnR....A3+5xl4VI.......bGxa4+vIbbV4CaUG5s5x
   13       </wsse:BinarySecurityToken>
   14       <ds:Signature
   15         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
   16         Id="Signature-6302571">
   17         <ds:SignedInfo>
   18           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   19           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
   20           <ds:Reference URI="#id-26343425">
   21             <ds:Transforms>
   22               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   23             </ds:Transforms>
   24             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
   25             <ds:DigestValue>f0hkA2SGmWtioGBaLwlfsGbSgMk=</ds:DigestValue>
   26           </ds:Reference>
   27           <ds:Reference URI="#SigConf-18206828">
   28             <ds:Transforms>
   29               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   30             </ds:Transforms>
   31             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
   32             <ds:DigestValue>W1coTKqCERwIlbeiGL83w7pAEi4=</ds:DigestValue>
   33           </ds:Reference>
   34         </ds:SignedInfo>
   35         <ds:SignatureValue>
   36           IgzqToPMv...ZNrYDe/29JFnAkl....BAYOZMtCPs2XG0btNpX2BegULxk=
   37         </ds:SignatureValue>
   38         <ds:KeyInfo Id="KeyId-7435043">
   39           <wsse:SecurityTokenReference
   40             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   41             wsu:Id="STRId-4070344">
   42             <wsse:Reference
   43               URI="#CertId-2150700"
   44               ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
   45           </wsse:SecurityTokenReference>
   46         </ds:KeyInfo>
   47       </ds:Signature>
   48       <wsu:Timestamp
   49         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   50         wsu:Id="Timestamp-18092261">
   51         <wsu:Created>2008-01-11T19:46:24.558Z</wsu:Created>
   52         <wsu:Expires>2008-01-11T19:51:24.558Z</wsu:Expires>
   53       </wsu:Timestamp>
   54       <wsse11:SignatureConfirmation
   55         xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
   56         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   57         Value="TVbeyvgLy...1QgDj8Nau0Fp+ZZM+9sIsFs="
   58         wsu:Id="SigConf-18206828" />
   59     </wsse:Security>
   60   </soapenv:Header>
   61   <soapenv:Body
   62     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   63     wsu:Id="id-26343425">
   64     <ns:echoResponse xmlns:ns="http://sample04.samples.rampart.apache.org">
   65       <ns:return>Hello world</ns:return>
   66     </ns:echoResponse>
   67   </soapenv:Body>
   68 </soapenv:Envelope>

Looking at the configuration for the serverside:

   32   <parameter name="InflowSecurity">
   33     <action>
   34       <items>Timestamp Signature</items>
   35       <signaturePropFile>service.properties</signaturePropFile>
   36     </action>
   37   </parameter>
   38 
   39   <parameter name="OutflowSecurity">
   40     <action>
   41       <items>Timestamp Signature</items>
   42       <user>service</user>
   43       <passwordCallbackClass>org.apache.rampart.samples.sample04.PWCBHandler</passwordCallbackClass>
   44       <signaturePropFile>service.properties</signaturePropFile>
   45       <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
   46     </action>
   47   </parameter>

I can be seen that in verifying the request there's a demand for the Timestamp and the certificate used for the signature to be accepted based on the properties in service.properties. In this specific request the public part is embedded in the BinarySecurityToken and only the path or the specific certificate is to be checked. In the response the DirectReference makes the public part of the X509 certificate embedded with BinarySecurityToken and the password callback is needed to access the private key for creating the signature.