Posted to rampart-dev@ws.apache.org by Alan Sunley <al...@gmail.com> on 2007/10/24 18:51:26 UTC
Question Regarding Initiator and Recipient Token
Greetings,
Using a policy configuration, is it possible to construct a policy that
signs and encrypts a message from requestor to service, and the
response to be encrypted using the same key - by sending the
certificate along with the request message?
I'm looking at AsymmetricBinding and finding the Initiator / Recipient
Token concept somewhat confusing. By defining a RecipientToken the
message will be encrypted from initiator to recipient (what I require)
and the response signed from recipient to initiator (I don't require).
Is it not possible to specify only one of these actions? Indeed, is
it possible to achieve my policy requirements using
AsymmetricBinding?
Just as a quick aside - when including a UsernameToken using a policy
configuration, is it possible to specify a username dynamically, like
it is using basic configuration?
As another aside - are there any editors available for constructing
policy documents?
Many Thanks,
Alan.
Re: Question Regarding Initiator and Recipient Token
Posted by Alan Sunley <al...@ntlworld.com>.
Thanks for your reply Nandana.
> Whether the message needs to be signed or encrypted and what parts
> should be signed or encrypted has to be defined separately in the policy.
I gather we can specify which parts are signed and encrypted but I
don't fully understand how to specify an outflow configuration that
is different from the inflow configuration, and vice versa, when using a
policy based configuration.
Ideally I want the service to only have the certificate of the issuer
that has issued the client certificates/keys, very similar to the
scenario in this article: http://wso2.org/library/255 I'm just not sure
how to implement a policy based configuration of this scenario.
I've pasted my current policy after this message, I'm still
experimenting though it's basically very similar to the example policy.
To include the key with the request do I need to specify this policy:
<sp:MustSupportRefEmbeddedToken /> ? And in the rampartconfig:
<ramp:encryptionUser>useReqSigCert</ramp:encryptionUser> ?
Another quick question if I may: is it possible to specify multiple
services with different policies, within a serviceGroup in the same
services.xml file?
Thanks for your time,
Alan.
services.xml:
<service name="SignEncryptService" scope="request"
         targetNamespace="http://webservice.example.com/xsd">
    <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <parameter name="ServiceClass" locked="false">com.example.service.SimpleService</parameter>
    <module ref="rampart"/>
    <module ref="addressing"/>
    <wsp:Policy wsu:Id="SigEncr"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <!-- Initiator/Recipient tokens name the keys used to sign and encrypt;
                     which message parts are covered is declared in SignedParts/EncryptedParts below -->
                <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:InitiatorToken>
                            <wsp:Policy>
                                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10/>
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:InitiatorToken>
                        <sp:RecipientToken>
                            <wsp:Policy>
                                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10/>
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:RecipientToken>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:TripleDesRsa15/>
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict/>
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp/>
                        <sp:OnlySignEntireHeadersAndBody/>
                    </wsp:Policy>
                </sp:AsymmetricBinding>
                <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:MustSupportRefKeyIdentifier/>
                        <sp:MustSupportRefIssuerSerial/>
                    </wsp:Policy>
                </sp:Wss10>
                <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <sp:Body/>
                </sp:SignedParts>
                <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <sp:Body/>
                </sp:EncryptedParts>
                <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                    <ramp:user>example-ca</ramp:user>
                    <!-- useReqSigCert: encrypt the response to the certificate that signed the request -->
                    <ramp:encryptionUser>useReqSigCert</ramp:encryptionUser>
                    <ramp:passwordCallbackClass>com.learnpipe.webservice.PWCBHandler</ramp:passwordCallbackClass>
                    <ramp:signatureCrypto>
                        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:/Development/Security/Test/vendor/vendor2.jks</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">testpass</ramp:property>
                        </ramp:crypto>
                    </ramp:signatureCrypto>
                    <!-- the element really is spelled "encryptionCypto" in Rampart's config schema -->
                    <ramp:encryptionCypto>
                        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:/Development/Security/Test/vendor/vendor2.jks</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">testpass</ramp:property>
                        </ramp:crypto>
                    </ramp:encryptionCypto>
                </ramp:RampartConfig>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
</service>
Nandana Mihindukulasooriya wrote:
> Hi,
>
>> Using a policy configuration is it possible to construct a policy that
>> signs and encrypts a message from requestor to service, and the
>> response to be encrypted using the same key - by sending the
>> certificate along with the request message?
>
> In encryption, first an encrypted key is created by encrypting a symmetric
> key with the recipient's public key. Then that symmetric key is used to
> encrypt the message. The encrypted key is sent along with the message
> so that the recipient can decrypt the encrypted key and extract the
> symmetric key. Then that symmetric key can be used to decrypt the
> actual SOAP parts that were encrypted.
> In the current implementation, even if you use an asymmetric binding,
> the same encrypted key is used to encrypt the request and the response.
> So anyway, the same encrypted key is used to encrypt the request and
> the response.
>
>> I'm looking at AsymmetricBinding and finding the Initiator / Recipient
>> Token concept somewhat confusing. By defining a RecipientToken the
>> message will be encrypted from initiator to recipient (what I require)
>> and the response signed from recipient to initiator (I don't require)
>
> AFAIK, defining the Initiator token and Recipient token has nothing
> to do with what parts are signed and encrypted. That only defines what
> tokens are to be used for signing and encryption. Whether the message
> needs to be signed or encrypted and what parts should be signed or
> encrypted has to be defined separately in the policy. Can you post the
> policy you are using?
>
>> Is it not possible to specify only one of these actions?
>
> Yes, it is possible.
>
>> Just as a quick aside - when including a UsernameToken using a policy
>> configuration, is it possible to specify a username dynamically, like
>> it is using basic configuration?
>
> Yes, you can provide the username using a RampartConfig Assertion
> in the policy or programmatically setting the username of the
> RampartConfig.
>
>> As another aside - are there any editors available for constructing
>> policy documents?
>
> I am working on one for Rampart. Hopefully I will be able to finish it
> soon. :)
>
> Regards,
> Nandana
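Added example (Go, not Rampart code and not from this thread) of the arrangement asked about above: the service keeps only the issuing CA's certificate, the client sends its own certificate with the request (the InitiatorToken is included AlwaysToRecipient), and the service encrypts the response to that certificate, which is what encryptionUser=useReqSigCert asks Rampart/WSS4J for. The CA and client names (example-ca, vendor2, impostor), serial numbers, validity periods and the 24-byte response key are constructed for the example; Go's crypto/x509 chain validation stands in for the certificate-path check that the signature verifier performs before the request certificate is trusted.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for pub. With parent == nil it is self-signed by
// signerKey (the example CA); otherwise parent/signerKey is the issuing CA.
// Names, serials and validity are constructed for this example.
func issue(cn string, pub *rsa.PublicKey, isCA bool, parent *x509.Certificate, signerKey *rsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Service keeps only the issuer certificate it trusts, never client certificates.
type Service struct{ trust *x509.CertPool }

// WrapResponseKey models encryptionUser=useReqSigCert: the certificate carried
// in the request's BinarySecurityToken must chain to the trusted issuer and be
// usable for key encipherment before the response key is wrapped for it.
// RSA-1.5 matches the TripleDesRsa15 suite in the posted policy.
func (s *Service) WrapResponseKey(reqSigCert *x509.Certificate, key []byte) ([]byte, error) {
	opts := x509.VerifyOptions{Roots: s.trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := reqSigCert.Verify(opts); err != nil {
		return nil, fmt.Errorf("request certificate not trusted: %w", err)
	}
	if reqSigCert.KeyUsage != 0 && reqSigCert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		return nil, errors.New("request certificate is not allowed to encipher keys")
	}
	pub, ok := reqSigCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("request certificate does not carry an RSA key")
	}
	return rsa.EncryptPKCS1v15(rand.Reader, pub, key)
}

// Demo builds a CA the service trusts, a client issued by it, and a self-signed
// impostor. It reports whether the genuine client recovered the response key
// and whether the impostor was refused.
func Demo() (trustedRecovered, rogueRefused bool, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	caCert, err := issue("example-ca", &caKey.PublicKey, true, nil, caKey, 1)
	if err != nil {
		return
	}
	clientKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	clientCert, err := issue("vendor2", &clientKey.PublicKey, false, caCert, caKey, 2)
	if err != nil {
		return
	}
	rogueKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	rogueCert, err := issue("impostor", &rogueKey.PublicKey, false, nil, rogueKey, 3)
	if err != nil {
		return
	}

	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	svc := &Service{trust: pool}

	respKey := make([]byte, 24) // constructed 3DES key for the response
	rand.Read(respKey)
	wrapped, err := svc.WrapResponseKey(clientCert, respKey)
	if err != nil {
		return
	}
	got, err := rsa.DecryptPKCS1v15(rand.Reader, clientKey, wrapped)
	if err != nil {
		return
	}
	trustedRecovered = bytes.Equal(got, respKey)

	_, rogueErr := svc.WrapResponseKey(rogueCert, respKey)
	rogueRefused = rogueErr != nil
	return
}

func main() {
	ok, refused, err := Demo()
	fmt.Printf("genuine client recovered key: %v, impostor refused: %v, error: %v\n", ok, refused, err)
}
```

The ordering is the point worth keeping from the model: the request certificate becomes an encryption target only after it has been validated against the issuer the service trusts, so a self-issued certificate attached to a request cannot redirect the response to a key the attacker holds.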
Re: Question Regarding Initiator and Recipient Token
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi,
> Using a policy configuration is it possible to construct a policy that
> signs and encrypts a message from requestor to service, and the
> response to be encrypted using the same key - by sending the
> certificate along with the request message?
In encryption, first an encrypted key is created by encrypting a symmetric
key with the recipient's public key. Then that symmetric key is used to
encrypt the message. The encrypted key is sent along with the message
so that the recipient can decrypt the encrypted key and extract the
symmetric key. Then that symmetric key can be used to decrypt the
actual SOAP parts that were encrypted.
In the current implementation, even if you use an asymmetric binding,
the same encrypted key is used to encrypt the request and the response.
So anyway, the same encrypted key is used to encrypt the request and
the response.
> I'm looking at AsymmetricBinding and finding the Initiator / Recipient
> Token concept somewhat confusing. By defining a RecipientToken the
> message will be encrypted from initiator to recipient (what I require)
> and the response signed from recipient to initiator (I don't require)
AFAIK, defining the Initiator token and Recipient token has nothing
to do with what parts are signed and encrypted. That only defines what
tokens are to be used for signing and encryption. Whether the message
needs to be signed or encrypted and what parts should be signed or
encrypted has to be defined separately in the policy. Can you post the
policy you are using?
> Is it not possible to specify only one of these actions?
Yes, it is possible.
> Just as a quick aside - when including a UsernameToken using a policy
> configuration, is it possible to specify a username dynamically, like
> it is using basic configuration?
Yes, you can provide the username using a RampartConfig Assertion
in the policy or programmatically setting the username of the
RampartConfig.
> As another aside - are there any editors available for constructing
> policy documents?
I am working on one for Rampart. Hopefully I will be able to finish it
soon. :)
Regards,
Nandana
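Nandana's description of the encryption flow (a symmetric key wrapped under the recipient's public key and sent with the request as an EncryptedKey, then the same key reused for the response) as an added Go model of the exchange; this is not Rampart or WSS4J code and not from the thread. The struct name, the Id EncKeyId-1 and the sample bodies are constructed; the algorithms follow the TripleDesRsa15 suite in the posted policy (3DES-CBC for the parts, RSA-1.5 for the key transport), and the response carries only a reference to the request's EncryptedKey, which is the reuse described above.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
)

// EncryptedKey models xenc:EncryptedKey in the request's Security header: the
// symmetric key wrapped under the recipient's public key, with an Id that the
// EncryptedData of the request and of the response both refer to.
type EncryptedKey struct {
	ID          string
	CipherValue []byte
}

// NewRecipientKey stands in for the service's keystore entry (constructed).
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// encryptPart is 3DES-CBC with PKCS#7 padding and the IV prepended, the way
// XML Encryption carries an encrypted SOAP Body under the TripleDes suites.
func encryptPart(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	pad := bs - len(plaintext)%bs
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := make([]byte, bs)
	rand.Read(iv) // crypto/rand is documented never to return an error
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// decryptPart reverses encryptPart and rejects malformed input instead of panicking.
func decryptPart(key, data []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(data) < 2*bs || len(data)%bs != 0 {
		return nil, errors.New("ciphertext is not an IV plus whole blocks")
	}
	pt := make([]byte, len(data)-bs)
	cipher.NewCBCDecrypter(block, data[:bs]).CryptBlocks(pt, data[bs:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > bs {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

// Exchange runs one request/response. The initiator makes a fresh 3DES key,
// wraps it for the recipient (RSA-1.5 key transport, as TripleDesRsa15 selects)
// and encrypts the request under it; the recipient unwraps the key, reads the
// request and encrypts the response under the same key, sending back only the
// reference "#EncKeyId-1" and no new EncryptedKey.
func Exchange(recipient *rsa.PrivateKey, request, response []byte) (gotRequest, gotResponse []byte, err error) {
	sessionKey := make([]byte, 24)
	rand.Read(sessionKey)
	var wrapped, reqBody []byte
	if wrapped, err = rsa.EncryptPKCS1v15(rand.Reader, &recipient.PublicKey, sessionKey); err != nil {
		return
	}
	ek := EncryptedKey{ID: "EncKeyId-1", CipherValue: wrapped}
	if reqBody, err = encryptPart(sessionKey, request); err != nil {
		return
	}
	reqKeyRef := "#" + ek.ID // KeyInfo reference carried by the request's EncryptedData

	// recipient: only the holder of the private key can recover the session key
	var recKey, respBody []byte
	if recKey, err = rsa.DecryptPKCS1v15(rand.Reader, recipient, ek.CipherValue); err != nil {
		return
	}
	if gotRequest, err = decryptPart(recKey, reqBody); err != nil {
		return
	}
	if respBody, err = encryptPart(recKey, response); err != nil {
		return
	}
	respKeyRef := reqKeyRef // the response points back at the request's EncryptedKey

	// initiator: it already holds the key behind that reference, so no unwrap is needed
	if respKeyRef != "#"+ek.ID {
		err = errors.New("response refers to an unknown EncryptedKey")
		return
	}
	gotResponse, err = decryptPart(sessionKey, respBody)
	return
}

func main() {
	priv, _ := NewRecipientKey()
	req, resp, err := Exchange(priv, []byte("<echo>hello</echo>"), []byte("<echoResponse>hello</echoResponse>"))
	fmt.Printf("recipient read: %s\ninitiator read: %s\nerror: %v\n", req, resp, err)
}
```

RSA-1.5 (PKCS#1 v1.5) key transport is the part to be wary of: it is the padding scheme behind Bleichenbacher-style oracle attacks, and the suites without the Rsa15 suffix (Basic256, Basic128, TripleDes) use RSA-OAEP instead; in Go that is rsa.EncryptOAEP in place of rsa.EncryptPKCS1v15. Because the response reuses the request's key, the response is only as confidential as that one key transport.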