Posted to user@tuscany.apache.org by Blue Diamond <gv...@gmail.com> on 2010/05/20 15:54:24 UTC

[Tuscany 1.6] Applying security policy that works on all bindings

Hi,

I have a requirement: say I define a new intent called "AuthToken" (and will
write its policy, policy handler, interceptor, processor etc.) and use it
for multiple bindings, say binding.ws and binding.jms.

Inside the interceptor, say we'll set
message.getHeaders().add(contents of AuthToken)

If this mechanism is binding independent, then the BasicAuthentication
scheme (with username & password) used in samples
(itest-policy-security-basicauth) should work in binding.jms also, right? But
it didn't work. Is security policy completely supported on all bindings? Or
are there any limitations to it?

We want to have a solution that works at least on jms & ws. Is there any
existing solution in Tuscany 1.6 already that can solve this?

Please help.

Thanks & Regards,
Anil

Re: [Tuscany 1.6] Applying security policy that works on all bindings

Posted by Simon Laws <si...@googlemail.com>.
On Thu, May 20, 2010 at 2:54 PM, Blue Diamond <gv...@gmail.com> wrote:
> Hi,
> I have a requirement that say I define a new intent called "AuthToken" (will
> write its policy, policy handler, interceptor, processor etc.) and use it
> for multiple bindings say binding.ws, binding.jms.
> Inside the interceptor, say we'll set
> message.getHeaders().add(contents of AuthToken)
> If this mechanism is binding independent, then the BasicAuthentication
> scheme (with username & password) used in samples
> (itest-policy-security-basicauth) should work in binding.jms also right? But
> it didn't work. Is security policy completely supported on all bindings? Or
> are there any limitations to it?
> We want to have a solution that works at least on jms & ws. Is there any
> existing solution in Tuscany 1.6 already that can solve this?
> Please help.
> Thanks & Regards,
> Anil

Hi Anil

The short answer is that there isn't a consistent mechanism for
getting header information into binding specific protocols in 1.x.

Having said that, there were some experiments in 1.x with some
arbitrary token based authentication. There is a test here [1]. The
problem faced was that while the JMS binding implementation exploits
the binding wire infrastructure, which effectively allows you to add
interceptors into the guts of the binding implementation, the web
service binding does not. To get the token into the SOAP header we had
to make changes to the ws binding as well as creating policy
interceptors.

We will fix the ws binding for 2.x to make it more flexible but that
doesn't make your life easier on 1.x. However, as you are focused on WS
and JMS you may be able to exploit what was done for the auth token
support. Can you take a look at it and see what's missing from your
point of view?

Regards

Simon

[1] http://svn.apache.org/repos/asf/tuscany/sca-java-1.x/trunk/itest/policy-security-token/

-- 
Apache Tuscany committer: tuscany.apache.org
Co-author of a book about Tuscany and SCA: tuscanyinaction.com
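
The token-in-header pattern discussed in this thread, as an added example that is not code from the thread or from Tuscany: a reference-side interceptor attaches the token, a service-side interceptor fails closed if it is absent, and a binding that does not map headers into its protocol is modelled by copying only the body. Message, Invoker, AuthToken, addToken and requireToken are simplified stand-ins assumed for illustration, not Tuscany's real interfaces.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

// Simplified stand-ins for the SCA wire types (assumptions, not Tuscany's real interfaces).
public class AuthTokenWireDemo {
    record AuthToken(String value) {}

    static class Message {
        final List<Object> headers = new ArrayList<>();
        final Object body;
        Message(Object body) { this.body = body; }
    }

    interface Invoker { Message invoke(Message msg); }

    // Reference side: attaches the token as a header and knows nothing about the binding.
    static Invoker addToken(String token, Invoker next) {
        return msg -> { msg.headers.add(new AuthToken(token)); return next.invoke(msg); };
    }

    // Service side: rejects the call unless exactly one matching token header is present.
    static Invoker requireToken(String expected, Invoker next) {
        byte[] want = expected.getBytes(StandardCharsets.UTF_8);
        return msg -> {
            List<AuthToken> tokens = msg.headers.stream()
                .filter(AuthToken.class::isInstance).map(AuthToken.class::cast).toList();
            // Fail closed on a missing or duplicated header; compare in constant time.
            if (tokens.size() != 1 || !MessageDigest.isEqual(
                    want, tokens.get(0).value().getBytes(StandardCharsets.UTF_8))) {
                throw new SecurityException("AuthToken missing or invalid");
            }
            return next.invoke(msg);
        };
    }

    public static void main(String[] args) {
        Invoker service = msg -> new Message("hello " + msg.body);
        String secret = "constructed-sample-token"; // constructed value, not a real credential
        // Binding that carries headers across the wire: the token arrives and the call succeeds.
        Invoker ok = addToken(secret, requireToken(secret, service));
        System.out.println(ok.invoke(new Message("anil")).body);
        // Binding that drops headers in transit, modelled by forwarding only the body.
        Invoker lossy = addToken(secret, m -> requireToken(secret, service).invoke(new Message(m.body)));
        try { lossy.invoke(new Message("anil")); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Running it with Java 16 or later shows the same interceptor pair succeeding over the header-preserving path and being rejected over the lossy one.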