Posted to rampart-dev@ws.apache.org by Harshit Bapna <ha...@arcot.com> on 2010/09/13 09:18:32 UTC

Can UserName & WssX509V3Token10 Token be used simultaneously ?

Hi All,

I am thinking of using RAMPART module for ws security.

Requirement:
To perform endpoint authentication as well as user authentication.

Client endpoint authentication :- To allow only a configured client to invoke the web service.
User authentication :- To allow only a specific user/actor to invoke the service. The reason for this requirement is that the same endpoint can be used by different types of users (Admin, CSR, normal user).

I have gone through the various samples 1-8 supplied with the rampart 1.5 install.

Question:
1. Can I combine UserName & WssX509V3Token10 tokens for user and endpoint auth?
    UserName token - for user authentication
    WssX509V3Token10 - for endpoint PKI credential authentication

2. Also, can the secure conversation benefits be available when the above two types of tokens are used?


If you have any better suggestion to handle this requirement please let me know.

Harshit Bapna
Team Lead
Arcot Systems

Re: Can UserName & WssX509V3Token10 Token be used simultaneously ?

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Harshit,
         In that case, the best solution for you is to set the rampart
configuration dynamically at runtime [1].

Best Regards,
Nandana

[1] - http://blog.thilinamb.com/2009/12/how-to-build-rampart-config.html

On Thu, Sep 16, 2010 at 2:00 PM, Harshit Bapna <hr...@gmail.com> wrote:

> Hello Nandana,
>
> I would like to first state what I am trying to achieve through the Rampart
> module.
>
> Rampart is superb for endpoint authentication, i.e. only an authentic client
> can invoke the service. We can use various credentials such as a
> WssX509V3Token10 token or a UserName token to authenticate a client.
>
> Now there can be many users who might be invoking the service from that
> trusted client (say, trusted using a PKI credential).
> So I want to also authenticate the actors/users who are invoking the
> service.
>
> We need to provide the clientKey alias (required for endpoint auth) in the
> rampart-user tag in the rampart config.
> Now, if I want to use the UserName token for the user (described above),
> then how can I pass the userName value?
>
> Let me know if it's still not clear.
>
>
> On Thu, Sep 16, 2010 at 5:06 PM, Nandana Mihindukulasooriya <
> nandana.cse@gmail.com> wrote:
>
> > Hi Harshit,
> >        I don't understand the relationship between the fact that different
> > users have to invoke the service and the rampart-user parameter on the
> > server side. It's the identity of the service. Most of the time the
> > configuration of both user and userCertAlias is necessary only on the
> > client side, because the service doesn't need to create a username token
> > for itself.
> >        Note that verification of a user-name token is done by the password
> > callback handler [1] and you don't need to have those userids in your
> > server-side config to validate them. Check the section "Different usages of
> > the password callback handler" for more details.
> >
> > Best Regards,
> > Nandana
> >
> > [1] - http://wso2.org/library/3733
> >
> >
> > On Thu, Sep 16, 2010 at 1:12 PM, Harshit Bapna <hr...@gmail.com>
> wrote:
> >
> > > Hello Amila & Nandana,
> > >
> > > I want to authenticate the endpoint as well as the various different users
> > > invoking the service.
> > >
> > > Example: users such as devUser, adminUser and csr can use the same
> > > endpoint, say EP1, to send the request.
> > > So the username will keep changing as the service is invoked by different
> > > actors/users.
> > >
> > > But the endpoint is the same, so the endpoint's key won't change. A PKI
> > > signature is used for its authentication.
> > >
> > > Hence rampart-user will have to be modified based on the user's username,
> > > so the question in my earlier mail remains unanswered.
> > > Please let me know if some other approach or a workaround to do both
> > > authentications is possible.
> > >
> > >
> > > On Thu, Sep 16, 2010 at 4:20 PM, Nandana Mihindukulasooriya <
> > > nandana.cse@gmail.com> wrote:
> > >
> > > > Hi Harshit,
> > > >         If you have a user-name token and a key, you can use the two
> > > > parameters user and userCertAlias [1] to provide both of them to the
> > > > Rampart engine.
> > > >
> > > > Best Regards,
> > > > Nandana
> > > >
> > > > [1] - http://ws.apache.org/rampart/rampartconfig-guide.html
> > > >
> > > > On Thu, Sep 16, 2010 at 12:27 PM, Harshit Bapna <hr...@gmail.com>
> > > wrote:
> > > >
> > > > > Thanks Amila for the elaborate response.
> > > > > I have taken sample 04 (SecureConversation), shipped with the rampart 1.5
> > > > > release, as a base.
> > > > > I have added another supporting token, a UserName token, to the policy
> > > > > (see the bold data in the xml below).
> > > > > *Note: I plan to use rampart for endpoint authentication as well as
> > > > > user (actor) authentication.*
> > > > >
> > > > > But I think I can configure only one rampart user, i.e.
> > > > > *<ramp:user>clientKeyName</ramp:user>*.
> > > > > Since I need to pass the UserName token, i.e. the userName, as well, I have
> > > > > configured a rampart config in the supportingTokens (username) tag. I am
> > > > > observing that only the global rampart config is honored,
> > > > > i.e. PWCBHandler1 is not getting invoked and only PWCBHandler is
> > > > > invoked, i.e. the UserName token's username value is not passed in the
> > > > > callback. The callback is invoked 2 times with the identifier "client".
> > > > >
> > > > > Questions:
> > > > > 1. How can I set the userName value & keyAliasName both in rampart? Is
> > > > > there any workaround?
> > > > > 2. Can there be only one rampart config & not a supporting-token-specific
> > > > > config?
> > > > >
> > > > >
> > > > >
> > > > > <wsp:Policy wsu:Id="SecConvPolicy2"
> > > > >   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > > > >   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> > > > >   <wsp:ExactlyOne>
> > > > >     <wsp:All>
> > > > >       <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > > >         <wsp:Policy>
> > > > >           <sp:ProtectionToken>
> > > > >             <wsp:Policy>
> > > > >               <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > > > >                 <wsp:Policy>
> > > > >                   <sp:RequireDerivedKeys/>
> > > > >                   <sp:BootstrapPolicy>
> > > > >                     <wsp:Policy>
> > > > >                       <sp:EncryptedParts>
> > > > >                         <sp:Body/>
> > > > >                       </sp:EncryptedParts>
> > > > >                       <sp:SymmetricBinding>
> > > > >                         <wsp:Policy>
> > > > >                           <sp:ProtectionToken>
> > > > >                             <wsp:Policy>
> > > > >                               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> > > > >                                 <wsp:Policy>
> > > > >                                   <sp:RequireDerivedKeys/>
> > > > >                                   <sp:RequireThumbprintReference/>
> > > > >                                   <sp:WssX509V3Token10/>
> > > > >                                 </wsp:Policy>
> > > > >                               </sp:X509Token>
> > > > >                             </wsp:Policy>
> > > > >                           </sp:ProtectionToken>
> > > > >                           <sp:AlgorithmSuite>
> > > > >                             <wsp:Policy>
> > > > >                               <sp:Basic128Rsa15/>
> > > > >                             </wsp:Policy>
> > > > >                           </sp:AlgorithmSuite>
> > > > >                           <sp:Layout>
> > > > >                             <wsp:Policy>
> > > > >                               <sp:Strict/>
> > > > >                             </wsp:Policy>
> > > > >                           </sp:Layout>
> > > > >                           <sp:IncludeTimestamp/>
> > > > >                           <sp:EncryptSignature/>
> > > > >                           <sp:OnlySignEntireHeadersAndBody/>
> > > > >                         </wsp:Policy>
> > > > >                       </sp:SymmetricBinding>
> > > > >                       <sp:EndorsingSupportingTokens>
> > > > >                         <wsp:Policy>
> > > > >                           <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > > > >                             <wsp:Policy>
> > > > >                               <sp:RequireThumbprintReference/>
> > > > >                               <sp:WssX509V3Token10/>
> > > > >                             </wsp:Policy>
> > > > >                           </sp:X509Token>
> > > > >                         </wsp:Policy>
> > > > >                       </sp:EndorsingSupportingTokens>
> > > > >                       *<sp:SupportingTokens>
> > > > >                         <wsp:Policy>
> > > > >                           <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
> > > > >                           <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> > > > >                             <ramp:user>token2</ramp:user>
> > > > >                             <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler1</ramp:passwordCallbackClass>
> > > > >                           </ramp:RampartConfig>
> > > > >                         </wsp:Policy>
> > > > >                       </sp:SupportingTokens>*
> > > > >                       <sp:Wss11>
> > > > >                         <wsp:Policy>
> > > > >                           <sp:MustSupportRefKeyIdentifier/>
> > > > >                           <sp:MustSupportRefIssuerSerial/>
> > > > >                           <sp:MustSupportRefThumbprint/>
> > > > >                           <sp:MustSupportRefEncryptedKey/>
> > > > >                           <sp:RequireSignatureConfirmation/>
> > > > >                         </wsp:Policy>
> > > > >                       </sp:Wss11>
> > > > >                       <sp:Trust10>
> > > > >                         <wsp:Policy>
> > > > >                           <sp:MustSupportIssuedTokens/>
> > > > >                           <sp:RequireClientEntropy/>
> > > > >                           <sp:RequireServerEntropy/>
> > > > >                         </wsp:Policy>
> > > > >                       </sp:Trust10>
> > > > >                     </wsp:Policy>
> > > > >                   </sp:BootstrapPolicy>
> > > > >                 </wsp:Policy>
> > > > >               </sp:SecureConversationToken>
> > > > >             </wsp:Policy>
> > > > >           </sp:ProtectionToken>
> > > > >           <sp:AlgorithmSuite>
> > > > >             <wsp:Policy>
> > > > >               <sp:Basic128Rsa15/>
> > > > >             </wsp:Policy>
> > > > >           </sp:AlgorithmSuite>
> > > > >           <sp:Layout>
> > > > >             <wsp:Policy>
> > > > >               <sp:Strict/>
> > > > >             </wsp:Policy>
> > > > >           </sp:Layout>
> > > > >           <sp:IncludeTimestamp/>
> > > > >           <sp:EncryptSignature/>
> > > > >           <sp:OnlySignEntireHeadersAndBody/>
> > > > >         </wsp:Policy>
> > > > >       </sp:SymmetricBinding>
> > > > >       <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > > >         <wsp:Policy>
> > > > >           <sp:MustSupportRefKeyIdentifier/>
> > > > >           <sp:MustSupportRefIssuerSerial/>
> > > > >           <sp:MustSupportRefThumbprint/>
> > > > >           <sp:MustSupportRefEncryptedKey/>
> > > > >         </wsp:Policy>
> > > > >       </sp:Wss11>
> > > > >       <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > > >         <wsp:Policy>
> > > > >           <sp:MustSupportIssuedTokens/>
> > > > >           <sp:RequireClientEntropy/>
> > > > >           <sp:RequireServerEntropy/>
> > > > >         </wsp:Policy>
> > > > >       </sp:Trust10>
> > > > >       <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > > >         <sp:Body/>
> > > > >       </sp:EncryptedParts>
> > > > >       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> > > > >         <ramp:user>client</ramp:user>
> > > > >         <ramp:encryptionUser>service</ramp:encryptionUser>
> > > > >         <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler</ramp:passwordCallbackClass>
> > > > >         <ramp:signatureCrypto>
> > > > >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> > > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> > > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> > > > >           </ramp:crypto>
> > > > >         </ramp:signatureCrypto>
> > > > >         <ramp:encryptionCypto>
> > > > >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> > > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> > > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> > > > >           </ramp:crypto>
> > > > >         </ramp:encryptionCypto>
> > > > >       </ramp:RampartConfig>
> > > > >     </wsp:All>
> > > > >   </wsp:ExactlyOne>
> > > > > </wsp:Policy>
> > > > >
> > > > > On Thu, Sep 16, 2010 at 10:30 AM, Amila Jayasekara <
> amilaj@wso2.com>
> > > > > wrote:
> > > > >
> > > > > > Hi Harshit,
> > > > > >   Some answers are inline.
> > > > > > Thanks
> > > > > > AmilaJ
> > > > > >
> > > > > > Harshit Bapna wrote:
> > > > > >
> > > > > >> Hi All,
> > > > > >>
> > > > > >> I am thinking of using RAMPART module for ws security.
> > > > > >>
> > > > > >> Requirement:
> > > > > >> To perform endpoint authentication as well as user authentication.
> > > > > >>
> > > > > >> Client endpoint authentication :- To allow only a configured client to
> > > > > >> invoke the web service.
> > > > > >> User authentication :- To allow only a specific user/actor to invoke the
> > > > > >> service. The reason for this requirement is that the same endpoint can be
> > > > > >> used by different types of users (Admin, CSR, normal user)
> > > > > >>
> > > > > >> I have gone through the various samples 1-8 supplied with the rampart 1.5
> > > > > >> install.
> > > > > >>
> > > > > >> Question:
> > > > > >> 1. Can I combine UserName & WssX509V3Token10 tokens for user and endpoint
> > > > > >> auth?
> > > > > >>    UserName token - for user authentication
> > > > > >>    WssX509V3Token10 - for endpoint PKI credential authentication
> > > > > >>
> > > > > >>
> > > > > >      Yes, you can. In order to get WssX509V3Token10 support you can either
> > > > > > use SymmetricBinding or AsymmetricBinding mechanisms. With one of the above
> > > > > > bindings you can use a UserName token as a supporting token.
> > > > > >
> > > > > >> 2. Also, can the secure conversation benefits be available when the above
> > > > > >> two types of tokens are used?
> > > > > >>
> > > > > >>
> > > > > >   As far as I know you should be able to use secure conversation with the
> > > > > > above mentioned tokens. Again you can use symmetric binding or asymmetric
> > > > > > binding and you should use SecureConversationToken. Thus the user name
> > > > > > token should be added as a supporting token.
> > > > > >
> > > > > >
> > > > > >> If you have any better suggestion to handle this requirement please let
> > > > > >> me know.
> > > > > >>
> > > > > >>
> > > > > > I guess the way you are heading is ok. In case you need more security
> > > > > > you should use SymmetricBinding or AsymmetricBinding. When you use
> > > > > > SymmetricBinding or AsymmetricBinding, the keys used to encrypt/sign each
> > > > > > message differ from one another. But if you are more concerned about
> > > > > > performance you can use Secure conversation. In secure conversation Rampart
> > > > > > uses the same key to encrypt/sign messages for a given period of time.
> > > > > >
> > > > > >> Harshit Bapna
> > > > > >> Team Lead
> > > > > >> Arcot Systems
> > > > > >>
> > > > > >>
> > > > > >>
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > -- Harshit Bapna
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > -- Harshit Bapna
> > >
> >
>
>
>
> --
> -- Harshit Bapna
>
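The advice in this thread has two halves: on the client, build the RampartConfig at runtime so that `user` carries the per-call UsernameToken username while `userCertAlias` stays the endpoint's signing-key alias (instead of the second ramp:RampartConfig nested under sp:SupportingTokens, which Rampart ignores); on the server, let the password callback handler validate usernames so no user list has to live in the server-side config. The following Java is an added example written for this review, not code from the thread, from the Rampart samples or from the linked blog post. It assumes the Rampart 1.5 / WSS4J 1.5 APIs (org.apache.rampart.policy.model.RampartConfig and CryptoConfig, RampartMessageData.KEY_RAMPART_POLICY, WSPasswordCallback usage constants including USERNAME_TOKEN_UNKNOWN for plaintext passwords), that the policy file on disk carries no ramp:RampartConfig of its own, and that the keystore, aliases and passwords match the sample04 values quoted above; the user table is a constructed stand-in for a real user store. It goes slightly beyond the thread by putting the client-side key-password case and the server-side username check into one handler so the usage codes can be compared side by side.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.axis2.AxisFault;
import org.apache.axis2.client.ServiceClient;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.model.CryptoConfig;
import org.apache.rampart.policy.model.RampartConfig;
import org.apache.ws.security.WSPasswordCallback;

/** Per-call RampartConfig: the UsernameToken user varies, the endpoint key alias does not. */
public class PerUserRampartClient {

    // Constructed example values, mirroring the sample04 keystore quoted in the thread.
    static final String CLIENT_KEY_ALIAS = "client";     // signs/endorses: the endpoint identity
    static final String SERVICE_ENCRYPTION_ALIAS = "service";
    static final String KEYSTORE_FILE = "client.jks";
    static final String KEYSTORE_PASSWORD = "apache";

    /** 'user' becomes the UsernameToken username; 'userCertAlias' selects the signing key. */
    public static RampartConfig buildConfig(String usernameTokenUser) {
        RampartConfig rc = new RampartConfig();
        rc.setUser(usernameTokenUser);           // e.g. "adminUser", "csr", "devUser"
        rc.setUserCertAlias(CLIENT_KEY_ALIAS);   // without this, 'user' would double as key alias
        rc.setEncryptionUser(SERVICE_ENCRYPTION_ALIAS);
        rc.setPwCbClass(PWCBHandler.class.getName());

        Properties merlin = new Properties();
        merlin.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
        merlin.setProperty("org.apache.ws.security.crypto.merlin.file", KEYSTORE_FILE);
        merlin.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", KEYSTORE_PASSWORD);
        CryptoConfig crypto = new CryptoConfig();
        crypto.setProvider("org.apache.ws.security.components.crypto.Merlin");
        crypto.setProp(merlin);
        rc.setSigCryptoConfig(crypto);
        rc.setEncrCryptoConfig(crypto);
        return rc;
    }

    /** Load the policy fresh, attach this caller's config, hand it to Rampart via the options. */
    public static void configure(ServiceClient client, String policyPath, String user)
            throws IOException, AxisFault {
        FileInputStream in = new FileInputStream(policyPath);
        Policy policy;
        try {
            policy = PolicyEngine.getPolicy(in);   // new Policy per call, so assertions never pile up
        } finally {
            in.close();
        }
        policy.addAssertion(buildConfig(user));
        client.engageModule("rampart");
        client.getOptions().setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
    }

    /**
     * Password callback for either side. WSS4J states what it needs through getUsage():
     * a private-key password for signing/decryption, or a user's password for a UsernameToken.
     * USERS is a constructed table; a real service queries its own user store here.
     */
    public static class PWCBHandler implements CallbackHandler {
        private static final Map<String, String> USERS = new HashMap<String, String>();
        static {
            USERS.put("adminUser", "admin-secret");
            USERS.put("csr", "csr-secret");
            USERS.put("devUser", "dev-secret");
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is handled");
                }
                WSPasswordCallback pwcb = (WSPasswordCallback) cb;
                String id = pwcb.getIdentifier();
                switch (pwcb.getUsage()) {
                    case WSPasswordCallback.SIGNATURE:
                    case WSPasswordCallback.DECRYPT:
                        // identifier is a keystore alias ("client" here, "service" on the server)
                        pwcb.setPassword(KEYSTORE_PASSWORD);
                        break;
                    case WSPasswordCallback.USERNAME_TOKEN:
                        // digest password: hand back the stored password, WSS4J compares the digest
                        if (USERS.containsKey(id)) {
                            pwcb.setPassword(USERS.get(id));
                        }
                        break;
                    case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                        // plaintext password: the handler itself must verify and reject on mismatch
                        if (!USERS.containsKey(id) || !USERS.get(id).equals(pwcb.getPassword())) {
                            throw new UnsupportedCallbackException(cb, "rejected user " + id);
                        }
                        break;
                    default:
                        throw new UnsupportedCallbackException(cb, "unexpected usage " + pwcb.getUsage());
                }
            }
        }
    }
}
```

The point to check when wiring this in: with `userCertAlias` set, the callback should fire for the identifier "client" with usage SIGNATURE and, separately, for "adminUser" (or whichever user was passed) with usage USERNAME_TOKEN. If both calls still arrive with the identifier "client", as the thread reports, the nested RampartConfig under sp:SupportingTokens is still present in the policy file and is being silently ignored in favour of the global one.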

Re: Can UserName & WssX509V3Token10 Token be used simultaneously ?

Posted by Harshit Bapna <hr...@gmail.com>.
Hello Nandana,

I would like to first state what I am trying to achieve through the Rampart
module.

Rampart is superb for endpoint authentication, i.e. only an authentic client
can invoke the service. We can use various credentials such as a
WssX509V3Token10 token or a UserName token to authenticate a client.

Now there can be many users who might be invoking the service from that
trusted client (say, trusted using a PKI credential).
So I want to also authenticate the actors/users who are invoking the service.

We need to provide the clientKey alias (required for endpoint auth) in the
rampart-user tag in the rampart config.
Now, if I want to use the UserName token for the user (described above),
then how can I pass the userName value?

Let me know if it's still not clear.


On Thu, Sep 16, 2010 at 5:06 PM, Nandana Mihindukulasooriya <
nandana.cse@gmail.com> wrote:

> Hi Harshit,
>        I don't understand the relationship between the fact that different
> users have to invoke the service and the rampart-user parameter on the
> server side. It's the identity of the service. Most of the time the
> configuration of both user and userCertAlias is necessary only on the
> client side, because the service doesn't need to create a username token
> for itself.
>        Note that verification of a user-name token is done by the password
> callback handler [1] and you don't need to have those userids in your
> server-side config to validate them. Check the section "Different usages of
> the password callback handler" for more details.
>
> Best Regards,
> Nandana
>
> [1] - http://wso2.org/library/3733
>
>
> On Thu, Sep 16, 2010 at 1:12 PM, Harshit Bapna <hr...@gmail.com> wrote:
>
> > Hello Amila & Nandana,
> >
> > I want to authenticate the endpoint as well as the various different users
> > invoking the service.
> >
> > Example: users such as devUser, adminUser and csr can use the same
> > endpoint, say EP1, to send the request.
> > So the username will keep changing as the service is invoked by different
> > actors/users.
> >
> > But the endpoint is the same, so the endpoint's key won't change. A PKI
> > signature is used for its authentication.
> >
> > Hence rampart-user will have to be modified based on the user's username,
> > so the question in my earlier mail remains unanswered.
> > Please let me know if some other approach or a workaround to do both
> > authentications is possible.
> >
> >
> > On Thu, Sep 16, 2010 at 4:20 PM, Nandana Mihindukulasooriya <
> > nandana.cse@gmail.com> wrote:
> >
> > > Hi Harshit,
> > >         If you have a user-name token and a key, you can use the two
> > > parameters user and userCertAlias [1] to provide both of them to the
> > > Rampart engine.
> > >
> > > Best Regards,
> > > Nandana
> > >
> > > [1] - http://ws.apache.org/rampart/rampartconfig-guide.html
> > >
> > > On Thu, Sep 16, 2010 at 12:27 PM, Harshit Bapna <hr...@gmail.com>
> > wrote:
> > >
> > > > Thanks Amila for the elaborate response.
> > > > I have taken sample 04 (SecureConversation), shipped with the rampart 1.5
> > > > release, as a base.
> > > > I have added another supporting token, a UserName token, to the policy
> > > > (see the bold data in the xml below).
> > > > *Note: I plan to use rampart for endpoint authentication as well as
> > > > user (actor) authentication.*
> > > >
> > > > But I think I can configure only one rampart user, i.e.
> > > > *<ramp:user>clientKeyName</ramp:user>*.
> > > > Since I need to pass the UserName token, i.e. the userName, as well, I have
> > > > configured a rampart config in the supportingTokens (username) tag. I am
> > > > observing that only the global rampart config is honored,
> > > > i.e. PWCBHandler1 is not getting invoked and only PWCBHandler is
> > > > invoked, i.e. the UserName token's username value is not passed in the
> > > > callback. The callback is invoked 2 times with the identifier "client".
> > > >
> > > > Questions:
> > > > 1. How can I set the userName value & keyAliasName both in rampart? Is
> > > > there any workaround?
> > > > 2. Can there be only one rampart config & not a supporting-token-specific
> > > > config?
> > > >
> > > >
> > > >
> > > > <wsp:Policy wsu:Id="SecConvPolicy2"
> > > >   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > > >   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> > > >   <wsp:ExactlyOne>
> > > >     <wsp:All>
> > > >       <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >         <wsp:Policy>
> > > >           <sp:ProtectionToken>
> > > >             <wsp:Policy>
> > > >               <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > > >                 <wsp:Policy>
> > > >                   <sp:RequireDerivedKeys/>
> > > >                   <sp:BootstrapPolicy>
> > > >                     <wsp:Policy>
> > > >                       <sp:EncryptedParts>
> > > >                         <sp:Body/>
> > > >                       </sp:EncryptedParts>
> > > >                       <sp:SymmetricBinding>
> > > >                         <wsp:Policy>
> > > >                           <sp:ProtectionToken>
> > > >                             <wsp:Policy>
> > > >                               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> > > >                                 <wsp:Policy>
> > > >                                   <sp:RequireDerivedKeys/>
> > > >                                   <sp:RequireThumbprintReference/>
> > > >                                   <sp:WssX509V3Token10/>
> > > >                                 </wsp:Policy>
> > > >                               </sp:X509Token>
> > > >                             </wsp:Policy>
> > > >                           </sp:ProtectionToken>
> > > >                           <sp:AlgorithmSuite>
> > > >                             <wsp:Policy>
> > > >                               <sp:Basic128Rsa15/>
> > > >                             </wsp:Policy>
> > > >                           </sp:AlgorithmSuite>
> > > >                           <sp:Layout>
> > > >                             <wsp:Policy>
> > > >                               <sp:Strict/>
> > > >                             </wsp:Policy>
> > > >                           </sp:Layout>
> > > >                           <sp:IncludeTimestamp/>
> > > >                           <sp:EncryptSignature/>
> > > >                           <sp:OnlySignEntireHeadersAndBody/>
> > > >                         </wsp:Policy>
> > > >                       </sp:SymmetricBinding>
> > > >                       <sp:EndorsingSupportingTokens>
> > > >                         <wsp:Policy>
> > > >                           <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > > >                             <wsp:Policy>
> > > >                               <sp:RequireThumbprintReference/>
> > > >                               <sp:WssX509V3Token10/>
> > > >                             </wsp:Policy>
> > > >                           </sp:X509Token>
> > > >                         </wsp:Policy>
> > > >                       </sp:EndorsingSupportingTokens>
> > > >                       *<sp:SupportingTokens>
> > > >                         <wsp:Policy>
> > > >                           <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
> > > >                           <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> > > >                             <ramp:user>token2</ramp:user>
> > > >                             <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler1</ramp:passwordCallbackClass>
> > > >                           </ramp:RampartConfig>
> > > >                         </wsp:Policy>
> > > >                       </sp:SupportingTokens>*
> > > >                       <sp:Wss11>
> > > >                         <wsp:Policy>
> > > >                           <sp:MustSupportRefKeyIdentifier/>
> > > >                           <sp:MustSupportRefIssuerSerial/>
> > > >                           <sp:MustSupportRefThumbprint/>
> > > >                           <sp:MustSupportRefEncryptedKey/>
> > > >                           <sp:RequireSignatureConfirmation/>
> > > >                         </wsp:Policy>
> > > >                       </sp:Wss11>
> > > >                       <sp:Trust10>
> > > >                         <wsp:Policy>
> > > >                           <sp:MustSupportIssuedTokens/>
> > > >                           <sp:RequireClientEntropy/>
> > > >                           <sp:RequireServerEntropy/>
> > > >                         </wsp:Policy>
> > > >                       </sp:Trust10>
> > > >                     </wsp:Policy>
> > > >                   </sp:BootstrapPolicy>
> > > >                 </wsp:Policy>
> > > >               </sp:SecureConversationToken>
> > > >             </wsp:Policy>
> > > >           </sp:ProtectionToken>
> > > >           <sp:AlgorithmSuite>
> > > >             <wsp:Policy>
> > > >               <sp:Basic128Rsa15/>
> > > >             </wsp:Policy>
> > > >           </sp:AlgorithmSuite>
> > > >           <sp:Layout>
> > > >             <wsp:Policy>
> > > >               <sp:Strict/>
> > > >             </wsp:Policy>
> > > >           </sp:Layout>
> > > >           <sp:IncludeTimestamp/>
> > > >           <sp:EncryptSignature/>
> > > >           <sp:OnlySignEntireHeadersAndBody/>
> > > >         </wsp:Policy>
> > > >       </sp:SymmetricBinding>
> > > >       <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >         <wsp:Policy>
> > > >           <sp:MustSupportRefKeyIdentifier/>
> > > >           <sp:MustSupportRefIssuerSerial/>
> > > >           <sp:MustSupportRefThumbprint/>
> > > >           <sp:MustSupportRefEncryptedKey/>
> > > >         </wsp:Policy>
> > > >       </sp:Wss11>
> > > >       <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >         <wsp:Policy>
> > > >           <sp:MustSupportIssuedTokens/>
> > > >           <sp:RequireClientEntropy/>
> > > >           <sp:RequireServerEntropy/>
> > > >         </wsp:Policy>
> > > >       </sp:Trust10>
> > > >       <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >         <sp:Body/>
> > > >       </sp:EncryptedParts>
> > > >       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> > > >         <ramp:user>client</ramp:user>
> > > >         <ramp:encryptionUser>service</ramp:encryptionUser>
> > > >         <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler</ramp:passwordCallbackClass>
> > > >         <ramp:signatureCrypto>
> > > >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> > > >           </ramp:crypto>
> > > >         </ramp:signatureCrypto>
> > > >         <ramp:encryptionCypto>
> > > >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> > > >           </ramp:crypto>
> > > >         </ramp:encryptionCypto>
> > > >       </ramp:RampartConfig>
> > > >     </wsp:All>
> > > >   </wsp:ExactlyOne>
> > > > </wsp:Policy>
> > > >
> > > > On Thu, Sep 16, 2010 at 10:30 AM, Amila Jayasekara <am...@wso2.com>
> > > > wrote:
> > > >
> > > > > Hi Harshit,
> > > > >   Some answers are inline.
> > > > > Thanks
> > > > > AmilaJ
> > > > >
> > > > > Harshit Bapna wrote:
> > > > >
> > > > >> Hi All,
> > > > >>
> > > > >> I am thinking of using RAMPART module for ws security.
> > > > >>
> > > > >> Requirement:
> > > > >> To perform endpoint authentication as well as user authentication.
> > > > >>
> > > > >> Client endpoint authentication :- To allow only a configured client to
> > > > >> invoke the web service.
> > > > >> User authentication :- To allow only a specific user/actor to invoke the
> > > > >> service. The reason for this requirement is that the same endpoint can be
> > > > >> used by different types of users (Admin, CSR, normal user)
> > > > >>
> > > > >> I have gone through the various samples 1-8 supplied with the rampart 1.5
> > > > >> install.
> > > > >>
> > > > >> Question:
> > > > >> 1. Can I combine userName & WssX509V3Token10 tokens for user and endpoint
> > > > >> auth?
> > > > >>    UserName token - for user authentication
> > > > >>    WssX509V3Token10 - for endpoint PKI credential authentication
> > > > >>
> > > > >>
> > > > >      Yes, you can. In order to get WssX509V3Token10 support you can either
> > > > > use SymmetricBinding or AsymmetricBinding mechanisms. With one of the above
> > > > > bindings you can use a UserName token as a supporting token.
> > > > >
> > > > >> 2. Also, can secure conversation benefits be available when the above two
> > > > >> types of tokens are used?
> > > > >>
> > > > >>
> > > > >   As far as I know you should be able to use secure conversation with the
> > > > > above mentioned tokens. Again you can use symmetric binding or asymmetric
> > > > > binding, and you should use SecureConversationToken. Thus the user name token
> > > > > should be added as a supporting token.
> > > > >
> > > > >
> > > > >> If you have any better suggestion to handle this requirement please let me
> > > > >> know.
> > > > >>
> > > > >>
> > > > > I guess the way you are heading is ok. In case you need more security
> > > > > you should use SymmetricBinding or AsymmetricBinding. When you use
> > > > > SymmetricBinding or AsymmetricBinding, the keys used to encrypt/sign each
> > > > > message differ from one another. But if you are more concerned about
> > > > > performance you can use Secure conversation. In secure conversation Rampart
> > > > > uses the same key to encrypt/sign messages for a given period of time.
> > > > >
> > > > >> Harshit Bapna
> > > > >> Team Lead
> > > > >> Arcot Systems
> > > > >>
> > > > >>
> > > > >>
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > -- Harshit Bapna
> > > >
> > >
> >
> >
> >
> > --
> > -- Harshit Bapna
> >
>



-- 
-- Harshit Bapna

Re: Can UserName & WssX509V3Token10 Token be used simultaneously ?

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Harshit,
        I don't understand the relationship between the fact that different
users have to invoke the service and the rampart-user parameter on the
server side. It's the identity of the service. Most of the time the
configuration of both user and userCertAlias is necessary only on the
client side, because the service doesn't need to create a username token
for itself.
        Note that verification of a user-name token is done by the password
callback handler [1], and you don't need to have those user ids in your
server side config to validate them. Check the section "Different usages of
the password callback handler" for more details.

Best Regards,
Nandana

[1] - http://wso2.org/library/3733


On Thu, Sep 16, 2010 at 1:12 PM, Harshit Bapna <hr...@gmail.com> wrote:

> Hello Amila & Nandana,
>
> I want to authenticate the endpoint as well as the various different users
> invoking the service.
>
> Example: Users, for example devUser, adminUser and csr, can use the same
> endpoint, say EP1, to send the request.
> So the username will keep changing as the service is invoked by different
> actors/users.
>
> But the endpoint is the same, so the endpoint's key won't change. A PKI
> signature is used for its authentication.
>
> Hence rampart-user will have to be modified based on the user's username, so
> the questions in my earlier mail remain unanswered.
> Please let me know if some other approach or a workaround to do both
> authentications is possible.
>
>
> On Thu, Sep 16, 2010 at 4:20 PM, Nandana Mihindukulasooriya <
> nandana.cse@gmail.com> wrote:
>
> > Hi Harshit,
> >         If you have a user-name token and a key, you can use the two
> > parameters user and userCertAlias [1] to provide both of them to the
> > Rampart Engine.
> >
> > Best Regards,
> > Nandana
> >
> > [1] - http://ws.apache.org/rampart/rampartconfig-guide.html
> >
> > On Thu, Sep 16, 2010 at 12:27 PM, Harshit Bapna <hr...@gmail.com>
> wrote:
> >
> > > Thanks Amila for the elaborate response.
> > > I have taken sample 04 (SecureConversation) shipped with the rampart 1.5
> > > release as a base.
> > > I have added another supporting token, a UserName token, to the policy. (see
> > > the bold data in the xml below.)
> > > *Note: I plan to use rampart for endpoint authentication as well as
> > > user (actor) authentication.*
> > >
> > > But I think I can configure only one rampart user, i.e.
> > > *<ramp:user>clientKeyName</ramp:user>*.
> > > Since I need to pass the UserName token, i.e. the userName, as well, I have
> > > configured a rampart config in the supportingTokens (username) tag, but I am
> > > observing that only the global rampart config is honored,
> > > i.e. PWCBHandler1 is not getting invoked and only PWCBHandler is invoked,
> > > i.e. the UserName token's username value is not passed in the callback. The
> > > callback is invoked 2 times with the identifier "client".
> > >
> > > Questions:
> > > 1. How can I set the userName value & keyAliasName both in rampart? Is
> > > there any workaround?
> > > 2. Can there be only one rampart config & not a supporting token specific
> > > config?
> > >
> > >
> > >
> > > <wsp:Policy wsu:Id="SecConvPolicy2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> > >    <wsp:ExactlyOne>
> > >        <wsp:All>
> > >            <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >                <wsp:Policy>
> > >                    <sp:ProtectionToken>
> > >                        <wsp:Policy>
> > >                            <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > >                                <wsp:Policy>
> > >                                    <sp:RequireDerivedKeys/>
> > >                                    <sp:BootstrapPolicy>
> > >                                        <wsp:Policy>
> > >                                            <sp:EncryptedParts>
> > >                                                <sp:Body/>
> > >                                            </sp:EncryptedParts>
> > >                                            <sp:SymmetricBinding>
> > >                                                <wsp:Policy>
> > >                                                    <sp:ProtectionToken>
> > >                                                        <wsp:Policy>
> > >                                                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> > >                                                                <wsp:Policy>
> > >                                                                    <sp:RequireDerivedKeys/>
> > >                                                                    <sp:RequireThumbprintReference/>
> > >                                                                    <sp:WssX509V3Token10/>
> > >                                                                </wsp:Policy>
> > >                                                            </sp:X509Token>
> > >                                                        </wsp:Policy>
> > >                                                    </sp:ProtectionToken>
> > >                                                    <sp:AlgorithmSuite>
> > >                                                        <wsp:Policy>
> > >                                                            <sp:Basic128Rsa15/>
> > >                                                        </wsp:Policy>
> > >                                                    </sp:AlgorithmSuite>
> > >                                                    <sp:Layout>
> > >                                                        <wsp:Policy>
> > >                                                            <sp:Strict/>
> > >                                                        </wsp:Policy>
> > >                                                    </sp:Layout>
> > >                                                    <sp:IncludeTimestamp/>
> > >                                                    <sp:EncryptSignature/>
> > >                                                    <sp:OnlySignEntireHeadersAndBody/>
> > >                                                </wsp:Policy>
> > >                                            </sp:SymmetricBinding>
> > >                                            <sp:EndorsingSupportingTokens>
> > >                                                <wsp:Policy>
> > >                                                    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > >                                                        <wsp:Policy>
> > >                                                            <sp:RequireThumbprintReference/>
> > >                                                            <sp:WssX509V3Token10/>
> > >                                                        </wsp:Policy>
> > >                                                    </sp:X509Token>
> > >                                                </wsp:Policy>
> > >                                            </sp:EndorsingSupportingTokens>
> > >                                           * <sp:SupportingTokens>
> > >                                                <wsp:Policy>
> > >                                                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
> > >                                                    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> > >                                                        <ramp:user>token2</ramp:user>
> > >                                                        <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler1</ramp:passwordCallbackClass>
> > >                                                    </ramp:RampartConfig>
> > >                                                </wsp:Policy>
> > >                                            </sp:SupportingTokens>*
> > >                                            <sp:Wss11>
> > >                                                <wsp:Policy>
> > >                                                    <sp:MustSupportRefKeyIdentifier/>
> > >                                                    <sp:MustSupportRefIssuerSerial/>
> > >                                                    <sp:MustSupportRefThumbprint/>
> > >                                                    <sp:MustSupportRefEncryptedKey/>
> > >                                                    <sp:RequireSignatureConfirmation/>
> > >                                                </wsp:Policy>
> > >                                            </sp:Wss11>
> > >                                            <sp:Trust10>
> > >                                                <wsp:Policy>
> > >                                                    <sp:MustSupportIssuedTokens/>
> > >                                                    <sp:RequireClientEntropy/>
> > >                                                    <sp:RequireServerEntropy/>
> > >                                                </wsp:Policy>
> > >                                            </sp:Trust10>
> > >                                        </wsp:Policy>
> > >                                    </sp:BootstrapPolicy>
> > >                                </wsp:Policy>
> > >                            </sp:SecureConversationToken>
> > >                        </wsp:Policy>
> > >                    </sp:ProtectionToken>
> > >                    <sp:AlgorithmSuite>
> > >                        <wsp:Policy>
> > >                            <sp:Basic128Rsa15/>
> > >                        </wsp:Policy>
> > >                    </sp:AlgorithmSuite>
> > >                    <sp:Layout>
> > >                        <wsp:Policy>
> > >                            <sp:Strict/>
> > >                        </wsp:Policy>
> > >                    </sp:Layout>
> > >                    <sp:IncludeTimestamp/>
> > >                    <sp:EncryptSignature/>
> > >                    <sp:OnlySignEntireHeadersAndBody/>
> > >                </wsp:Policy>
> > >            </sp:SymmetricBinding>
> > >            <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >                <wsp:Policy>
> > >                    <sp:MustSupportRefKeyIdentifier/>
> > >                    <sp:MustSupportRefIssuerSerial/>
> > >                    <sp:MustSupportRefThumbprint/>
> > >                    <sp:MustSupportRefEncryptedKey/>
> > >                </wsp:Policy>
> > >            </sp:Wss11>
> > >            <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >                <wsp:Policy>
> > >                    <sp:MustSupportIssuedTokens/>
> > >                    <sp:RequireClientEntropy/>
> > >                    <sp:RequireServerEntropy/>
> > >                </wsp:Policy>
> > >            </sp:Trust10>
> > >            <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >                <sp:Body/>
> > >            </sp:EncryptedParts>
> > >            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> > >                <ramp:user>client</ramp:user>
> > >                <ramp:encryptionUser>service</ramp:encryptionUser>
> > >                <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler</ramp:passwordCallbackClass>
> > >                <ramp:signatureCrypto>
> > >                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> > >                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > >                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> > >                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> > >                    </ramp:crypto>
> > >                </ramp:signatureCrypto>
> > >                <ramp:encryptionCypto>
> > >                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> > >                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > >                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> > >                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> > >                    </ramp:crypto>
> > >                </ramp:encryptionCypto>
> > >            </ramp:RampartConfig>
> > >        </wsp:All>
> > >    </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > > On Thu, Sep 16, 2010 at 10:30 AM, Amila Jayasekara <am...@wso2.com>
> > > wrote:
> > >
> > > > Hi Harshit,
> > > >   Some answers are inline.
> > > > Thanks
> > > > AmilaJ
> > > >
> > > > Harshit Bapna wrote:
> > > >
> > > >> Hi All,
> > > >>
> > > >> I am thinking of using RAMPART module for ws security.
> > > >>
> > > >> Requirement:
> > > >> To perform endpoint authentication as well as user authentication.
> > > >>
> > > >> Client endpoint authentication :- To allow only a configured client to
> > > >> invoke the web service.
> > > >> User authentication :- To allow only a specific user/actor to invoke the
> > > >> service. The reason for this requirement is that the same endpoint can be
> > > >> used by different types of users (Admin, CSR, normal user)
> > > >>
> > > >> I have gone through the various samples 1-8 supplied with the rampart 1.5
> > > >> install.
> > > >>
> > > >> Question:
> > > >> 1. Can I combine userName & WssX509V3Token10 tokens for user and endpoint
> > > >> auth?
> > > >>    UserName token - for user authentication
> > > >>    WssX509V3Token10 - for endpoint PKI credential authentication
> > > >>
> > > >>
> > > >      Yes, you can. In order to get WssX509V3Token10 support you can either
> > > > use SymmetricBinding or AsymmetricBinding mechanisms. With one of the above
> > > > bindings you can use a UserName token as a supporting token.
> > > >
> > > >> 2. Also, can secure conversation benefits be available when the above two
> > > >> types of tokens are used?
> > > >>
> > > >>
> > > >   As far as I know you should be able to use secure conversation with the
> > > > above mentioned tokens. Again you can use symmetric binding or asymmetric
> > > > binding, and you should use SecureConversationToken. Thus the user name token
> > > > should be added as a supporting token.
> > > >
> > > >
> > > >> If you have any better suggestion to handle this requirement please let me
> > > >> know.
> > > >>
> > > >>
> > > > I guess the way you are heading is ok. In case you need more security
> > > > you should use SymmetricBinding or AsymmetricBinding. When you use
> > > > SymmetricBinding or AsymmetricBinding, the keys used to encrypt/sign each
> > > > message differ from one another. But if you are more concerned about
> > > > performance you can use Secure conversation. In secure conversation Rampart
> > > > uses the same key to encrypt/sign messages for a given period of time.
> > > >
> > > >> Harshit Bapna
> > > >> Team Lead
> > > >> Arcot Systems
> > > >>
> > > >>
> > > >>
> > > >
> > > >
> > >
> > >
> > > --
> > > -- Harshit Bapna
> > >
> >
>
>
>
> --
> -- Harshit Bapna
>
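Nandana's point above, that a username token is verified by the password callback handler and the caller ids do not belong in the server-side config, and the earlier reply in this thread that user and userCertAlias name the client's username and signing-key alias, come together in one handler class. The following is an added example, not code from this thread or from Rampart: a server-side callback handler for Rampart 1.5 / WSS4J 1.5.x that answers for the service's key alias and verifies incoming username tokens against a constructed user store. The package name, the alias "service", its key password and the user store are assumptions.

```java
package example.rampart; // hypothetical package, not from the thread

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Server-side password callback handler for Rampart 1.5 (WSS4J 1.5.x),
 * registered through <ramp:passwordCallbackClass> in the service's
 * RampartConfig. Rampart invokes the same handler for two jobs: the
 * service's own keystore alias (signature / decryption) and every incoming
 * UsernameToken. The caller user ids therefore never appear in the policy;
 * only the service identity does.
 */
public class ServicePWCBHandler implements CallbackHandler {

    // Service identity: the key alias named by <ramp:user> on the service
    // side and that key's password. Assumed values, not from the thread.
    private static final String SERVICE_KEY_ALIAS = "service";
    private static final String SERVICE_KEY_PASSWORD = "apache";

    // Constructed user store (UsernameToken user -> password) standing in
    // for a real directory. Digest verification needs the clear-text
    // password on the server, so such a store must be protected like a
    // keystore.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("adminUser", "admin-secret");
        USERS.put("csr", "csr-secret");
        USERS.put("devUser", "dev-secret");
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "unrecognized callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            String id = pc.getIdentifier();

            switch (pc.getUsage()) {
            case WSPasswordCallback.SIGNATURE:
            case WSPasswordCallback.DECRYPT: {
                // Rampart needs the private-key password for the alias it is
                // about to sign or decrypt with; answer only for our own alias.
                if (!SERVICE_KEY_ALIAS.equals(id)) {
                    throw new UnsupportedCallbackException(pc, "unknown key alias: " + id);
                }
                pc.setPassword(SERVICE_KEY_PASSWORD);
                break;
            }
            case WSPasswordCallback.USERNAME_TOKEN: {
                // Digest password: hand back the stored password; WSS4J
                // recomputes the digest over nonce, created and password and
                // compares it with the value the client sent.
                String stored = USERS.get(id);
                if (stored == null) {
                    throw new UnsupportedCallbackException(pc, "unknown user: " + id);
                }
                pc.setPassword(stored);
                break;
            }
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN: {
                // Clear-text password (WSS4J 1.5.x): the received password is
                // already in the callback and the handler must verify it; an
                // exception makes Rampart reject the message.
                if (!isValidUser(id, pc.getPassword())) {
                    throw new UnsupportedCallbackException(pc, "authentication failed for " + id);
                }
                break;
            }
            default:
                // Leave other usages unanswered: the password stays null, so
                // Rampart cannot complete whatever needed it (fail closed).
                break;
            }
        }
    }

    /** Checks a user/password pair without stopping at the first mismatching character. */
    static boolean isValidUser(String user, String password) {
        String stored = USERS.get(user);
        if (stored == null || password == null) {
            return false;
        }
        int diff = stored.length() ^ password.length();
        for (int i = 0; i < stored.length() && i < password.length(); i++) {
            diff |= stored.charAt(i) ^ password.charAt(i);
        }
        return diff == 0;
    }
}
```

Which of the verified users is an Admin, a CSR or a normal user is an authorization decision the service makes afterwards on the verified username, not something the policy expresses.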

Re: Can UserName & WssX509V3Token10 Token be used simultaneously ?

Posted by Harshit Bapna <hr...@gmail.com>.
Hello Amila & Nandana,

I want to authenticate the endpoint as well as the various different users
invoking the service.

Example: Users, for example devUser, adminUser and csr, can use the same
endpoint, say EP1, to send the request.
So the username will keep changing as the service is invoked by different
actors/users.

But the endpoint is the same, so the endpoint's key won't change. A PKI
signature is used for its authentication.

Hence rampart-user will have to be modified based on the user's username, so
the questions in my earlier mail remain unanswered.
Please let me know if some other approach or a workaround to do both
authentications is possible.


On Thu, Sep 16, 2010 at 4:20 PM, Nandana Mihindukulasooriya <
nandana.cse@gmail.com> wrote:

> Hi Harshit,
>         If you have a user-name token and a key, you can use the two parameters
> user and userCertAlias [1] to provide both of them to the Rampart Engine.
>
> Best Regards,
> Nandana
>
> [1] - http://ws.apache.org/rampart/rampartconfig-guide.html
>
> On Thu, Sep 16, 2010 at 12:27 PM, Harshit Bapna <hr...@gmail.com> wrote:
>
> > Thanks Amila for the elaborate response.
> > I have taken sample 04 (SecureConversation) shipped with the rampart 1.5
> > release as a base.
> > I have added another supporting token, a UserName token, to the policy. (see
> > the bold data in the xml below.)
> > *Note: I plan to use rampart for endpoint authentication as well as
> > user (actor) authentication.*
> >
> > But I think I can configure only one rampart user, i.e.
> > *<ramp:user>clientKeyName</ramp:user>*.
> > Since I need to pass the UserName token, i.e. the userName, as well, I have
> > configured a rampart config in the supportingTokens (username) tag, but I am
> > observing that only the global rampart config is honored,
> > i.e. PWCBHandler1 is not getting invoked and only PWCBHandler is invoked,
> > i.e. the UserName token's username value is not passed in the callback. The
> > callback is invoked 2 times with the identifier "client".
> >
> > Questions:
> > 1. How can I set the userName value & keyAliasName both in rampart? Is
> > there any workaround?
> > 2. Can there be only one rampart config & not a supporting token specific
> > config?
> >
> >
> >
> > <wsp:Policy wsu:Id="SecConvPolicy2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >    <wsp:ExactlyOne>
> >        <wsp:All>
> >            <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >                <wsp:Policy>
> >                    <sp:ProtectionToken>
> >                        <wsp:Policy>
> >                            <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >                                <wsp:Policy>
> >                                    <sp:RequireDerivedKeys/>
> >                                    <sp:BootstrapPolicy>
> >                                        <wsp:Policy>
> >                                            <sp:EncryptedParts>
> >                                                <sp:Body/>
> >                                            </sp:EncryptedParts>
> >                                            <sp:SymmetricBinding>
> >                                                <wsp:Policy>
> >                                                    <sp:ProtectionToken>
> >                                                        <wsp:Policy>
> >                                                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> >                                                                <wsp:Policy>
> >                                                                    <sp:RequireDerivedKeys/>
> >                                                                    <sp:RequireThumbprintReference/>
> >                                                                    <sp:WssX509V3Token10/>
> >                                                                </wsp:Policy>
> >                                                            </sp:X509Token>
> >                                                        </wsp:Policy>
> >                                                    </sp:ProtectionToken>
> >                                                    <sp:AlgorithmSuite>
> >                                                        <wsp:Policy>
> >                                                            <sp:Basic128Rsa15/>
> >                                                        </wsp:Policy>
> >                                                    </sp:AlgorithmSuite>
> >                                                    <sp:Layout>
> >                                                        <wsp:Policy>
> >                                                            <sp:Strict/>
> >                                                        </wsp:Policy>
> >                                                    </sp:Layout>
> >                                                    <sp:IncludeTimestamp/>
> >                                                    <sp:EncryptSignature/>
> >                                                    <sp:OnlySignEntireHeadersAndBody/>
> >                                                </wsp:Policy>
> >                                            </sp:SymmetricBinding>
> >                                            <sp:EndorsingSupportingTokens>
> >                                                <wsp:Policy>
> >                                                    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >                                                        <wsp:Policy>
> >                                                            <sp:RequireThumbprintReference/>
> >                                                            <sp:WssX509V3Token10/>
> >                                                        </wsp:Policy>
> >                                                    </sp:X509Token>
> >                                                </wsp:Policy>
> >                                            </sp:EndorsingSupportingTokens>
> >                                           * <sp:SupportingTokens>
> >                                                <wsp:Policy>
> >                                                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
> >                                                    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> >                                                        <ramp:user>token2</ramp:user>
> >                                                        <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler1</ramp:passwordCallbackClass>
> >                                                    </ramp:RampartConfig>
> >                                                </wsp:Policy>
> >                                            </sp:SupportingTokens>*
> >                                            <sp:Wss11>
> >                                                <wsp:Policy>
> >                                                    <sp:MustSupportRefKeyIdentifier/>
> >                                                    <sp:MustSupportRefIssuerSerial/>
> >                                                    <sp:MustSupportRefThumbprint/>
> >                                                    <sp:MustSupportRefEncryptedKey/>
> >                                                    <sp:RequireSignatureConfirmation/>
> >                                                </wsp:Policy>
> >                                            </sp:Wss11>
> >                                            <sp:Trust10>
> >                                                <wsp:Policy>
> >                                                    <sp:MustSupportIssuedTokens/>
> >                                                    <sp:RequireClientEntropy/>
> >                                                    <sp:RequireServerEntropy/>
> >                                                </wsp:Policy>
> >                                            </sp:Trust10>
> >                                        </wsp:Policy>
> >                                    </sp:BootstrapPolicy>
> >                                </wsp:Policy>
> >                            </sp:SecureConversationToken>
> >                        </wsp:Policy>
> >                    </sp:ProtectionToken>
> >                    <sp:AlgorithmSuite>
> >                        <wsp:Policy>
> >                            <sp:Basic128Rsa15/>
> >                        </wsp:Policy>
> >                    </sp:AlgorithmSuite>
> >                    <sp:Layout>
> >                        <wsp:Policy>
> >                            <sp:Strict/>
> >                        </wsp:Policy>
> >                    </sp:Layout>
> >                    <sp:IncludeTimestamp/>
> >                    <sp:EncryptSignature/>
> >                    <sp:OnlySignEntireHeadersAndBody/>
> >                </wsp:Policy>
> >            </sp:SymmetricBinding>
> >            <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >                <wsp:Policy>
> >                    <sp:MustSupportRefKeyIdentifier/>
> >                    <sp:MustSupportRefIssuerSerial/>
> >                    <sp:MustSupportRefThumbprint/>
> >                    <sp:MustSupportRefEncryptedKey/>
> >                </wsp:Policy>
> >            </sp:Wss11>
> >            <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >                <wsp:Policy>
> >                    <sp:MustSupportIssuedTokens/>
> >                    <sp:RequireClientEntropy/>
> >                    <sp:RequireServerEntropy/>
> >                </wsp:Policy>
> >            </sp:Trust10>
> >            <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >                <sp:Body/>
> >            </sp:EncryptedParts>
> >            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> >                <ramp:user>client</ramp:user>
> >                <ramp:encryptionUser>service</ramp:encryptionUser>
> >                <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler</ramp:passwordCallbackClass>
> >                <ramp:signatureCrypto>
> >                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> >                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> >                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> >                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> >                    </ramp:crypto>
> >                </ramp:signatureCrypto>
> >                <ramp:encryptionCypto>
> >                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> >                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> >                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> >                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> >                    </ramp:crypto>
> >                </ramp:encryptionCypto>
> >            </ramp:RampartConfig>
> >        </wsp:All>
> >    </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > On Thu, Sep 16, 2010 at 10:30 AM, Amila Jayasekara <am...@wso2.com>
> > wrote:
> >
> > > Hi Harshit,
> > >   Some answers are inline.
> > > Thanks
> > > AmilaJ
> > >
> > > Harshit Bapna wrote:
> > >
> > >> Hi All,
> > >>
> > >> I am thinking of using RAMPART module for ws security.
> > >>
> > >> Requirement:
> > >> To perform endpoint authentication as well as user authentication.
> > >>
> > >> Client endpoint authentication :- To allow only a configured client to
> > >> invoke the web service.
> > >> User authentication :- To allow only a specific user/actor to invoke the
> > >> service. The reason for this requirement is that the same endpoint can be
> > >> used by different types of users (Admin, CSR, normal user)
> > >>
> > >> I have gone through the various samples 1-8 supplied with the rampart 1.5
> > >> install.
> > >>
> > >> Question:
> > >> 1. Can I combine userName & WssX509V3Token10 tokens for user and endpoint
> > >> auth?
> > >>    UserName token - for user authentication
> > >>    WssX509V3Token10 - for endpoint PKI credential authentication
> > >>
> > >>
> > >      Yes, you can. In order to get WssX509V3Token10 support you can either
> > > use SymmetricBinding or AsymmetricBinding mechanisms. With one of the above
> > > bindings you can use a UserName token as a supporting token.
> > >
> > >> 2. Also, can secure conversation benefits be available when the above two
> > >> types of tokens are used?
> > >>
> > >>
> > >   As far as I know you should be able to use secure conversation with the
> > > above mentioned tokens. Again you can use symmetric binding or asymmetric
> > > binding, and you should use SecureConversationToken. Thus the user name token
> > > should be added as a supporting token.
> > >
> > >
> > >> If you have any better suggestion to handle this requirement please let me
> > >> know.
> > >>
> > >>
> > > I guess the way you are heading is ok. In case you need more security
> > > you should use SymmetricBinding or AsymmetricBinding. When you use
> > > SymmetricBinding or AsymmetricBinding, the keys used to encrypt/sign each
> > > message differ from one another. But if you are more concerned about
> > > performance you can use Secure conversation. In secure conversation Rampart
> > > uses the same key to encrypt/sign messages for a given period of time.
> > >
> > >> Harshit Bapna
> > >> Team Lead
> > >> Arcot Systems
> > >>
> > >>
> > >>
> > >
> > >
> >
> >
> > --
> > -- Harshit Bapna
> >
>



-- 
-- Harshit Bapna

Re: Can UserName & WssX509V3Token10 Token be used simultaneously ?

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Harshit,
         If you have a user-name token and a key, you can use the two parameters
user and userCertAlias [1] to provide both of them to the Rampart Engine.

Best Regards,
Nandana

[1] - http://ws.apache.org/rampart/rampartconfig-guide.html

On Thu, Sep 16, 2010 at 12:27 PM, Harshit Bapna <hr...@gmail.com> wrote:

> Thanks Amila for the elaborate response.
> I have taken sample 04 (SecureConversation) shipped with the rampart 1.5
> release as a base.
> I have added another supporting token, a UserName token, to the policy. (see
> the bold data in the xml below.)
> *Note: I plan to use rampart for endpoint authentication as well as
> user (actor) authentication.*
>
> But I think I can configure only one rampart user, i.e.
> *<ramp:user>clientKeyName</ramp:user>*.
> Since I need to pass the UserName token, i.e. the userName, as well, I have
> configured a rampart config in the supportingTokens (username) tag, but I am
> observing that only the global rampart config is honored,
> i.e. PWCBHandler1 is not getting invoked and only PWCBHandler is invoked,
> i.e. the UserName token's username value is not passed in the callback. The
> callback is invoked 2 times with the identifier "client".
>
> Questions:
> 1. How can I set the userName value & keyAliasName both in rampart? Is
> there any workaround?
> 2. Can there be only one rampart config & not a supporting token specific
> config?
>
>
>
> <wsp:Policy wsu:Id="SecConvPolicy2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>    <wsp:ExactlyOne>
>        <wsp:All>
>            <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                <wsp:Policy>
>                    <sp:ProtectionToken>
>                        <wsp:Policy>
>                            <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                                <wsp:Policy>
>                                    <sp:RequireDerivedKeys/>
>                                    <sp:BootstrapPolicy>
>                                        <wsp:Policy>
>                                            <sp:EncryptedParts>
>                                                <sp:Body/>
>                                            </sp:EncryptedParts>
>                                            <sp:SymmetricBinding>
>                                                <wsp:Policy>
>                                                    <sp:ProtectionToken>
>                                                        <wsp:Policy>
>                                                            <sp:X509Token
> sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                                                                <wsp:Policy>
>
> <sp:RequireDerivedKeys/>
>
> <sp:RequireThumbprintReference/>
>
> <sp:WssX509V3Token10/>
>
> </wsp:Policy>
>                                                            </sp:X509Token>
>                                                        </wsp:Policy>
>                                                    </sp:ProtectionToken>
>                                                    <sp:AlgorithmSuite>
>                                                        <wsp:Policy>
>
> <sp:Basic128Rsa15/>
>                                                        </wsp:Policy>
>                                                    </sp:AlgorithmSuite>
>                                                    <sp:Layout>
>                                                        <wsp:Policy>
>                                                            <sp:Strict/>
>                                                        </wsp:Policy>
>                                                    </sp:Layout>
>                                                    <sp:IncludeTimestamp/>
>                                                    <sp:EncryptSignature/>
>
> <sp:OnlySignEntireHeadersAndBody/>
>                                                </wsp:Policy>
>                                            </sp:SymmetricBinding>
>                                            <sp:EndorsingSupportingTokens>
>                                                <wsp:Policy>
>                                                    <sp:X509Token
> sp:IncludeToken="
>
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> ">
>                                                        <wsp:Policy>
>
> <sp:RequireThumbprintReference/>
>
> <sp:WssX509V3Token10/>
>                                                        </wsp:Policy>
>                                                    </sp:X509Token>
>                                                </wsp:Policy>
>                                            </sp:EndorsingSupportingTokens>
>                                           * <sp:SupportingTokens>
>                                                <wsp:Policy>
>                                                    <sp:UsernameToken
> sp:IncludeToken="
>
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> "
> />
>                                                    <ramp:RampartConfig
> xmlns:ramp="http://ws.apache.org/rampart/policy">
>
> <ramp:user>token2</ramp:user>
>
>
> <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler1</ramp:passwordCallbackClass>
>                                                    </ramp:RampartConfig>
>                                                </wsp:Policy>
>                                            </sp:SupportingTokens>*
>                                            <sp:Wss11>
>                                                <wsp:Policy>
>
> <sp:MustSupportRefKeyIdentifier/>
>
> <sp:MustSupportRefIssuerSerial/>
>
> <sp:MustSupportRefThumbprint/>
>
> <sp:MustSupportRefEncryptedKey/>
>
> <sp:RequireSignatureConfirmation/>
>                                                </wsp:Policy>
>                                            </sp:Wss11>
>                                            <sp:Trust10>
>                                                <wsp:Policy>
>
> <sp:MustSupportIssuedTokens/>
>
> <sp:RequireClientEntropy/>
>
> <sp:RequireServerEntropy/>
>                                                </wsp:Policy>
>                                            </sp:Trust10>
>                                        </wsp:Policy>
>                                    </sp:BootstrapPolicy>
>                                </wsp:Policy>
>                            </sp:SecureConversationToken>
>                        </wsp:Policy>
>                    </sp:ProtectionToken>
>                    <sp:AlgorithmSuite>
>                        <wsp:Policy>
>                            <sp:Basic128Rsa15/>
>                        </wsp:Policy>
>                    </sp:AlgorithmSuite>
>                    <sp:Layout>
>                        <wsp:Policy>
>                            <sp:Strict/>
>                        </wsp:Policy>
>                    </sp:Layout>
>                    <sp:IncludeTimestamp/>
>                    <sp:EncryptSignature/>
>                    <sp:OnlySignEntireHeadersAndBody/>
>                </wsp:Policy>
>            </sp:SymmetricBinding>
>            <sp:Wss11 xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                <wsp:Policy>
>                    <sp:MustSupportRefKeyIdentifier/>
>                    <sp:MustSupportRefIssuerSerial/>
>                    <sp:MustSupportRefThumbprint/>
>                    <sp:MustSupportRefEncryptedKey/>
>                </wsp:Policy>
>            </sp:Wss11>
>            <sp:Trust10 xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                <wsp:Policy>
>                    <sp:MustSupportIssuedTokens/>
>                    <sp:RequireClientEntropy/>
>                    <sp:RequireServerEntropy/>
>                </wsp:Policy>
>            </sp:Trust10>
>            <sp:EncryptedParts xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                <sp:Body/>
>            </sp:EncryptedParts>
>            <ramp:RampartConfig xmlns:ramp="
> http://ws.apache.org/rampart/policy">
>                <ramp:user>client</ramp:user>
>                <ramp:encryptionUser>service</ramp:encryptionUser>
>
>
> <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler</ramp:passwordCallbackClass>
>
>                <ramp:signatureCrypto>
>                    <ramp:crypto
> provider="org.apache.ws.security.components.crypto.Merlin">
>                        <ramp:property
>
> name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>                        <ramp:property
> name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>                        <ramp:property
>
> name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>                    </ramp:crypto>
>                </ramp:signatureCrypto>
>                <ramp:encryptionCypto>
>                    <ramp:crypto
> provider="org.apache.ws.security.components.crypto.Merlin">
>                        <ramp:property
>
> name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>                        <ramp:property
> name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>                        <ramp:property
>
> name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>                    </ramp:crypto>
>                </ramp:encryptionCypto>
>
>            </ramp:RampartConfig>
>        </wsp:All>
>    </wsp:ExactlyOne>
> </wsp:Policy>
>
> On Thu, Sep 16, 2010 at 10:30 AM, Amila Jayasekara <am...@wso2.com>
> wrote:
>
> > Hi Harshit,
> >   Some answers are inline.
> > Thanks
> > AmilaJ
> >
> > Harshit Bapna wrote:
> >
> >> Hi All,
> >>
> >> I am thinking of using RAMPART module for ws security.
> >>
> >> Requirement:
> >> To perform endpoint authentication as well as user authentication.
> >>
> >> Client endpoint authentication :- To allow only a configured client to
> >> invoke the web service.
> >> User authentication :- To allow only a specific user/actor to invoke the
> >> service. The reason for this requirement is that the same endpoint can
> be
> >> used by different type of users(Admin, CSR, normal user)
> >>
> >> I have gone through various sample 1-8 supplied with rampart 1.5 install.
> >>
> >> Question:
> >> 1. Can I combine userName & WssX509V3Token10 token for user and endpoint
> >> auth ?
> >>    UserName token - for user authentication
> >>    WssX509V3Token10 - for endpoint PKI credential authentication
> >>
> >>
> >      Yes, you can. In order to get WssX509V3Token10 support you can either
> > use SymmetricBinding or AsymmetricBinding mechanisms. With one of the above
> > bindings you can use UserName token as a supporting token.
> >
> >> 2. Also can secure conversation benefits be available when the above two
> >> type of tokens are used.
> >>
> >>
> >   As far as I know you should be able to use secure conversation with the
> > above mentioned tokens. Again you can use symmetric binding or asymmetric
> > binding and you should use SecureConversationToken. Thus the user name
> > token should be added as a supporting token.
> >
> >
> >> If you have any better suggestion to handle this requirement please let
> me
> >> know.
> >>
> >>
> > I guess the way you are heading is ok. In case you need more security
> > you should use SymmetricBinding or AsymmetricBinding. When you use
> > SymmetricBinding or AsymmetricBinding, keys used to encrypt/sign each
> > message differ from one another. But if you are more concerned about
> > performance you can use Secure conversation. In secure conversation
> > Rampart uses the same key to encrypt/sign messages for a given period
> > of time.
> >
> >> Harshit Bapna
> >> Team Lead
> >> Arcot Systems
> >>
> >>
> >>
> >
> >
>
>
> --
> -- Harshit Bapna
>

Re: Can UserName & WssX509V3Token10 Token be used simultaneously ?

Posted by Harshit Bapna <hr...@gmail.com>.
Thanks Amila for the elaborate response.
I have taken sample 04 (SecureConversation) shipped with the rampart 1.5
release as a base.
I have added another supporting token, a UserName token, to the policy (see
the bold section in the XML below).
*Note: I plan to use rampart for endpoint authentication as well as
user (actor) authentication.*

But I think I can configure only one rampart user, i.e.
<ramp:user>clientKeyName</ramp:user>.
Since I need to pass the userName token's userName as well, I have
configured a rampart config in the supportingTokens (username) tag, but I am
observing that only the global rampart config is honored,
i.e. PWCBHandler1 is not getting invoked and only PWCBHandler is invoked;
the UserName token's username value is not passed to the callback. The
callback is invoked 2 times with the identifier "client".

Questions:
1. How can I set the userName value & keyAliasName both in rampart? Is there
any workaround?
2. Can there be only one rampart config & not a supporting-token-specific
config?



<wsp:Policy wsu:Id="SecConvPolicy2"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:RequireDerivedKeys/>
                  <sp:BootstrapPolicy>
                    <wsp:Policy>
                      <sp:EncryptedParts>
                        <sp:Body/>
                      </sp:EncryptedParts>
                      <sp:SymmetricBinding>
                        <wsp:Policy>
                          <sp:ProtectionToken>
                            <wsp:Policy>
                              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                  <sp:RequireDerivedKeys/>
                                  <sp:RequireThumbprintReference/>
                                  <sp:WssX509V3Token10/>
                                </wsp:Policy>
                              </sp:X509Token>
                            </wsp:Policy>
                          </sp:ProtectionToken>
                          <sp:AlgorithmSuite>
                            <wsp:Policy>
                              <sp:Basic128Rsa15/>
                            </wsp:Policy>
                          </sp:AlgorithmSuite>
                          <sp:Layout>
                            <wsp:Policy>
                              <sp:Strict/>
                            </wsp:Policy>
                          </sp:Layout>
                          <sp:IncludeTimestamp/>
                          <sp:EncryptSignature/>
                          <sp:OnlySignEntireHeadersAndBody/>
                        </wsp:Policy>
                      </sp:SymmetricBinding>
                      <sp:EndorsingSupportingTokens>
                        <wsp:Policy>
                          <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                            <wsp:Policy>
                              <sp:RequireThumbprintReference/>
                              <sp:WssX509V3Token10/>
                            </wsp:Policy>
                          </sp:X509Token>
                        </wsp:Policy>
                      </sp:EndorsingSupportingTokens>
                      <!-- UsernameToken supporting token added to sample 04 (shown in bold in the original mail) -->
                      <sp:SupportingTokens>
                        <wsp:Policy>
                          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
                          <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                            <ramp:user>token2</ramp:user>
                            <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler1</ramp:passwordCallbackClass>
                          </ramp:RampartConfig>
                        </wsp:Policy>
                      </sp:SupportingTokens>
                      <sp:Wss11>
                        <wsp:Policy>
                          <sp:MustSupportRefKeyIdentifier/>
                          <sp:MustSupportRefIssuerSerial/>
                          <sp:MustSupportRefThumbprint/>
                          <sp:MustSupportRefEncryptedKey/>
                          <sp:RequireSignatureConfirmation/>
                        </wsp:Policy>
                      </sp:Wss11>
                      <sp:Trust10>
                        <wsp:Policy>
                          <sp:MustSupportIssuedTokens/>
                          <sp:RequireClientEntropy/>
                          <sp:RequireServerEntropy/>
                        </wsp:Policy>
                      </sp:Trust10>
                    </wsp:Policy>
                  </sp:BootstrapPolicy>
                </wsp:Policy>
              </sp:SecureConversationToken>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128Rsa15/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:EncryptSignature/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
          <sp:MustSupportRefEncryptedKey/>
        </wsp:Policy>
      </sp:Wss11>
      <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportIssuedTokens/>
          <sp:RequireClientEntropy/>
          <sp:RequireServerEntropy/>
        </wsp:Policy>
      </sp:Trust10>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body/>
      </sp:EncryptedParts>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>client</ramp:user>
        <ramp:encryptionUser>service</ramp:encryptionUser>
        <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler</ramp:passwordCallbackClass>
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
        <ramp:encryptionCypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
          </ramp:crypto>
        </ramp:encryptionCypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

On Thu, Sep 16, 2010 at 10:30 AM, Amila Jayasekara <am...@wso2.com> wrote:

> Hi Harshit,
>   Some answers are inline.
> Thanks
> AmilaJ
>
> Harshit Bapna wrote:
>
>> Hi All,
>>
>> I am thinking of using RAMPART module for ws security.
>>
>> Requirement:
>> To perform endpoint authentication as well as user authentication.
>>
>> Client endpoint authentication :- To allow only a configured client to
>> invoke the web service.
>> User authentication :- To allow only a specific user/actor to invoke the
>> service. The reason for this requirement is that the same endpoint can be
>> used by different type of users(Admin, CSR, normal user)
>>
>> I have gone through various sample 1-8 supplied with rampart 1.5 install.
>>
>> Question:
>> 1. Can I combine userName & WssX509V3Token10 token for user and endpoint
>> auth ?
>>    UserName token - for user authentication
>>    WssX509V3Token10 - for endpoint PKI credential authentication
>>
>>
>      Yes, you can. In order to get WssX509V3Token10 support you can either
> use SymmetricBinding or AsymmetricBinding mechanisms. With one of the above
> bindings you can use UserName token as a supporting token.
>
>> 2. Also can secure conversation benefits be available when the above two
>> type of tokens are used.
>>
>>
>   As far as I know you should be able to use secure conversation with the
> above mentioned tokens. Again you can use symmetric binding or asymmetric
> binding and you should use SecureConversationToken. Thus the user name
> token should be added as a supporting token.
>
>
>> If you have any better suggestion to handle this requirement please let me
>> know.
>>
>>
> I guess the way you are heading is ok. In case you need more security
> you should use SymmetricBinding or AsymmetricBinding. When you use
> SymmetricBinding or AsymmetricBinding, keys used to encrypt/sign each
> message differ from one another. But if you are more concerned about
> performance you can use Secure conversation. In secure conversation
> Rampart uses the same key to encrypt/sign messages for a given period
> of time.
>
>> Harshit Bapna
>> Team Lead
>> Arcot Systems
>>
>>
>>
>
>


-- 
-- Harshit Bapna
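
Nandana's reply above points at the user/userCertAlias parameters of the Rampart config as the way to carry a UsernameToken username and a signing key alias at the same time, which also answers the two questions in this mail: there is one RampartConfig per policy, so the per-token <ramp:RampartConfig> inside <sp:SupportingTokens> is not consulted, and the single password callback has to serve both credentials. The following is an added example, not code from this thread, from the Rampart 1.5 samples or from Rampart itself. It builds that one RampartConfig in code for each invocation and supplies one callback handler that dispatches on WSPasswordCallback.getUsage() rather than on the identifier alone. The class, method and package names (example.rampart, DualCredentialClientConfig, DualPasswordHandler, buildRampartConfig, apply) and the sample values are hypothetical; the Rampart and WSS4J calls used (RampartConfig.setUserCertAlias, CryptoConfig.setProp, Policy.addAssertion, RampartMessageData.KEY_RAMPART_POLICY, WSHandlerConstants.PW_CALLBACK_REF) are assumed from the Rampart 1.5 / WSS4J 1.5 API and should be checked against the jars in use.

```java
// Added example (not code from this thread, the Rampart samples or Rampart itself):
// a per-invocation RampartConfig carrying the UsernameToken username in
// <ramp:user> and the signing key alias in <ramp:userCertAlias>, and one password
// callback that dispatches on WSPasswordCallback.getUsage(). Names are hypothetical.
package example.rampart;

import java.io.IOException;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.axis2.client.Options;
import org.apache.neethi.Policy;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.model.CryptoConfig;
import org.apache.rampart.policy.model.RampartConfig;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

public class DualCredentialClientConfig {

    /**
     * One handler for both credentials. WSS4J states what a password is for via
     * getUsage(): USERNAME_TOKEN for the wsse:UsernameToken, SIGNATURE/DECRYPT for
     * the private key. Checking usage before identifier means a username that
     * happens to equal a key alias is never answered with the key password.
     */
    public static class DualPasswordHandler implements CallbackHandler {
        private final String userName, userPassword, keyAlias, keyPassword;

        public DualPasswordHandler(String userName, String userPassword,
                                   String keyAlias, String keyPassword) {
            this.userName = userName;
            this.userPassword = userPassword;
            this.keyAlias = keyAlias;
            this.keyPassword = keyPassword;
        }

        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb, "only WSPasswordCallback");
                }
                WSPasswordCallback pwcb = (WSPasswordCallback) cb;
                String id = pwcb.getIdentifier();
                switch (pwcb.getUsage()) {
                    case WSPasswordCallback.USERNAME_TOKEN:
                        if (userName.equals(id)) pwcb.setPassword(userPassword);
                        break;
                    case WSPasswordCallback.SIGNATURE:
                    case WSPasswordCallback.DECRYPT:
                        if (keyAlias.equals(id)) pwcb.setPassword(keyPassword);
                        break;
                    default:
                        // Unknown usage or identifier: leave the password unset so
                        // WSS4J fails the operation rather than this code guessing.
                        break;
                }
            }
        }
    }

    /** RampartConfig for one call: username for the UsernameToken, key alias for
     *  signing, the client keystore for both signature and encryption crypto. */
    public static RampartConfig buildRampartConfig(String userName, String keyAlias,
            String encryptionUser, String keystoreFile, String keystorePassword) {
        RampartConfig rc = new RampartConfig();
        rc.setUser(userName);           // <ramp:user>: goes into the UsernameToken
        rc.setUserCertAlias(keyAlias);  // <ramp:userCertAlias>: signing key alias
        rc.setEncryptionUser(encryptionUser);
        Properties merlin = new Properties();
        merlin.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
        merlin.setProperty("org.apache.ws.security.crypto.merlin.file", keystoreFile);
        merlin.setProperty("org.apache.ws.security.crypto.merlin.keystore.password",
                           keystorePassword);
        CryptoConfig crypto = new CryptoConfig();
        crypto.setProvider("org.apache.ws.security.components.crypto.Merlin");
        crypto.setProp(merlin);
        rc.setSigCryptoConfig(crypto);
        rc.setEncrCryptoConfig(crypto);
        return rc;
    }

    /** Adds the RampartConfig assertion to the policy and hands policy and handler
     *  instance to the Axis2 client options for this invocation. */
    public static void apply(Options options, Policy policy, RampartConfig rc,
                             CallbackHandler handler) {
        policy.addAssertion(rc);
        options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
        options.setProperty(WSHandlerConstants.PW_CALLBACK_REF, handler);
    }

    // Usage (constructed values): load sample 04's policy.xml with
    // PolicyEngine.getPolicy(...) minus its <ramp:RampartConfig> element, then:
    //   apply(options, policy,
    //         buildRampartConfig("token2", "client", "service", "client.jks", ksPwd),
    //         new DualPasswordHandler("token2", userPwd, "client", keyPwd));
}
```

Two design points. Building the config per invocation is what lets the same client endpoint (one key alias) send different usernames for the Admin, CSR and normal-user actors without editing policy.xml, and it keeps the keystore password out of the policy file. Passing the handler instance through PW_CALLBACK_REF instead of passwordCallbackClass avoids a no-argument class that has to find its secrets somewhere static. On the service side the callback is only half of the check: with a plain-text UsernameToken password, WSS4J 1.5 hands the server handler the usage USERNAME_TOKEN_UNKNOWN and expects it to verify the password itself, and the mapping from the verified username to what that actor may invoke still has to be done by the service.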

Re: Can UserName & WssX509V3Token10 Token be used simultaneously ?

Posted by Amila Jayasekara <am...@wso2.com>.
Hi Harshit,
    Some answers are inline.
Thanks
AmilaJ

Harshit Bapna wrote:
> Hi All,
>
> I am thinking of using RAMPART module for ws security.
>
> Requirement:
> To perform endpoint authentication as well as user authentication.
>
> Client endpoint authentication :- To allow only a configured client to invoke the web service.
> User authentication :- To allow only a specific user/actor to invoke the service. The reason for this requirement is that the same endpoint can be used by different type of users(Admin, CSR, normal user)
>
> I have gone through various sample 1-8 supplied with rampart 1.5 install.
>
> Question:
> 1. Can I combine userName & WssX509V3Token10 token for user and endpoint auth ?
>     UserName token - for user authentication
>     WssX509V3Token10 - for endpoint PKI credential authentication
>   
       Yes, you can. In order to get WssX509V3Token10 support you can 
either use SymmetricBinding or AsymmetricBinding mechanisms. With one of 
the above bindings you can use UserName token as a supporting token.
> 2. Also can secure conversation benefits be available when the above two type of tokens are used.
>   
    As far as I know you should be able to use secure conversation with 
the above mentioned tokens. Again you can use symmetric binding or 
asymmetric binding and you should use SecureConversationToken. Thus the 
user name token should be added as a supporting token.

>
> If you have any better suggestion to handle this requirement please let me know.
>   
I guess the way you are heading is ok. In case you need more security 
you should use SymmetricBinding or AsymmetricBinding. When you use 
SymmetricBinding or AsymmetricBinding, keys used to encrypt/sign each 
message differ from one another. But if you are more concerned about 
performance you can use Secure conversation. In secure conversation 
Rampart uses the same key to encrypt/sign messages for a given period of 
time.
> Harshit Bapna
> Team Lead
> Arcot Systems
>
>