Posted to java-user@axis.apache.org by Håkon Sagehaug <Ha...@bccs.uib.no> on 2009/04/06 17:06:59 UTC

Extracting attribute values from SAML token in rampart sample 05

Hi all,

I was wondering if it's possible to extract the values inside a SAML token.
I looked at sample 05 and wanted to list out the values of the attribute
statement, I tried this in the password call back handler

Element el = pwcb.getCustomToken();

But just got null. What I'm trying to achieve is not just validate that the
attributes are signed by the sts but also see what attributes the client can
give the possessing.

How can this be done??

cheers, håkon

-- 
Håkon Sagehaug, Scientific Programmer
Parallab, Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)

Re: Extracting attribute values from SAML token in rampart sample 05

Posted by Håkon Sagehaug <Ha...@bccs.uib.no>.
Hi

Thanks for the reply, but still a little lost ;). My main question I guess
is where should I extract these attributes? I feel that this should be taken
care of before the service invocation, correct? Tried getting the message
context in my callback handler, but it was null.
Should I create a new module for this? Is it possible to write my own
Attributecallback and tell rampart to use this?

2009/4/6 Martin Gainty <mg...@hotmail.com>

>
> //Construct RahasData from MessageContext
> http://ws.apache.org/rampart/apidocs/org/apache/rahas/RahasData.html
>

>
> //get a default handle
> SAMLCallbackHandler handler = config.getCallbackHander();

Where is config coming from?

>
> //then construct SAML AttributeCallback to retrieve the RahasData contents
>
> http://ws.apache.org/rampart/apidocs/org/apache/rahas/impl/util/SAMLAttributeCallback.html
>
>                SAMLAttributeCallback cb = new SAMLAttributeCallback(data);
>                SAMLCallbackHandler handler = config.getCallbackHander();
>                handler.handle(cb);
>                attrs = cb.getAttributes();
>
> another answer?

from the Nordics?

cheers, håkon

>
> Martin


-- 
Håkon Sagehaug, Scientific Programmer
Parallab, Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)

Fwd: Extracting attribute values from SAML token in rampart sample 05

Posted by Håkon Sagehaug <Ha...@bccs.uib.no>.
---------- Forwarded message ----------
From: Håkon Sagehaug <Ha...@bccs.uib.no>
Date: 2009/4/7
Subject: Re: Extracting attribute values from SAML token in rampart sample 05
To: rampart-dev@ws.apache.org


Hi

Did some more testing, see inline for comments

2009/4/6 Martin Gainty <mg...@hotmail.com>

>
> //Construct RahasData from MessageContext
> http://ws.apache.org/rampart/apidocs/org/apache/rahas/RahasData.html
>

creating this looks to me like there has to be a request security token
element in the soap body, if not there is a TrustException thrown. I want
to look at these saml attributes at the end service, then the saml assertion
would be in the header. My thoughts are as follows:

1. Rampart at the end service sees if the saml assertion in the header is
signed by the sts service.
2. If it is signed -- the service or a own module for this purpose, not sure
what would be the best option -- will look at these attributes and see if the
users can perform the wanted action. Then I of course need to extract the
SAML attributes from the assertion, but maybe it's easier to just parse the
header and look for the attribute element.

cheers, håkon

>
>
> //get a default handle
> SAMLCallbackHandler handler = config.getCallbackHander();
> //then construct SAML AttributeCallback to retrieve the RahasData contents
>
> http://ws.apache.org/rampart/apidocs/org/apache/rahas/impl/util/SAMLAttributeCallback.html
>
>                SAMLAttributeCallback cb = new SAMLAttributeCallback(data);
>                SAMLCallbackHandler handler = config.getCallbackHander();
>                handler.handle(cb);
>                attrs = cb.getAttributes();
>
> another answer?
> Martin


-- 
Håkon Sagehaug, Scientific Programmer
Parallab, Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
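
Added example, not part of the original thread and not Rampart or Rahas code: the "parse the header and look for the attribute element" approach from the message above, written with JDK DOM APIs only. It assumes a SAML 1.1 assertion that is a direct child of wsse:Security and whose signature Rampart has already verified; the class name, envelope and attribute values are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Hypothetical helper class; nothing here is a Rampart or Rahas API.
public class SamlAttributeReader {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String SAML = "urn:oasis:names:tc:SAML:1.0:assertion"; // SAML 1.1 assumed

    // Direct children only, matched by namespace URI and local name (never by prefix).
    static List<Element> children(Element parent, String ns, String local) {
        List<Element> out = new ArrayList<>();
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            boolean match = n instanceof Element && ns.equals(n.getNamespaceURI())
                    && local.equals(n.getLocalName());
            if (match) out.add((Element) n);
        }
        return out;
    }

    // Refuse ambiguity: a second Security header or assertion is rejected, not skipped.
    static Element only(Element parent, String ns, String local) {
        List<Element> found = children(parent, ns, local);
        if (found.size() != 1) throw new SecurityException("expected one " + local);
        return found.get(0);
    }

    // Maps "AttributeNamespace#AttributeName" to the list of AttributeValue texts.
    static Map<String, List<String>> attributes(Element assertion) {
        Map<String, List<String>> attrs = new LinkedHashMap<>();
        for (Element stmt : children(assertion, SAML, "AttributeStatement")) {
            for (Element attr : children(stmt, SAML, "Attribute")) {
                String key = attr.getAttribute("AttributeNamespace") + "#"
                        + attr.getAttribute("AttributeName");
                List<String> values = attrs.computeIfAbsent(key, k -> new ArrayList<>());
                for (Element v : children(attr, SAML, "AttributeValue")) values.add(v.getTextContent().trim());
            }
        }
        return attrs;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample; Subject and ds:Signature are omitted for brevity.
        String envelope = "<s:Envelope xmlns:s='" + SOAP + "'><s:Header>"
                + "<wsse:Security xmlns:wsse='" + WSSE + "'>"
                + "<saml:Assertion xmlns:saml='" + SAML + "'><saml:AttributeStatement>"
                + "<saml:Attribute AttributeName='role' AttributeNamespace='urn:example:attrs'>"
                + "<saml:AttributeValue>researcher</saml:AttributeValue>"
                + "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
                + "</wsse:Security></s:Header><s:Body/></s:Envelope>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required for getNamespaceURI()/getLocalName()
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder().parse(
                new ByteArrayInputStream(envelope.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        Element security = only(only(root, SOAP, "Header"), WSSE, "Security");
        System.out.println(attributes(only(security, SAML, "Assertion")));
    }
}
```

In a deployed service the header would come from the incoming message rather than a string, and an authorization decision should use only attributes read from the assertion element that the signature check covered.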

RE: Extracting attribute values from SAML token in rampart sample 05

Posted by Martin Gainty <mg...@hotmail.com>.
//Construct RahasData from MessageContext
http://ws.apache.org/rampart/apidocs/org/apache/rahas/RahasData.html

//get a default handle 
SAMLCallbackHandler handler = config.getCallbackHander();
//then construct SAML AttributeCallback to retrieve the RahasData contents
http://ws.apache.org/rampart/apidocs/org/apache/rahas/impl/util/SAMLAttributeCallback.html

    SAMLAttributeCallback cb = new SAMLAttributeCallback(data);
    SAMLCallbackHandler handler = config.getCallbackHander();
    handler.handle(cb);
    attrs = cb.getAttributes();

another answer?
Martin 