Posted to rampart-dev@ws.apache.org by Petter Olsson <pe...@student.liu.se> on 2008/06/16 15:54:42 UTC

Rampart policy

Hi all!

I want to use Rampart to build a simple SSO system for Web services using
SAML tickets. I want the STS to be able to handle a few users and issue SAML
tokens with some attributes connected to those users. The tokens shall be
used to authenticate users at some different Web services.

I ran into some problems though. I'm looking at sample05 (policy) and feel
kind of confused. I can't get the whole concept of the policy files. There
is one file for each service as I understand it(?). One for the echo
service (policy.xml) and one for the STS (sts_policy.xml). My interpretation
is that every service that I want to communicate with provides me with its
policy (in some way) so I know what information, tokens etc. I need to
provide. But in the files there is client-specific information like the
client's keystore; how can the service know that? Or have I got it all wrong?

Another question. Why is it that specific code needs to be included in the
client source code in order to request a SAML token? Shouldn't that be
handled by Rampart using the policy documents?

/Petter

Re: Rampart policy

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Petter

-- 
Nandana Mihindukulasooriya
Software Engineer
WSO2 inc.

http://nandana83.blogspot.com/
http://nandanasm.wordpress.com/

Re: Rampart policy

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Petter,

> I want to use Rampart to build a simple SSO system for Web services using
> SAML tickets.


Great.

> I want the STS to be able to handle a few users and issue SAML
> tokens with some attributes connected to those users. The tokens shall be
> used to authenticate users at some different Web services.


At the moment, the default SAML issuer [1] that comes with Rampart is not very
configurable w.r.t. attributes, so we may need to improve it a little.
Please feel free to create JIRAs whenever you feel necessary, and please do
submit patches too. I will be happy to help you with this.

> I ran into some problems though. I'm looking at sample05 (policy) and feel
> kind of confused. I can't get the whole concept of the policy files. There
> are one file for each service as I understand it(?). One for the echo
> service (policy.xml) and one for the STS (sts_policy.xml).


Yes, each service has a policy which describes the security requirements
that need to be satisfied when a client is consuming the service.


> My interpretation
> is that every service that I want to communicate with provides me with its
> policy (in some way) so I know what information, tokens etc I need to
> provide.


Exactly. The most common way is to attach the policy in the correct place in
the WSDL of the service. If you look at one of the WSDLs of a sample service
you will see that the WSDL is annotated with the relevant policy. So the
client looking at the WSDL can extract the policy.

> But in the files there is client-specific information like the
> client's keystore; how can the service know that? Or have I got it all
> wrong?
>

Hmmm, there has been a big argument over whether the configuration information
should go into the policy or not. At the moment, we provide all the
information needed by Rampart as a policy assertion. So the policy files
you see have two things: the policy extracted from the service WSDL, and
configuration details added by the client. Please look at the tutorial [2],
so you will be able to get a clear idea on this.

> Another question. Why is it that specific code needs to be included in the
> client source code in order to request a SAML token? Shouldn't that be
> handled by Rampart using the policy documents?
>

Please look at sample 06. It kind of does the above scenario.

thanks,
nandana

[1] -
https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-trust/src/main/java/org/apache/rahas/impl/SAMLTokenIssuer.java
[2] - http://wso2.org/library/3415