Posted to fx-dev@ws.apache.org by Aws Ismail <aw...@tatweersoftware.com> on 2005/07/09 18:57:03 UTC

Cascaded security tokens order and the Configuration

I have configured my web service client to use WSDoAllSender to sign the
SOAP request (create a Signature token) and also to create a Username token
like this:

<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

      <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender" />

      <globalConfiguration>
            <requestFlow>
                  <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
                        <parameter name="user" value="user1" />
                        <parameter name="passwordCallbackClass" value="PWCallback" />
                        <parameter name="action" value="Signature NoSerialization" />
                        <parameter name="signaturePropFile" value="crypto.properties" />
                        <parameter name="mustUnderstand" value="0" />
                  </handler>
                  <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
                        <parameter name="action" value="UsernameToken" />
                        <parameter name="user" value="User1" />
                        <parameter name="passwordCallbackClass" value="PWCallback" />
                        <parameter name="passwordType" value="digested" />
                        <parameter name="mustUnderstand" value="0" />
                  </handler>
            </requestFlow>
      </globalConfiguration>

</deployment>

And the server configuration is:

<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
      <parameter name="passwordCallbackClass" value="PWCallback" />
      <parameter name="action" value="Signature UsernameToken" />
      <parameter name="signaturePropFile" value="crypto.properties" />
</handler>

Question 1:

Everything works fine if the order of the security tokens on the client side is
like above; however it does not work if they are reversed?! And I don't have
control over all the clients to make them always send the user token first and
then the signature in the Security header.

Question 2:

The PWCallback class requires that I set the password for the identifier (on
the server side) so that it can be authenticated; I need to authenticate
through LDAP, what is the best way to accomplish this?

Question 3:

I could configure crypto.properties to read the keys needed for signing and
validating the signature from a keystore stored on the file system; how can I
configure Merlin to use digital certificates stored in LDAP to do the
signature validation?

Thanks in advance.

 

Aws Ismail



Re: Cascaded security tokens order and the Configuration

Posted by Werner Dittmann <We...@t-online.de>.
Hi,

first a question about your config (wsdd): why do you use
a chained (cascaded) handler? It would also work if you just
say: <parameter name="action" value="Signature UsernameToken" />.

Do you need different user names? In that case you shall use chaining.

If you reverse the actions on the client side then you have to do the
same on the server side, except you define "NoSecurity" as action. In
that case no check is done if the security actions are in the right
order.

About using LDAP for the password: just enable your password callback class
to use e.g. the username as the key into an LDAP directory. That's
why we introduced the callback class: you can program it in any way
necessary to get a password.

The same holds true for the certificate. Merlin supports Java Keystore
and PKCS#12 using the BouncyCastle libraries. Merlin is an
implementation of the Crypto interface. You may just have your own class
inheriting from Merlin and add LDAP support. In that case you may
also need to enhance the certificate validation in WSDoAllReceiver. Do
it similar to Merlin: have your own class that inherits from
WSDoAllReceiver and overwrite the appropriate methods.
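The two LDAP-backed pieces Werner describes (a password callback that keys into the directory by username, and a Merlin subclass that fetches certificates from the directory), as an added example that is not part of this thread or of WSS4J itself. It targets the WSS4J 1.x API the thread uses (WSPasswordCallback, Merlin, CryptoBase.getCertificates); the directory URL, base DN, reader account, system property names and the attribute names userPassword and userCertificate;binary are assumptions, and the class names LdapLookup, LdapPWCallback and LdapMerlin are invented here.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import java.util.Properties;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.CredentialException;
import org.apache.ws.security.components.crypto.Merlin;

/** Shared JNDI lookup. URL, base DN, reader DN and attribute names are assumptions for this example. */
final class LdapLookup {
    static final String URL = "ldaps://ldap.example.test:636";          // assumed directory (TLS)
    static final String BASE = "ou=people,dc=example,dc=test";          // assumed search base
    static final String READER_DN = "cn=wss-reader,dc=example,dc=test"; // assumed read-only service account

    /** First value of attr on the entry whose uid equals id, or null if the entry or attribute is absent. */
    static byte[] attribute(String id, String attr) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_PRINCIPAL, READER_DN);
        // Reader credential comes from the JVM environment, not from source or the wsdd.
        env.put(Context.SECURITY_CREDENTIALS, System.getProperty("wss.ldap.reader.password"));
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { attr });
            // The identifier is passed as filter argument {0} so JNDI escapes it; concatenating
            // an attacker-chosen username into the filter string would permit LDAP filter injection.
            NamingEnumeration<SearchResult> hits = ctx.search(BASE, "(uid={0})", new Object[] { id }, sc);
            if (!hits.hasMore()) return null;
            Attribute a = hits.next().getAttributes().get(attr);
            if (a == null) return null;
            Object v = a.get();
            return (v instanceof byte[]) ? (byte[]) v : v.toString().getBytes(StandardCharsets.UTF_8);
        } finally {
            ctx.close();
        }
    }
}

/** Replacement for PWCallback: point passwordCallbackClass at this class instead. */
public class LdapPWCallback implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(callbacks[i]);
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            // getIdentifer() is the WSS4J 1.x spelling of this accessor (later releases add getIdentifier()).
            String id = pc.getIdentifer();
            if (pc.getUsage() == WSPasswordCallback.SIGNATURE) {
                // Private-key password for the signing alias: a local secret, not a directory attribute.
                pc.setPassword(System.getProperty("wss.signing.key.password"));
                continue;
            }
            try {
                byte[] pw = LdapLookup.attribute(id, "userPassword"); // attribute name assumed
                if (pw == null) throw new IOException("no password for identifier " + id);
                // WSS4J recomputes the UsernameToken digest itself, so the callback must return clear text.
                pc.setPassword(new String(pw, StandardCharsets.UTF_8));
            } catch (NamingException e) {
                throw new IOException("LDAP lookup failed for " + id + ": " + e.getMessage());
            }
        }
    }
}

/** Crypto implementation that resolves certificates from LDAP before falling back to the keystore. */
class LdapMerlin extends Merlin {
    LdapMerlin(Properties properties) throws CredentialException, IOException {
        super(properties);
    }

    public X509Certificate[] getCertificates(String alias) throws WSSecurityException {
        try {
            byte[] der = LdapLookup.attribute(alias, "userCertificate;binary"); // attribute name assumed
            if (der != null) {
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
                return new X509Certificate[] { cert };
            }
        } catch (Exception e) {
            throw new WSSecurityException("certificate lookup failed for " + alias, e);
        }
        return super.getCertificates(alias); // not in the directory: use the configured keystore
    }
}
```

LdapMerlin is selected by setting org.apache.ws.security.crypto.provider in crypto.properties to its fully qualified class name; the remaining Merlin keystore properties stay as they are for the fallback. Two caveats follow from the thread's configuration: with passwordType "digested" the server cannot verify the token by binding to LDAP, because WSS4J needs the clear-text password to recompute the digest, so the directory must expose a password attribute the reader account is allowed to read; and a certificate fetched by alias only identifies the signer, so the trust check Werner mentions in WSDoAllReceiver still has to decide whether that certificate is acceptable.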

Aws Ismail schrieb:
> I have configured my web service client to Use WSDoAllSender to sign the
> soap request (create Signature token) and to also to create a Username
> token like this:
>
> <deployment xmlns="http://xml.apache.org/axis/wsdd/"
>             xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
>
>       <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender" />
>
>       <globalConfiguration>
>             <requestFlow>
>                   <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>                         <parameter name="user" value="user1" />
>                         <parameter name="passwordCallbackClass" value="PWCallback" />
>                         <parameter name="action" value="Signature NoSerialization" />
>                         <parameter name="signaturePropFile" value="crypto.properties" />
>                         <parameter name="mustUnderstand" value="0" />
>                   </handler>
>                   <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>                         <parameter name="action" value="UsernameToken" />
>                         <parameter name="user" value="User1" />
>                         <parameter name="passwordCallbackClass" value="PWCallback" />
>                         <parameter name="passwordType" value="digested" />
>                         <parameter name="mustUnderstand" value="0" />
>                   </handler>
>             </requestFlow>
>       </globalConfiguration>
>
> </deployment>
>
> And in the Server configuration is:
>
> <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
>       <parameter name="passwordCallbackClass" value="PWCallback" />
>       <parameter name="action" value="Signature UsernameToken" />
>       <parameter name="signaturePropFile" value="crypto.properties" />
> </handler>
>
> Question 1:
>
> Everything works fine if the order of security tokens in the client side
> was like above, *however it does not work if they were reversed*?! And I
> don't have the control on all the clients to send first the user token
> then the signature in the Security header all the times?
>
> Question 2:
>
> The PWCallback class required that I have to set the password for the
> identifier (on the server side) so that it can be authenticated; *I have
> the need to authenticate through the LDAP, what is the best way to
> accomplish this?*
>
> Question 3:
>
> I could configure the crypto.properties to read the needed keys for
> signing and validating the signature from a keystore stored on the file
> system, *how can I configure Merlin to utilize Digital Certificates
> stored in LDAP to do the Signature Validation?*
>
> Thanks in advance.
>
> Aws Ismail