Posted to java-user@axis.apache.org by George Stanchev <Gs...@serena.com> on 2006/12/07 04:16:36 UTC

rahas

Hi,
 
Is there a reason rahas is a module at all? In previous builds rahas
was a service (aar), which I thought makes more sense - after all, it
has a service functionality in it, and if someone wants to extend
it, why do they have to define a dummy service (as in the test cases)
just to serve a RST?
 
Speaking of the test cases in integration,
they only run under the simple HTTP server that comes with axis2.
In order to run them under tomcat for example, several changes
need to be applied - the TestClient.java needs to be modified to put
proper addressing namespace in the RST message - it uses
AddressingConstants.Submission.WSA_NAMESPACE when
it should use AddressingConstants.Final.WSA_NAMESPACE.
Unless there is a way to configure axis2 servlet which namespace
to recognize. In addition, opensaml1.1b has a dependency on
log4j which is missing from both axis2 1.1 distro and rahas. Adding
it to the repo lib dir solves the problem.
 
Is there any plan to finish the trust2 model in wss4j sandbox?
It would be nice to have some real api for wst ;-)
 
Thanks


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.


RE: rahas

Posted by George Stanchev <Gs...@serena.com>.
Hi Ruchith,

I see. My comments below. 

George

-----Original Message-----
From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com] 
Sent: Thursday, December 07, 2006 1:22 AM
To: axis-user@ws.apache.org
Subject: Re: rahas

>> On 12/7/06, George Stanchev <Gs...@serena.com> wrote:
>>
>> Is there a reason rahas is a module at all? In previous builds rahas
>> was a service (aar), which I thought makes more sense - after all, it
>> has a service functionality in it, and if someone wants to extend it,
>> why do they have to define a dummy service (as in the test cases) just
>> to serve a RST.

> The main purpose of the rahas.mar is to enable STS functionality on a
> service to support WS-SecureConversation scenarios. In these scenarios
> the service is expected to issue and cancel SecurityContextTokens.

I see. But is there any reason the aar was removed from the build?
And speaking of the aar, I could not make it run under tomcat. It
kept bombing out when trying to load its configuration settings.
I might try to play with it again later on, but meanwhile, have you
been successfully able to drop the aar in tomcat and get a RSTR?

>> Speaking of the test cases in integration, they only run under the
>> simple HTTP server that comes with axis2.
>> In order to run them under tomcat for example, several changes need to
>> be applied - the TestClient.java needs to be modified to put proper
>> addressing namespace in the RST message - it uses
>> AddressingConstants.Submission.WSA_NAMESPACE when it should use
>> AddressingConstants.Final.WSA_NAMESPACE.
>> Unless there is a way to configure axis2 servlet which namespace to
>> recognize.

> hmm ... I thought axis2 addressing module can handle any addressing 
> version in incoming messages.

Maybe there is some option I am missing. In the RahasData constructor
the addressing namespace is pulled from the message context:

       this.addressingNs = (String) this.inMessageContext
                .getProperty(AddressingConstants.WS_ADDRESSING_VERSION);

and that is later used in RahasData.processAppliesTo() to extract the 
address element from the epr element. If the message context doesn't 
have addressing headers in it, then it uses the epr to determine
addressing version (as a comment in RahasData, line 174-175 suggests).
In the tests, addressing is not used and therefore addressing is only
present in epr element and things work. But with addressing enabled,
it uses headers with different version and due to the namespace mismatch
rahas cannot extract the epr element.

The epr addressing namespace doesn't have to match the message namespace,
does it?

>> Is there any plan to finish the trust2 model in wss4j sandbox?
>> It would be nice to have some real api for wst ;-)

> I'm not sure about the trust2 stuff in wss4j ... but you are welcome 
> to suggest any improvements/patches to rahas ... I'll be glad to try 
> to implement/apply them.

Googling around, I found an old thread, where you say that the sandbox 
folder in wss4j contains DOM-based trust implementation and trust2
is a rework but hasn't been finished yet. It looks like it was a good
start.

For example:

http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/sandbox/security/trust/message/token/

In the long run I like having separate (reworked) trust client API and
STS provider. Speaking of which, how about splitting the issuers in
2 parts - issuer and identity provider. The issuer knows how to issue
different tokens as it is now - SAML issuer, UsernameToken issuer, etc.
The IdP provides the subject's identity information which the issuer then
packages into a token. This way, if users want to extend the STS (to
extract subject attributes from LDAP for example) all they have to do
is hook their own IdP.

George 




---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org
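
Added example (not part of the thread, and not Rahas or Axis2 code): the namespace mismatch described in the reply above, reproduced with the JDK DOM parser by looking up the AppliesTo address once with the namespace of the message's addressing headers and once with the namespace the EPR element itself carries. The class and method names are hypothetical, the sample AppliesTo element is constructed, and the namespace URIs are assumed to be the WS-Addressing 2004/08 (Submission) and 2005/08 (Final) ones, with the WS-Policy 2004/09 namespace for AppliesTo.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class AppliesToAddress {
    static final String WSA_SUBMISSION = "http://schemas.xmlsoap.org/ws/2004/08/addressing";
    static final String WSA_FINAL = "http://www.w3.org/2005/08/addressing";
    static final String WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"; // assumed AppliesTo namespace

    // Lookup keyed on the namespace of the message's addressing headers.
    static String byHeaderNamespace(Element appliesTo, String headerNs) {
        NodeList eprs = appliesTo.getElementsByTagNameNS(headerNs, "EndpointReference");
        return eprs.getLength() == 0 ? null : addressOf((Element) eprs.item(0), headerNs);
    }

    // Lookup keyed on the EPR element's own namespace; unknown namespaces are rejected.
    static String byEprNamespace(Element appliesTo) {
        for (Node n = appliesTo.getFirstChild(); n != null; n = n.getNextSibling()) {
            String ns = n.getNamespaceURI();
            boolean knownWsa = WSA_SUBMISSION.equals(ns) || WSA_FINAL.equals(ns);
            if (n instanceof Element && knownWsa && "EndpointReference".equals(n.getLocalName())) {
                return addressOf((Element) n, ns);
            }
        }
        return null;
    }

    static String addressOf(Element epr, String ns) {
        NodeList a = epr.getElementsByTagNameNS(ns, "Address");
        return a.getLength() == 0 ? null : a.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the EPR inside AppliesTo uses the Submission namespace.
        String xml = "<wsp:AppliesTo xmlns:wsp='" + WSP + "' xmlns:wsa='" + WSA_SUBMISSION + "'>"
                + "<wsa:EndpointReference><wsa:Address>http://sts.example.org/service</wsa:Address>"
                + "</wsa:EndpointReference></wsp:AppliesTo>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Element appliesTo = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml))).getDocumentElement();
        System.out.println("headers say Final  -> " + byHeaderNamespace(appliesTo, WSA_FINAL));
        System.out.println("EPR's own namespace -> " + byEprNamespace(appliesTo));
    }
}
```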


Re: rahas

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi,


On 12/7/06, George Stanchev <Gs...@serena.com> wrote:
>
>
>
> Hi,
>
> Is there a reason rahas is a module at all? In previous builds rahas
> was a service (aar), which I thought makes more sense - after all, it
> has a service functionality in it, and if someone wants to extend
> it, why do they have to define a dummy service (as in the test cases)
> just to serve a RST.

The main purpose of the rahas.mar is to enable STS functionality on a
service to support WS-SecureConversation scenarios. In these
scenarios the service is expected to issue and cancel
SecurityContextTokens.

>
> Speaking of the test cases in integration,
> they only run under the simple HTTP server that comes with axis2.
> In order to run them under tomcat for example, several changes
> need to be applied - the TestClient.java needs to be modified to put
> proper addressing namespace in the RST message - it uses
> AddressingConstants.Submission.WSA_NAMESPACE when
> it should use AddressingConstants.Final.WSA_NAMESPACE.
> Unless there is a way to configure axis2 servlet which namespace
> to recognize.

hmm ... I thought axis2 addressing module can handle any addressing
version in incoming messages.

> In addition, opensaml1.1b has a dependency on
> log4j which is missing from both axis2 1.1 distro and rahas. Adding
> it to the repo lib dir solves the problem.

will add the log4j dependency to rahas.

>
> Is there any plan to finish the trust2 model in wss4j sandbox?
> It would be nice to have some real api for wst ;-)

I'm not sure about the trust2 stuff in wss4j ... but you are welcome
to suggest any improvements/patches to rahas ... I'll be glad to try
to implement/apply them.

Thanks,
Ruchith

>
> Thanks
>


-- 
www.ruchith.org
