Posted to rampart-dev@ws.apache.org by Narayan Dhillon <Na...@vocalink.com> on 2008/01/03 10:33:01 UTC

RE: Rampart and operation-level security configuration

Thanks Hans.

Are you securing the messages both ways using an X.509 token?
I am struggling to come up with a policy which will secure only the
incoming messages. Any help on this will be greatly appreciated.

Regards, Narayan

-----Original Message-----
From: Hans Guldager Knudsen [mailto:hgax@lenio.dk] 
Sent: 28 December 2007 09:41
To: rampart-dev@ws.apache.org
Subject: Re: Rampart and operation-level security configuration

Hi Narayan!

I have tried this using policy configuration of the service/operations 
(with Axis2/Rampart version 1.2).

The service definition looked something like this:

  <service name="Service">

    <operation name="Notification" mep="http://www.w3.org/2006/01/wsdl/in-out">
      <messageReceiver class="NotificationReceiver" />
      <actionMapping>Request</actionMapping>
      <outputActionMapping>Response</outputActionMapping>

      <message label="In">
         <wsp:Policy wsu:Id="MessageLevel_In_Out_WSS_Policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" >

            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body/>
                <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
                <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
            </sp:SignedParts>

            <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body/>
            </sp:EncryptedParts>
         </wsp:Policy>
      </message>

      <message label="Out">

... OUT Policy...

      </message>

    </operation>


:: common policy for all operations

    <wsp:Policy wsu:Id="CommonPolicyForService"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsap="http://www.w3.org/2006/05/addressing/wsdl"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" >

    <wsp:ExactlyOne>
        <wsp:All>

            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:InitiatorToken>
...

            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">

                <ramp:user>server</ramp:user>
                <ramp:encryptionUser>useReqSigCert</ramp:encryptionUser>

...
</service>


/hans




> Hi,
>
> In Rampart, could security be configured at the operation level?
> The idea is to have different assertions for different operations
> inside a service.
>
> I had tried the following in services.xml, which seems to ignore this
> configuration:-
>
> <operation name="initiatePayment"
>            mep="http://www.w3.org/ns/wsdl/in-out">
>     <actionMapping>\"\"</actionMapping>
>     <outputActionMapping>urn:com.test.Response</outputActionMapping>
>     <parameter name="InflowSecurity">
>         <action>
>             <items>Signature</items>
>             <signaturePropFile>security.properties</signaturePropFile>
>             <user>test</user>
>             <passwordCallbackClass>PWCallback</passwordCallbackClass>
>             <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
>         </action>
>     </parameter>
> </operation>
>
> Any help or pointers on this will be greatly appreciated.
>
> Thanks, Narayan
>
>
> *****************************************************
> This email is issued by a VocaLink group company. It is confidential
and intended for the exclusive use of the addressee only. You should not
disclose its contents to any other person. If you are not the addressee
(or responsible for delivery of the message to the addressee), please
notify the originator immediately by return message and destroy the
original message. The contents of this email will have no contractual
effect unless it is otherwise agreed between a specific VocaLink group
company and the recipient.
>  
> The VocaLink group companies include, among others: VocaLink Limited
(Company No 06119048, VAT No. 907 9619 87) which is registered in
England and Wales at registered office Drake House, Homestead Road,
Rickmansworth, WD3 1FX. United Kingdom, Voca Limited (Company no
1023742, VAT No. 907 9619 87) which is registered in England and Wales
at registered office Drake House, Three Rivers Court, Homestead Road,
Rickmansworth, Hertfordshire. WD3 1FX. United Kingdom, LINK Interchange
Network Limited (Company No 3565766, VAT No. 907 9619 87) which is
registered in England and Wales at registered office Arundel House, 1
Liverpool Gardens, Worthing, West Sussex, BN11 1SL and VocaLink Holdings
Limited (Company No 06119036, VAT No. 907 9619 87) which is registered
in England and Wales at registered office Drake House, Homestead Road,
Rickmansworth, WD3 1FX. United Kingdom.
>  
> The views and opinions expressed in this email may not reflect those
of any member of the VocaLink group. This message and any attachments
have been scanned for viruses prior to leaving the VocaLink group
network; however, VocaLink does not guarantee the security of this
message and will not be responsible for any damages arising as a result
of any virus being passed on or arising from any alteration of this
message by a third party. The VocaLink group may monitor emails sent to
and from the VocaLink group network.
>  
> This message has been checked for all email viruses by MessageLabs.
> *************************************************************



Re: Rampart and operation-level security configuration

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Narayan,
As you can see in Hans's policy, he is using two message-level policies,
one for the "In" message and one for the "Out" message.

<service name="Service">
    <operation name="Notification">
        <message label="In">  * message level policy assertions * </message>
        <message label="Out"> * message level policy assertions * </message>
        * operation level policy assertions *
    </operation>
    * service level policy assertions *
</service>

According to the WS-SecurityPolicy Language specification, the following is
the suggested way in which assertions can be applied in each scope.

Message level policy assertions
  1.) Supporting token assertions
  2.) Protection assertions (SignedParts / EncryptedParts / etc.)

Operation level policy assertions
  1.) Supporting token assertions

Endpoint level policy assertions
  1.) Security binding assertions (Symmetric / Asymmetric / Transport)
  2.) Supporting token assertions
  3.) WSS 1.0 assertions
  4.) WSS 1.1 assertions
  5.) Trust assertions

But using these assertions in any of the scopes is not restricted in
Rampart. So if you want to enforce security in the in flow and don't want
any security at all in the out flow, you can even define the complete
security binding policy under <message label="In"> policy </message>. I
have not tried it, but it should simply work. But it is against the
WS-SecurityPolicy Language spec, as it says under all the security binding
assertions that "This assertion MUST apply to [Endpoint Policy Subject]".

The other option you have is to have a security binding policy which doesn't
enforce any security as the security binding (Symmetric / Asymmetric
binding) and enforce security via message-level security assertions. But
here also, things like timestamp inclusion can only be specified in the
security binding assertion.

Thanks,
Nandana


On Jan 3, 2008 3:03 PM, Narayan Dhillon <Narayan.Dhillon@vocalink.com> wrote:
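The scoping rules Nandana lays out (bindings, WSS and Trust assertions at the endpoint, protection assertions on the message, supporting tokens anywhere) are easy to get wrong by hand, and Rampart will not complain when you do. The following Python script is an added example, not code from this thread or from the Rampart project: it parses a services.xml, records which WS-SecurityPolicy assertion kinds are attached at service, operation and message scope, flags placements the quoted spec text rules out, and reports which message flows actually carry signing or encryption. The services.xml it parses is constructed for the demonstration (the "incoming only" layout the thread is after: binding at service level, SignedParts/EncryptedParts on the In message, nothing on Out); the element names are the 2005/07 WS-SecurityPolicy ones used on the page.

```python
"""Scope check for WS-SecurityPolicy assertions in an Axis2 services.xml.

Added example, not code from the thread or from the Rampart project. It
walks <service>/<operation>/<message>, records which assertion kinds sit in
which policy scope, and flags placements the WS-SecurityPolicy text quoted
in the thread rules out. The services.xml below is constructed.
"""
import xml.etree.ElementTree as ET

SP = "{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}"
WSP = "{http://schemas.xmlsoap.org/ws/2004/09/policy}"

# Assertion kinds by local name, grouped as in Nandana's reply.
KINDS = {
    "binding": {"SymmetricBinding", "AsymmetricBinding", "TransportBinding"},
    "protection": {"SignedParts", "EncryptedParts",
                   "SignedElements", "EncryptedElements"},
    "supporting_token": {"SupportingTokens", "SignedSupportingTokens",
                         "EndorsingSupportingTokens",
                         "SignedEndorsingSupportingTokens"},
    "wss": {"Wss10", "Wss11"},
    "trust": {"Trust10"},
}
# Scopes in which the spec allows each kind to be attached.
ALLOWED_SCOPES = {
    "binding": {"endpoint"}, "wss": {"endpoint"}, "trust": {"endpoint"},
    "protection": {"message"},
    "supporting_token": {"endpoint", "operation", "message"},
}


def _kind_of(elem):
    if not elem.tag.startswith(SP):
        return None
    local = elem.tag[len(SP):]
    return next((k for k, names in KINDS.items() if local in names), None)


def _assertions(policy):
    """Assertions directly under a wsp:Policy, looking through
    wsp:ExactlyOne / wsp:All alternatives but not into nested policies."""
    out = []
    for e in policy:
        if e.tag in (WSP + "ExactlyOne", WSP + "All"):
            out.extend(_assertions(e))
        else:
            out.append(e)
    return out


def _collect(parent, scope, label, records):
    for policy in parent.findall(WSP + "Policy"):
        for a in _assertions(policy):
            kind = _kind_of(a)
            if kind:  # RampartConfig and unknown elements are ignored
                records.append((scope, label, kind, a.tag[len(SP):]))


def scan_policies(services_xml):
    """Return (scope, label, kind, assertion) tuples; scope is 'endpoint',
    'operation' or 'message', label the service/operation/message path."""
    records = []
    for svc in ET.fromstring(services_xml).iter("service"):
        _collect(svc, "endpoint", svc.get("name"), records)
        for op in svc.findall("operation"):
            _collect(op, "operation", op.get("name"), records)
            for msg in op.findall("message"):
                _collect(msg, "message",
                         op.get("name") + "/" + msg.get("label"), records)
    return records


def scope_violations(records):
    """Assertions attached to a scope the spec does not allow for their kind."""
    return [(scope, label, name) for scope, label, kind, name in records
            if scope not in ALLOWED_SCOPES[kind]]


def secured_flows(records):
    """Message labels carrying protection assertions; a flow missing here
    (Notification/Out below) has nothing signed or encrypted."""
    return sorted({label for scope, label, kind, _ in records
                   if scope == "message" and kind == "protection"})


# Constructed services.xml: binding at service level, signing/encryption on
# the In message only, Out left empty (the "incoming only" layout).
_TEMPLATE = """<service name="Service"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:Policy wsu:Id="CommonPolicyForService">
    <wsp:ExactlyOne><wsp:All>
      {endpoint}
      <sp:Wss10><wsp:Policy><sp:MustSupportRefKeyIdentifier/></wsp:Policy></sp:Wss10>
    </wsp:All></wsp:ExactlyOne>
  </wsp:Policy>
  <operation name="Notification">
    <message label="In">
      <wsp:Policy>
        {message_in}
        <sp:SignedParts><sp:Body/></sp:SignedParts>
        <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
      </wsp:Policy>
    </message>
    <message label="Out"><wsp:Policy/></message>
  </operation>
</service>"""
_BINDING = ("<sp:AsymmetricBinding><wsp:Policy><sp:IncludeTimestamp/>"
            "</wsp:Policy></sp:AsymmetricBinding>")
GOOD_SERVICES_XML = _TEMPLATE.format(endpoint=_BINDING, message_in="")
# Same service with the binding pushed down into the In message policy,
# the layout the thread says works in Rampart but violates the spec.
BAD_SERVICES_XML = _TEMPLATE.format(endpoint="", message_in=_BINDING)

if __name__ == "__main__":
    for name, doc in (("good", GOOD_SERVICES_XML), ("bad", BAD_SERVICES_XML)):
        recs = scan_policies(doc)
        print(name, "secured flows:", secured_flows(recs),
              "violations:", scope_violations(recs))
```

Running it reports `Notification/In` as the only secured flow for both documents, and flags `AsymmetricBinding` at message scope only for the second one. The check deliberately does not descend into the nested `wsp:Policy` inside a binding, so algorithm suite, layout and timestamp settings are attributed to the binding's own scope, matching the remark that timestamp inclusion can only be expressed in the binding assertion.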