Posted to java-user@axis.apache.org by Dimuthu Leelarathne <mu...@apache.org> on 2008/02/22 11:47:17 UTC

Re: SCT

Hi,

You can find a SCT sample inside the rampart 1.3 distribution.

samples/policy/sample04

Thank you,
Dimuthu

On Fri, 2008-02-22 at 16:52 +1100, Hardev Sian wrote:
>  
>  
> I know that rahas has been integrated into rampart, but I was
> interested in looking at this example:
> http://svn.apache.org/repos/asf/webservices/axis2/trunk/java/modules/integration/test/org/apache/axis2/security/rahas/RahasScenario3Test.java
>  
> which talks about using an acquired SCT token to secure the web
> service requests/responses.
>  
> Can anybody help in locating this or something similar?
>  
> Thanks,
>  
> Hardev
> 
> ______________________________________________________________________
> Get the name you always wanted with the new y7mail email address.


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: SCT

Posted by Hardev Sian <ha...@yahoo.com.au>.
Hi Ruchith,

Thanks for the prompt reply. I feel the use case you suggest at the beginning is what I am looking for; I will be trying that out over the next day and let you know how I get on.

Again, thanks for your help.

By the way, I have only just started using the axis2 security modules, and I think Apache has done a wonderful job. I intend to learn axis2 in a lot more detail and hopefully it becomes our standard infrastructure for web services.

Regards,

Hardev


Re: SCT

Posted by Hardev Sian <ha...@yahoo.com.au>.
Hi Ruchith,

Please ignore my last email, I was just doing something really silly. I have managed to send a request to the STS service, but I get an "Unsupported WS-SecureConversation version" response back; I think I should be able to work that out.

Regards,

Hardev


Re: SCT

Posted by Hardev Sian <ha...@yahoo.com.au>.
Hi Ruchith,

I used the config files from

http://wso2.org/repos/wso2/trunk/wsas/java/modules/samples/sts-sample/conf/

and copied the sts.policy.xml to services.xml and tried to run the STS service, but I get an "invalid services.xml":

     [java] org.apache.axis2.deployment.DeploymentException: Invalid services.xml found
     [java]     at org.apache.axis2.deployment.repository.util.ArchiveReader.processServiceGroup(ArchiveReader.java:144)
     [java]     at org.apache.axis2.deployment.ServiceDeployer.deploy(ServiceDeployer.java:78)
     [java]     at org.apache.axis2.deployment.repository.util.DeploymentFileData.deploy(DeploymentFileData.java:137)
     [java]     at org.apache.axis2.deployment.DeploymentEngine.doDeploy(DeploymentEngine.java:571)
     [java]     at org.apache.axis2.deployment.repository.util.WSInfoList.update(WSInfoList.java:141)
     [java]     at org.apache.axis2.deployment.RepositoryListener.update(RepositoryListener.java:318)
     [java]     at org.apache.axis2.deployment.RepositoryListener.checkServices(RepositoryListener.java:220)
     [java]     at org.apache.axis2.deployment.DeploymentEngine.loadServices(DeploymentEngine.java:118)
     [java]     at org.apache.axis2.deployment.FileSystemConfigurator.loadServices(FileSystemConfigurator.java:146)
     [java]     at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContext(ConfigurationContextFactory.java:78)
     [java]     at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContextFromFileSystem(ConfigurationContextFactory.java:180)
     [java]     at org.apache.axis2.transport.http.SimpleHTTPServer.main(SimpleHTTPServer.java:166)
     [java] Caused by: org.apache.axis2.AxisFault: Invalid services.xml found
     [java]     at org.apache.axis2.deployment.repository.util.ArchiveReader.buildServiceGroup(ArchiveReader.java:105)
     [java]     at org.apache.axis2.deployment.repository.util.ArchiveReader.processServiceGroup(ArchiveReader.java:137)
     [java]     ... 11 more
     [java] [SimpleHTTPServer] Started

I have an STS service running from sample05, so I tried to run the Client against that, but I run into encryption problems. The reason, I think, is that I am not setting up the client keystore with the correct keys (I am using the keystore from sample05), as I don't have access to the files needed to build the client keystore as defined in build.xml from

http://wso2.org/repos/wso2/trunk/wsas/java/modules/samples/sts-sample/conf/

Hope you can help with this.

Thanks,

Hardev

Re: SCT

Posted by Hardev Sian <ha...@yahoo.com.au>.
Hi Ruchith,

I have been trying to get the use case as described by

https://wso2.org/repos/wso2/trunk/wsas/java/modules/samples/sts-sample/src/org/wso2/wsas/sample/sts/client/Client.java

working, but I have run into some difficulties. I get as far as generating the request to the service with the acquired token, but then I get

  Exception in thread "main" org.apache.axis2.AxisFault: Missing security token

from the server.

I have looked at the message that enters WSDoAllReceiver (listed below) and noted that this message is correctly decrypted.

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-24966838">
        <wsu:Created>2008-02-27T05:12:10.879Z</wsu:Created>
        <wsu:Expires>2008-02-27T05:17:10.879Z</wsu:Expires>
      </wsu:Timestamp>
      <wsc:SecurityContextToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sctId-22693155">
        <wsc:Identifier>urn:uuid:6964B921F880FB605312040891301581</wsc:Identifier>
      </wsc:SecurityContextToken>
      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:DataReference URI="#EncDataId-19488744" />
        <xenc:DataReference URI="#EncDataId-7435043" />
      </xenc:ReferenceList>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-856873">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
          <ds:Reference URI="#Id-19488744">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>UrammKBTnxZomvRt2zaOfa/Vj9A=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-19309212">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>ZlFiY/GLdtELkvqBpFbuc9dgQE0=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-25018827">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>2ZZRqJEL26wQbKVKP2HQmibIeAo=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-20846071">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>qnJdkxB6dyKeQ0fT5asqmYgx12A=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Timestamp-24966838">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>6O7uu5TNzXl6uipEZ1JvLNWETCo=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>JmbcDgLYXuJkC6mVyU0dR9cq0ck=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-6621330">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-18206828">
            <wsse:Reference URI="#sctId-22693155" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <wsa:To xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-19309212">http://localhost:9080/axis2/services/sample09</wsa:To>
    <wsa:MessageID xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-25018827">urn:uuid:680796C86A4EA94FA81204089130874</wsa:MessageID>
    <wsa:Action xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-20846071">urn:echo</wsa:Action>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-19488744">
    <axis2ns2:echo xmlns:axis2ns2="http://sample09.policy.samples.rampart.apache.org">WSO2 WSAS Rocks!!!</axis2ns2:echo>
  </soapenv:Body>
</soapenv:Envelope>

How is the symmetric key passed in the request made available to the response flow?

Regards,

Hardev

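The thread does not say what caused the "Missing security token" fault. As an added example (not from the thread and not Rampart code), the inspector below does the checks a reader would otherwise do by hand on that envelope: it indexes every wsu:Id, confirms that each ds:Reference in SignedInfo resolves, and reports what the KeyInfo SecurityTokenReference actually points at compared with the token type its ValueType declares. The envelope is a constructed, trimmed copy of the one posted above (ids and digests shortened, one deliberately dangling reference added).

```python
"""Added WS-Security header inspector (constructed example, not Rampart code).
Resolves every signature reference and the key reference of a message."""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsc": "http://schemas.xmlsoap.org/ws/2005/02/sc",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Header element a SecurityTokenReference ValueType is expected to resolve to.
EXPECTED_TARGET = {
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID": "Assertion",
    "http://schemas.xmlsoap.org/ws/2005/02/sc/sct": "SecurityContextToken",
}

# Constructed, trimmed copy of the envelope from the thread; "#id-missing" is a
# deliberately dangling reference added to exercise the resolution check.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="{soapenv}" xmlns:wsu="{wsu}">
 <soapenv:Header>
  <wsse:Security xmlns:wsse="{wsse}" soapenv:mustUnderstand="true">
   <wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2008-02-27T05:12:10.879Z</wsu:Created><wsu:Expires>2008-02-27T05:17:10.879Z</wsu:Expires></wsu:Timestamp>
   <wsc:SecurityContextToken xmlns:wsc="{wsc}" wsu:Id="sctId-1"><wsc:Identifier>urn:uuid:constructed-sct</wsc:Identifier></wsc:SecurityContextToken>
   <ds:Signature xmlns:ds="{ds}" Id="Signature-1">
    <ds:SignedInfo>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
     <ds:Reference URI="#Id-body"><ds:DigestValue>constructed</ds:DigestValue></ds:Reference>
     <ds:Reference URI="#Timestamp-1"><ds:DigestValue>constructed</ds:DigestValue></ds:Reference>
     <ds:Reference URI="#id-missing"><ds:DigestValue>constructed</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>constructed</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-1">
     <wsse:SecurityTokenReference wsu:Id="STRId-1">
      <wsse:Reference URI="#sctId-1" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body wsu:Id="Id-body"><echo>WSO2 WSAS Rocks!!!</echo></soapenv:Body>
</soapenv:Envelope>""".format(**NS)


def local_name(el) -> str:
    """Strip the namespace from an ElementTree tag."""
    return el.tag.rsplit("}", 1)[-1]


def index_ids(root) -> dict:
    """Map every wsu:Id and un-namespaced Id in the document to its element."""
    ids = {}
    for el in root.iter():
        for attr in (WSU_ID, "Id"):
            if el.get(attr):
                ids[el.get(attr)] = el
    return ids


def inspect_security_header(xml_text: str) -> dict:
    """Lists the tokens carried, the signature references that do not resolve,
    and what the KeyInfo token reference points at versus what it declares."""
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    report = {"tokens": [], "unresolved_references": [], "key_reference": None}
    for child in sec:
        name = local_name(child)
        # Anything that is not a timestamp, signature or encryption bookkeeping is a token.
        if name not in ("Timestamp", "Signature", "ReferenceList", "EncryptedKey"):
            report["tokens"].append((name, child.get(WSU_ID)))
    for ref in sec.iterfind("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if not (uri.startswith("#") and uri[1:] in ids):
            report["unresolved_references"].append(uri)
    str_ref = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if str_ref is not None:
        uri = str_ref.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        value_type = str_ref.get("ValueType")
        report["key_reference"] = {
            "uri": uri,
            "declared_value_type": value_type,
            "resolves_to": local_name(target) if target is not None else None,
            "value_type_consistent": target is not None
            and EXPECTED_TARGET.get(value_type) == local_name(target),
        }
    return report


if __name__ == "__main__":
    print(inspect_security_header(SAMPLE))
```

On the posted envelope all five references resolve; the only finding the inspector would report is that the key reference resolves to a wsc:SecurityContextToken while its ValueType declares a SAML assertion ID, which the thread itself does not connect to the fault.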

Re: SCT

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Hardev,

Your message exchange sounds fine up to the point where the callback
handler accesses the STS to obtain the symm key. IMHO WS-Trust doesn't
provide a specific way to obtain a key at this point of a standard
WS-Trust exchange.

We have your use case implemented in a slightly different approach:

- Client contacts the STS and obtains a SAML token to talk to a service
- The STS includes a symm key encrypted for the service within the SAML token
- The RSTR (response from the STS to the client) will have that *same*
symm key for the client to extract
- (When using Rampart/Rahas the client uses
org.apache.rahas.client.STSClient which will extract this information
and bundle all of it into an org.apache.rahas.Token instance)
- Now this SAML token (assertion) will be added to the Security header
of the message from client to service and the symm key that is
associated with the SAML token will be used to encrypt/sign the
message as specified by the service policy.
- At the service the SAML assertion in the Security header will be
processed and the symm key will be extracted.
- Processing at the service will use this extracted symm key to
decrypt/verify signature where necessary.

A sample client that does this sort of a message exchange is available
here: [1]

Now ... the SCT usage scenario is usually a WS-SecureConversation scenario
where rampart/rahas supports the application service itself acting as
an STS. In this case, since the service and the STS are the same,
the symm key created is known at the service, and it is not included
in the SecurityContextToken (SCT) itself. Are you sure you want to use
this SCT scenario in the context of WS-SecureConversation, or are you
looking for a pure WS-Trust scenario as I explained above?

Thanks,
Ruchith

1. https://wso2.org/repos/wso2/trunk/wsas/java/modules/samples/sts-sample/src/org/wso2/wsas/sample/sts/client/Client.java

On Sat, Feb 23, 2008 at 3:06 AM, Hardev Sian <ha...@yahoo.com.au> wrote:
> Hi Dimuthu,
>
> I have had a look at that sample but it doesn't provide what I am looking
> for. My use case is that I have acquired a SCT from an STS service. I want
> to now embed that token in the outgoing request which can then be accessed
> by a callback handler. The callback handler can access the STS to get the
> symmetric key for that token and encrypt the outbound data with that.
> Similarly the callback at the handler can access the same to decrypt, the
> response can be handled in the same manner. I am just not familiar enough
> how to set the policies to achieve this.
>
> Any help in doing this is greatly appreciated.
>
> Thank you,
>
> Hardev
>
>
> Dimuthu Leelarathne <mu...@apache.org> wrote:
>
>
> Hi,
>
> You can find a SCT sample inside the rampart 1.3 distribution.
>
> samples/policy/sample04
>
> Thank you,
> Dimuthu
>
> On Fri, 2008-02-22 at 16:52 +1100, Hardev Sian wrote:
> >
> >
> > I know that rahas has been integrated into rampart but I was
> > interested at looking at this example :
> >
> http://svn.apache.org/repos/asf/webservices/axis2/trunk/java/modules/integration/test/org/apache/axis2/security/rahas/RahasScenario3Test.java
> >
> > which talks about using an acquired SCT token to secure the web
> > service requests/responses.
> >
> > Can anybody help in locating this or something similar.
> >
> > Thanks,
> >
> > Hardev
> >



-- 
http://blog.ruchith.org
http://wso2.org
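To make the distinction in the reply above concrete, here is a toy model (an added example, not code from this thread, Rampart or Rahas) of the two key-distribution patterns: in the issued-token (WS-Trust) case the proof key travels inside the token, wrapped for the service; in the SCT (WS-SecureConversation) case the service is its own STS and the SCT is only a reference into its context store. HMAC-SHA256 stands in for XML-Signature and an HMAC-derived XOR keystream stands in for real key wrapping; both are simplifications, not WS-Security algorithms.

```python
"""Toy model: issued token (key carried in the token) vs. SCT (key held by the
service acting as STS). Constructed example; stdlib crypto only."""
import hashlib, hmac, os, secrets

def _toy_wrap(wrap_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Illustrative key wrap: XOR with an HMAC-derived keystream (not a real KW).
    stream = hmac.new(wrap_key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def sign(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()

class IssuedTokenSTS:
    """Standalone STS; shares a wrap key with the service out of band."""
    def __init__(self, wrap_key: bytes):
        self.wrap_key = wrap_key
    def issue(self) -> tuple[dict, bytes]:
        proof_key, nonce = secrets.token_bytes(32), os.urandom(32)
        token = {"id": secrets.token_hex(8), "nonce": nonce,
                 "wrapped_key": _toy_wrap(self.wrap_key, nonce, proof_key)}
        return token, proof_key  # token goes into the Security header

class IssuedTokenService:
    def __init__(self, wrap_key: bytes):
        self.wrap_key = wrap_key
    def verify(self, token: dict, body: bytes, sig: bytes) -> bool:
        # The key is recovered from the token itself; no STS round trip needed.
        key = _toy_wrap(self.wrap_key, token["nonce"], token["wrapped_key"])
        return hmac.compare_digest(sign(key, body), sig)

class SctService:
    """Service acting as its own STS: the SCT carries no key material."""
    def __init__(self):
        self.contexts: dict[str, bytes] = {}
    def issue_sct(self) -> tuple[str, bytes]:
        sct_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.contexts[sct_id] = key  # key stays in the service's context store
        return sct_id, key           # key reaches the client via the RSTR, not the SCT
    def verify(self, sct_id: str, body: bytes, sig: bytes) -> bool:
        key = self.contexts.get(sct_id)
        if key is None:
            return False  # unknown or expired context: nothing to verify with
        return hmac.compare_digest(sign(key, body), sig)

def demo() -> tuple[bool, bool, bool]:
    wrap = os.urandom(32)  # constructed STS/service shared secret
    sts, svc = IssuedTokenSTS(wrap), IssuedTokenService(wrap)
    token, proof = sts.issue()
    body = b"<soap:Body>constructed request</soap:Body>"
    ok_issued = svc.verify(token, body, sign(proof, body))
    sct_svc = SctService()
    sct_id, key = sct_svc.issue_sct()
    ok_sct = sct_svc.verify(sct_id, body, sign(key, body))
    unknown = sct_svc.verify("0000000000000000", body, sign(key, body))
    return ok_issued, ok_sct, unknown
```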



vtd-xml 2.3

Posted by jimmy Zhang <cr...@comcast.net>.
VTD-XML 2.3 is now released. To download the latest version please visit
http://sourceforge.net/project/showfiles.php?group_id=110612&package_id=120172.

Below is a list of new features and enhancements in this version.

  a. VTDException is now introduced as the root class for all other
VTD-XML exception classes (per suggestion of Max Rahder).
  b. Transcoding capability is now added for inter-document cut and paste.
You can cut a chunk of bytes in a UTF-8 encoded document and paste it into a
UTF-16 encoded document, and the output document is still well-formed.
  c. ISO-8859-10, ISO-8859-11, ISO-8859-12, ISO-8859-13, ISO-8859-14 and
ISO-8859-15 support has now been added.
  d. Zero-length Text nodes are now possible.
  e. Ability to dump an in-memory copy of text is added.
  f. Various code cleanup, enhancements and bug fixes.

Below are some new articles related to VTD-XML

  a. Index XML documents with VTD-XML
http://xml.sys-con.com/read/453082.htm
  b. Manipulate XML content the Ximple Way
http://www.devx.com/xml/Article/36379
  c. VTD-XML: A new vision of XML
http://www.developer.com/xml/article.php/3714051
  d. VTD-XML: XML Processing for the future
http://www.codeproject.com/KB/cs/vtd-xml_examples.aspx

If you (or someone you know) like the concept of VTD-XML, think that it can
help solve enterprises' XML processing related issues (particularly those
related to SOA), and would like to directly influence and contribute to the
development of the future of the Internet, please email me
(crackeur@comcast.net). We are looking for open source software developers
and project management people to take VTD-XML to the next level.





Re: SCT

Posted by Hardev Sian <ha...@yahoo.com.au>.
Hi Dimuthu,
   
  I have had a look at that sample but it doesn't provide what I am looking for. My use case is that I have acquired a SCT from an STS service. I want to now embed that token in the outgoing request which can then be accessed by a callback handler. The callback handler can access the STS to get the symmetric key for that token and encrypt the outbound data with that. Similarly the callback at the handler can access the same to decrypt; the response can be handled in the same manner. I am just not familiar enough with how to set the policies to achieve this.
   
  Any help in doing this is greatly appreciated.
   
  Thank you,
   
  Hardev

Dimuthu Leelarathne <mu...@apache.org> wrote:
  Hi,

You can find a SCT sample inside the rampart 1.3 distribution.

samples/policy/sample04

Thank you,
Dimuthu

On Fri, 2008-02-22 at 16:52 +1100, Hardev Sian wrote:
> 
> 
> I know that rahas has been integrated into rampart but I was
> interested at looking at this example : 
> http://svn.apache.org/repos/asf/webservices/axis2/trunk/java/modules/integration/test/org/apache/axis2/security/rahas/RahasScenario3Test.java
> 
> which talks about using an acquired SCT token to secure the web
> service requests/responses.
> 
> Can anybody help in locating this or something similar.
> 
> Thanks,
> 
> Hardev
> 





       