Posted to rampart-dev@ws.apache.org by ka...@apache.org on 2007/05/09 07:38:07 UTC

svn commit: r536424 - in /webservices/rampart/trunk/c: Makefile.am project.xml samples/secpolicy/scenario1/client-outgoing-secpolicy.xml xdocs/docs/installationguide.html xdocs/docs/rampartc_manual.html xdocs/index.html xdocs/lists_issues.html

Author: kaushalye
Date: Tue May  8 22:38:05 2007
New Revision: 536424

URL: http://svn.apache.org/viewvc?view=rev&rev=536424
Log:
Adding contents for Rampart/C web

Modified:
    webservices/rampart/trunk/c/Makefile.am
    webservices/rampart/trunk/c/project.xml
    webservices/rampart/trunk/c/samples/secpolicy/scenario1/client-outgoing-secpolicy.xml
    webservices/rampart/trunk/c/xdocs/docs/installationguide.html
    webservices/rampart/trunk/c/xdocs/docs/rampartc_manual.html
    webservices/rampart/trunk/c/xdocs/index.html
    webservices/rampart/trunk/c/xdocs/lists_issues.html

Modified: webservices/rampart/trunk/c/Makefile.am
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/Makefile.am?view=diff&rev=536424&r1=536423&r2=536424
==============================================================================
--- webservices/rampart/trunk/c/Makefile.am (original)
+++ webservices/rampart/trunk/c/Makefile.am Tue May  8 22:38:05 2007
@@ -1,5 +1,5 @@
 SUBDIRS = src  test
 include_HEADERS=$(top_builddir)/include/*.h
-EXTRA_DIST = LICENSE build.sh autogen.sh samples build
+EXTRA_DIST = LICENSE NOTICE build.sh autogen.sh samples build
 
 

Modified: webservices/rampart/trunk/c/project.xml
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/project.xml?view=diff&rev=536424&r1=536423&r2=536424
==============================================================================
--- webservices/rampart/trunk/c/project.xml (original)
+++ webservices/rampart/trunk/c/project.xml Tue May  8 22:38:05 2007
@@ -90,7 +90,15 @@
       <organization>WSO2</organization>
     </developer>
   </developers>
-
+  <contributors>
+    <contributor>
+      <name>James Clark</name>
+      <email>jjc AT public.jclark.com</email>
+      <roles>
+    <role>Technical Adviser on Building a Portable/Re-usable C library</role>
+      </roles>
+    </contributor>
+  </contributors>
   <!-- ################################################################ -->
   <!--        Project dependency section                                -->
   <!-- ################################################################ -->
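
Review bot: The added `<role>` line inside `<contributor>` is indented four spaces while its parent `<roles>` is indented six, so the child sits to the left of its parent. Indent `<role>` to eight spaces to match the nesting used by the other new elements. The hunk also drops the blank line that separated `</developers>` from the next block; keeping one blank line before `<contributors>` would preserve the file's section spacing.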

Modified: webservices/rampart/trunk/c/samples/secpolicy/scenario1/client-outgoing-secpolicy.xml
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/samples/secpolicy/scenario1/client-outgoing-secpolicy.xml?view=diff&rev=536424&r1=536423&r2=536424
==============================================================================
--- webservices/rampart/trunk/c/samples/secpolicy/scenario1/client-outgoing-secpolicy.xml (original)
+++ webservices/rampart/trunk/c/samples/secpolicy/scenario1/client-outgoing-secpolicy.xml Tue May  8 22:38:05 2007
@@ -25,7 +25,7 @@
 				</wsp:Policy>
             </sp:AsymmetricBinding>
             <rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
-                <rampc:TimeToLive>360</rampc:TimeToLive>    
+                <rampc:TimeToLive>1201</rampc:TimeToLive>    
             </rampc:RampartConfig>
 		</wsp:All>
 	</wsp:ExactlyOne>
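
Review bot: The `rampc:TimeToLive` change from 360 to 1201 is not covered by the log message ("Adding contents for Rampart/C web") and is unrelated to the documentation edits in the rest of this commit. Whatever the unit, it more than triples the lifetime the sample policy assigns to a message, and 1201 looks like a leftover test value rather than a chosen one. Please move it to its own commit with the reason stated, or revert it; if the longer lifetime is only there to make the sample tolerant of clock differences between test machines, say so in a comment in the policy file, because users copy these samples as a starting point.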

Modified: webservices/rampart/trunk/c/xdocs/docs/installationguide.html
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/xdocs/docs/installationguide.html?view=diff&rev=536424&r1=536423&r2=536424
==============================================================================
--- webservices/rampart/trunk/c/xdocs/docs/installationguide.html (original)
+++ webservices/rampart/trunk/c/xdocs/docs/installationguide.html Tue May  8 22:38:05 2007
@@ -19,7 +19,7 @@
 <p>Please send your feedback to the developer mailing list: <a
 href="mailto:rampart-c-dev@ws.apache.org">rampart-c-dev@ws.apache.org</a>
 (Subscription details are available on the <a
-href="http://ws.apache.org/rampart/c/mail-lists.html">Rampart site</a>.</p>
+href="http://ws.apache.org/rampart/c/mail-lists.html">Rampart/C site</a>.</p>
 
 <h2>Contents</h2>
 <ul>
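
Review bot: The parenthesis opened at "(Subscription details are available on the" is never closed; the sentence ends with `site</a>.</p>`. Since this line is being edited anyway, close it as `Rampart/C site</a>).</p>`.
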
@@ -181,14 +181,14 @@
 <p>You can engage Rampart/C in global level or in service level.</p>
 <p>Just add following entry either to axis2.xml(gloabl level) or in services.xml(service level).</p>
 <pre>   
-    &lt;module ref="rampart"/&gt;
+ &lt;module ref="rampart"/&gt;
 </pre>
 
 <p>Apart from that you must define security policies for outgoing messages and incoming messages.
 This can be done adding parameters as follows in the same descriptor file that you engaged rampart.</p>
 <pre>    
-    &lt;parameter name="OutflowSecurityPolicy"&gt;/your/path/to/outgoing-secpolicy.xml&lt;/parameter&gt;
-    &lt;parameter name="InflowSecurityPolicy"&gt;/your/path/to/incoming-secpolicy.xml&lt;/parameter&gt;
+ &lt;parameter name="OutflowSecurityPolicy"&gt;/your/path/to/outgoing-secpolicy.xml&lt;/parameter&gt;
+ &lt;parameter name="InflowSecurityPolicy"&gt;/your/path/to/incoming-secpolicy.xml&lt;/parameter&gt;
 </pre>
 <p>
 <strong>NOTE:</strong> There are several samples security policy xml files for different scenarios under samples/secpolicy/
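
Review bot: The unchanged line just above the first `<pre>` reads "axis2.xml(gloabl level)", which has a typo ("global") and is missing the space before the parenthesis, and this hunk only re-indents the `<pre>` contents without touching it. Please fix the wording in the same change, and trim the trailing whitespace after `<pre>` so the rendered block does not start with a line of spaces.
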
@@ -197,22 +197,31 @@
 <p>
 The final configuration setup should be as follows
 </p>
-<h3>CLIENT SIDE:</h3>
+<strong>CLIENT SIDE:</strong>
 <p>axis2.xml</p>
 <pre>    
-   &lt;module ref="rampart"/&gt;
-   &lt;parameter name="OutflowSecurityPolicy"&gt;/../../outgoing-secpolicy.xml&lt;/parameter&gt;
-   &lt;parameter name="InflowSecurityPolicy"&gt;/../../incoming-secpolicy.xml&lt;/parameter&gt;
+ &lt;module ref="rampart"/&gt;
+ &lt;parameter name="OutflowSecurityPolicy"&gt;/../../outgoing-secpolicy.xml&lt;/parameter&gt;
+ &lt;parameter name="InflowSecurityPolicy"&gt;/../../incoming-secpolicy.xml&lt;/parameter&gt;
 </pre>    
 
-<h3>SERVER SIDE:</h3>
+<strong>SERVER SIDE:</strong>
 <p>services.xml(or axis2.xml)</p>
 <pre>    
-    &lt;module ref="rampart"/&gt;
-    &lt;parameter name="OutflowSecurityPolicy"&gt;/../../outgoing-secpolicy.xml&lt;/parameter&gt;
-    &lt;parameter name="InflowSecurityPolicy"&gt;/../../incoming-secpolicy.xml&gt;/parameter&gt;
+ &lt;module ref="rampart"/&gt;
+ &lt;parameter name="OutflowSecurityPolicy"&gt;/../../outgoing-secpolicy.xml&lt;/parameter&gt;
+ &lt;parameter name="InflowSecurityPolicy"&gt;/../../incoming-secpolicy.xml&gt;/parameter&gt;
 </pre>    
 
 <p><strong>NOTE:</strong> Please find sample security policy files that are located under <a href="http://svn.apache.org/repos/asf/webservices/rampart/trunk/c/samples/secpolicy/">samples/secpolicy</a></p>
+<p>Go to each and every scenario and see how Rampart/C is configured using the policy assertions available in respective policy files.
+<br>For each scenario there are four policy files</p>
+<ol>
+    <li>client-outgoing-secpolicy.xml : Defines how the security configurations for client's out going messages</li>
+    <li>service-incoming-secpolicy.xml : Defines how the security configurations for server's in coming messages</li>
+    <li>service-outgoing-secpolicy.xml : Defines how the security configurations for server's out going messages</li>
+    <li>client-incoming-secpolicy.xml : Defines how the security configurations for client's in coming messages</li>
+</ol>
+<p><strong>NOTE:</strong> If you have changed an outgoing policy file, make sure that you change the corresponding incoming policy file as well, and vise versa </p>
 </body>
 </html>
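
Review bot: The server-side `InflowSecurityPolicy` line is re-indented but keeps a malformed closing tag, `incoming-secpolicy.xml&gt;/parameter&gt;`, which renders as `incoming-secpolicy.xml>/parameter>`; a user who pastes it into services.xml gets a descriptor that does not parse. It should be `&lt;/parameter&gt;` as in the client-side block. Further points in the same hunk: the four new list items read "Defines how the security configurations for client's out going messages", which has no verb (for example "Defines the security configuration for the client's outgoing messages"); "vise versa" should be "vice versa"; and replacing `<h3>` with a bare `<strong>` leaves "CLIENT SIDE:" and "SERVER SIDE:" outside any block element, so wrap them in `<p>`.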

Modified: webservices/rampart/trunk/c/xdocs/docs/rampartc_manual.html
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/xdocs/docs/rampartc_manual.html?view=diff&rev=536424&r1=536423&r2=536424
==============================================================================
--- webservices/rampart/trunk/c/xdocs/docs/rampartc_manual.html (original)
+++ webservices/rampart/trunk/c/xdocs/docs/rampartc_manual.html Tue May  8 22:38:05 2007
@@ -9,16 +9,143 @@
 
 <p style="margin-bottom: 0in">This document is intended to be a reference
 manual for <a href="http://ws.apache.org/rampart/c">Apache Rampart/C</a>.</p>
-<br>
---MORE--
-<br>
-<p>For further details please refer the <a href="http://ws.apache.org/axis2/c/docs/axis2c_manual.html">Apache Axis2/C manual</a></p>
+<p>For further details on Axis2/C please refer the <a href="http://ws.apache.org/axis2/c/docs/axis2c_manual.html">Apache Axis2/C manual</a></p>
+
+<h2>Simplified Architecture</h2>
+
+<p>In a very simple view, Rampart/C consists of a core module and packages
+related to WS-Security and WS-Security Policy. For XML-Encryption and
+Signature Rampart/C uses OMXMLSecurity. Both Rampart/C and OMXMLSecurity uses <a
+href="http://ws.apache.org/axis2/c/docs/om_tutorial.html">Apache AXIOM</a> and
+Axis2-Util libraries. OpenSSL is used as the crypto library in
+OMXMLSecurity.</p>
+<img src="files/rampart_simple_archi.png">
+
+<h2>Interface with Axis2/C</h2>
+
+<p>The interface between Rampart/C and Apache Axis2/C engine is the Rampart
+module called mod_rampart. The module has two handlers, one for the inflow
+and another for the outflow of the Axis2/C engine. Rampart/C directs messages
+to it's other components for further security related processing using these
+handlers. </p>
+
+<p>Handlers are a way of extending capabilities of the core engine. Once the
+Axis2/C engine calls the invoke() method of the handler, the module can do
+the necessary processing over the SOAP message. Rampart/C use this mechanism
+to build/process security related SOAP headers.</p>
+
+<h2>Inside Rampart/C</h2>
+Following is a detailed architecture diagram of Rampart/C
+<p><img src="files/rampart_archi.png"></p>
+
+<h3>Rampart Engine</h3>
+
+<p>Rampart engine is the heart of Rampart/C. It sets security policies that
+defines the behavior of Rampart/C message processing. These policies are
+usually read from a selected policy.xml file depending on the message flow,
+which contains a set of policy assertions.</p>
+
+<h3>Processors and Builders</h3>
+
+<p>Rampart/C processes incoming SOAP message using it's processors. There are
+two processors in Rampart/C.</p>
+<ol>
+  <li><strong>Security Header Processor</strong> : Processes security header
+    of the incoming message and make decisions upon security claims and the
+    security policies.</li>
+  <li><strong>Token Processor</strong> : Processes token claims such as
+    binary security token.</li>
+</ol>
+Similar to processes, Rampart/C uses two builders that builds outgoing
+messages.
+<ol>
+  <li>Security header builder : Builds Security headers of an outgoing
+    message depending on security policies.</li>
+  <li>Token Builder : Builds token claims such as binary security token.</li>
+</ol>
+These builders and processes assemble other components such as encryption,
+signature, UsernameToken together. Decisions are taken in these processes
+would result in further processing of the message or throwing of a  SOAP
+fault.
+
+<h3>Policy</h3>
+
+<p>The policy module of Rampart/C acts as the configuration module in
+Rampart/C. The policy module has a set of models that represents assertions.
+Also there are set of builders that builds these models. <br>
+</p>
+
+<p>Rampart/C is configured using policy assertions defined in WS-Security
+Policy specification 1.1. These policies are defined in policy.xml files.
+There are two policy files for a single Rampart configuration.</p>
+<ol>
+  <li>incoming-secpolicy.xml</li>
+  <li>outgoing-secpolicy.xml</li>
+</ol>
+The former defines how an outgoing message is secured, whilst the latter
+defines how the incoming message should be secured. Apart from the assertions
+mentioned in the specification, Rampart/C uses it's own assertions. (e.g. To
+specify keys and certificates). There are number of such sample policy files
+under rampart/samples/secpolicy.
+
+
+<h3>Rampart utilities</h3>
+
+<p>Rampart utilities groups different entities that cater for different
+purposes.  Following is a brief description of major components inside
+utilities</p>
+<ul>
+  <li><strong>Rampart context:</strong> Keeps configurations for Rampart/C.
+    This includes certificates, keys, passwords, policies etc.</li>
+  <li><strong>UsernameToken: </strong>Provides functionalities to
+    build/process a UsernameToken.</li>
+  <li><strong>TimestampToken: </strong>Provides functionalities to
+    build/process  a TimestampToken.</li>
+  <li><strong>Authentication provider: </strong>The interface for
+    authentication modules that can be plugged into Rampart/C. This allows
+    users to define their own rules for processing user name / passwords.</li>
+  <li><strong>Credentials provider: </strong>An interface for a credentials
+    module to be plugged in. Users can provide custom user name/password
+    pairs to build user name tokens.</li>
+  <li><strong>Password callbacks: </strong>An interface for users to provide
+    password for a given user name.</li>
+</ul>
+
+<h2>OMXMLSecurity</h2>
+
+<p>For XML cryptographic purposes Rampart/C uses OMXMLSecurity, which is a
+library written on top of Apache AXIOM. If a particular SOAP message needs to
+be encrypted or signed, Rampart/C get the work done through the
+OMXMLSecurity. Following are the functionalities of OMXMLSecurity.</p>
+<ol>
+  <li><strong>XML-Encryption / Decryption:</strong> This includes symmetric
+    and asymmetric encryptions. Usually data is encrypted using a symmetric
+    key (or a session key) which is again encrypted using an asymmetric
+    algorithm using a public key.</li>
+  <li><strong>XML-Signature  / Verification:</strong> Allows one or more part
+    of an XML document to be signed using a private key. Also allows these
+    signed parts to be verified.</li>
+  <li><strong>Key management:</strong> To load X509 certificates, Private
+    keys etc, the Key management interface provide a series of functions.
+    Keys might be stored in PEM files, PKCS12 key stores or can be in string
+    buffers.</li>
+  <li><strong>Canonicalization:</strong> Provide Canonicalization (C14N)
+    transform support.</li>
+  <li><strong>Creating/Processing tokens:</strong> There are number of XML
+    elements that are introduced by security specifications. The token base
+    in OMXMLSecurity provides functionalities to create/process such
+  elements.</li>
+</ol>
+<p>Following diagram shows the architecture of OMXMLSecurity</p>
+<img src="files/oxs_archi.png">
+
+
 
 <p style="margin-bottom: 0in">Please send your feedback to the Apache Axis2/C
 developer mailing list (<a
-href="mailto:axis-c-dev@apache.org">axis-c-dev@apache.org</a>). Subscription
+href="mailto:rampart-c-dev@apache.org">rampart-c-dev@apache.org</a>). Subscription
 details are available on the <a
-href="http://ws.apache.org/axis2/c/mail-lists.html">Axis2 site</a>.</p>
+href="http://ws.apache.org/rampart/c/mail-lists.html">Rampart site</a>.</p>
 
 
 </body>
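
Review bot: In the Policy section the list gives incoming-secpolicy.xml first and outgoing-secpolicy.xml second, but the next sentence says "The former defines how an outgoing message is secured, whilst the latter defines how the incoming message should be secured", so former and latter are swapped relative to the list. Either reorder the list or name the files explicitly in the sentence; a reader following this text would put the outgoing assertions in the incoming file. Also in this hunk: "Similar to processes" and "These builders and processes" should say "processors", the term the preceding list defines; "it's other components", "it's processors" and "it's own assertions" should be "its"; the sentences starting "Following is a detailed architecture diagram", "Similar to processes" and "The former defines" sit outside any `<p>`; and the feedback paragraph still says "Apache Axis2/C developer mailing list" while now linking to rampart-c-dev@apache.org, whereas installationguide.html uses rampart-c-dev@ws.apache.org. Please use one address and update the list name in the text.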

Modified: webservices/rampart/trunk/c/xdocs/index.html
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/xdocs/index.html?view=diff&rev=536424&r1=536423&r2=536424
==============================================================================
--- webservices/rampart/trunk/c/xdocs/index.html (original)
+++ webservices/rampart/trunk/c/xdocs/index.html Tue May  8 22:38:05 2007
@@ -10,11 +10,10 @@
 <body xml:lang="en">
 <h1>Welcome to Apache Rampart/C</h1>
 
-<p>Apache Rampart/C is the security module for Apache Axis2/C. It features in many ways to protect SOAP messages exchanged. This includes SOAP message encryption and signature as specified in <a href="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf">WS-Security Specification</a>
---More--</p>
+<p>Apache Rampart/C is the security module for Apache Axis2/C. It features in many ways to protect SOAP messages exchanged. This includes SOAP message encryption and signature as specified in <a href="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf">WS-Security Specification</a></p>
 <h2>Background and Motivation</h2>
-
-<p>The motivation behind implementig Rampart/C is to allow Apache Axis2/C users a way to secure their SOAP messages. --MORE--</p>
+<p>In distributed computing web services play a crucial role. But as many distributed systems web services are also vulnerable for security threats. Developers are always struggling to ensure the integrity, confidentiality of messages. Implementing the right security solution can be an expensive and time consuming task. Rampart/C makes the life easier for those who uses Axis2/C, by providing a configurable security module, which protect SOAP messages from such threats.
+</p>
 
 <h2>Latest Release</h2>
 
@@ -23,15 +22,16 @@
 
 <h4>Key Features</h4>
 <ol>
+    <li>SOAP message encryption : Allows different parts of a SOAP message to be encrypted to keep the confidentiality of the message</li>
+    <li>SOAP message signature : Allows different parts of a SOAP message to be signed to keep the integrity of the message</li>
     <li>Ability to send and verify UsernameTokens with</li>
     <ol>
         <li>PlainText password</li>
         <li>Digested password</li>
+        <br>Allows users to send Username tokens for authentication purposes as per Web services security username token profile
     </ol>
-    <li>Ability to send Timestamp tokens</li>
-    <li>Policy based configurations as per WS-Security Policy</li>
-    <li>SOAP message encryption</li>
-    <li>SOAP message signature</li>
+    <li>Ability to send Timestamp tokens : Allows users to add timestamps to their SOAP messages in order to ensure the freshness</li>
+    <li>Policy based configurations as per WS-Security Policy : Allows users to express their security related requirements and constraints</li>
 </ol>
 <h4>Major Changes Since Last Release</h4>
 <ol>
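
Review bot: The added line `<br>Allows users to send Username tokens ...` is placed directly inside the nested `<ol>`, after the last `<li>`, which is not valid list content and will render inconsistently. Move the description into the parent item, for example "Ability to send and verify UsernameTokens : Allows users to send Username tokens for authentication purposes ...", which also matches the "feature : description" form used by the other new items. The nested `<ol>` should itself sit inside that parent `<li>` rather than after its closing tag.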

Modified: webservices/rampart/trunk/c/xdocs/lists_issues.html
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/xdocs/lists_issues.html?view=diff&rev=536424&r1=536423&r2=536424
==============================================================================
--- webservices/rampart/trunk/c/xdocs/lists_issues.html (original)
+++ webservices/rampart/trunk/c/xdocs/lists_issues.html Tue May  8 22:38:05 2007
@@ -12,30 +12,30 @@
 		 <tr class="b"><th>List
 		     Name</th><th>Subscribe</th><th>Unsubscribe</th><th>Archive</th></tr>
                </thead><tbody>
-                 <tr class="a"><td>Axis C Developer List</td><td>
+                 <tr class="a"><td>Rampart C Developer List</td><td>
 		     <a
-			href="mailto:axis-c-dev-subscribe@ws.apache.org?subject=subscribe">Subscribe</a>
+			href="mailto:rampart-c-dev-subscribe@ws.apache.org?subject=subscribe">Subscribe</a>
 		   </td><td>
 		     <a
-			href="mailto:axis-c-dev-unsubscribe@ws.apache.org?subject=unsubscribe">Unsubscribe</a>
+			href="mailto:rampart-c-dev-unsubscribe@ws.apache.org?subject=unsubscribe">Unsubscribe</a>
 		   </td><td>
 		     <a
-			href="http://marc.theaimsgroup.com/?l=axis-c-dev&amp;r=1&amp;w=2"
+			href="http://marc.theaimsgroup.com/?l=rampart-c-dev&amp;r=1&amp;w=2"
 			class="externalLink" title="External Link">Archive</a>
 		 </td></tr>
-                 <tr class="b"><td>Axis C User List</td><td>
+                 <tr class="b"><td>Rampart C User List</td><td>
 		     <a
-			href="mailto:axis-c-user-subscribe@ws.apache.org?subject=subscribe">Subscribe</a>
+			href="mailto:rampart-c-user-subscribe@ws.apache.org?subject=subscribe">Subscribe</a>
 		   </td><td>
 		     <a
-			href="mailto:axis-c-user-unsubscribe@ws.apache.org?subject=unsubscribe">Unsubscribe</a>
+			href="mailto:rampart-c-user-unsubscribe@ws.apache.org?subject=unsubscribe">Unsubscribe</a>
 		   </td><td>
 		     <a
-			href="http://marc.theaimsgroup.com/?l=axis-c-user&amp;r=1&amp;w=2"
+			href="http://marc.theaimsgroup.com/?l=rampart-c-user&amp;r=1&amp;w=2"
 			class="externalLink" title="External Link">Archive</a>
 		 </td></tr>
 </tbody></table>
-<p><strong>Note: </strong> For the moment we are using Axis2/C mailing lists</p>
+<p><strong>Note: </strong> For the moment many discussion related to Rampart/C can be seen in <a href="http://ws.apache.org/axis2/c/lists_issues.html">Axis2/C mailing lists</a></p>
 <h2>Issue Tracking</h2><p>
       <a href="http://issues.apache.org/jira/browse/RAMPARTC" class="externalLink" title="External Link">http://issues.apache.org/jira/browse/RAMPARTC</a></p>
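
Review bot: The table rows now send readers to the rampart-c-dev and rampart-c-user lists, while the note below the table says discussion can still be seen on the Axis2/C lists, so the page does not tell a new user which list to post to. State it directly, for example that new threads should go to the Rampart/C lists and older discussion is archived under Axis2/C. In the same note, "many discussion related to Rampart/C" should be "many discussions related to Rampart/C".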