Posted to axis-cvs@ws.apache.org by ru...@apache.org on 2005/12/02 13:16:55 UTC

svn commit: r351694 - in /webservices/axis2/trunk/java/xdocs: sec-conf/in-sample.xml sec-conf/in.action.xsd sec-conf/out-action.xsd sec-conf/out-sample.xml sec-conf/out-sample2.xml security-module.html

Author: ruchithf
Date: Fri Dec  2 04:16:42 2005
New Revision: 351694

URL: http://svn.apache.org/viewcvs?rev=351694&view=rev
Log:
Updated the security-module.html


Added:
    webservices/axis2/trunk/java/xdocs/sec-conf/in-sample.xml
    webservices/axis2/trunk/java/xdocs/sec-conf/out-sample.xml
    webservices/axis2/trunk/java/xdocs/sec-conf/out-sample2.xml
Modified:
    webservices/axis2/trunk/java/xdocs/sec-conf/in.action.xsd
    webservices/axis2/trunk/java/xdocs/sec-conf/out-action.xsd
    webservices/axis2/trunk/java/xdocs/security-module.html

Added: webservices/axis2/trunk/java/xdocs/sec-conf/in-sample.xml
URL: http://svn.apache.org/viewcvs/webservices/axis2/trunk/java/xdocs/sec-conf/in-sample.xml?rev=351694&view=auto
==============================================================================
--- webservices/axis2/trunk/java/xdocs/sec-conf/in-sample.xml (added)
+++ webservices/axis2/trunk/java/xdocs/sec-conf/in-sample.xml Fri Dec  2 04:16:42 2005
@@ -0,0 +1,7 @@
+    <parameter name="InflowSecurity">
+      <action>
+        <items>Timestamp Signature Encrypt</items>
+        <passwordCallbackClass>org.apache.axis2.security.PWCallback</passwordCallbackClass>
+        <signaturePropFile>interop.properties</signaturePropFile>
+      </action>
+    </parameter>
\ No newline at end of file
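Review bot: The inflow sample lists `Encrypt` in `items` but configures only `signaturePropFile`, while the InflowSecurity table in security-module.html documents a separate `decryptionPropFile` as the property file used for decryption. If the handler falls back to the signature property file when `decryptionPropFile` is absent, that should be stated in an XML comment in the sample; otherwise a reader copying Example 3 gets a configuration that cannot decrypt. Either add `<decryptionPropFile>interop.properties</decryptionPropFile>` next to `signaturePropFile` or document the fallback. The file also lacks a trailing newline.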

Modified: webservices/axis2/trunk/java/xdocs/sec-conf/in.action.xsd
URL: http://svn.apache.org/viewcvs/webservices/axis2/trunk/java/xdocs/sec-conf/in.action.xsd?rev=351694&r1=351693&r2=351694&view=diff
==============================================================================
--- webservices/axis2/trunk/java/xdocs/sec-conf/in.action.xsd (original)
+++ webservices/axis2/trunk/java/xdocs/sec-conf/in.action.xsd Fri Dec  2 04:16:42 2005
@@ -2,7 +2,7 @@
 <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified">
 	<xs:element name="action">
 		<xs:annotation>
-			<xs:documentation>Comment describing your root element</xs:documentation>
+			<xs:documentation>Inflow security 'action' configuration</xs:documentation>
 		</xs:annotation>
 		<xs:complexType>
 			<xs:sequence>

Modified: webservices/axis2/trunk/java/xdocs/sec-conf/out-action.xsd
URL: http://svn.apache.org/viewcvs/webservices/axis2/trunk/java/xdocs/sec-conf/out-action.xsd?rev=351694&r1=351693&r2=351694&view=diff
==============================================================================
--- webservices/axis2/trunk/java/xdocs/sec-conf/out-action.xsd (original)
+++ webservices/axis2/trunk/java/xdocs/sec-conf/out-action.xsd Fri Dec  2 04:16:42 2005
@@ -2,7 +2,7 @@
 <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified">
 	<xs:element name="action">
 		<xs:annotation>
-			<xs:documentation>Comment describing your root element</xs:documentation>
+			<xs:documentation>Outflow security 'action' configuration</xs:documentation>
 		</xs:annotation>
 		<xs:complexType>
 			<xs:sequence>

Added: webservices/axis2/trunk/java/xdocs/sec-conf/out-sample.xml
URL: http://svn.apache.org/viewcvs/webservices/axis2/trunk/java/xdocs/sec-conf/out-sample.xml?rev=351694&view=auto
==============================================================================
--- webservices/axis2/trunk/java/xdocs/sec-conf/out-sample.xml (added)
+++ webservices/axis2/trunk/java/xdocs/sec-conf/out-sample.xml Fri Dec  2 04:16:42 2005
@@ -0,0 +1,14 @@
+    <parameter name="OutflowSecurity">
+      <action>
+        <items>Timestamp Signature Encrypt</items>
+        <user>alice</user>
+        <passwordCallbackClass>org.apache.axis2.security.PWCallback</passwordCallbackClass>
+        <signaturePropFile>interop.properties</signaturePropFile>
+        <signatureKeyIdentifier>SKIKeyIdentifier</signatureKeyIdentifier>
+        <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
+        <encryptionUser>bob</encryptionUser>
+        <signatureParts>{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}To</signatureParts>
+
+        <optimizeParts>//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue</optimizeParts>
+      </action>
+    </parameter>
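Review bot: Example 1 is described in the page as a configuration that signs and encrypts the message, yet its `signatureParts` names only the `wsa:To` header; if an explicit `signatureParts` replaces the default signed part rather than adding to it (WSS4J's handler behaves this way — confirm for this module), the SOAP Body in this sample is encrypted but not signed. Either list the Body explicitly, e.g. `{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}To`, or say in the example text that only the addressing header is signed. The SOAP 1.1 envelope namespace is assumed above; use the SOAP 1.2 namespace if that is what the sample targets.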

Added: webservices/axis2/trunk/java/xdocs/sec-conf/out-sample2.xml
URL: http://svn.apache.org/viewcvs/webservices/axis2/trunk/java/xdocs/sec-conf/out-sample2.xml?rev=351694&view=auto
==============================================================================
--- webservices/axis2/trunk/java/xdocs/sec-conf/out-sample2.xml (added)
+++ webservices/axis2/trunk/java/xdocs/sec-conf/out-sample2.xml Fri Dec  2 04:16:42 2005
@@ -0,0 +1,19 @@
+    <parameter name="OutflowSecurity">
+sddsgldkhg;
+      <action>
+        <items>Signature NoSerialization</items>
+        <user>alice</user>
+        <passwordCallbackClass>org.apache.axis2.security.PWCallback</passwordCallbackClass>
+        <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
+        <signatureParts>{}{http://xmlsoap.org/Ping}ticket</signatureParts>
+        <signaturePropFile>interop.properties</signaturePropFile>
+      </action>
+
+      <action>
+        <items>Signature Timestamp</items>
+        <user>alice</user>
+        <passwordCallbackClass>org.apache.axis2.security.PWCallback</passwordCallbackClass>
+        <signaturePropFile>interop.properties</signaturePropFile>
+      </action>
+
+    </parameter>
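Review bot: The line `sddsgldkhg;` directly under `<parameter name="OutflowSecurity">` is stray text that will be rendered verbatim in the Example 2 iframe and, if copied into axis2.xml, puts unexpected character data inside the parameter element; delete it. The first `action` also uses `NoSerialization`, a value the parameter table never mentions; a short XML comment above that `items` line, or a row in the table, explaining why it is needed when two signature actions are chained would help readers reproduce the example correctly.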

Modified: webservices/axis2/trunk/java/xdocs/security-module.html
URL: http://svn.apache.org/viewcvs/webservices/axis2/trunk/java/xdocs/security-module.html?rev=351694&r1=351693&r2=351694&view=diff
==============================================================================
--- webservices/axis2/trunk/java/xdocs/security-module.html (original)
+++ webservices/axis2/trunk/java/xdocs/security-module.html Fri Dec  2 04:16:42 2005
@@ -14,22 +14,29 @@
 
 <p>At the server it is possible to provide security on a per service basis. The configuration parameters should be set in the service.xml file of the service. The client side config parameters should be set in the axis2.xml of the client's Axis2 repository.</p>
 
-<p>Even though the security module is engaged globally it must be turned on to be applied to the flows where its required. Two main configuration parameters are provided for this purpose:</p>
-	<ul>
-		<li>InflowSecurity</li>
-		<li>OutflowSecurity</li>
-	</ul>
+<p>The security module uses two parameters:</p>
+<ul>
+<li>OutflowSecurity</li>
+<li>InflowSecurity</li>
+</ul>
 
-<p>For example if one need to turn on security in the inflow and turn off security in the outflow the following should be specified in the respective configuration file (axis2.xml or service.xml)</p>
-<source>
-<pre>
-    &lt;parameter name="InflowSecurity"&gt;on&lt;/parameter&gt;
-    &lt;parameter name="OutflowSecurity"&gt;off&lt;/parameter&gt;
-</pre>
-</source>
+The configuration that can go in each of these parameters are described below:
 
-Then the module should be configured using the parameters available in the following table for the inflow and the outflow.
-<br>
+<h3>OutflowSecurity parameter</h3>
+
+This parameter is used to configure the outflow security handler. The outflow
+ handler can be invoked more than once in the outflow one can provide
+ configuration for each of these invocations. The 'action' element describes
+ one of these configurations. Therefore the 'OutflowSecurity' parameter can 
+ contain more than one 'action' elements. The schema of this 'action' element 
+ is available <a href="sec-conf/out-action.xsd">here</a>.
+<p>An outflow configuration to add a timestamp, sing and encrypt 
+ the message once, is shown in<a href="#ex1"> Example 1</a> and <a href="#ex1">
+ Example 2</a> shows how to sign the message twice by chaining the outflow 
+ handler (using two 'action' elements)</p>
+ 
+<p>Following is a description of the elements that can go in an 'action' 
+element of the OutflowSecurity parameter</p>
 <br>
 <table border="1">
 <tr>
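Review bot: Both links in `is shown in<a href="#ex1"> Example 1</a> and <a href="#ex1"> Example 2</a>` point to `#ex1`, while Example 2 is anchored as `id="ex2"` later in this file; the second should be `<a href="#ex2">Example 2</a>`. The same sentence reads `sing and encrypt` for `sign and encrypt`, and `The outflow handler can be invoked more than once in the outflow one can provide configuration for each of these invocations` lacks punctuation between its two clauses; `… more than once in the outflow, and one can provide configuration for each of these invocations.` The enclosing `<body>` starts before this hunk.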
@@ -38,81 +45,92 @@
 <td><b>Example</b></td>
 </tr>
 <tr>
-<td colspan="3"><br><i><b>Inflow parameters</b></i></td>
-</tr>
-<tr>
-<td>InAction</td>
+<td>items</td>
 <td>Security actions for the inflow</td>
-<td>first the incoming message should be decrypted and then the signatures should be verified and should be checked for the availability of the Timestamp <br>&lt;parameter name="InAction"&gt; Timestamp Signature Encrypt&lt;/parameter&gt;</td>
-</tr>
-<tr>
-<td>InPasswordCallbackClass</td>
-<td>Callback class used to obtain password for decryption and UsernameToken verification</td>
-<td><br>&lt;parameter name="InPasswordCallbackClass"&gt; org.apache.axis2.security.PWCallback&lt;/parameter&gt;</td>
-</tr>
-<tr>
-<td>InSignaturePropFile</td>
-<td>Property file used for signature verification</td>
-<td><br>&lt;parameter name="InSignaturePropFile"&gt; sig.properties&lt;/parameter&gt;</td>
-</tr>
-<td>decryptionPropFile</td>
-<td>Property file used for decryption</td>
-<td> <br>&lt;parameter name="decryptionPropFile"&gt; dec.properties&lt;/parameter&gt;</td>
-</tr>
-
-<tr>
-<td colspan="3"><br><i><b>Outflow parameters</b></i></td>
-</tr>
-<tr>
-<td>OutAction</td>
-<td>Security actions for the inflow</td>
-<td>Add a Timestamp, Sign the SOAP body and Encrypt the SOAP body <br>&lt;parameter name="OutAction"&gt; Timestamp Signature Encrypt&lt;/parameter&gt;</td>
+<td>Add a Timestamp, Sign the SOAP body and Encrypt the SOAP body <br>&lt;items&gt; Timestamp Signature Encrypt&lt;/items&gt;</td>
 </tr>
 <tr>
 <td>user</td>
 <td>The user's name</td>
-<td>Set alias of the key to be used to sign<br>&lt;parameter name="user"&gt; bob&lt;/parameter&gt;</td>
+<td>Set alias of the key to be used to sign<br>&lt;user&gt; bob&lt;/user&gt;</td>
 </tr>
 <tr>
-<td>OutPasswordCallbackClass</td>
+<td>passwordCallbackClass</td>
 <td>Callback class used to provide the password required to create the UsernameToken or to sign the message</td>
-<td>&lt;parameter name="OutPasswordCallbackClass"&gt; org.apache.axis2.security.PWCallback&lt;/parameter&gt;</td>
+<td>&lt;passwordCallbackClass&gt; org.apache.axis2.security.PWCallback&lt;/passwordCallbackClass&gt;</td>
 </tr>
 <tr>
-<td>OutSignaturePropFile</td>
+<td>signaturePropFile</td>
 <td>property file used to get the signature parameters such as crypto provider, keystore and its password</td>
-<td>Set example.properties file as the signature property file<br>&lt;parameter name="OutSignaturePropFile"&gt; example.properties&lt;/parameter&gt;</td>
+<td>Set example.properties file as the signature property file<br>&lt;signaturePropFile&gt; example.properties&lt;/signaturePropFile&gt;</td>
 </tr>
 <tr>
-<td>OutSignatureKeyIdentifier</td>
+<td>signatureKeyIdentifier</td>
 <td>Key identifier to be used in referring the key in the signature</td>
-<td>Use the serial number of the certificate<br>&lt;parameter name="OutSignatureKeyIdentifier"&gt; IssuerSerial&lt;/parameter&gt;</td>
+<td>Use the serial number of the certificate<br>&lt;signatureKeyIdentifier&gt; IssuerSerial&lt;/signatureKeyIdentifier&gt;</td>
 </tr>
 <tr>
 <td>encryptionKeyIdentifier</td>
 <td>Key identifier to be used in referring the key in encryption</td>
-<td>Use the serial number of the certificate <br>&lt;parameter name="encryptionKeyIdentifier"&gt;IssuerSerial&lt;/parameter&gt;</td>
+<td>Use the serial number of the certificate <br>&lt;encryptionKeyIdentifier&gt;IssuerSerial&lt;/encryptionKeyIdentifier&gt;</td>
 </tr>
 <tr>
 <td>encryptionUser</td>
 <td>The user's name for encryption.</td>
-<td><br>&lt;parameter name="encryptionUser"&gt;alice&lt;/parameter&gt;</td>
+<td><br>&lt;encryptionUser&gt;alice&lt;/encryptionUser&gt;</td>
 </tr>
 <tr>
 <td>encryptionSymAlgorithm</td>
 <td>Symmetric algorithm to be used for encryption</td>
-<td>Use AES-128<br>&lt;parameter name="encryptionSymAlgorithm"&gt; http://www.w3.org/2001/04/xmlenc#aes128-cbc&lt;/parameter&gt;</td>
+<td>Use AES-128<br>&lt;encryptionSymAlgorithm&gt; http://www.w3.org/2001/04/xmlenc#aes128-cbc&lt;/encryptionSymAlgorithm&gt;</td>
 </tr>
 <tr>
-<td>OutSignatureParts</td>
+<td>encryptionKeyTransportAlgorithm</td>
+<td>Key encryption algorithm</td>
+<td>Use RSA-OAEP<br>&lt;parameter name="encryptionSymAlgorithm"&gt; http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p&lt;/parameter&gt;</td>
+</tr>
+<tr>
+<td>signatureParts</td>
 <td>Sign multiple parts in the SOAP message</td>
-<td>Sign Foo and Bar elements qualified by "http://app.ns/ns"<br>&lt;parameter name="OutSignatureParts"&gt; {Element}{http://app.ns/ns}Foo;{Element}{http://app.ns/ns}Bar &lt;/parameter&gt;</td>
+<td>Sign Foo and Bar elements qualified by "http://app.ns/ns"<br>&lt;signatureParts&gt; {Element}{http://app.ns/ns}Foo;{Element}{http://app.ns/ns}Bar &lt;/signatureParts&gt;</td>
 </tr>
 <tr>
 <td>optimizeParts</td>
 <td>MTOM Optimize the elements specified by the XPath query</td>
-<td>Optimize the CipherValue<br>&lt;parameter name="optimizeParts"&gt; //xenc:EncryptedData/xenc:CipherData/xenc:CipherValue &lt;/parameter&gt;</td>
+<td>Optimize the CipherValue<br>&lt;optimizeParts&gt; //xenc:EncryptedData/xenc:CipherData/xenc:CipherValue &lt;/optimizeParts&gt;</td>
+</tr>
+</table>
+<br>
+<h3>InflowSecurity parameter</h3>
+<p>This parameter is used to configure the inflow security handler. The 'action' element is used to 
+encapsulate the configuration elements here as well. The schema of the 'action' element is available here. 
+<a href="#ex3">Example 3</a> shows the configuration to decrypt, verify signature and validate timestamp.</p>
+<table border="1">
+<tr>
+<td><b>Parameter</b></td>
+<td><b>Description</b></td>
+<td><b>Example</b></td>
+</tr>
+<tr>
+<td>items</td>
+<td>Security actions for the inflow</td>
+<td>first the incoming message should be decrypted and then the signatures should be verified and should be checked for the availability of the Timestamp <br>&lt;items&gt; Timestamp Signature Encrypt&lt;/items&gt;</td>
 </tr>
+<tr>
+<td>passwordCallbackClass</td>
+<td>Callback class used to obtain password for decryption and UsernameToken verification</td>
+<td><br>&lt;passwordCallbackClass&gt; org.apache.axis2.security.PWCallback&lt;/passwordCallbackClass&gt;</td>
+</tr>
+<tr>
+<td>signaturePropFile</td>
+<td>Property file used for signature verification</td>
+<td><br>&lt;signaturePropFile&gt; sig.properties&lt;/signaturePropFile&gt;</td>
+</tr>
+<td>decryptionPropFile</td>
+<td>Property file used for decryption</td>
+<td> <br>&lt;decryptionPropFile&gt; dec.properties&lt;/decryptionPropFile&gt;</td>
+</tr>
+
 </table>
 <br>
 <p>Please note that the '.properties' files used in properties such as OutSignaturePropFile are the same property files that are using in the WSS4J project. 
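Review bot: The new `encryptionKeyTransportAlgorithm` row's example still uses the old `<parameter name="encryptionSymAlgorithm">` form, so a reader copying it would set the symmetric-algorithm element to the RSA-OAEP URI instead of the key-transport element; it should read `<encryptionKeyTransportAlgorithm> http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</encryptionKeyTransportAlgorithm>`. The `items` row of the OutflowSecurity table describes `Security actions for the inflow`, and the note below the tables still names `OutSignaturePropFile`, which no longer exists after this rename; both should say outflow / `signaturePropFile`. The InflowSecurity paragraph says the schema is `available here` with no link; add `<a href="sec-conf/in.action.xsd">here</a>` to match the outflow section. Since the `signaturePropFile` description says the property file carries the keystore password, a one-line caveat that these files must be kept out of any web-served directory would be a useful addition to the note on WSS4J property files.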
@@ -135,4 +153,26 @@
  
 <p><b>References</b></p>
 <p>1. <a href="http://ws.apache.org/wss4j">Apache WSS4J</a></p>
+<br>
+<p><b>Examples</b></p>
+<p id="ex1">Example 1: An outflow configuration to add a timestamp, sing and encrypt 
+ the message once</p>
+<p><iframe frameborder="0"  
+src ="sec-conf/out-sample.xml"
+width="800" height="400">
+</iframe>
+</p>
+
+<p id="ex2">Example 2: An outflow configuration to sign the message twice and add a timestamp</p>
+<p><iframe frameborder="0"  
+src ="sec-conf/out-sample2.xml"
+width="800" height="400">
+</iframe>
+</p>
+<p id="ex3">Example 3: An inflow configuration to decrypt, verify signature and validate timestamp</p>
+<p><iframe frameborder="0"  
+src ="sec-conf/in-sample.xml"
+width="800" height="400">
+</iframe>
+</p>
 </body></html>
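Review bot: The three `<iframe>` elements that embed the sample XML have no `title` attribute, so assistive technology announces them as unnamed frames; add one to each, e.g. `title="Example 1: outflow configuration"`. The caption `Example 1: An outflow configuration to add a timestamp, sing and encrypt` should read `sign`. The `</body></html>` here closes a document that starts before this hunk.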