You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-dev@ws.apache.org by Narayan Dhillon <Na...@vocalink.com> on 2008/01/14 20:19:57 UTC

Rampart: Unability to specify custom implementation of PolicyBasedResultsValidator

Hi,

 

Cert validation is important part in WS-Security and different
organizations have different rules for that, and that could be fulfilled
by ability to have custom implementation of PolicyBasedResultsValidator.

 

All the documentation and intention in the Rampart code seems to suggest
that org.apache.rampart.PolicyBasedResultsValidator.verifyTrust() method
could be overridden in custom implementations. However currently
PolicyBasedResultsValidator is hard-wired into RampartEngine; which
makes it impossible to override unless RampartReceiver & RampartEngine
are overridden as well.

 

I can think of 2 options -

(1) Ability to provide custom policy validation by sub classing
RampartReceiver, and then RampartReceiver passes it to RampartEngine.
This is same way as done in Old config based rampart as verifyTrust()
method could be overridden by extending WSDoAllReceiver.

 

(2) Using Rampart config to specify PolicyBasedResultsValidator class.

 

Option (1) is fairly easy to implement and will also make Rampart
capability backward compatible with old Rampart.

 

I'll highly appreciate if development team could please comment on this?

 

Regards, Narayan

 


*****************************************************
This email is issued by a VocaLink group company. It is confidential and intended for the exclusive use of the addressee only. You should not disclose its contents to any other person. If you are not the addressee (or responsible for delivery of the message to the addressee), please notify the originator immediately by return message and destroy the original message. The contents of this email will have no contractual effect unless it is otherwise agreed between a specific VocaLink group company and the recipient.
 
The VocaLink group companies include, among others: VocaLink Limited (Company No 06119048, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Homestead Road, Rickmansworth, WD3 1FX. United Kingdom, Voca Limited (Company no 1023742, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Three Rivers Court, Homestead Road, Rickmansworth, Hertfordshire. WD3 1FX. United Kingdom, LINK Interchange Network Limited (Company No 3565766, VAT No. 907 9619 87) which is registered in England and Wales at registered office Arundel House, 1 Liverpool Gardens, Worthing, West Sussex, BN11 1SL and VocaLink Holdings Limited (Company No 06119036, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Homestead Road, Rickmansworth, WD3 1FX. United Kingdom.
 
The views and opinions expressed in this email may not reflect those of any member of the VocaLink group. This message and any attachments have been scanned for viruses prior to leaving the VocaLink group network; however, VocaLink does not guarantee the security of this message and will not be responsible for any damages arising as a result of any virus being passed on or arising from any alteration of this message by a third party. The VocaLink group may monitor emails sent to and from the VocaLink group network.
 
This message has been checked for all email viruses by MessageLabs.
*************************************************************

Re: Rampart: Unability to specify custom implementation of PolicyBasedResultsValidator

Posted by Ruchith Fernando <ru...@apache.org>.
Hi Narayan,

Do you want to be able to validate complete results? Or only cert 
validation? If so I think we can give a solution where you can specify 
the Trust verification separately through the configuration.

We can use a callback approach in this case as well where the callback 
handler interface that you will have to implement will have a method 
that accepts the cert and RampartMessageData instance and can return 
whether validation is successful or not.

Thoughts?

Thanks,
Ruchith

Narayan Dhillon wrote:
> Hi,
> 
>  
> 
> Cert validation is important part in WS-Security and different
> organizations have different rules for that, and that could be fulfilled
> by ability to have custom implementation of PolicyBasedResultsValidator.
> 
>  
> 
> All the documentation and intention in the Rampart code seems to suggest
> that org.apache.rampart.PolicyBasedResultsValidator.verifyTrust() method
> could be overridden in custom implementations. However currently
> PolicyBasedResultsValidator is hard-wired into RampartEngine; which
> makes it impossible to override unless RampartReceiver & RampartEngine
> are overridden as well.
> 
>  
> 
> I can think of 2 options -
> 
> (1) Ability to provide custom policy validation by sub classing
> RampartReceiver, and then RampartReceiver passes it to RampartEngine.
> This is same way as done in Old config based rampart as verifyTrust()
> method could be overridden by extending WSDoAllReceiver.
> 
>  
> 
> (2) Using Rampart config to specify PolicyBasedResultsValidator class.
> 
>  
> 
> Option (1) is fairly easy to implement and will also make Rampart
> capability backward compatible with old Rampart.
> 
>  
> 
> I'll highly appreciate if development team could please comment on this?
> 
>  
> 
> Regards, Narayan
> 
>  
> 
> 
> *****************************************************
> This email is issued by a VocaLink group company. It is confidential and intended for the exclusive use of the addressee only. You should not disclose its contents to any other person. If you are not the addressee (or responsible for delivery of the message to the addressee), please notify the originator immediately by return message and destroy the original message. The contents of this email will have no contractual effect unless it is otherwise agreed between a specific VocaLink group company and the recipient.
>  
> The VocaLink group companies include, among others: VocaLink Limited (Company No 06119048, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Homestead Road, Rickmansworth, WD3 1FX. United Kingdom, Voca Limited (Company no 1023742, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Three Rivers Court, Homestead Road, Rickmansworth, Hertfordshire. WD3 1FX. United Kingdom, LINK Interchange Network Limited (Company No 3565766, VAT No. 907 9619 87) which is registered in England and Wales at registered office Arundel House, 1 Liverpool Gardens, Worthing, West Sussex, BN11 1SL and VocaLink Holdings Limited (Company No 06119036, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Homestead Road, Rickmansworth, WD3 1FX. United Kingdom.
>  
> The views and opinions expressed in this email may not reflect those of any member of the VocaLink group. This message and any attachments have been scanned for viruses prior to leaving the VocaLink group network; however, VocaLink does not guarantee the security of this message and will not be responsible for any damages arising as a result of any virus being passed on or arising from any alteration of this message by a third party. The VocaLink group may monitor emails sent to and from the VocaLink group network.
>  
> This message has been checked for all email viruses by MessageLabs.
> *************************************************************