You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-c-dev@ws.apache.org by Dave Meier <DM...@SERENA.com> on 2008/02/22 03:15:21 UTC
[RAMPART/C] Question about making the WS-SECURITY optional from call
to call
Hi,
I want to support WS-SECURITY on request coming in to my server, but I
also want clients to be able to send SOAP requests with no WS-SECURITY
and provide the userid/password by inserting them into the request as
regular elements. I also want my REST calls to work without RAMPART
doing anything with them. Is there a way to configure the server this
way?
So I want to support the following all with one services.xml file:
1. SOAP WS-SECURITY requests.
2. SOAP requests with no WS-SECURITY header.
3. REST calls.
Thanks,
-Dave.
**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
**********************************************************************
Re: [RAMPART/C] Question about making the WS-SECURITY optional
from call to call
Posted by Manjula Peiris <ma...@wso2.com>.
On Thu, 2008-02-21 at 21:10 -0800, Supun Kamburugamuva wrote:
> Hi Dave,
>
> Rampart cannot be configured in a request basis. So we cannot use
> Rampart for one set of requests and do not use it for another set of
> requests.
>
> Rampart uses policy to decide what to build and process security
> headers. At the moment policy is specified for the whole service.
Actually we can add policies at operation level or even at message
level. Current Neethi/C implementation and Axis2/C description hierarchy
support it. But I am not sure we can engage Rampart at operation level.
If Rampart is engaged at service level then we can specify different
security requirements for different operations. But for a particular
operation you can't send both secure and non secure messages.
-Manjula.
> If
> we support policy for endpoints we could support your requirement. But
> still we are not supporting that.
>
> Regards,
> Supun.
>
> On Thu, Feb 21, 2008 at 6:15 PM, Dave Meier <DM...@serena.com> wrote:
> > Hi,
> >
> > I want to support WS-SECURITY on request coming in to my server, but I
> > also want clients to be able to send SOAP requests with no WS-SECURITY
> > and provide the userid/password by inserting them into the request as
> > regular elements. I also want my REST calls to work without RAMPART
> > doing anything with them. Is there a way to configure the server this
> > way?
> >
> > So I want to support the following all with one services.xml file:
> >
> > 1. SOAP WS-SECURITY requests.
> > 2. SOAP requests with no WS-SECURITY header.
> > 3. REST calls.
> >
> > Thanks,
> >
> > -Dave.
> >
> >
> > **********************************************************************
> > This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
> > **********************************************************************
> >
> >
Re: [RAMPART/C] Question about making the WS-SECURITY optional from call to call
Posted by Supun Kamburugamuva <su...@gmail.com>.
Hi Dave,
Rampart cannot be configured in a request basis. So we cannot use
Rampart for one set of requests and do not use it for another set of
requests.
Rampart uses policy to decide what to build and process security
headers. At the moment policy is specified for the whole service. If
we support policy for endpoints we could support your requirement. But
still we are not supporting that.
Regards,
Supun.
On Thu, Feb 21, 2008 at 6:15 PM, Dave Meier <DM...@serena.com> wrote:
> Hi,
>
> I want to support WS-SECURITY on request coming in to my server, but I
> also want clients to be able to send SOAP requests with no WS-SECURITY
> and provide the userid/password by inserting them into the request as
> regular elements. I also want my REST calls to work without RAMPART
> doing anything with them. Is there a way to configure the server this
> way?
>
> So I want to support the following all with one services.xml file:
>
> 1. SOAP WS-SECURITY requests.
> 2. SOAP requests with no WS-SECURITY header.
> 3. REST calls.
>
> Thanks,
>
> -Dave.
>
>
> **********************************************************************
> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
> **********************************************************************
>
>
Re: [RAMPART/C] Question about making the WS-SECURITY optional from
call to call
Posted by Kaushalye Kapuruge <ka...@wso2.com>.
Supun Kamburugamuva wrote:
> Hi,
>
> Correct me if I'm wrong. The idea behind rest is to use the existing
> infrastructure of the web. If a user want to secure a rest message he
> has to go for mechanisms like https. Rampart is developed according to
> the SOAP message security (not rest). REST users cannot get the
> granularity provided by the SOAP message security. That is the biggest
> disadvantage for the REST users.
>
Yes.
(Hope we would not go into the REST v SOAP war here.) :-)
-Kau
> Regards,
> Supun.
>
>
>
>
> On Thu, Feb 21, 2008 at 11:13 PM, Kaushalye Kapuruge <ka...@wso2.com> wrote:
>
>> Senaka Fernando wrote:
>> > Hi Kaushalye,
>> >
>> > Does this mean no-REST with Rampart/C services???
>> What are Rampart/C service? If you mean secured services, Apache
>> Ramaprt/C is only for SOAP.
>>
>>
>>> That's a big issue I
>>>
>> > guess. Why isn't it possible to make partially secure services. The whole
>> > idea is to meet the requirement of a provider. If he can't partially
>> > secure then he would rather drop WS-Security. This won't solve at least
>> > some of his expectations. Thoughts??
>> >
>> What are partially secured services? A service is either secured or
>> not.:) The same service cannot be allowed to treat two requests in
>> different ways. For example think about authentication. What's the
>> rationale behind allowing one request to add claims and another to not?
>> Why would I bother adding username tokens if the service is kind enough
>> to pass without them?
>> Cheers,
>> Kau
>>
>>
>>
>> > Regards,
>> > Senaka
>> >
>> >
>> >> Hi Kaushalye and Supun,
>> >>
>> >> Thanks for your responses. So I would think REST calls will also only
>> >> work if I am not configuring the service to use rampart, correct? You
>> >> are right that I can define 2 services and leave one open for REST and
>> >> other means of security. The customer will decide what they want based
>> >> on where they are deploying their service.
>> >>
>> >> -Dave.
>> >>
>> >> -----Original Message-----
>> >> From: Kaushalye Kapuruge [mailto:kaushalye@wso2.com]
>> >> Sent: Thursday, February 21, 2008 9:38 PM
>> >> To: rampart-c-dev@ws.apache.org
>> >> Subject: Re: [RAMPART/C] Question about making the WS-SECURITY optional
>> >> from call to call
>> >>
>> >> Hi,
>> >> Having different security requirements for the same endpoint doesn't
>> >> make any sense. A service should treat all incoming messages in the same
>> >> way.
>> >> Saying that, we do not support the operational level security. The
>> >> smallest unit of security requirements is for a service. So if you need
>> >> to have different security requirements, you need to have different
>> >> services. Then again, you have to be careful exposing your business
>> >> logic. If a secured service is exposed with another then an attacker can
>> >> easily pick the latter.:) Cheers, Kau
>> >>
>> >> Dave Meier wrote:
>> >>
>> >>> Hi,
>> >>>
>> >>> I want to support WS-SECURITY on request coming in to my server, but I
>> >>>
>> >>> also want clients to be able to send SOAP requests with no WS-SECURITY
>> >>>
>> >>> and provide the userid/password by inserting them into the request as
>> >>> regular elements. I also want my REST calls to work without RAMPART
>> >>> doing anything with them. Is there a way to configure the server this
>> >>>
>> >>> way?
>> >>>
>> >>> So I want to support the following all with one services.xml file:
>> >>>
>> >>> 1. SOAP WS-SECURITY requests.
>> >>> 2. SOAP requests with no WS-SECURITY header.
>> >>> 3. REST calls.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> -Dave.
>> >>>
>> >>>
>> >>> **********************************************************************
>> >>> This email and any files transmitted with it are confidential and
>> >>>
>> >> intended solely for the use of the individual or entity to whom they are
>> >> addressed. Any unauthorized review, use, disclosure or distribution is
>> >> prohibited. If you are not the intended recipient, please contact the
>> >> sender by reply e-mail and destroy all copies of the original message.
>> >>
>> >>> **********************************************************************
>> >>>
>> >>>
>> >>>
>> >>>
>> >> --
>> >> http://blog.kaushalye.org/
>> >> http://wso2.org/
>> >>
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>> --
>>
>>
>> http://blog.kaushalye.org/
>> http://wso2.org/
>>
>>
>>
>
>
--
http://blog.kaushalye.org/
http://wso2.org/
Re: [RAMPART/C] Question about making the WS-SECURITY optional from call to call
Posted by Supun Kamburugamuva <su...@gmail.com>.
Hi,
Correct me if I'm wrong. The idea behind rest is to use the existing
infrastructure of the web. If a user want to secure a rest message he
has to go for mechanisms like https. Rampart is developed according to
the SOAP message security (not rest). REST users cannot get the
granularity provided by the SOAP message security. That is the biggest
disadvantage for the REST users.
Regards,
Supun.
On Thu, Feb 21, 2008 at 11:13 PM, Kaushalye Kapuruge <ka...@wso2.com> wrote:
> Senaka Fernando wrote:
> > Hi Kaushalye,
> >
> > Does this mean no-REST with Rampart/C services???
> What are Rampart/C service? If you mean secured services, Apache
> Ramaprt/C is only for SOAP.
>
> > That's a big issue I
> > guess. Why isn't it possible to make partially secure services. The whole
> > idea is to meet the requirement of a provider. If he can't partially
> > secure then he would rather drop WS-Security. This won't solve at least
> > some of his expectations. Thoughts??
> >
> What are partially secured services? A service is either secured or
> not.:) The same service cannot be allowed to treat two requests in
> different ways. For example think about authentication. What's the
> rationale behind allowing one request to add claims and another to not?
> Why would I bother adding username tokens if the service is kind enough
> to pass without them?
> Cheers,
> Kau
>
>
>
> > Regards,
> > Senaka
> >
> >
> >> Hi Kaushalye and Supun,
> >>
> >> Thanks for your responses. So I would think REST calls will also only
> >> work if I am not configuring the service to use rampart, correct? You
> >> are right that I can define 2 services and leave one open for REST and
> >> other means of security. The customer will decide what they want based
> >> on where they are deploying their service.
> >>
> >> -Dave.
> >>
> >> -----Original Message-----
> >> From: Kaushalye Kapuruge [mailto:kaushalye@wso2.com]
> >> Sent: Thursday, February 21, 2008 9:38 PM
> >> To: rampart-c-dev@ws.apache.org
> >> Subject: Re: [RAMPART/C] Question about making the WS-SECURITY optional
> >> from call to call
> >>
> >> Hi,
> >> Having different security requirements for the same endpoint doesn't
> >> make any sense. A service should treat all incoming messages in the same
> >> way.
> >> Saying that, we do not support the operational level security. The
> >> smallest unit of security requirements is for a service. So if you need
> >> to have different security requirements, you need to have different
> >> services. Then again, you have to be careful exposing your business
> >> logic. If a secured service is exposed with another then an attacker can
> >> easily pick the latter.:) Cheers, Kau
> >>
> >> Dave Meier wrote:
> >>
> >>> Hi,
> >>>
> >>> I want to support WS-SECURITY on request coming in to my server, but I
> >>>
> >>> also want clients to be able to send SOAP requests with no WS-SECURITY
> >>>
> >>> and provide the userid/password by inserting them into the request as
> >>> regular elements. I also want my REST calls to work without RAMPART
> >>> doing anything with them. Is there a way to configure the server this
> >>>
> >>> way?
> >>>
> >>> So I want to support the following all with one services.xml file:
> >>>
> >>> 1. SOAP WS-SECURITY requests.
> >>> 2. SOAP requests with no WS-SECURITY header.
> >>> 3. REST calls.
> >>>
> >>> Thanks,
> >>>
> >>> -Dave.
> >>>
> >>>
> >>> **********************************************************************
> >>> This email and any files transmitted with it are confidential and
> >>>
> >> intended solely for the use of the individual or entity to whom they are
> >> addressed. Any unauthorized review, use, disclosure or distribution is
> >> prohibited. If you are not the intended recipient, please contact the
> >> sender by reply e-mail and destroy all copies of the original message.
> >>
> >>> **********************************************************************
> >>>
> >>>
> >>>
> >>>
> >> --
> >> http://blog.kaushalye.org/
> >> http://wso2.org/
> >>
> >>
> >>
> >
> >
> >
>
>
> --
>
>
> http://blog.kaushalye.org/
> http://wso2.org/
>
>
Re: [RAMPART/C] Question about making the WS-SECURITY optional
from call to call
Posted by Senaka Fernando <se...@wso2.com>.
Hi Dumindu,
WSDL 2.0 HTTP Binding is what we use as REST, and therefore you can't say
REST has nothing to do with WS.
Regards,
Senaka
> On Fri, Feb 22, 2008 at 3:32 PM, Senaka Fernando <se...@wso2.com> wrote:
>> Hi Kaushalye,
>>
>> I know that Rampart/C is only for SOAP. I mean if someone exposes a
>> WS-Security enabled service as REST, what would be the behaviour?
>
> I guess the question should rather be what *should* be the behaviour.
>
> IMHO, we should not allow a service which has rampart engaged to be
> exposed as REST. Clearly rampart is WS specific.
>
> What could possibly be the reason why one needs to do so?
>
> -Dumindu.
>
> --
> Dumindu Pallewela
> http://blog.dumindu.com
> GPG ID: 0x9E131672
>
> WSO2 | "Oxygenating the Web Service Platform" | http://wso2.com
>
Re: [RAMPART/C] Question about making the WS-SECURITY optional from call to call
Posted by Dumindu Pallewela <pa...@gmail.com>.
On Fri, Feb 22, 2008 at 3:32 PM, Senaka Fernando <se...@wso2.com> wrote:
> Hi Kaushalye,
>
> I know that Rampart/C is only for SOAP. I mean if someone exposes a
> WS-Security enabled service as REST, what would be the behaviour?
I guess the question should rather be what *should* be the behaviour.
IMHO, we should not allow a service which has rampart engaged to be
exposed as REST. Clearly rampart is WS specific.
What could possibly be the reason why one needs to do so?
-Dumindu.
--
Dumindu Pallewela
http://blog.dumindu.com
GPG ID: 0x9E131672
WSO2 | "Oxygenating the Web Service Platform" | http://wso2.com
Re: [RAMPART/C] Question about making the WS-SECURITY optional
from call to call
Posted by Senaka Fernando <se...@wso2.com>.
Hi Kaushalye,
OK. This makes sense now. That means REST should not work for a
WS-Security service. That's because WS-Security must ensure service level
security. I believe it is better if you could make users aware that you
can't make the secure services available as REST, as Axis2/C says, any
service can be either SOAP or REST.
Regards,
Senaka
> Hi Senaka,
> As I said earlier, if a user enabled WS-Security, the service is
> expecting SOAP messages. That means if there are not credentials in the
> SOAP header the security phase will block the message. Practically it is
> not advisable and not practical too to build same message using REST.
> Think about encrypted messages where lots of random parameters comes to
> play.
> If the user likes to expose the same business logic using REST he is
> free to do so with another service. But I repeat it has some security
> vulnerabilities. One is secured and other is less. Note that the
> strength of a chain is in its weakest link. :-)
> Cheers,
> Kau
>
> Senaka Fernando wrote:
>> Hi Kaushalye,
>>
>> I know that Rampart/C is only for SOAP. I mean if someone exposes a
>> WS-Security enabled service as REST, what would be the behaviour?
>>
>> Regards,
>> Senaka
>>
>>
>>> Senaka Fernando wrote:
>>>
>>>> Hi Kaushalye,
>>>>
>>>> Does this mean no-REST with Rampart/C services???
>>>>
>>> What are Rampart/C service? If you mean secured services, Apache
>>> Ramaprt/C is only for SOAP.
>>>
>>>> That's a big issue I
>>>> guess. Why isn't it possible to make partially secure services. The
>>>> whole
>>>> idea is to meet the requirement of a provider. If he can't partially
>>>> secure then he would rather drop WS-Security. This won't solve at
>>>> least
>>>> some of his expectations. Thoughts??
>>>>
>>>>
>>> What are partially secured services? A service is either secured or
>>> not.:) The same service cannot be allowed to treat two requests in
>>> different ways. For example think about authentication. What's the
>>> rationale behind allowing one request to add claims and another to not?
>>> Why would I bother adding username tokens if the service is kind enough
>>> to pass without them?
>>> Cheers,
>>> Kau
>>>
>>>
>>>> Regards,
>>>> Senaka
>>>>
>>>>
>>>>
>>>>> Hi Kaushalye and Supun,
>>>>>
>>>>> Thanks for your responses. So I would think REST calls will also
>>>>> only
>>>>> work if I am not configuring the service to use rampart, correct?
>>>>> You
>>>>> are right that I can define 2 services and leave one open for REST
>>>>> and
>>>>> other means of security. The customer will decide what they want
>>>>> based
>>>>> on where they are deploying their service.
>>>>>
>>>>> -Dave.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Kaushalye Kapuruge [mailto:kaushalye@wso2.com]
>>>>> Sent: Thursday, February 21, 2008 9:38 PM
>>>>> To: rampart-c-dev@ws.apache.org
>>>>> Subject: Re: [RAMPART/C] Question about making the WS-SECURITY
>>>>> optional
>>>>> from call to call
>>>>>
>>>>> Hi,
>>>>> Having different security requirements for the same endpoint doesn't
>>>>> make any sense. A service should treat all incoming messages in the
>>>>> same
>>>>> way.
>>>>> Saying that, we do not support the operational level security. The
>>>>> smallest unit of security requirements is for a service. So if you
>>>>> need
>>>>> to have different security requirements, you need to have different
>>>>> services. Then again, you have to be careful exposing your business
>>>>> logic. If a secured service is exposed with another then an attacker
>>>>> can
>>>>> easily pick the latter.:) Cheers, Kau
>>>>>
>>>>> Dave Meier wrote:
>>>>>
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I want to support WS-SECURITY on request coming in to my server, but
>>>>>> I
>>>>>>
>>>>>> also want clients to be able to send SOAP requests with no
>>>>>> WS-SECURITY
>>>>>>
>>>>>> and provide the userid/password by inserting them into the request
>>>>>> as
>>>>>> regular elements. I also want my REST calls to work without RAMPART
>>>>>> doing anything with them. Is there a way to configure the server
>>>>>> this
>>>>>>
>>>>>> way?
>>>>>>
>>>>>> So I want to support the following all with one services.xml file:
>>>>>>
>>>>>> 1. SOAP WS-SECURITY requests.
>>>>>> 2. SOAP requests with no WS-SECURITY header.
>>>>>> 3. REST calls.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> -Dave.
>>>>>>
>>>>>>
>>>>>> **********************************************************************
>>>>>> This email and any files transmitted with it are confidential and
>>>>>>
>>>>>>
>>>>> intended solely for the use of the individual or entity to whom they
>>>>> are
>>>>> addressed. Any unauthorized review, use, disclosure or distribution
>>>>> is
>>>>> prohibited. If you are not the intended recipient, please contact the
>>>>> sender by reply e-mail and destroy all copies of the original
>>>>> message.
>>>>>
>>>>>
>>>>>> **********************************************************************
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> --
>>>>> http://blog.kaushalye.org/
>>>>> http://wso2.org/
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>> --
>>> http://blog.kaushalye.org/
>>> http://wso2.org/
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> http://blog.kaushalye.org/
> http://wso2.org/
>
>
Re: [RAMPART/C] Question about making the WS-SECURITY optional
from call to call
Posted by Kaushalye Kapuruge <ka...@wso2.com>.
Hi Senaka,
As I said earlier, if a user enabled WS-Security, the service is
expecting SOAP messages. That means if there are not credentials in the
SOAP header the security phase will block the message. Practically it is
not advisable and not practical too to build same message using REST.
Think about encrypted messages where lots of random parameters comes to
play.
If the user likes to expose the same business logic using REST he is
free to do so with another service. But I repeat it has some security
vulnerabilities. One is secured and other is less. Note that the
strength of a chain is in its weakest link. :-)
Cheers,
Kau
Senaka Fernando wrote:
> Hi Kaushalye,
>
> I know that Rampart/C is only for SOAP. I mean if someone exposes a
> WS-Security enabled service as REST, what would be the behaviour?
>
> Regards,
> Senaka
>
>
>> Senaka Fernando wrote:
>>
>>> Hi Kaushalye,
>>>
>>> Does this mean no-REST with Rampart/C services???
>>>
>> What are Rampart/C service? If you mean secured services, Apache
>> Ramaprt/C is only for SOAP.
>>
>>> That's a big issue I
>>> guess. Why isn't it possible to make partially secure services. The
>>> whole
>>> idea is to meet the requirement of a provider. If he can't partially
>>> secure then he would rather drop WS-Security. This won't solve at least
>>> some of his expectations. Thoughts??
>>>
>>>
>> What are partially secured services? A service is either secured or
>> not.:) The same service cannot be allowed to treat two requests in
>> different ways. For example think about authentication. What's the
>> rationale behind allowing one request to add claims and another to not?
>> Why would I bother adding username tokens if the service is kind enough
>> to pass without them?
>> Cheers,
>> Kau
>>
>>
>>> Regards,
>>> Senaka
>>>
>>>
>>>
>>>> Hi Kaushalye and Supun,
>>>>
>>>> Thanks for your responses. So I would think REST calls will also only
>>>> work if I am not configuring the service to use rampart, correct? You
>>>> are right that I can define 2 services and leave one open for REST and
>>>> other means of security. The customer will decide what they want based
>>>> on where they are deploying their service.
>>>>
>>>> -Dave.
>>>>
>>>> -----Original Message-----
>>>> From: Kaushalye Kapuruge [mailto:kaushalye@wso2.com]
>>>> Sent: Thursday, February 21, 2008 9:38 PM
>>>> To: rampart-c-dev@ws.apache.org
>>>> Subject: Re: [RAMPART/C] Question about making the WS-SECURITY optional
>>>> from call to call
>>>>
>>>> Hi,
>>>> Having different security requirements for the same endpoint doesn't
>>>> make any sense. A service should treat all incoming messages in the
>>>> same
>>>> way.
>>>> Saying that, we do not support the operational level security. The
>>>> smallest unit of security requirements is for a service. So if you need
>>>> to have different security requirements, you need to have different
>>>> services. Then again, you have to be careful exposing your business
>>>> logic. If a secured service is exposed with another then an attacker
>>>> can
>>>> easily pick the latter.:) Cheers, Kau
>>>>
>>>> Dave Meier wrote:
>>>>
>>>>
>>>>> Hi,
>>>>>
>>>>> I want to support WS-SECURITY on request coming in to my server, but I
>>>>>
>>>>> also want clients to be able to send SOAP requests with no WS-SECURITY
>>>>>
>>>>> and provide the userid/password by inserting them into the request as
>>>>> regular elements. I also want my REST calls to work without RAMPART
>>>>> doing anything with them. Is there a way to configure the server this
>>>>>
>>>>> way?
>>>>>
>>>>> So I want to support the following all with one services.xml file:
>>>>>
>>>>> 1. SOAP WS-SECURITY requests.
>>>>> 2. SOAP requests with no WS-SECURITY header.
>>>>> 3. REST calls.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Dave.
>>>>>
>>>>>
>>>>> **********************************************************************
>>>>> This email and any files transmitted with it are confidential and
>>>>>
>>>>>
>>>> intended solely for the use of the individual or entity to whom they
>>>> are
>>>> addressed. Any unauthorized review, use, disclosure or distribution is
>>>> prohibited. If you are not the intended recipient, please contact the
>>>> sender by reply e-mail and destroy all copies of the original message.
>>>>
>>>>
>>>>> **********************************************************************
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>> --
>>>> http://blog.kaushalye.org/
>>>> http://wso2.org/
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>> --
>> http://blog.kaushalye.org/
>> http://wso2.org/
>>
>>
>>
>
>
>
--
http://blog.kaushalye.org/
http://wso2.org/
Re: [RAMPART/C] Question about making the WS-SECURITY optional
from call to call
Posted by Senaka Fernando <se...@wso2.com>.
Hi Kaushalye,
I know that Rampart/C is only for SOAP. I mean if someone exposes a
WS-Security enabled service as REST, what would be the behaviour?
Regards,
Senaka
> Senaka Fernando wrote:
>> Hi Kaushalye,
>>
>> Does this mean no-REST with Rampart/C services???
> What are Rampart/C service? If you mean secured services, Apache
> Ramaprt/C is only for SOAP.
>> That's a big issue I
>> guess. Why isn't it possible to make partially secure services. The
>> whole
>> idea is to meet the requirement of a provider. If he can't partially
>> secure then he would rather drop WS-Security. This won't solve at least
>> some of his expectations. Thoughts??
>>
> What are partially secured services? A service is either secured or
> not.:) The same service cannot be allowed to treat two requests in
> different ways. For example think about authentication. What's the
> rationale behind allowing one request to add claims and another to not?
> Why would I bother adding username tokens if the service is kind enough
> to pass without them?
> Cheers,
> Kau
>
>> Regards,
>> Senaka
>>
>>
>>> Hi Kaushalye and Supun,
>>>
>>> Thanks for your responses. So I would think REST calls will also only
>>> work if I am not configuring the service to use rampart, correct? You
>>> are right that I can define 2 services and leave one open for REST and
>>> other means of security. The customer will decide what they want based
>>> on where they are deploying their service.
>>>
>>> -Dave.
>>>
>>> -----Original Message-----
>>> From: Kaushalye Kapuruge [mailto:kaushalye@wso2.com]
>>> Sent: Thursday, February 21, 2008 9:38 PM
>>> To: rampart-c-dev@ws.apache.org
>>> Subject: Re: [RAMPART/C] Question about making the WS-SECURITY optional
>>> from call to call
>>>
>>> Hi,
>>> Having different security requirements for the same endpoint doesn't
>>> make any sense. A service should treat all incoming messages in the
>>> same
>>> way.
>>> Saying that, we do not support the operational level security. The
>>> smallest unit of security requirements is for a service. So if you need
>>> to have different security requirements, you need to have different
>>> services. Then again, you have to be careful exposing your business
>>> logic. If a secured service is exposed with another then an attacker
>>> can
>>> easily pick the latter.:) Cheers, Kau
>>>
>>> Dave Meier wrote:
>>>
>>>> Hi,
>>>>
>>>> I want to support WS-SECURITY on request coming in to my server, but I
>>>>
>>>> also want clients to be able to send SOAP requests with no WS-SECURITY
>>>>
>>>> and provide the userid/password by inserting them into the request as
>>>> regular elements. I also want my REST calls to work without RAMPART
>>>> doing anything with them. Is there a way to configure the server this
>>>>
>>>> way?
>>>>
>>>> So I want to support the following all with one services.xml file:
>>>>
>>>> 1. SOAP WS-SECURITY requests.
>>>> 2. SOAP requests with no WS-SECURITY header.
>>>> 3. REST calls.
>>>>
>>>> Thanks,
>>>>
>>>> -Dave.
>>>>
>>>>
>>>> **********************************************************************
>>>> This email and any files transmitted with it are confidential and
>>>>
>>> intended solely for the use of the individual or entity to whom they
>>> are
>>> addressed. Any unauthorized review, use, disclosure or distribution is
>>> prohibited. If you are not the intended recipient, please contact the
>>> sender by reply e-mail and destroy all copies of the original message.
>>>
>>>> **********************************************************************
>>>>
>>>>
>>>>
>>>>
>>> --
>>> http://blog.kaushalye.org/
>>> http://wso2.org/
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> http://blog.kaushalye.org/
> http://wso2.org/
>
>
Re: [RAMPART/C] Question about making the WS-SECURITY optional
from call to call
Posted by Kaushalye Kapuruge <ka...@wso2.com>.
Senaka Fernando wrote:
> Hi Kaushalye,
>
> Does this mean no-REST with Rampart/C services???
What are Rampart/C service? If you mean secured services, Apache
Ramaprt/C is only for SOAP.
> That's a big issue I
> guess. Why isn't it possible to make partially secure services. The whole
> idea is to meet the requirement of a provider. If he can't partially
> secure then he would rather drop WS-Security. This won't solve at least
> some of his expectations. Thoughts??
>
What are partially secured services? A service is either secured or
not.:) The same service cannot be allowed to treat two requests in
different ways. For example think about authentication. What's the
rationale behind allowing one request to add claims and another to not?
Why would I bother adding username tokens if the service is kind enough
to pass without them?
Cheers,
Kau
> Regards,
> Senaka
>
>
>> Hi Kaushalye and Supun,
>>
>> Thanks for your responses. So I would think REST calls will also only
>> work if I am not configuring the service to use rampart, correct? You
>> are right that I can define 2 services and leave one open for REST and
>> other means of security. The customer will decide what they want based
>> on where they are deploying their service.
>>
>> -Dave.
>>
>> -----Original Message-----
>> From: Kaushalye Kapuruge [mailto:kaushalye@wso2.com]
>> Sent: Thursday, February 21, 2008 9:38 PM
>> To: rampart-c-dev@ws.apache.org
>> Subject: Re: [RAMPART/C] Question about making the WS-SECURITY optional
>> from call to call
>>
>> Hi,
>> Having different security requirements for the same endpoint doesn't
>> make any sense. A service should treat all incoming messages in the same
>> way.
>> Saying that, we do not support the operational level security. The
>> smallest unit of security requirements is for a service. So if you need
>> to have different security requirements, you need to have different
>> services. Then again, you have to be careful exposing your business
>> logic. If a secured service is exposed with another then an attacker can
>> easily pick the latter.:) Cheers, Kau
>>
>> Dave Meier wrote:
>>
>>> Hi,
>>>
>>> I want to support WS-SECURITY on request coming in to my server, but I
>>>
>>> also want clients to be able to send SOAP requests with no WS-SECURITY
>>>
>>> and provide the userid/password by inserting them into the request as
>>> regular elements. I also want my REST calls to work without RAMPART
>>> doing anything with them. Is there a way to configure the server this
>>>
>>> way?
>>>
>>> So I want to support the following all with one services.xml file:
>>>
>>> 1. SOAP WS-SECURITY requests.
>>> 2. SOAP requests with no WS-SECURITY header.
>>> 3. REST calls.
>>>
>>> Thanks,
>>>
>>> -Dave.
>>>
>>>
>>> **********************************************************************
>>> This email and any files transmitted with it are confidential and
>>>
>> intended solely for the use of the individual or entity to whom they are
>> addressed. Any unauthorized review, use, disclosure or distribution is
>> prohibited. If you are not the intended recipient, please contact the
>> sender by reply e-mail and destroy all copies of the original message.
>>
>>> **********************************************************************
>>>
>>>
>>>
>>>
>> --
>> http://blog.kaushalye.org/
>> http://wso2.org/
>>
>>
>>
>
>
>
--
http://blog.kaushalye.org/
http://wso2.org/
RE: [RAMPART/C] Question about making the WS-SECURITY optional
from call to call
Posted by Senaka Fernando <se...@wso2.com>.
Hi Kaushalye,
Does this mean no-REST with Rampart/C services??? That's a big issue I
guess. Why isn't it possible to make partially secure services. The whole
idea is to meet the requirement of a provider. If he can't partially
secure then he would rather drop WS-Security. This won't solve at least
some of his expectations. Thoughts??
Regards,
Senaka
> Hi Kaushalye and Supun,
>
> Thanks for your responses. So I would think REST calls will also only
> work if I am not configuring the service to use rampart, correct? You
> are right that I can define 2 services and leave one open for REST and
> other means of security. The customer will decide what they want based
> on where they are deploying their service.
>
> -Dave.
>
> -----Original Message-----
> From: Kaushalye Kapuruge [mailto:kaushalye@wso2.com]
> Sent: Thursday, February 21, 2008 9:38 PM
> To: rampart-c-dev@ws.apache.org
> Subject: Re: [RAMPART/C] Question about making the WS-SECURITY optional
> from call to call
>
> Hi,
> Having different security requirements for the same endpoint doesn't
> make any sense. A service should treat all incoming messages in the same
> way.
> Saying that, we do not support the operational level security. The
> smallest unit of security requirements is for a service. So if you need
> to have different security requirements, you need to have different
> services. Then again, you have to be careful exposing your business
> logic. If a secured service is exposed with another then an attacker can
> easily pick the latter.:) Cheers, Kau
>
> Dave Meier wrote:
>> Hi,
>>
>> I want to support WS-SECURITY on request coming in to my server, but I
>
>> also want clients to be able to send SOAP requests with no WS-SECURITY
>
>> and provide the userid/password by inserting them into the request as
>> regular elements. I also want my REST calls to work without RAMPART
>> doing anything with them. Is there a way to configure the server this
>
>> way?
>>
>> So I want to support the following all with one services.xml file:
>>
>> 1. SOAP WS-SECURITY requests.
>> 2. SOAP requests with no WS-SECURITY header.
>> 3. REST calls.
>>
>> Thanks,
>>
>> -Dave.
>>
>>
>> **********************************************************************
>> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are
> addressed. Any unauthorized review, use, disclosure or distribution is
> prohibited. If you are not the intended recipient, please contact the
> sender by reply e-mail and destroy all copies of the original message.
>> **********************************************************************
>>
>>
>>
>
>
> --
> http://blog.kaushalye.org/
> http://wso2.org/
>
>
RE: [RAMPART/C] Question about making the WS-SECURITY optional from call to call
Posted by Dave Meier <DM...@SERENA.com>.
Hi Kaushalye and Supun,
Thanks for your responses. So I would think REST calls will also only
work if I am not configuring the service to use rampart, correct? You
are right that I can define 2 services and leave one open for REST and
other means of security. The customer will decide what they want based
on where they are deploying their service.
-Dave.
-----Original Message-----
From: Kaushalye Kapuruge [mailto:kaushalye@wso2.com]
Sent: Thursday, February 21, 2008 9:38 PM
To: rampart-c-dev@ws.apache.org
Subject: Re: [RAMPART/C] Question about making the WS-SECURITY optional
from call to call
Hi,
Having different security requirements for the same endpoint doesn't
make any sense. A service should treat all incoming messages in the same
way.
Saying that, we do not support the operational level security. The
smallest unit of security requirements is for a service. So if you need
to have different security requirements, you need to have different
services. Then again, you have to be careful exposing your business
logic. If a secured service is exposed with another then an attacker can
easily pick the latter.:) Cheers, Kau
Dave Meier wrote:
> Hi,
>
> I want to support WS-SECURITY on request coming in to my server, but I
> also want clients to be able to send SOAP requests with no WS-SECURITY
> and provide the userid/password by inserting them into the request as
> regular elements. I also want my REST calls to work without RAMPART
> doing anything with them. Is there a way to configure the server this
> way?
>
> So I want to support the following all with one services.xml file:
>
> 1. SOAP WS-SECURITY requests.
> 2. SOAP requests with no WS-SECURITY header.
> 3. REST calls.
>
> Thanks,
>
> -Dave.
>
>
> **********************************************************************
> This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message.
> **********************************************************************
>
>
>
--
http://blog.kaushalye.org/
http://wso2.org/
Re: [RAMPART/C] Question about making the WS-SECURITY optional from
call to call
Posted by Kaushalye Kapuruge <ka...@wso2.com>.
Hi,
Having different security requirements for the same endpoint doesn't
make any sense. A service should treat all incoming messages in the same
way.
Saying that, we do not support the operational level security. The
smallest unit of security requirements is for a service. So if you need
to have different security requirements, you need to have different
services. Then again, you have to be careful exposing your business
logic. If a secured service is exposed with another then an attacker can
easily pick the latter.:)
Cheers,
Kau
Dave Meier wrote:
> Hi,
>
> I want to support WS-SECURITY on request coming in to my server, but I
> also want clients to be able to send SOAP requests with no WS-SECURITY
> and provide the userid/password by inserting them into the request as
> regular elements. I also want my REST calls to work without RAMPART
> doing anything with them. Is there a way to configure the server this
> way?
>
> So I want to support the following all with one services.xml file:
>
> 1. SOAP WS-SECURITY requests.
> 2. SOAP requests with no WS-SECURITY header.
> 3. REST calls.
>
> Thanks,
>
> -Dave.
>
>
> **********************************************************************
> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
> **********************************************************************
>
>
>
--
http://blog.kaushalye.org/
http://wso2.org/