Posted to rampart-dev@ws.apache.org by ma...@usbank.com on 2010/02/26 21:53:51 UTC

In Rampart version 1.4 is it possible to create a policy where the client is required to send a WS_Security Header with an X509 cert and the service is not required to reply with WS_Security header.

We are using Rampart 1.4. We require our clients to send SOAP requests
that contain a WS_Security header with a client-side X509 digital
certificate. (The service authenticates and authorizes the client based
on the transmitted X509 certificate.) We do not require the service
to return a reply with a WS_Security header. (That is our preference.)

In Rampart version 1.4, is it possible to create a policy where the client
is required to send a WS_Security header with an X509 certificate and the
service is not required to reply with a WS_Security header? We would like
the service to return a SOAP envelope with no WS_Security stuff.

If the answer is yes, can you tell me where I can find a sample policy
that supports these requirements?

Mark Cerf Berman
AVP - Application Architect
U.S. Bank
EP-MN-BGFD
Riverbank Business Center Office
2751 Shepard Road
St. Paul, MN 55116
mark.berman@usbank.com
651-205-2970 direct
651-205-0597 fax


RE: In Rampart version 1.4 is it possible to create a policy where the client is required to send a WS_Security Header with an X509 cert and the service is not required to reply with WS_Security header.

Posted by "Doughty, Michael" <Mi...@bmc.com>.
I am not sure if there's a way to do this using the WS-Policy-based configuration.  I tried several combinations about nine months ago with Rampart 1.4 along with Axis 1.4, and was unable to strike the right balance to make that happen.  So I would also be interested if there is a way of doing this sort of one-sided policy setting in Rampart.

Having said that, I was able to do this with the deprecated Rampart basic configuration, though I only tried it on the client-side.  By setting the OutFlowSecurity parameter to include the necessary certificate and signature and setting the InFlowSecurity parameter to an empty set, the client was able to conform to this sort of policy.  The same could probably be done on the service-side using Rampart-based.



Re: In Rampart version 1.4 is it possible to create a policy where the client is required to send a WS_Security Header with an X509 cert and the service is not required to reply with WS_Security header.

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Mark,
       If I understood the scenario correctly, applying the policy at
message level should solve your problem, i.e. you apply the policy only to
the incoming message (w.r.t. the server side). This is possible with Rampart and
policy-based configuration. This tutorial [1] explains how to do it.

regards,
Nandana

[1] - http://wso2.org/library/3786

