Posted to rampart-dev@ws.apache.org by Vincenzo Campanile <vi...@eng.it> on 2010/02/18 18:17:32 UTC
Saml as SupportingToken
Hi,
in a WS-Trust scenario, I have an issuer policy with SAML defined as a
supporting token. My STS issues a SAML token on the basis of a SAML token.
It seems to me that Rampart simply ignores the <SupportingTokens>
element I added to the issuer policy. How do I attach a SAML token to
the security header of my RST using Rampart?
Thanks, vicampan.
My issuer policy looks like:
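<?xml version="1.0" encoding="UTF-8"?>
<!--
  Client policy for the RequestSecurityToken (RST) sent to the STS.
  Protection: AsymmetricBinding with X.509 tokens on both sides, body signed
  and encrypted, encrypt-before-sign. The SAML 1.1 token that the STS is asked
  to exchange is carried as a SupportingToken.
  The "sp" namespace is declared once here instead of on every assertion.
-->
<wsp:Policy wsu:Id="SigOnly"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <!-- Client's X.509 token (signs the request); included in every message. -->
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <!-- STS's X.509 token (encryption target). -->
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <!--
            Basic256Rsa15 selects RSA-1.5 (PKCS#1 v1.5) key transport, which is
            exposed to padding-oracle attacks on the decrypting side; the plain
            Basic256 suite uses RSA-OAEP instead. Left unchanged here because
            the suite has to match what the STS accepts.
          -->
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256Rsa15 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:EncryptBeforeSigning />
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <!--
        SAML token presented to the STS. The token-version assertion
        (WssSamlV11Token11) belongs inside sp:SamlToken; in the original the
        sp:SamlToken element was self-closed and the nested wsp:Policy ended up
        as its sibling, which is not the WS-SecurityPolicy structure and may be
        why the supporting token was not picked up.
      -->
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:SamlToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
            <wsp:Policy>
              <sp:WssSamlV11Token11 />
            </wsp:Policy>
          </sp:SamlToken>
        </wsp:Policy>
      </sp:SupportingTokens>
      <sp:Wss10>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier />
          <sp:MustSupportRefIssuerSerial />
        </wsp:Policy>
      </sp:Wss10>
      <sp:SignedParts>
        <sp:Body />
      </sp:SignedParts>
      <sp:EncryptedParts>
        <sp:Body />
      </sp:EncryptedParts>
      <!-- Rampart-specific configuration: key aliases, password callback, keystores. -->
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>client</ramp:user>
        <ramp:encryptionUser>server</ramp:encryptionUser>
        <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
        <!--
          The keystore password is stored in cleartext in this policy file;
          keep the file's read permissions as tight as the keystore's own.
        -->
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
        <!--
          Element name corrected from "encryptionCypto": the name Rampart reads
          is "encryptionCrypto", so the misspelled element did not configure
          the encryption keystore.
        -->
        <ramp:encryptionCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
          </ramp:crypto>
        </ramp:encryptionCrypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>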
My service policy is:
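<!--
  Client policy for the target service. Same AsymmetricBinding as the issuer
  policy; the token obtained from the STS (requested through the IssuedToken
  template below) is carried as a SupportingToken.
  All namespaces are declared once on the root; the per-assertion "sp"
  redeclarations of the original were redundant.
-->
<wsp:Policy wsu:Id="SgnOnlyAnonymous"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <!-- Client's X.509 token (signs the request); included in every message. -->
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <!-- Service's X.509 token (encryption target). -->
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <!--
            Basic256Rsa15 selects RSA-1.5 (PKCS#1 v1.5) key transport, which is
            exposed to padding-oracle attacks on the decrypting side; the plain
            Basic256 suite uses RSA-OAEP instead. Left unchanged here because
            the suite has to match what the service accepts.
          -->
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256Rsa15 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:EncryptBeforeSigning />
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <!-- Token issued by the STS, attached to every message sent to the service. -->
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <!--
              STS the token is obtained from. Plain HTTP on localhost looks like
              a development setting; the RST is expected to be protected by the
              issuer policy's message-level security rather than by transport.
              The Address element is in the WS-Addressing 2005/08 namespace,
              not the 2004/08 one bound to the (unused) "wsa" prefix above.
            -->
            <sp:Issuer>
              <Address xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8080/axis2/services/STS</Address>
            </sp:Issuer>
            <!-- RST template: request a SAML 2.0 token with a 256-bit symmetric proof key. -->
            <sp:RequestSecurityTokenTemplate xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
              <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
              <t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
              <t:KeySize>256</t:KeySize>
            </sp:RequestSecurityTokenTemplate>
            <wsp:Policy>
              <sp:RequireInternalReference />
            </wsp:Policy>
          </sp:IssuedToken>
        </wsp:Policy>
      </sp:SupportingTokens>
      <sp:SignedParts>
        <sp:Body />
      </sp:SignedParts>
      <sp:EncryptedParts>
        <sp:Body />
      </sp:EncryptedParts>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier />
          <sp:MustSupportRefIssuerSerial />
          <sp:MustSupportRefThumbprint />
          <sp:MustSupportRefEncryptedKey />
          <sp:RequireSignatureConfirmation />
        </wsp:Policy>
      </sp:Wss11>
      <sp:Trust10>
        <wsp:Policy>
          <sp:MustSupportIssuedTokens />
          <!-- Entropy requirements are left disabled, as in the original. -->
          <!-- <sp:RequireClientEntropy/> -->
          <!-- <sp:RequireServerEntropy/> -->
        </wsp:Policy>
      </sp:Trust10>
      <!-- Rampart-specific configuration: key aliases, password callback, keystores. -->
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>client</ramp:user>
        <ramp:encryptionUser>server</ramp:encryptionUser>
        <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
        <!--
          The keystore password is stored in cleartext in this policy file;
          keep the file's read permissions as tight as the keystore's own.
        -->
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
        <!--
          Element name corrected from "encryptionCypto": the name Rampart reads
          is "encryptionCrypto", so the misspelled element did not configure
          the encryption keystore.
        -->
        <ramp:encryptionCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
          </ramp:crypto>
        </ramp:encryptionCrypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>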
--
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Ing. Vincenzo Campanile
Engineering Ingegneria Informatica s.p.a.
Via Ferrante Imparato 192-198
Centro Mercato 2, ed. F
80146 Napoli
Tel. 081 5650654 - Fax: 081 5650636
e-mail: vincenzo.campanile@eng.it
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Re: Saml as SupportingToken
Posted by Vincenzo Campanile <vi...@eng.it>.
OK, setting a fake SupportingTokens/IssuedToken in my issuer policy and
following your guidelines, I can now add a custom SAML token to my RST.
Thank you Thilina and Hakon.
Il 19/02/2010 14.53, Thilina Mahesh Buddhika ha scritto:
> Hi Vicampan,
>
> How about trying something similar to following. This approach was deduced
> from the general WS-Trust scenario implemented using Rampart. AFAIK there is
> no clean approach for doing this, because this scenario is not that common.
>
> - First Create a Token which contains the SAML token.
>
> - Add it to the trust store.
>
> TokenStorage store = TrustUtil.getTokenStore(confContext);
> store.add(token);
>
> - Create an Options object and add the following entity. Then set it to the
> STSClient.
>
> options.setProperty(RampartMessageData.KEY_CUSTOM_ISSUED_TOKEN,
> responseToken.getId());
> stsClient.setOptions(options);
>
> - Set the STSPOlicy correctly at the client's end.
>
> Hope this helps.
>
> Thanks.
> /thilina
>
> Thilina Mahesh Buddhika
> http://blog.thilinamb.com
>
>
> On Fri, Feb 19, 2010 at 2:08 PM, Vincenzo Campanile<vi...@eng.it> wrote:
>
>
>> I want my client to work like in policy sample 05 but my STS will issue a
>> SAML token on basis of a provided SAML token. Server side there won't be a
>> rahas based STS and neither an axis2 service.
>> What do you mean by "inflow and outflow code"?
>>
>> thanks, vicampan.
>>
>> Il 18/02/2010 18.46, Martin Gainty ha scritto:
>>
>> difficult to say (without seeing the inflow and outflow code)
>>
>>> thanks,
>>> Martin Gainty
>>> ______________________________________________
>>> Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité
>>>
>>> Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene
>>> Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte
>>> Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht
>>> dient lediglich dem Austausch von Informationen und entfaltet keine
>>> rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von
>>> E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen.
>>> Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le
>>> destinataire prévu, nous te demandons avec bonté que pour satisfaire
>>> informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie
>>> de ceci est interdite. Ce message sert à l'information seulement et n'aura
>>> pas n'importe quel effet légalement obligatoire. Étant donné que les email
>>> peuvent facilement être sujets à la manipulation, nous ne pouvons accepter
>>> aucune responsabilité pour le contenu fourni.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>> Date: Thu, 18 Feb 2010 18:17:32 +0100
>>>> From: vicampan@eng.it
>>>> To: rampart-dev@ws.apache.org
>>>> Subject: Saml as SupportingToken
>>>>
>>>> Hi,
>>>> in a WS-Trust scenario, i have a issuer policy with SAML defined as
>>>> supporting token. My STS issues a SAML token on basis of a SAML token.
>>>> It seems to me that rampart simply ignores the<SupportingTokens>
>>>> element i added to the issuer policy. How will i attach a SAML token in
>>>> the security header of my RST using rampart?
>>>>
>>>> Thanks, vicampan.
>>>>
>>>> My issuer policy looks like:
>>>>
>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>> <wsp:Policy wsu:Id="SigOnly"
>>>> xmlns:wsu="
>>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>>>> "
>>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>>> <wsp:ExactlyOne>
>>>> <wsp:All>
>>>> <sp:AsymmetricBinding
>>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>> <wsp:Policy>
>>>> <sp:InitiatorToken>
>>>> <wsp:Policy>
>>>> <sp:X509Token
>>>> sp:IncludeToken="
>>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>>> ">
>>>> <wsp:Policy>
>>>> <sp:WssX509V3Token10 />
>>>> </wsp:Policy>
>>>> </sp:X509Token>
>>>> </wsp:Policy>
>>>> </sp:InitiatorToken>
>>>> <sp:RecipientToken>
>>>> <wsp:Policy>
>>>> <sp:X509Token
>>>> sp:IncludeToken="
>>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>>> ">
>>>> <wsp:Policy>
>>>> <sp:WssX509V3Token10 />
>>>> </wsp:Policy>
>>>> </sp:X509Token>
>>>> </wsp:Policy>
>>>> </sp:RecipientToken>
>>>> <sp:AlgorithmSuite>
>>>> <wsp:Policy>
>>>> <sp:Basic256Rsa15 />
>>>> </wsp:Policy>
>>>> </sp:AlgorithmSuite>
>>>> <sp:Layout>
>>>> <wsp:Policy>
>>>> <sp:Strict />
>>>> </wsp:Policy>
>>>> </sp:Layout>
>>>> <sp:EncryptBeforeSigning />
>>>> </wsp:Policy>
>>>> </sp:AsymmetricBinding>
>>>> <sp:SupportingTokens
>>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>> <wsp:Policy>
>>>> <sp:SamlToken
>>>> sp:IncludeToken="
>>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>>> "
>>>> />
>>>> <wsp:Policy>
>>>> <sp:WssSamlV11Token11/>
>>>> </wsp:Policy>
>>>> </wsp:Policy>
>>>> </sp:SupportingTokens>
>>>> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
>>>> ">
>>>> <wsp:Policy>
>>>> <sp:MustSupportRefKeyIdentifier />
>>>> <sp:MustSupportRefIssuerSerial />
>>>> </wsp:Policy>
>>>> </sp:Wss10>
>>>> <sp:SignedParts
>>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>> <sp:Body />
>>>> </sp:SignedParts>
>>>> <sp:EncryptedParts
>>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>> <sp:Body />
>>>> </sp:EncryptedParts>
>>>> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>>>> <ramp:user>client</ramp:user>
>>>> <ramp:encryptionUser>server</ramp:encryptionUser>
>>>>
>>>> <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
>>>> <ramp:signatureCrypto>
>>>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>>> <ramp:property
>>>>
>>>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>>> <ramp:property
>>>>
>>>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>>>> <ramp:property
>>>>
>>>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>>>> </ramp:crypto>
>>>> </ramp:signatureCrypto>
>>>> <ramp:encryptionCypto>
>>>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>>> <ramp:property
>>>>
>>>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>>> <ramp:property
>>>>
>>>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>>>> <ramp:property
>>>>
>>>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>>>> </ramp:crypto>
>>>> </ramp:encryptionCypto>
>>>> </ramp:RampartConfig>
>>>> </wsp:All>
>>>> </wsp:ExactlyOne>
>>>> </wsp:Policy>
>>>>
>>>> My service policy is:
>>>>
>>>> <wsp:Policy wsu:Id="SgnOnlyAnonymous"
>>>> xmlns:wsu="
>>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>>>> "
>>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>> xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>> <wsp:ExactlyOne>
>>>> <wsp:All>
>>>> <sp:AsymmetricBinding
>>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>> <wsp:Policy>
>>>> <sp:InitiatorToken>
>>>> <wsp:Policy>
>>>> <sp:X509Token
>>>> sp:IncludeToken="
>>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>>> ">
>>>> <wsp:Policy>
>>>> <sp:WssX509V3Token10 />
>>>> </wsp:Policy>
>>>> </sp:X509Token>
>>>> </wsp:Policy>
>>>> </sp:InitiatorToken>
>>>> <sp:RecipientToken>
>>>> <wsp:Policy>
>>>> <sp:X509Token
>>>> sp:IncludeToken="
>>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>>> ">
>>>> <wsp:Policy>
>>>> <sp:WssX509V3Token10 />
>>>> </wsp:Policy>
>>>> </sp:X509Token>
>>>> </wsp:Policy>
>>>> </sp:RecipientToken>
>>>> <sp:AlgorithmSuite>
>>>> <wsp:Policy>
>>>> <sp:Basic256Rsa15 />
>>>> </wsp:Policy>
>>>> </sp:AlgorithmSuite>
>>>> <sp:Layout>
>>>> <wsp:Policy>
>>>> <sp:Strict />
>>>> </wsp:Policy>
>>>> </sp:Layout>
>>>> <sp:EncryptBeforeSigning />
>>>> </wsp:Policy>
>>>> </sp:AsymmetricBinding>
>>>> <sp:SupportingTokens
>>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>> <wsp:Policy>
>>>> <sp:IssuedToken
>>>> sp:IncludeToken="
>>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
>>>> ">
>>>> <Issuer xmlns="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>> <Address
>>>> xmlns="http://www.w3.org/2005/08/addressing">
>>>> http://localhost:8080/axis2/services/STS</Address>
>>>> </Issuer>
>>>> <sp:RequestSecurityTokenTemplate>
>>>> <t:TokenType
>>>> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
>>>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
>>>> </t:TokenType>
>>>> <t:KeyType
>>>> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
>>>> http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
>>>> <t:KeySize
>>>> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">256</t:KeySize>
>>>> </sp:RequestSecurityTokenTemplate>
>>>> <wsp:Policy>
>>>> <sp:RequireInternalReference />
>>>> </wsp:Policy>
>>>> </sp:IssuedToken>
>>>> </wsp:Policy>
>>>> </sp:SupportingTokens>
>>>> <sp:SignedParts>
>>>> <sp:Body />
>>>> </sp:SignedParts>
>>>> <sp:EncryptedParts>
>>>> <sp:Body />
>>>> </sp:EncryptedParts>
>>>> <sp:Wss11>
>>>> <wsp:Policy>
>>>> <sp:MustSupportRefKeyIdentifier />
>>>> <sp:MustSupportRefIssuerSerial />
>>>> <sp:MustSupportRefThumbprint />
>>>> <sp:MustSupportRefEncryptedKey />
>>>> <sp:RequireSignatureConfirmation />
>>>> </wsp:Policy>
>>>> </sp:Wss11>
>>>> <sp:Trust10>
>>>> <wsp:Policy>
>>>> <sp:MustSupportIssuedTokens />
>>>> <!--<sp:RequireClientEntropy/> -->
>>>> <!--<sp:RequireServerEntropy/> -->
>>>> </wsp:Policy>
>>>> </sp:Trust10>
>>>> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>>>> <ramp:user>client</ramp:user>
>>>> <ramp:encryptionUser>server</ramp:encryptionUser>
>>>>
>>>> <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
>>>> <ramp:signatureCrypto>
>>>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>>> <ramp:property
>>>>
>>>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>>> <ramp:property
>>>>
>>>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>>>> <ramp:property
>>>>
>>>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>>>> </ramp:crypto>
>>>> </ramp:signatureCrypto>
>>>> <ramp:encryptionCypto>
>>>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>>> <ramp:property
>>>>
>>>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>>> <ramp:property
>>>>
>>>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>>>> <ramp:property
>>>>
>>>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>>>> </ramp:crypto>
>>>> </ramp:encryptionCypto>
>>>> </ramp:RampartConfig>
>>>> </wsp:All>
>>>> </wsp:ExactlyOne>
>>>> </wsp:Policy>
>>>>
>>>> --
>>>>
>>>>
>>>> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>>>>
>>>> Ing. Vincenzo Campanile
>>>>
>>>> Engineering Ingegneria Informatica s.p.a.
>>>>
>>>> Via Ferrante Imparato 192-198
>>>> Centro Mercato 2, ed. F
>>>> 80146 Napoli
>>>>
>>>> Tel. 081 5650654 - Fax: 081 5650636
>>>> e-mail: vincenzo.campanile@eng.it
>>>>
>>>> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>>>>
>>>>
>>>>
>>>>
>>> _________________________________________________________________
>>> Hotmail: Powerful Free email with security by Microsoft.
>>> http://clk.atdmt.com/GBL/go/201469230/direct/01/
>>>
>>>
>>>
>> --
>>
>>
>> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>>
>> Ing. Vincenzo Campanile
>>
>> Engineering Ingegneria Informatica s.p.a.
>>
>> Via Ferrante Imparato 192-198
>> Centro Mercato 2, ed. F
>> 80146 Napoli
>>
>> Tel. 081 5650654 - Fax: 081 5650636
>> e-mail: vincenzo.campanile@eng.it
>>
>> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>>
>>
>>
>
--
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Ing. Vincenzo Campanile
Engineering Ingegneria Informatica s.p.a.
Via Ferrante Imparato 192-198
Centro Mercato 2, ed. F
80146 Napoli
Tel. 081 5650654 - Fax: 081 5650636
e-mail: vincenzo.campanile@eng.it
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Re: Saml as SupportingToken
Posted by Thilina Mahesh Buddhika <th...@gmail.com>.
Hi Vicampan,
How about trying something similar to the following. This approach was derived
from the general WS-Trust scenario implemented using Rampart. AFAIK there is
no clean approach for doing this, because this scenario is not that common.
- First Create a Token which contains the SAML token.
- Add it to the trust store.
TokenStorage store = TrustUtil.getTokenStore(confContext);
store.add(token);
- Create an Options object and set the following property on it. Then set it on the
STSClient.
options.setProperty(RampartMessageData.KEY_CUSTOM_ISSUED_TOKEN,
responseToken.getId());
stsClient.setOptions(options);
- Set the STSPolicy correctly at the client's end.
Hope this helps.
Thanks.
/thilina
Thilina Mahesh Buddhika
http://blog.thilinamb.com
On Fri, Feb 19, 2010 at 2:08 PM, Vincenzo Campanile <vi...@eng.it> wrote:
> I want my client to work like in policy sample 05 but my STS will issue a
> SAML token on basis of a provided SAML token. Server side there won't be a
> rahas based STS and neither an axis2 service.
> What do you mean by "inflow and outflow code"?
>
> thanks, vicampan.
>
> Il 18/02/2010 18.46, Martin Gainty ha scritto:
>
> difficult to say (without seeing the inflow and outflow code)
>>
>> thanks,
>> Martin Gainty
>> ______________________________________________
>> Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité
>>
>> Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene
>> Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte
>> Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht
>> dient lediglich dem Austausch von Informationen und entfaltet keine
>> rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von
>> E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen.
>> Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le
>> destinataire prévu, nous te demandons avec bonté que pour satisfaire
>> informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie
>> de ceci est interdite. Ce message sert à l'information seulement et n'aura
>> pas n'importe quel effet légalement obligatoire. Étant donné que les email
>> peuvent facilement être sujets à la manipulation, nous ne pouvons accepter
>> aucune responsabilité pour le contenu fourni.
>>
>>
>>
>>
>>
>>
>>> Date: Thu, 18 Feb 2010 18:17:32 +0100
>>> From: vicampan@eng.it
>>> To: rampart-dev@ws.apache.org
>>> Subject: Saml as SupportingToken
>>>
>>> Hi,
>>> in a WS-Trust scenario, i have a issuer policy with SAML defined as
>>> supporting token. My STS issues a SAML token on basis of a SAML token.
>>> It seems to me that rampart simply ignores the<SupportingTokens>
>>> element i added to the issuer policy. How will i attach a SAML token in
>>> the security header of my RST using rampart?
>>>
>>> Thanks, vicampan.
>>>
>>> My issuer policy looks like:
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <wsp:Policy wsu:Id="SigOnly"
>>> xmlns:wsu="
>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>>> "
>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>> <wsp:ExactlyOne>
>>> <wsp:All>
>>> <sp:AsymmetricBinding
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <wsp:Policy>
>>> <sp:InitiatorToken>
>>> <wsp:Policy>
>>> <sp:X509Token
>>> sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>> ">
>>> <wsp:Policy>
>>> <sp:WssX509V3Token10 />
>>> </wsp:Policy>
>>> </sp:X509Token>
>>> </wsp:Policy>
>>> </sp:InitiatorToken>
>>> <sp:RecipientToken>
>>> <wsp:Policy>
>>> <sp:X509Token
>>> sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>> ">
>>> <wsp:Policy>
>>> <sp:WssX509V3Token10 />
>>> </wsp:Policy>
>>> </sp:X509Token>
>>> </wsp:Policy>
>>> </sp:RecipientToken>
>>> <sp:AlgorithmSuite>
>>> <wsp:Policy>
>>> <sp:Basic256Rsa15 />
>>> </wsp:Policy>
>>> </sp:AlgorithmSuite>
>>> <sp:Layout>
>>> <wsp:Policy>
>>> <sp:Strict />
>>> </wsp:Policy>
>>> </sp:Layout>
>>> <sp:EncryptBeforeSigning />
>>> </wsp:Policy>
>>> </sp:AsymmetricBinding>
>>> <sp:SupportingTokens
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <wsp:Policy>
>>> <sp:SamlToken
>>> sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>> "
>>> />
>>> <wsp:Policy>
>>> <sp:WssSamlV11Token11/>
>>> </wsp:Policy>
>>> </wsp:Policy>
>>> </sp:SupportingTokens>
>>> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
>>> ">
>>> <wsp:Policy>
>>> <sp:MustSupportRefKeyIdentifier />
>>> <sp:MustSupportRefIssuerSerial />
>>> </wsp:Policy>
>>> </sp:Wss10>
>>> <sp:SignedParts
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <sp:Body />
>>> </sp:SignedParts>
>>> <sp:EncryptedParts
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <sp:Body />
>>> </sp:EncryptedParts>
>>> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>>> <ramp:user>client</ramp:user>
>>> <ramp:encryptionUser>server</ramp:encryptionUser>
>>>
>>> <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
>>> <ramp:signatureCrypto>
>>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>>> </ramp:crypto>
>>> </ramp:signatureCrypto>
>>> <ramp:encryptionCypto>
>>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>>> </ramp:crypto>
>>> </ramp:encryptionCypto>
>>> </ramp:RampartConfig>
>>> </wsp:All>
>>> </wsp:ExactlyOne>
>>> </wsp:Policy>
>>>
>>> My service policy is:
>>>
>>> <wsp:Policy wsu:Id="SgnOnlyAnonymous"
>>> xmlns:wsu="
>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>>> "
>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>> xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <wsp:ExactlyOne>
>>> <wsp:All>
>>> <sp:AsymmetricBinding
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <wsp:Policy>
>>> <sp:InitiatorToken>
>>> <wsp:Policy>
>>> <sp:X509Token
>>> sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>> ">
>>> <wsp:Policy>
>>> <sp:WssX509V3Token10 />
>>> </wsp:Policy>
>>> </sp:X509Token>
>>> </wsp:Policy>
>>> </sp:InitiatorToken>
>>> <sp:RecipientToken>
>>> <wsp:Policy>
>>> <sp:X509Token
>>> sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>> ">
>>> <wsp:Policy>
>>> <sp:WssX509V3Token10 />
>>> </wsp:Policy>
>>> </sp:X509Token>
>>> </wsp:Policy>
>>> </sp:RecipientToken>
>>> <sp:AlgorithmSuite>
>>> <wsp:Policy>
>>> <sp:Basic256Rsa15 />
>>> </wsp:Policy>
>>> </sp:AlgorithmSuite>
>>> <sp:Layout>
>>> <wsp:Policy>
>>> <sp:Strict />
>>> </wsp:Policy>
>>> </sp:Layout>
>>> <sp:EncryptBeforeSigning />
>>> </wsp:Policy>
>>> </sp:AsymmetricBinding>
>>> <sp:SupportingTokens
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <wsp:Policy>
>>> <sp:IssuedToken
>>> sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
>>> ">
>>> <Issuer xmlns="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <Address
>>> xmlns="http://www.w3.org/2005/08/addressing">
>>> http://localhost:8080/axis2/services/STS</Address>
>>> </Issuer>
>>> <sp:RequestSecurityTokenTemplate>
>>> <t:TokenType
>>> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
>>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
>>> </t:TokenType>
>>> <t:KeyType
>>> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
>>> http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
>>> <t:KeySize
>>> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">256</t:KeySize>
>>> </sp:RequestSecurityTokenTemplate>
>>> <wsp:Policy>
>>> <sp:RequireInternalReference />
>>> </wsp:Policy>
>>> </sp:IssuedToken>
>>> </wsp:Policy>
>>> </sp:SupportingTokens>
>>> <sp:SignedParts>
>>> <sp:Body />
>>> </sp:SignedParts>
>>> <sp:EncryptedParts>
>>> <sp:Body />
>>> </sp:EncryptedParts>
>>> <sp:Wss11>
>>> <wsp:Policy>
>>> <sp:MustSupportRefKeyIdentifier />
>>> <sp:MustSupportRefIssuerSerial />
>>> <sp:MustSupportRefThumbprint />
>>> <sp:MustSupportRefEncryptedKey />
>>> <sp:RequireSignatureConfirmation />
>>> </wsp:Policy>
>>> </sp:Wss11>
>>> <sp:Trust10>
>>> <wsp:Policy>
>>> <sp:MustSupportIssuedTokens />
>>> <!--<sp:RequireClientEntropy/> -->
>>> <!--<sp:RequireServerEntropy/> -->
>>> </wsp:Policy>
>>> </sp:Trust10>
>>> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>>> <ramp:user>client</ramp:user>
>>> <ramp:encryptionUser>server</ramp:encryptionUser>
>>>
>>> <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
>>> <ramp:signatureCrypto>
>>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>>> </ramp:crypto>
>>> </ramp:signatureCrypto>
>>> <ramp:encryptionCypto>
>>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>>> </ramp:crypto>
>>> </ramp:encryptionCypto>
>>> </ramp:RampartConfig>
>>> </wsp:All>
>>> </wsp:ExactlyOne>
>>> </wsp:Policy>
>>>
>>> --
>>>
>>>
>>> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>>>
>>> Ing. Vincenzo Campanile
>>>
>>> Engineering Ingegneria Informatica s.p.a.
>>>
>>> Via Ferrante Imparato 192-198
>>> Centro Mercato 2, ed. F
>>> 80146 Napoli
>>>
>>> Tel. 081 5650654 - Fax: 081 5650636
>>> e-mail: vincenzo.campanile@eng.it
>>>
>>> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>>>
>>>
>>>
>>
>> _________________________________________________________________
>> Hotmail: Powerful Free email with security by Microsoft.
>> http://clk.atdmt.com/GBL/go/201469230/direct/01/
>>
>>
>
> --
>
>
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>
> Ing. Vincenzo Campanile
>
> Engineering Ingegneria Informatica s.p.a.
>
> Via Ferrante Imparato 192-198
> Centro Mercato 2, ed. F
> 80146 Napoli
>
> Tel. 081 5650654 - Fax: 081 5650636
> e-mail: vincenzo.campanile@eng.it
>
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>
>
Re: Saml as SupportingToken
Posted by Håkon Sagehaug <ha...@uni.no>.
Hi
Is the client Axis2-based? In my Axis2-based stub client I do it like this:
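// Read the sample SAML assertion for the service from the classpath into an
// AXIOM element. fromInputFileToOmElm() is a helper defined elsewhere.
OMElement samlAssert =
        fromInputFileToOmElm("/xmlMessages/SAMLAssertion.xml");

/*
 * Wrap the SAML assertion in a Rampart/Rahas Token so it can be placed in the
 * token store and referenced by id when the request is built. The original
 * snippet read "Token token = null; = new Token(...)", which does not compile;
 * a single initialisation is intended. `from` and `to` are not defined in this
 * excerpt -- presumably the token's validity bounds; confirm against the
 * Token constructor in use.
 */
Token token = new Token("myToken", samlAssert, from, to);

/* Axis2 configuration for the client, loaded from the repository directory. */
ConfigurationContext config = ConfigurationContextFactory
        .createConfigurationContextFromFileSystem("src/test/resources/repository");

/*
 * Token storage bound to this configuration context. Rampart looks the token
 * up here by id (see KEY_CUSTOM_ISSUED_TOKEN below), so it must be added
 * before the call is made.
 */
TokenStorage store = TrustUtil.getTokenStore(config);
store.add(token);

/*
 * Client options: target endpoint, the WS-SecurityPolicy for the service, and
 * the id of the token that Rampart should attach to the outgoing request.
 */
Options options = new Options();

/*
 * Endpoint the client calls. `tcpmon` is not defined in this excerpt; the name
 * suggests a TCPMon debugging proxy sits in front of the real service --
 * confirm, and point this at the service endpoint outside of debugging.
 */
options.setTo(new EndpointReference(tcpmon));

/* Policy that governs how the request to the service is secured. */
options.setProperty(
        RampartMessageData.KEY_RAMPART_POLICY,
        loadPolicy("src/test/resources/policy/policy_sts_saml.xml"));

/*
 * Tell Rampart which stored token to include in the request's security header.
 * The value is the token id, not the token itself; the token is resolved from
 * the TokenStorage populated above.
 */
options.setProperty(RampartMessageData.KEY_CUSTOM_ISSUED_TOKEN,
        token.getId());

UserMgntClient client = new UserMgntClient(options, config, true);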
Hope this helps
cheers, Håkon
On 19 February 2010 09:38, Vincenzo Campanile <vi...@eng.it> wrote:
> I want my client to work like in policy sample 05 but my STS will issue a
> SAML token on basis of a provided SAML token. Server side there won't be a
> rahas based STS and neither an axis2 service.
> What do you mean by "inflow and outflow code"?
>
> thanks, vicampan.
>
> Il 18/02/2010 18.46, Martin Gainty ha scritto:
>
> difficult to say (without seeing the inflow and outflow code)
>>
>> thanks,
>> Martin Gainty
>> ______________________________________________
>> Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité
>>
>> Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene
>> Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte
>> Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht
>> dient lediglich dem Austausch von Informationen und entfaltet keine
>> rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von
>> E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen.
>> Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le
>> destinataire prévu, nous te demandons avec bonté que pour satisfaire
>> informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie
>> de ceci est interdite. Ce message sert à l'information seulement et n'aura
>> pas n'importe quel effet légalement obligatoire. Étant donné que les email
>> peuvent facilement être sujets à la manipulation, nous ne pouvons accepter
>> aucune responsabilité pour le contenu fourni.
>>
>>
>>
>>
>>
>>
>>> Date: Thu, 18 Feb 2010 18:17:32 +0100
>>> From: vicampan@eng.it
>>> To: rampart-dev@ws.apache.org
>>> Subject: Saml as SupportingToken
>>>
>>> Hi,
>>> in a WS-Trust scenario, i have a issuer policy with SAML defined as
>>> supporting token. My STS issues a SAML token on basis of a SAML token.
>>> It seems to me that rampart simply ignores the<SupportingTokens>
>>> element i added to the issuer policy. How will i attach a SAML token in
>>> the security header of my RST using rampart?
>>>
>>> Thanks, vicampan.
>>>
>>> My issuer policy looks like:
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <wsp:Policy wsu:Id="SigOnly"
>>> xmlns:wsu="
>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>>> "
>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>> <wsp:ExactlyOne>
>>> <wsp:All>
>>> <sp:AsymmetricBinding
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <wsp:Policy>
>>> <sp:InitiatorToken>
>>> <wsp:Policy>
>>> <sp:X509Token
>>> sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>> ">
>>> <wsp:Policy>
>>> <sp:WssX509V3Token10 />
>>> </wsp:Policy>
>>> </sp:X509Token>
>>> </wsp:Policy>
>>> </sp:InitiatorToken>
>>> <sp:RecipientToken>
>>> <wsp:Policy>
>>> <sp:X509Token
>>> sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>> ">
>>> <wsp:Policy>
>>> <sp:WssX509V3Token10 />
>>> </wsp:Policy>
>>> </sp:X509Token>
>>> </wsp:Policy>
>>> </sp:RecipientToken>
>>> <sp:AlgorithmSuite>
>>> <wsp:Policy>
>>> <sp:Basic256Rsa15 />
>>> </wsp:Policy>
>>> </sp:AlgorithmSuite>
>>> <sp:Layout>
>>> <wsp:Policy>
>>> <sp:Strict />
>>> </wsp:Policy>
>>> </sp:Layout>
>>> <sp:EncryptBeforeSigning />
>>> </wsp:Policy>
>>> </sp:AsymmetricBinding>
>>> <sp:SupportingTokens
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <wsp:Policy>
>>> <sp:SamlToken
>>> sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>> "
>>> />
>>> <wsp:Policy>
>>> <sp:WssSamlV11Token11/>
>>> </wsp:Policy>
>>> </wsp:Policy>
>>> </sp:SupportingTokens>
>>> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
>>> ">
>>> <wsp:Policy>
>>> <sp:MustSupportRefKeyIdentifier />
>>> <sp:MustSupportRefIssuerSerial />
>>> </wsp:Policy>
>>> </sp:Wss10>
>>> <sp:SignedParts
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <sp:Body />
>>> </sp:SignedParts>
>>> <sp:EncryptedParts
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <sp:Body />
>>> </sp:EncryptedParts>
>>> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>>> <ramp:user>client</ramp:user>
>>> <ramp:encryptionUser>server</ramp:encryptionUser>
>>>
>>> <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
>>> <ramp:signatureCrypto>
>>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>>> </ramp:crypto>
>>> </ramp:signatureCrypto>
>>> <ramp:encryptionCypto>
>>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>>> </ramp:crypto>
>>> </ramp:encryptionCypto>
>>> </ramp:RampartConfig>
>>> </wsp:All>
>>> </wsp:ExactlyOne>
>>> </wsp:Policy>
>>>
>>> My service policy is:
>>>
>>> <wsp:Policy wsu:Id="SgnOnlyAnonymous"
>>> xmlns:wsu="
>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>>> "
>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>> xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <wsp:ExactlyOne>
>>> <wsp:All>
>>> <sp:AsymmetricBinding
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <wsp:Policy>
>>> <sp:InitiatorToken>
>>> <wsp:Policy>
>>> <sp:X509Token
>>> sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>> ">
>>> <wsp:Policy>
>>> <sp:WssX509V3Token10 />
>>> </wsp:Policy>
>>> </sp:X509Token>
>>> </wsp:Policy>
>>> </sp:InitiatorToken>
>>> <sp:RecipientToken>
>>> <wsp:Policy>
>>> <sp:X509Token
>>> sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
>>> ">
>>> <wsp:Policy>
>>> <sp:WssX509V3Token10 />
>>> </wsp:Policy>
>>> </sp:X509Token>
>>> </wsp:Policy>
>>> </sp:RecipientToken>
>>> <sp:AlgorithmSuite>
>>> <wsp:Policy>
>>> <sp:Basic256Rsa15 />
>>> </wsp:Policy>
>>> </sp:AlgorithmSuite>
>>> <sp:Layout>
>>> <wsp:Policy>
>>> <sp:Strict />
>>> </wsp:Policy>
>>> </sp:Layout>
>>> <sp:EncryptBeforeSigning />
>>> </wsp:Policy>
>>> </sp:AsymmetricBinding>
>>> <sp:SupportingTokens
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <wsp:Policy>
>>> <sp:IssuedToken
>>> sp:IncludeToken="
>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
>>> ">
>>> <Issuer xmlns="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <Address
>>> xmlns="http://www.w3.org/2005/08/addressing">
>>> http://localhost:8080/axis2/services/STS</Address>
>>> </Issuer>
>>> <sp:RequestSecurityTokenTemplate>
>>> <t:TokenType
>>> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
>>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
>>> </t:TokenType>
>>> <t:KeyType
>>> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
>>> http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
>>> <t:KeySize
>>> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">256</t:KeySize>
>>> </sp:RequestSecurityTokenTemplate>
>>> <wsp:Policy>
>>> <sp:RequireInternalReference />
>>> </wsp:Policy>
>>> </sp:IssuedToken>
>>> </wsp:Policy>
>>> </sp:SupportingTokens>
>>> <sp:SignedParts>
>>> <sp:Body />
>>> </sp:SignedParts>
>>> <sp:EncryptedParts>
>>> <sp:Body />
>>> </sp:EncryptedParts>
>>> <sp:Wss11>
>>> <wsp:Policy>
>>> <sp:MustSupportRefKeyIdentifier />
>>> <sp:MustSupportRefIssuerSerial />
>>> <sp:MustSupportRefThumbprint />
>>> <sp:MustSupportRefEncryptedKey />
>>> <sp:RequireSignatureConfirmation />
>>> </wsp:Policy>
>>> </sp:Wss11>
>>> <sp:Trust10>
>>> <wsp:Policy>
>>> <sp:MustSupportIssuedTokens />
>>> <!--<sp:RequireClientEntropy/> -->
>>> <!--<sp:RequireServerEntropy/> -->
>>> </wsp:Policy>
>>> </sp:Trust10>
>>> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>>> <ramp:user>client</ramp:user>
>>> <ramp:encryptionUser>server</ramp:encryptionUser>
>>>
>>> <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
>>> <ramp:signatureCrypto>
>>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>>> </ramp:crypto>
>>> </ramp:signatureCrypto>
>>> <ramp:encryptionCypto>
>>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>>> <ramp:property
>>>
>>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>>> </ramp:crypto>
>>> </ramp:encryptionCypto>
>>> </ramp:RampartConfig>
>>> </wsp:All>
>>> </wsp:ExactlyOne>
>>> </wsp:Policy>
>>>
>>> --
>>>
>>>
>>> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>>>
>>> Ing. Vincenzo Campanile
>>>
>>> Engineering Ingegneria Informatica s.p.a.
>>>
>>> Via Ferrante Imparato 192-198
>>> Centro Mercato 2, ed. F
>>> 80146 Napoli
>>>
>>> Tel. 081 5650654 - Fax: 081 5650636
>>> e-mail: vincenzo.campanile@eng.it
>>>
>>> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>>>
>>>
>>>
>>
>> _________________________________________________________________
>> Hotmail: Powerful Free email with security by Microsoft.
>> http://clk.atdmt.com/GBL/go/201469230/direct/01/
>>
>>
>
> --
>
>
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>
> Ing. Vincenzo Campanile
>
> Engineering Ingegneria Informatica s.p.a.
>
> Via Ferrante Imparato 192-198
> Centro Mercato 2, ed. F
> 80146 Napoli
>
> Tel. 081 5650654 - Fax: 081 5650636
> e-mail: vincenzo.campanile@eng.it
>
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>
>
--
Håkon Sagehaug, Scientific Programmer
Parallab, Bergen Center for Computational Science(BCCS)
Uni BCCS/Uni Research
Hakon.Sagehaug@uni.no, phone +47 55584125
Re: Saml as SupportingToken
Posted by Vincenzo Campanile <vi...@eng.it>.
I want my client to work like policy sample 05, but my STS will issue
a SAML token on the basis of a provided SAML token. On the server side there
won't be a Rahas-based STS, nor an Axis2 service.
What do you mean by "inflow and outflow code"?
thanks, vicampan.
Il 18/02/2010 18.46, Martin Gainty ha scritto:
> difficult to say (without seeing the inflow and outflow code)
>
> thanks,
> Martin Gainty
> ______________________________________________
> Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité
>
> Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen.
> Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni.
>
>
>
>
>
>> Date: Thu, 18 Feb 2010 18:17:32 +0100
>> From: vicampan@eng.it
>> To: rampart-dev@ws.apache.org
>> Subject: Saml as SupportingToken
>>
>> Hi,
>> in a WS-Trust scenario, i have a issuer policy with SAML defined as
>> supporting token. My STS issues a SAML token on basis of a SAML token.
>> It seems to me that rampart simply ignores the<SupportingTokens>
>> element i added to the issuer policy. How will i attach a SAML token in
>> the security header of my RST using rampart?
>>
>> Thanks, vicampan.
>>
>> My issuer policy looks like:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <wsp:Policy wsu:Id="SigOnly"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>> <wsp:ExactlyOne>
>> <wsp:All>
>> <sp:AsymmetricBinding
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:InitiatorToken>
>> <wsp:Policy>
>> <sp:X509Token
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>> <wsp:Policy>
>> <sp:WssX509V3Token10 />
>> </wsp:Policy>
>> </sp:X509Token>
>> </wsp:Policy>
>> </sp:InitiatorToken>
>> <sp:RecipientToken>
>> <wsp:Policy>
>> <sp:X509Token
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>> <wsp:Policy>
>> <sp:WssX509V3Token10 />
>> </wsp:Policy>
>> </sp:X509Token>
>> </wsp:Policy>
>> </sp:RecipientToken>
>> <sp:AlgorithmSuite>
>> <wsp:Policy>
>> <sp:Basic256Rsa15 />
>> </wsp:Policy>
>> </sp:AlgorithmSuite>
>> <sp:Layout>
>> <wsp:Policy>
>> <sp:Strict />
>> </wsp:Policy>
>> </sp:Layout>
>> <sp:EncryptBeforeSigning />
>> </wsp:Policy>
>> </sp:AsymmetricBinding>
>> <sp:SupportingTokens
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:SamlToken
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"
>> />
>> <wsp:Policy>
>> <sp:WssSamlV11Token11/>
>> </wsp:Policy>
>> </wsp:Policy>
>> </sp:SupportingTokens>
>> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:MustSupportRefKeyIdentifier />
>> <sp:MustSupportRefIssuerSerial />
>> </wsp:Policy>
>> </sp:Wss10>
>> <sp:SignedParts
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <sp:Body />
>> </sp:SignedParts>
>> <sp:EncryptedParts
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <sp:Body />
>> </sp:EncryptedParts>
>> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>> <ramp:user>client</ramp:user>
>> <ramp:encryptionUser>server</ramp:encryptionUser>
>> <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
>> <ramp:signatureCrypto>
>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>> <ramp:property
>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>> <ramp:property
>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>> <ramp:property
>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>> </ramp:crypto>
>> </ramp:signatureCrypto>
>> <ramp:encryptionCypto>
>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>> <ramp:property
>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>> <ramp:property
>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>> <ramp:property
>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>> </ramp:crypto>
>> </ramp:encryptionCypto>
>> </ramp:RampartConfig>
>> </wsp:All>
>> </wsp:ExactlyOne>
>> </wsp:Policy>
>>
>> My service policy is:
>>
>> <wsp:Policy wsu:Id="SgnOnlyAnonymous"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:ExactlyOne>
>> <wsp:All>
>> <sp:AsymmetricBinding
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:InitiatorToken>
>> <wsp:Policy>
>> <sp:X509Token
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>> <wsp:Policy>
>> <sp:WssX509V3Token10 />
>> </wsp:Policy>
>> </sp:X509Token>
>> </wsp:Policy>
>> </sp:InitiatorToken>
>> <sp:RecipientToken>
>> <wsp:Policy>
>> <sp:X509Token
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>> <wsp:Policy>
>> <sp:WssX509V3Token10 />
>> </wsp:Policy>
>> </sp:X509Token>
>> </wsp:Policy>
>> </sp:RecipientToken>
>> <sp:AlgorithmSuite>
>> <wsp:Policy>
>> <sp:Basic256Rsa15 />
>> </wsp:Policy>
>> </sp:AlgorithmSuite>
>> <sp:Layout>
>> <wsp:Policy>
>> <sp:Strict />
>> </wsp:Policy>
>> </sp:Layout>
>> <sp:EncryptBeforeSigning />
>> </wsp:Policy>
>> </sp:AsymmetricBinding>
>> <sp:SupportingTokens
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:IssuedToken
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>> <Issuer xmlns="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <Address
>> xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8080/axis2/services/STS</Address>
>> </Issuer>
>> <sp:RequestSecurityTokenTemplate>
>> <t:TokenType
>> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
>> <t:KeyType
>> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
>> <t:KeySize
>> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">256</t:KeySize>
>> </sp:RequestSecurityTokenTemplate>
>> <wsp:Policy>
>> <sp:RequireInternalReference />
>> </wsp:Policy>
>> </sp:IssuedToken>
>> </wsp:Policy>
>> </sp:SupportingTokens>
>> <sp:SignedParts>
>> <sp:Body />
>> </sp:SignedParts>
>> <sp:EncryptedParts>
>> <sp:Body />
>> </sp:EncryptedParts>
>> <sp:Wss11>
>> <wsp:Policy>
>> <sp:MustSupportRefKeyIdentifier />
>> <sp:MustSupportRefIssuerSerial />
>> <sp:MustSupportRefThumbprint />
>> <sp:MustSupportRefEncryptedKey />
>> <sp:RequireSignatureConfirmation />
>> </wsp:Policy>
>> </sp:Wss11>
>> <sp:Trust10>
>> <wsp:Policy>
>> <sp:MustSupportIssuedTokens />
>> <!--<sp:RequireClientEntropy/> -->
>> <!--<sp:RequireServerEntropy/> -->
>> </wsp:Policy>
>> </sp:Trust10>
>> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>> <ramp:user>client</ramp:user>
>> <ramp:encryptionUser>server</ramp:encryptionUser>
>> <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
>> <ramp:signatureCrypto>
>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>> <ramp:property
>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>> <ramp:property
>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>> <ramp:property
>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>> </ramp:crypto>
>> </ramp:signatureCrypto>
>> <ramp:encryptionCypto>
>> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>> <ramp:property
>> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
>> <ramp:property
>> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
>> <ramp:property
>> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>> </ramp:crypto>
>> </ramp:encryptionCypto>
>> </ramp:RampartConfig>
>> </wsp:All>
>> </wsp:ExactlyOne>
>> </wsp:Policy>
>>
>> --
>>
>>
>> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>>
>> Ing. Vincenzo Campanile
>>
>> Engineering Ingegneria Informatica s.p.a.
>>
>> Via Ferrante Imparato 192-198
>> Centro Mercato 2, ed. F
>> 80146 Napoli
>>
>> Tel. 081 5650654 - Fax: 081 5650636
>> e-mail: vincenzo.campanile@eng.it
>>
>> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>>
>>
>
> _________________________________________________________________
> Hotmail: Powerful Free email with security by Microsoft.
> http://clk.atdmt.com/GBL/go/201469230/direct/01/
>
--
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Ing. Vincenzo Campanile
Engineering Ingegneria Informatica s.p.a.
Via Ferrante Imparato 192-198
Centro Mercato 2, ed. F
80146 Napoli
Tel. 081 5650654 - Fax: 081 5650636
e-mail: vincenzo.campanile@eng.it
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
RE: Saml as SupportingToken
Posted by Martin Gainty <mg...@hotmail.com>.
difficult to say (without seeing the inflow and outflow code)
thanks,
Martin Gainty
______________________________________________
Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité
Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen.
Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni.
> Date: Thu, 18 Feb 2010 18:17:32 +0100
> From: vicampan@eng.it
> To: rampart-dev@ws.apache.org
> Subject: Saml as SupportingToken
>
> Hi,
> in a WS-Trust scenario, i have a issuer policy with SAML defined as
> supporting token. My STS issues a SAML token on basis of a SAML token.
> It seems to me that rampart simply ignores the <SupportingTokens>
> element i added to the issuer policy. How will i attach a SAML token in
> the security header of my RST using rampart?
>
> Thanks, vicampan.
>
> My issuer policy looks like:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <wsp:Policy wsu:Id="SigOnly"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:AsymmetricBinding
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
> <wsp:Policy>
> <sp:WssX509V3Token10 />
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
> <wsp:Policy>
> <sp:WssX509V3Token10 />
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256Rsa15 />
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict />
> </wsp:Policy>
> </sp:Layout>
> <sp:EncryptBeforeSigning />
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:SupportingTokens
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:SamlToken
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"
> />
> <wsp:Policy>
> <sp:WssSamlV11Token11/>
> </wsp:Policy>
> </wsp:Policy>
> </sp:SupportingTokens>
> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier />
> <sp:MustSupportRefIssuerSerial />
> </wsp:Policy>
> </sp:Wss10>
> <sp:SignedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body />
> </sp:SignedParts>
> <sp:EncryptedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body />
> </sp:EncryptedParts>
> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> <ramp:user>client</ramp:user>
> <ramp:encryptionUser>server</ramp:encryptionUser>
> <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
> <ramp:signatureCrypto>
> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
> </ramp:crypto>
> </ramp:signatureCrypto>
> <ramp:encryptionCypto>
> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
> </ramp:crypto>
> </ramp:encryptionCypto>
> </ramp:RampartConfig>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
> My service policy is:
>
> <wsp:Policy wsu:Id="SgnOnlyAnonymous"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:AsymmetricBinding
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
> <wsp:Policy>
> <sp:WssX509V3Token10 />
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
> <wsp:Policy>
> <sp:WssX509V3Token10 />
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256Rsa15 />
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict />
> </wsp:Policy>
> </sp:Layout>
> <sp:EncryptBeforeSigning />
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:SupportingTokens
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:IssuedToken
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> <Issuer xmlns="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <Address
> xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8080/axis2/services/STS</Address>
> </Issuer>
> <sp:RequestSecurityTokenTemplate>
> <t:TokenType
> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
> <t:KeyType
> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
> <t:KeySize
> xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">256</t:KeySize>
> </sp:RequestSecurityTokenTemplate>
> <wsp:Policy>
> <sp:RequireInternalReference />
> </wsp:Policy>
> </sp:IssuedToken>
> </wsp:Policy>
> </sp:SupportingTokens>
> <sp:SignedParts>
> <sp:Body />
> </sp:SignedParts>
> <sp:EncryptedParts>
> <sp:Body />
> </sp:EncryptedParts>
> <sp:Wss11>
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier />
> <sp:MustSupportRefIssuerSerial />
> <sp:MustSupportRefThumbprint />
> <sp:MustSupportRefEncryptedKey />
> <sp:RequireSignatureConfirmation />
> </wsp:Policy>
> </sp:Wss11>
> <sp:Trust10>
> <wsp:Policy>
> <sp:MustSupportIssuedTokens />
> <!-- <sp:RequireClientEntropy/> -->
> <!-- <sp:RequireServerEntropy/> -->
> </wsp:Policy>
> </sp:Trust10>
> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> <ramp:user>client</ramp:user>
> <ramp:encryptionUser>server</ramp:encryptionUser>
> <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
> <ramp:signatureCrypto>
> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
> </ramp:crypto>
> </ramp:signatureCrypto>
> <ramp:encryptionCypto>
> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
> <ramp:property
> name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
> </ramp:crypto>
> </ramp:encryptionCypto>
> </ramp:RampartConfig>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
> --
>
>
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>
> Ing. Vincenzo Campanile
>
> Engineering Ingegneria Informatica s.p.a.
>
> Via Ferrante Imparato 192-198
> Centro Mercato 2, ed. F
> 80146 Napoli
>
> Tel. 081 5650654 - Fax: 081 5650636
> e-mail: vincenzo.campanile@eng.it
>
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>
_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
http://clk.atdmt.com/GBL/go/201469230/direct/01/