Posted to rampart-dev@ws.apache.org by Seshi Patibanda <se...@gmail.com> on 2009/01/29 22:00:03 UTC

Re: How to Include SAML token in the Security header! Possible Solution!!!

All,

For those who are interested, I have found a way to include the "obtained"
SAML token in the created Security header (<wsse:Security>) of the SOAP
message.

Used Axis2 AXIOM API methods to insert the Security header with the correct
namespace. Upon creating the security header, we just need to add the
obtained SAML token.

Importantly, this approach will completely BYPASS Rampart module engagement
with Axis2 client.

Attached is the code snippet that goes into the WSDL2Java generated stub
class method toEnvelope(org.apache.axiom.soap.SOAPFactory factory, .. ,
...).
=======================================================
try {

    //get SAML assertion token (the string returned by the STS)
    String assertion = getAssertion();

    org.apache.axiom.soap.SOAPEnvelope emptyEnvelope =
        factory.getDefaultEnvelope();

    //WS-Security 1.0 SecExt namespace; the URI must be a quoted string literal
    //(the year segment is 200401, as in the captured header below)
    OMNamespace ns = factory.createOMNamespace(
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
        "wsse");

    org.apache.axiom.soap.SOAPHeaderBlock soapHeaderBlock =
        factory.createSOAPHeaderBlock("Security", ns);

    //set the SAML assertion token in the SOAP Header block
    //(setText() stores the string as a text node, which is why "<" and ">"
    //show up escaped on the wire; see the DISCLAIMER below)
    soapHeaderBlock.setText(assertion);

    //add the Header block to the header
    emptyEnvelope.getHeader().addChild(soapHeaderBlock);

    //add the relevant body to the envelope
    emptyEnvelope.getBody().addChild(...);

    return emptyEnvelope;

} catch (org.apache.axis2.databinding.ADBException e) {
    throw org.apache.axis2.AxisFault.makeFault(e);
}


As a result, we will get the following SOAP header message:

<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <Assertion ...>....</Assertion>
  </wsse:Security>
</soapenv:Header>

============================================================

DISCLAIMER: When the SOAP message was intercepted (by setting
log4j.logger.httpclient.wire.header = DEBUG in the log4j.properties file),
I found out that the "<" and ">" chars of the Assertion string were being
encoded to the corresponding "&lt;" and "&gt;".

If anyone has suggestions to pass the Assertion string correctly (without
encoding), please share your thoughts...

Thanks,

Seshi Patibanda







On Tue, Jan 27, 2009 at 12:21 PM, Seshi Patibanda <se...@gmail.com> wrote:

> Hello all,
>
> As per the thread seen on markmail.org (
> http://markmail.org/thread/iq4j6x7g247wi75x), there was an update from
> Ruchith Fernando dated Nov 4, 2007 about the ways to include the obtained
> SAML token in the Security header.
>
> First option was given as:
>
> " By creating a wsse:Securityheader element and adding the token element
> into the header. Rampart processing down the line will re-use this header. "
>
> Could anyone please expand on how to implement this option using Apache
> Rampart 1.4?
>
> At my end, I have problems inserting an obtained SAML token in the Security
> header of my SOAP request. I have sent an email to the axis-user@ws.apache.org
> mailing list requesting feedback but haven't received any yet. All I need to
> do is just pass the retrieved SAML token to the remote web service
> (SSL-enabled) via SOAP header in the request.
>
>
> My configuration:
> Deployed Apache Rampart 1.4 module correctly as per the samples. Using
> Axis2 1.4 client and stubs generated by WSDL2Java tool. Based on my
> configuration, would policy based approach work? If so, does anyone have any
> sample Transport-level security policies to implement the SAML passing?
>
> Any feedback/suggestion is highly appreciated.
>
> Thanks,
>
> Seshi Patibanda
> seship67@gmail.com
>
>

Re: How to Include SAML token in the Security header! Possible Solution!!!

Posted by Seshi Patibanda <se...@gmail.com>.
Hello Masi,

Thank you for the pointer. As the setText() method is encoding the "<" and
">" chars in the SOAP header, I have used the following code to get it
working. Also, as my SAML assertion is being passed as a String, I have to
use the org.apache.axiom.om.impl.llom.util.AXIOMUtil.stringToOM() method to
create the OMElement.

import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.impl.llom.util.AXIOMUtil;

private OMElement createSecurityHeader( String securityAssertion ) throws Exception
{
    OMFactory omFactory = OMAbstractFactory.getOMFactory();
    // NameSpaceUtils.WSSE_SECURITY_NS holds the wsse namespace URI
    OMNamespace wsseNs = omFactory.createOMNamespace( NameSpaceUtils.WSSE_SECURITY_NS, "wsse" );
    OMElement wsseSecurityHeaderOM = omFactory.createOMElement( "Security", wsseNs );
    // parse the assertion string into an element tree instead of setting it as text
    OMElement omAssertionElement = AXIOMUtil.stringToOM( securityAssertion );
    wsseSecurityHeaderOM.addChild( omAssertionElement );
    return wsseSecurityHeaderOM;
}
In the toEnvelope() method of the stub class:
String assertion = getAssertion();
OMElement securityHeaderElement = createSecurityHeader(assertion);
emptyEnvelope.getHeader().addChild(securityHeaderElement);
....

Now I do not see the "<" and ">" chars being encoded in the Security header
block. So far so good.

Thanks,

Seshi Patibanda

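As an added example (not code from the thread or from Axis2/Rampart), the two replies above combined into one runnable class: the assertion string is parsed with AXIOMUtil.stringToOM() and attached to wsse:Security as a child element, and a small check confirms the header holds an Assertion element rather than the escaped text node that setText() produces. The assertion XML is a constructed placeholder, not a real token; the class name and method names are assumptions.

```java
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.impl.llom.util.AXIOMUtil;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axiom.soap.SOAPFactory;
import org.apache.axiom.soap.SOAPHeaderBlock;

public class SamlHeaderExample {
    // WS-Security 1.0 SecExt namespace, as in the captured header in the thread.
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // Constructed stand-in for the assertion string an STS would return (not a real token).
    static final String SAMPLE_ASSERTION =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\""
        + " AssertionID=\"_example\" MajorVersion=\"1\" MinorVersion=\"1\">"
        + "<saml:AuthenticationStatement/></saml:Assertion>";

    /** Build wsse:Security and attach the assertion as a child element, not as text. */
    static SOAPHeaderBlock buildSecurityHeader(SOAPFactory factory, String assertionXml)
            throws Exception {
        OMNamespace wsse = factory.createOMNamespace(WSSE_NS, "wsse");
        SOAPHeaderBlock security = factory.createSOAPHeaderBlock("Security", wsse);
        // stringToOM() parses the string into an element tree; setText() would store it
        // as a text node and the serializer would escape "<" and ">" on the wire.
        OMElement assertion = AXIOMUtil.stringToOM(assertionXml);
        security.addChild(assertion);
        return security;
    }

    /** Verify the header carries an Assertion element rather than an escaped text node. */
    static boolean hasAssertionElement(SOAPEnvelope env) {
        OMElement security = env.getHeader()
                .getFirstChildWithName(new QName(WSSE_NS, "Security"));
        if (security == null) return false;
        OMElement first = security.getFirstElement();
        return first != null && "Assertion".equals(first.getLocalName());
    }

    public static void main(String[] args) throws Exception {
        SOAPFactory factory = OMAbstractFactory.getSOAP11Factory();
        SOAPEnvelope env = factory.getDefaultEnvelope();
        env.getHeader().addChild(buildSecurityHeader(factory, SAMPLE_ASSERTION));
        System.out.println("assertion is an element: " + hasAssertionElement(env));
        System.out.println(env);
    }
}
```

Because Rampart is not engaged on this path, nothing on the client signs the message or checks the assertion; the receiving service has to validate the assertion's signature and conditions itself.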
Re: How to Include SAML token in the Security header! Possible Solution!!!

Posted by Massimiliano Masi <ma...@math.unifi.it>.
Seshi,

I think you don't have to use the setText.

I was using something like:

import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axis2.util.XMLUtils;
import org.w3c.dom.Element;

    /**
     * Create a new fresh security header with WSSE 1.1 and Security as localName
     * @param securityAssertion
     * @return
     * @throws Exception
     */
    private Element createSecurityHeader( Element securityAssertion ) throws Exception
    {
        OMFactory fac = OMAbstractFactory.getOMFactory();
        OMNamespace wsseNs = fac.createOMNamespace( NameSpaceUtils.WSSE_SECURITY_NS, "wsse" );
        OMElement wsseSecurityHeaderOM = fac.createOMElement( "Security", wsseNs );
        // convert the DOM assertion to AXIOM, attach it as a child element, convert back
        OMElement securityAssertionOM = XMLUtils.toOM( securityAssertion );
        wsseSecurityHeaderOM.addChild( securityAssertionOM );
        return XMLUtils.toDOM( wsseSecurityHeaderOM );
    }


But it's not clean and correct. Simply use the addChild method.

I'm searching on how to produce a SecurityPolicy for including it.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.