Posted to java-user@axis.apache.org by Christina Larocca <ch...@gmail.com> on 2007/08/14 04:58:39 UTC

[Axis2] SAML security tokens generation

Hi all Axis2 users:

I have been managing some web services using UsernameTokens (without using
rampart) to convey identities. I've a client that connects to a Token issuer
service that provides it an EndpointReference and the Username token needed
to authenticate. Now I must remodel the security of the whole model and
instead of that, SAML tokens with encryption of the user name and signature
will be used. The last axis2 version I've been using was the 1.1 and now I'm
thinking about updating to the newest one and starting to use rampart.

I have read that, unfortunately, Rampart itself can't be configured to add
the SAML token to the Security header and that it delegates those functions
to an STS called Rahas. The documentation I found about Rahas is very weak
and despite my experience I don't have a clue about where or how to start.
Could anyone tell me where to find a good tutorial or usage examples? Or,
even better, could anyone show me some code to generate the tokens? If it's
possible, I would prefer to configure rahas with code instead of creating text
config files.

Thanks in advance.

Christina.

UDDI v3 useType Deserialization using Axis 1.4

Posted by "Shah, Sumit" <su...@cgi.com>.
Hello,

I am trying to de-serialize the SOAP response for the Find_binding() API for
UDDI v3. It's failing to deserialize the 'useType' attribute of the
'accessPoint' element.

While trying to get the Type Mapping for 'useType' in
org.apache.axis.encoding.TypeMappingImpl#getTypeQNameExact() it gets the
xmlType QName as '{http://www.w3.org/2000/09/xmldsig#}KeyName' instead
of {urn:uddi-org:api_v3}useType. 

I have tried to register the QName as:

import javax.xml.namespace.QName;
import org.apache.axis.encoding.ser.SimpleDeserializerFactory;
import org.apache.axis.encoding.ser.SimpleSerializerFactory;

QName v3useTypeQName = new QName("urn:uddi-org:api_v3", "useType");

wsifPort.getCall().registerTypeMapping(String.class, v3useTypeQName,
        new SimpleSerializerFactory(String.class, v3useTypeQName),
        new SimpleDeserializerFactory(String.class, v3useTypeQName));

I am not sure where and why it is getting the xmlType QName as
{http://www.w3.org/2000/09/xmldsig#}KeyName. I would highly appreciate
any help on this.

Thanks
Sumit

---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: [Axis2] SAML security tokens generation

Posted by Dimuthu Leelaratne <di...@gmail.com>.
Hi Christina,

Check the contents under "Setting up a Security Token Service"
available at [1] if you want to set up Rahas. Another sample is
available at [2].

If you want to supply your own name identifier in the SAML token
please implement the CallbackHandler like this [3] and specify it in
the <saml-config> as follows:
 <dataCallbackHandlerClass>org.apache.rahas.MySAMLDataProvider</dataCallbackHandlerClass>


A whole lot of test cases are available at [4], but I don't know how
reader-friendly they are.

There is also a concept of "TokenCallbackHandler". I will check
whether it is possible to add a SAML token using this concept without
using Rahas.

Cheers,
Dimuthu.

[1] http://ws.apache.org/rampart/quick-start.html
[2] https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-samples/policy/sample05/
[3] https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-integration/src/test/java/org/apache/rahas/SAMLDataProvider.java
[4] https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-integration/src/test/java/org/apache/rahas/


On 8/14/07, Christina Larocca <ch...@gmail.com> wrote:
> Hi all Axis2 users:
>
> I have been managing some web services using UsernameTokens (without using
> rampart) to convey identities. I've a client that connects to a Token issuer
> service that provides it an EndpointReference and the Username token needed
> to authenticate. Now I must remodel the security of the whole model and
> instead of that, SAML tokens with encryption of the user name and signature
> will be used. The last axis2 version I've been using was the 1.1 and now I'm
> thinking about updating to the newest one and starting to use rampart.
>
> I have read that, unfortunately, Rampart itself can't be configured to add
> the SAML token to the Security header and that it delegates those functions
> to an STS called Rahas. The documentation I found about Rahas is very weak
> and despite my experience I don't have a clue about where or how to start.
> Could anyone tell me where to find a good tutorial or usage examples? Or,
> even better, could anyone show me some code to generate the tokens? If it's
> possible, I would prefer to configure rahas with code instead of creating text
> config files.
>
> Thanks in advance.
>
> Christina.
>
>



Re: [Axis2] SAML security tokens generation

Posted by Christina Larocca <ch...@gmail.com>.
Hi. I will continue in this thread. Finally it seems that we're going to
keep using the axis2 1.1 version so we don't have to recompile everything.
I tried the sample05 example from the repository, adjusting it for
version 1.1, and I've found two problems. First, it seems that there's a problem
with the keys, the service not being able to process the signature from the client:

<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:wsa="http://www.w3.org/2005/08/addressing"
                  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>
      <wsa:ReplyTo>
         <wsa:Address>http://www.w3.org/2005/08/addressing/none</wsa:Address>
      </wsa:ReplyTo>
      <wsa:MessageID>urn:uuid:33A9BEE1DA4319E68D11879091814372</wsa:MessageID>
      <wsa:Action>http://www.w3.org/2005/08/addressing/soap/fault</wsa:Action>
   </soapenv:Header>
   <soapenv:Body>
      <soapenv:Fault>
         <faultcode>soapenv:Client</faultcode>
         <faultstring>The signature verification failed (The provided certificate is invalid)</faultstring>
         <detail>
            <Exception>org.apache.axis2.AxisFault: The signature verification failed (The provided certificate is invalid); nested exception is:
    org.apache.ws.security.WSSecurityException: The signature verification failed (The provided certificate is invalid)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:73)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:381)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:518)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:483)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:319)
    at org.apache.axis2.transport.http.HTTPWorker.service(HTTPWorker.java:230)
    at org.apache.axis2.transport.http.server.DefaultHttpServiceProcessor.doService(DefaultHttpServiceProcessor.java:179)
    at org.apache.http.protocol.HttpService.handleRequest(HttpService.java:123)
    at org.apache.axis2.transport.http.server.DefaultHttpServiceProcessor.run(DefaultHttpServiceProcessor.java:251)
    at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
    at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
    at java.lang.Thread.run(Thread.java:595)
Caused by: org.apache.ws.security.WSSecurityException: The signature verification failed (The provided certificate is invalid)
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:257)
    at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:79)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:279)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:201)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:71)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:69)
    ... 11 more</Exception>
         </detail>
      </soapenv:Fault>
   </soapenv:Body>
</soapenv:Envelope>

I guess the keys are outdated. Is there an updated version of the keys?

Second: The SAML tokens I need must be SAML 2.0 tokens. Is rahas or rampart
capable of generating SAML 2.0 tokens? It seems that opensaml-1.1.jar is
used, which I think only provides SAML 1.0 tokens. Could you confirm
this for me? I hope I'm wrong and rampart and rahas can provide SAML 2.0 tokens as
well. I tried to change in the client the line in the getPayload method:

tokenTypeElem.setText(RahasConstants.TOK_TYPE_SAML_10);

to:

tokenTypeElem.setText(RahasConstants.TOK_TYPE_SAML_20);

without any results.

Any help would be greatly appreciated, thanks in advance.

Christina.

2007/8/14, Christina Larocca <ch...@gmail.com>:
>
> Thanks for your quick response. I'm going to put the examples to work.
>
> Regards.
>
> Christina.
>
> 2007/8/14, Ruchith Fernando < ruchith.fernando@gmail.com>:
> >
> > Hi Christina,
> >
> > Rampart supports adding SAML Tokens to the security header in the
> > policy based implementation. You can see an example here :
> >
> > http://marc.info/?l=axis-user&m=118665642802630&w=2
> >
> > By the way note that this requires the service to express its
> > requirements in policy and this sample uses the token acquired from
> > the Security Token Service to encrypt and sign the message.
> >
> > I'm not sure what you mean by "...SAML tokens with encryption of the
> > user name and signature will be used ...". Please check whether the
> > above sample fits your requirement.
> >
> > Thanks,
> > Ruchith
> >
> > On 8/14/07, Christina Larocca < christina.larocca@gmail.com> wrote:
> > > Hi all Axis2 users:
> > >
> > > I have been managing some web services using UsernameTokens (without
> > > using rampart) to convey identities. I've a client that connects to a
> > > Token issuer service that provides it an EndpointReference and the
> > > Username token needed to authenticate. Now I must remodel the security
> > > of the whole model and instead of that, SAML tokens with encryption of
> > > the user name and signature will be used. The last axis2 version I've
> > > been using was the 1.1 and now I'm thinking about updating to the
> > > newest one and starting to use rampart.
> > >
> > > I have read that, unfortunately, Rampart itself can't be configured
> > > to add the SAML token to the Security header and that it delegates
> > > those functions to an STS called Rahas. The documentation I found
> > > about Rahas is very weak and despite my experience I don't have a clue
> > > about where or how to start. Could anyone tell me where to find a good
> > > tutorial or usage examples? Or, even better, could anyone show me some
> > > code to generate the tokens? If it's possible, I would prefer to
> > > configure rahas with code instead of creating text config files.
> > >
> > > Thanks in advance.
> > >
> > > Christina.
> > >
> > >
> >
> >
> > --
> > www.ruchith.org
> > www.wso2.org
> >
> >
> >
>
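
The fault quoted above is the service refusing the certificate that signed the request, so the place to look first is the two keystores rather than Rahas. The Java class below is an added diagnostic, not code from sample05 or from Rampart; the keystore file names, passwords and the client alias it takes on the command line are placeholders for whatever your copy of the sample uses. It prints the validity period of every certificate in both stores (the "outdated keys" case) and reports whether the client's signing certificate is either present in the service keystore or issued by a certificate that is, which is the relationship the service's trust check needs:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;

/**
 * Added diagnostic, not part of Rampart or sample05.
 * Usage: java KeystoreTrustCheck <client.jks> <clientPw> <clientAlias> <service.jks> <servicePw>
 * All five arguments are placeholders for the values in your own sample setup.
 */
public class KeystoreTrustCheck {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Every X.509 certificate in the store, from both key entries and trusted-cert entries. */
    static List<X509Certificate> certificates(KeyStore ks) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    /** Validity of the certificate at the given instant; expired sample keys show up here. */
    static String validity(X509Certificate cert, Date when) {
        try {
            cert.checkValidity(when);
            return "valid until " + cert.getNotAfter();
        } catch (CertificateExpiredException e) {
            return "EXPIRED on " + cert.getNotAfter();
        } catch (CertificateNotYetValidException e) {
            return "NOT YET VALID before " + cert.getNotBefore();
        }
    }

    /**
     * True if the service keystore holds the client certificate itself, or a certificate
     * whose public key verifies the client certificate's signature (its issuer).
     */
    static boolean trustedBy(X509Certificate clientCert, List<X509Certificate> serviceCerts) {
        for (X509Certificate candidate : serviceCerts) {
            if (candidate.equals(clientCert)) {
                return true;
            }
            try {
                clientCert.verify(candidate.getPublicKey());
                return true;
            } catch (Exception notIssuer) {
                // this candidate did not sign clientCert; keep looking
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: KeystoreTrustCheck <client.jks> <clientPw> <clientAlias> <service.jks> <servicePw>");
            System.exit(2);
        }
        KeyStore clientKs = load(args[0], args[1].toCharArray());
        KeyStore serviceKs = load(args[3], args[4].toCharArray());
        Date now = new Date();

        List<X509Certificate> serviceCerts = certificates(serviceKs);
        for (X509Certificate c : serviceCerts) {
            System.out.println("service keystore: " + c.getSubjectX500Principal() + " -> " + validity(c, now));
        }

        Certificate signer = clientKs.getCertificate(args[2]);
        if (!(signer instanceof X509Certificate)) {
            System.err.println("no X.509 certificate under alias " + args[2]);
            System.exit(2);
        }
        X509Certificate clientCert = (X509Certificate) signer;
        System.out.println("client signing cert: " + clientCert.getSubjectX500Principal() + " -> " + validity(clientCert, now));
        System.out.println("trusted by service keystore: " + trustedBy(clientCert, serviceCerts));
    }
}
```

Point it at the keystore the service actually loads, i.e. the file named by org.apache.ws.security.crypto.merlin.file in the service's crypto properties, and at the alias the client signs with. If the signing certificate is reported as expired, or "trusted by service keystore" is false, the fault is explained by the keys and no Rahas change will fix it; regenerating the keys and importing the client certificate into the service keystore is the remedy.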

Re: [Axis2] SAML security tokens generation

Posted by Christina Larocca <ch...@gmail.com>.
Thanks for your quick response. I'm going to put the examples to work.

Regards.

Christina.

2007/8/14, Ruchith Fernando <ru...@gmail.com>:
>
> Hi Christina,
>
> Rampart supports adding SAML Tokens to the security header in the
> policy based implementation. You can see an example here :
>
> http://marc.info/?l=axis-user&m=118665642802630&w=2
>
> By the way note that this requires the service to express its
> requirements in policy and this sample uses the token acquired from
> the Security Token Service to encrypt and sign the message.
>
> I'm not sure what you mean by "...SAML tokens with encryption of the
> user name and signature will be used ...". Please check whether the
> above sample fits your requirement.
>
> Thanks,
> Ruchith
>
> On 8/14/07, Christina Larocca <ch...@gmail.com> wrote:
> > Hi all Axis2 users:
> >
> > I have been managing some web services using UsernameTokens (without
> > using rampart) to convey identities. I've a client that connects to a
> > Token issuer service that provides it an EndpointReference and the
> > Username token needed to authenticate. Now I must remodel the security
> > of the whole model and instead of that, SAML tokens with encryption of
> > the user name and signature will be used. The last axis2 version I've
> > been using was the 1.1 and now I'm thinking about updating to the
> > newest one and starting to use rampart.
> >
> > I have read that, unfortunately, Rampart itself can't be configured to
> > add the SAML token to the Security header and that it delegates those
> > functions to an STS called Rahas. The documentation I found about Rahas
> > is very weak and despite my experience I don't have a clue about where
> > or how to start. Could anyone tell me where to find a good tutorial or
> > usage examples? Or, even better, could anyone show me some code to
> > generate the tokens? If it's possible, I would prefer to configure
> > rahas with code instead of creating text config files.
> >
> > Thanks in advance.
> >
> > Christina.
> >
> >
>
>
> --
> www.ruchith.org
> www.wso2.org
>
>
>

Re: [Axis2] SAML security tokens generation

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Christina,

Rampart supports adding SAML Tokens to the security header in the
policy based implementation. You can see an example here :

http://marc.info/?l=axis-user&m=118665642802630&w=2

By the way note that this requires the service to express its
requirements in policy and this sample uses the token acquired from
the Security Token Service to encrypt and sign the message.

I'm not sure what you mean by "...SAML tokens with encryption of the
user name and signature will be used ...". Please check whether the
above sample fits your requirement.

Thanks,
Ruchith

On 8/14/07, Christina Larocca <ch...@gmail.com> wrote:
> Hi all Axis2 users:
>
> I have been managing some web services using UsernameTokens (without using
> rampart) to convey identities. I've a client that connects to a Token issuer
> service that provides it an EndpointReference and the Username token needed
> to authenticate. Now I must remodel the security of the whole model and
> instead of that, SAML tokens with encryption of the user name and signature
> will be used. The last axis2 version I've been using was the 1.1 and now I'm
> thinking about updating to the newest one and starting to use rampart.
>
> I have read that, unfortunately, Rampart itself can't be configured to add
> the SAML token to the Security header and that it delegates those functions
> to an STS called Rahas. The documentation I found about Rahas is very weak
> and despite my experience I don't have a clue about where or how to start.
> Could anyone tell me where to find a good tutorial or usage examples? Or,
> even better, could anyone show me some code to generate the tokens? If it's
> possible, I would prefer to configure rahas with code instead of creating text
> config files.
>
> Thanks in advance.
>
> Christina.
>
>


-- 
www.ruchith.org
www.wso2.org
