Posted to java-user@axis.apache.org by Stadelmann Josef <jo...@axa-winterthur.ch> on 2011/09/13 12:11:10 UTC

[Axis2] Rampart and .NET WCF Interoperability / Aproach Questions

Hi developers,

We have an Axis2 and Addressing.mar on Tomcat on JDK 1.5 on OpenVMS -
and our Web Service runs in scope="soapsession", which makes long
lasting sessions.

We have a .NET .VB .C#  WCF 3.5 WS Client communicating through a
SOAP-XML over HTTP protocol
using the ServicegroupId Header to make long lasting sessions in
scope="soapsession" possible.

All works fine and performant !!! Thanks to Axis2 and WCF 3.5 .NET

Now we need to secure the following !!!

Username and Password is a part of a login-request-soap-body-element.
This is no longer allowed to be transmitted un-encrypted in clear text
over the network.

We could switch to HTTPS/SSL and the game is over !!!!

But, we are interested in using a more WS oriented approach and in
learning!

Hence in this situation INTEROPERABILITY is our major issue!
And a Tools Based Approach to reach that fast is another issue!
(even time is not a killer, but we want to learn how to make faster
progress with Web Services and in particular security)

We like to remain with Tomcat and Axis2 running on OpenVMS 8.4 and a JDK
1.5.0 or JDK 6.0.

What technology shall we use to encrypt the password in a SOAP-BODY,
maybe we like to have sort of re-authentication after some time-out
later in a SOAP-HEADER.

We intend to use Rampart with the Axis2-Engine running our WS

BUT

What do we need on the Client Site to get first
the password encrypted (Message Level Security) and
later other sensible SOAP-HEADER/BODY-ELEMENTS

How do these things fit together? .NET and WS-* (Security)

Is there a good article somewhere how to achieve that?

How could WSIT from SUN (the Metro WS Stack) help us?

Does Apache Axis2-Team run or participate on the PLUG-FEST from
Microsoft and SUN
where participants demonstrate their interoperability capabilities
against defined web-service servers/scenarios?

What would be your approach / response to these Security Based
Interoperability Issues?

And how can we best make use of NetBeans (anything that supports us)

Thankful for a hint
Josef

Re: [Axis2] Rampart and .NET WCF Interoperability / Aproach Questions

Posted by Amila Suriarachchi <am...@gmail.com>.
On Tue, Sep 13, 2011 at 7:11 AM, Stadelmann Josef <
josef.stadelmann@axa-winterthur.ch> wrote:

> Hi developers,
>
> We have an Axis2 and Addressing.mar on Tomcat on JDK 1.5 on OpenVMS –
>
> And our Web Service runs in scope="soapsession", which makes long lasting
> sessions.
>
> We have a .NET .VB .C#  WCF 3.5 WS Client communicating through a SOAP-XML
> over HTTP protocol
>
> using the ServicegroupId Header to make long lasting sessions in
> scope="soapsession" possible.
>
> All works fine and performant !!! Thanks to Axis2 and WCF 3.5 .NET
>
> Now we need to secure the following !!!
>
> Username and Password is a part of a login-request-soap-body-element
>
> This is no longer allowed to be transmitted un-encrypted in clear text
> over the network.
>
> We could switch to HTTPS/SSL and the game is over !!!!
>
> But, we are interested in using a more WS oriented approach and in
> learning!
>

I am not sure why you have to send the user name and password in the SOAP body.
But with WS-Security you can use the User name Token to authenticate the
users and send the message with HTTP/SSL.

thanks,
Amila.



-- 
Amila Suriarachchi
WSO2 Inc.
blog: http://amilachinthaka.blogspot.com/

AW: [Axis2] Rampart and .NET WCF Interoperability / Aproach Questions

Posted by Stadelmann Josef <jo...@axa-winterthur.ch>.
Hi Amila

Thanks for the reply; 

We will go for message level encryption;

The password is until today sent via a login-request() in the message-body;
this is because we need the password in clear text at the java-web-services login()
to be used inside login() when we call a WSIT (HP) java-bean for the
VMSLOGIN(string username, string password) to establish an IPC
(inter process channel) to our legacy server;

If the password can be sent encrypted in a header AND if that password can be 
retrieved as clear text inside the called login() web service method from the 
soap-header that would be fine too.


Josef





-----Original Message-----
From: Amila Jayasekara [mailto:amilaj@wso2.com]
Sent: Wednesday, 14 September 2011 15:50
To: java-user@axis.apache.org
Cc: axis-user@ws.apache.org
Subject: Re: [Axis2] Rampart and .NET WCF Interoperability / Aproach Questions

Hello Josef,

Your mail has a few questions. Let me answer those, one by one.

> What technology shall we use to encrypt the password in a SOAP-BODY?

According to your description and to my knowledge the best methodology
to secure the SOAP body is to use message level encryption. Thus I believe
a "symmetric binding" based mechanism would be sufficient. You may be able
to specify the password in the header during re-authentication. But to do this
you need to define your "endpoint security policy" with alternatives
(i.e. to provision both username token and x509 token). Personally I
haven't used 2 policy alternatives for a particular service, therefore I
am not sure about the practical implications.

> Does Apache Axis2-Team run or participate on the PLUG-FEST from
> Microsoft and SUN
> where participants demonstrate their interoperability capabilities
> against defined web-service servers/scenarios?

We have tested Rampart against Microsoft PLUG-FEST. We also have a set
of test cases which is used to test against Microsoft PLUG-FEST
services. But personally I had issues running these test cases against
Microsoft services as some of those (Microsoft Plug-Fest [1])
endpoints are not available (in the recent past). E.g.:
http://131.107.72.15/Security_WsSecurity_Service_Indigo/. I am not
sure whether these services are hosted in some other place.

I am not sure about SUN.

> What would be your approach / response to this Security Based
> Interoperability Issues?

We will try our best to fix interoperability issues but we need to make
sure those fixes are compatible with the basic security profile [2].

[1] http://mssoapinterop.org/

[2] http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html

Thanks
AmilaJ


---------------------------------------------------------------------
To unsubscribe, e-mail: java-user-unsubscribe@axis.apache.org
For additional commands, e-mail: java-user-help@axis.apache.org




Re: [Axis2] Rampart and .NET WCF Interoperability / Aproach Questions

Posted by Amila Jayasekara <am...@wso2.com>.
Hello Josef,

Your mail has a few questions. Let me answer those, one by one.

> What technology shall we use to encrypt the password in a SOAP-BODY?

According to your description and to my knowledge the best methodology
to secure the SOAP body is to use message level encryption. Thus I believe
a "symmetric binding" based mechanism would be sufficient. You may be able
to specify the password in the header during re-authentication. But to do this
you need to define your “endpoint security policy” with alternatives
(i.e. to provision both username token and x509 token). Personally I
haven't used 2 policy alternatives for a particular service, therefore I
am not sure about the practical implications.

> Does Apache Axis2-Team run or participate on the PLUG-FEST from
> Microsoft and SUN
> where participants demonstrate their interoperability capabilities
> against defined web-service servers/scenarios?

We have tested Rampart against Microsoft PLUG-FEST. We also have a set
of test cases which is used to test against Microsoft PLUG-FEST
services. But personally I had issues running these test cases against
Microsoft services as some of those (Microsoft Plug-Fest [1])
endpoints are not available (in the recent past). E.g.:
http://131.107.72.15/Security_WsSecurity_Service_Indigo/. I am not
sure whether these services are hosted in some other place.

I am not sure about SUN.

> What would be your approach / response to this Security Based
> Interoperability Issues?

We will try our best to fix interoperability issues but we need to make
sure those fixes are compatible with the basic security profile [2].

[1] http://mssoapinterop.org/

[2] http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html

Thanks
AmilaJ

