Saml as SupportingToken

Thu, 18 Feb 2010 09:18:04 -0800 

Hi,
in a WS-Trust scenario, i have a issuer policy with SAML defined as supporting token. My STS issues a SAML token on basis of a SAML token. It seems to me that rampart simply ignores the <SupportingTokens> element i added to the issuer policy. How will i attach a SAML token in the security header of my RST using rampart? 

Thanks, vicampan.

My issuer policy looks like:

<?xml version="1.0" encoding="UTF-8"?>

<wsp:Policy wsu:Id="SigOnly" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; 
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>

<wsp:ExactlyOne>
<wsp:All>

<sp:AsymmetricBinding 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>

<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>

<sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always";>

<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>

<sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always";>

<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:EncryptBeforeSigning />
</wsp:Policy>
</sp:AsymmetricBinding>

<sp:SupportingTokens 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>

<wsp:Policy>

<sp:SamlToken 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"; 
/>

<wsp:Policy>
<sp:WssSamlV11Token11/>
</wsp:Policy>
</wsp:Policy>
</sp:SupportingTokens>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>

<sp:SignedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>

<sp:Body />
</sp:SignedParts>

<sp:EncryptedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>

<sp:Body />
</sp:EncryptedParts>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy";>
<ramp:user>client</ramp:user>
<ramp:encryptionUser>server</ramp:encryptionUser>
<ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">

<ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
<ramp:property 
name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
<ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>

</ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">

<ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
<ramp:property 
name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
<ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>

</ramp:crypto>
</ramp:encryptionCypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

My service policy is:


<wsp:Policy wsu:Id="SgnOnlyAnonymous" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; 
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"; 
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"; 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>

<wsp:ExactlyOne>
<wsp:All>

<sp:AsymmetricBinding 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>

<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>

<sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always";>

<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>

<sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always";>

<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:EncryptBeforeSigning />
</wsp:Policy>
</sp:AsymmetricBinding>

<sp:SupportingTokens 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>

<wsp:Policy>

<sp:IssuedToken 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient";>

<Issuer xmlns="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>

<Address 
xmlns="http://www.w3.org/2005/08/addressing";>http://localhost:8080/axis2/services/STS</Address>

</Issuer>
<sp:RequestSecurityTokenTemplate>

<t:TokenType 
xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust";>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
<t:KeyType 
xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust";>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
<t:KeySize 
xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust";>256</t:KeySize>

</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference />
</wsp:Policy>
</sp:IssuedToken>
</wsp:Policy>
</sp:SupportingTokens>
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
<sp:MustSupportRefThumbprint />
<sp:MustSupportRefEncryptedKey />
<sp:RequireSignatureConfirmation />
</wsp:Policy>
</sp:Wss11>
<sp:Trust10>
<wsp:Policy>
<sp:MustSupportIssuedTokens />
<!-- <sp:RequireClientEntropy/> -->
<!-- <sp:RequireServerEntropy/> -->
</wsp:Policy>
</sp:Trust10>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy";>
<ramp:user>client</ramp:user>
<ramp:encryptionUser>server</ramp:encryptionUser>
<ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">

<ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
<ramp:property 
name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
<ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>

</ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">

<ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
<ramp:property 
name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
<ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>

</ramp:crypto>
</ramp:encryptionCypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

--


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Ing. Vincenzo Campanile

Engineering Ingegneria Informatica s.p.a.

Via Ferrante Imparato 192-198
Centro Mercato 2, ed. F
80146 Napoli

Tel. 081 5650654 - Fax:  081 5650636
e-mail: [email protected]

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *























					Reply via email to