I want my client to work like in policy sample 05, but my STS will issue a SAML token on the basis of a provided SAML token. Server side there won't be a Rahas-based STS, nor an Axis2 service.
What do you mean by "inflow and outflow code"?

thanks, vicampan.

On 18/02/2010 18:46, Martin Gainty wrote:
difficult to say (without seeing the inflow and outflow code)

thanks,
Martin Gainty
______________________________________________
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly
ask you to notify us. Any unauthorised forwarding or copying is not permitted.
This message serves only to exchange information and has no legally binding
effect. Because e-mails can easily be manipulated, we accept no liability for
their content.
This message is confidential and may be privileged. If you are not the intended
recipient, we kindly ask you to inform the sender. Any unauthorised distribution
or copying of it is prohibited. This message is for information only and will
have no legally binding effect. Since e-mails can easily be subject to
manipulation, we cannot accept any responsibility for the content provided.




Date: Thu, 18 Feb 2010 18:17:32 +0100
From: [email protected]
To: [email protected]
Subject: Saml as SupportingToken

Hi,
in a WS-Trust scenario, I have an issuer policy with SAML defined as a
supporting token. My STS issues a SAML token on the basis of a SAML token.
It seems to me that Rampart simply ignores the <SupportingTokens>
element I added to the issuer policy. How will I attach a SAML token in
the security header of my RST using Rampart?

Thanks, vicampan.

My issuer policy looks like:

<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy wsu:Id="SigOnly"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding
        xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token
                sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token
                sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <!-- Basic256Rsa15 selects RSA PKCS#1 v1.5 key transport, which is
                   exposed to Bleichenbacher-style padding-oracle attacks; Basic256
                   (RSA-OAEP) is preferable where both sides support it. -->
              <sp:Basic256Rsa15 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:EncryptBeforeSigning />
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:SupportingTokens
        xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <!-- The nested wsp:Policy must be a child of sp:SamlToken. A
               self-closed sp:SamlToken followed by a sibling wsp:Policy is
               not a valid token assertion. -->
          <sp:SamlToken
            sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
            <wsp:Policy>
              <sp:WssSamlV11Token11 />
            </wsp:Policy>
          </sp:SamlToken>
        </wsp:Policy>
      </sp:SupportingTokens>
      <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier />
          <sp:MustSupportRefIssuerSerial />
        </wsp:Policy>
      </sp:Wss10>
      <sp:SignedParts
        xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body />
      </sp:SignedParts>
      <sp:EncryptedParts
        xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body />
      </sp:EncryptedParts>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>client</ramp:user>
        <ramp:encryptionUser>server</ramp:encryptionUser>
        <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property
              name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
            <ramp:property
              name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
            <ramp:property
              name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
        <!-- "encryptionCypto" is the element name Rampart actually expects. -->
        <ramp:encryptionCypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property
              name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
            <ramp:property
              name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
            <ramp:property
              name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
          </ramp:crypto>
        </ramp:encryptionCypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

My service policy is:

<wsp:Policy wsu:Id="SgnOnlyAnonymous"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding
        xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token
                sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token
                sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256Rsa15 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:EncryptBeforeSigning />
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:SupportingTokens
        xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:IssuedToken
            sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <Issuer xmlns="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <Address
                xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8080/axis2/services/STS</Address>
            </Issuer>
            <sp:RequestSecurityTokenTemplate>
              <t:TokenType
                xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
              <t:KeyType
                xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
              <t:KeySize
                xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">256</t:KeySize>
            </sp:RequestSecurityTokenTemplate>
            <wsp:Policy>
              <sp:RequireInternalReference />
            </wsp:Policy>
          </sp:IssuedToken>
        </wsp:Policy>
      </sp:SupportingTokens>
      <sp:SignedParts>
        <sp:Body />
      </sp:SignedParts>
      <sp:EncryptedParts>
        <sp:Body />
      </sp:EncryptedParts>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier />
          <sp:MustSupportRefIssuerSerial />
          <sp:MustSupportRefThumbprint />
          <sp:MustSupportRefEncryptedKey />
          <sp:RequireSignatureConfirmation />
        </wsp:Policy>
      </sp:Wss11>
      <sp:Trust10>
        <wsp:Policy>
          <sp:MustSupportIssuedTokens />
          <!--<sp:RequireClientEntropy/>  -->
          <!--<sp:RequireServerEntropy/>  -->
        </wsp:Policy>
      </sp:Trust10>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>client</ramp:user>
        <ramp:encryptionUser>server</ramp:encryptionUser>
        <ramp:passwordCallbackClass>it.eng.mmg.ibisDocument.client.utils.PWCBHandler</ramp:passwordCallbackClass>
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property
              name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
            <ramp:property
              name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
            <ramp:property
              name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
        <ramp:encryptionCypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property
              name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
            <ramp:property
              name="org.apache.ws.security.crypto.merlin.file">keystore/client001.jks</ramp:property>
            <ramp:property
              name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
          </ramp:crypto>
        </ramp:encryptionCypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

--


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Ing. Vincenzo Campanile

Engineering Ingegneria Informatica s.p.a.

Via Ferrante Imparato 192-198
Centro Mercato 2, ed. F
80146 Napoli

Tel. 081 5650654 - Fax:  081 5650636
e-mail: [email protected]

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


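The symptom in the thread is that the RST leaves the client without the SAML supporting token, so the first thing worth automating is a look at what the outgoing wsse:Security header really contains. The following is an added example, not code from the thread and not Rampart's own API: it parses a SOAP envelope with the standard library and reports whether a SAML 1.1 or 2.0 assertion is present in the header, whether the signature covers the Body, and whether it covers the assertion either directly by ID or through a signed SecurityTokenReference whose KeyIdentifier names it (the STR-Dereference layout of the WSS SAML Token Profile). The function names (`inspect_rst`, `supporting_token_problems`, `envelope`), the issuer `urn:example:sts`, and the IDs `_a1`, `str-1` and `body-1` are assumptions; the two sample envelopes are constructed by hand and carry no real token or signature value.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the WS-Security header of a WS-Trust RST.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def q(prefix, local):
    """Clark-notation name for ElementTree lookups."""
    return "{%s}%s" % (NS[prefix], local)


def inspect_rst(envelope_xml):
    """Report what the wsse:Security header of the envelope actually carries."""
    root = ET.fromstring(envelope_xml)
    header = root.find(q("soap", "Header"))
    security = None if header is None else header.find(q("wsse", "Security"))
    report = {"has_security": security is not None, "assertions": [],
              "signed_uris": set(), "assertion_signed": False,
              "body_signed": False, "body_encrypted": False}
    if security is None:
        return report
    # SAML 1.1 assertions carry AssertionID, SAML 2.0 assertions carry ID.
    for a in security.findall(q("saml1", "Assertion")):
        report["assertions"].append(("1.1", a.get("AssertionID")))
    for a in security.findall(q("saml2", "Assertion")):
        report["assertions"].append(("2.0", a.get("ID")))
    # Every ds:Reference URI in the header, without the leading '#'.
    for ref in security.iter(q("ds", "Reference")):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            report["signed_uris"].add(uri[1:])
    # A signed SecurityTokenReference whose KeyIdentifier names the assertion
    # covers it too (STR-Dereference layout of the WSS SAML Token Profile).
    str_targets = {}
    for str_el in security.iter(q("wsse", "SecurityTokenReference")):
        kid = str_el.find(q("wsse", "KeyIdentifier"))
        str_id = str_el.get(q("wsu", "Id"))
        if kid is not None and str_id:
            str_targets[str_id] = (kid.text or "").strip()
    ids = {aid for _, aid in report["assertions"] if aid}
    report["assertion_signed"] = any(
        u in ids or str_targets.get(u) in ids for u in report["signed_uris"])
    body = root.find(q("soap", "Body"))
    if body is not None:
        report["body_signed"] = body.get(q("wsu", "Id")) in report["signed_uris"]
        report["body_encrypted"] = body.find(q("xenc", "EncryptedData")) is not None
    return report


def supporting_token_problems(report):
    """Checks a client would run before sending the RST to the STS."""
    problems = []
    if not report["has_security"]:
        return ["no wsse:Security header"]
    if not report["assertions"]:
        problems.append("no SAML assertion in wsse:Security (supporting token missing)")
    elif not report["assertion_signed"]:
        problems.append("SAML assertion present but not covered by the signature")
    if not report["body_signed"]:
        problems.append("soap:Body not covered by the signature")
    if not report["body_encrypted"]:
        problems.append("soap:Body not encrypted")
    return problems


# Constructed sample (hypothetical issuer and IDs, no real token or signature).
ASSERTION = ('<saml:Assertion xmlns:saml="%s" AssertionID="_a1" MajorVersion="1" '
             'MinorVersion="1" Issuer="urn:example:sts"/>' % NS["saml1"])
STR = ('<wsse:SecurityTokenReference wsu:Id="str-1"><wsse:KeyIdentifier ValueType='
       '"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"'
       '>_a1</wsse:KeyIdentifier></wsse:SecurityTokenReference>')


def envelope(with_assertion):
    """RST envelope with (True) or without (False) the SAML supporting token."""
    head = ('<soapenv:Envelope xmlns:soapenv="{soap}" xmlns:wsse="{wsse}" '
            'xmlns:wsu="{wsu}" xmlns:ds="{ds}" xmlns:xenc="{xenc}">').format(**NS)
    token = ASSERTION + STR if with_assertion else ""
    refs = '<ds:Reference URI="#body-1"/>' + (
        '<ds:Reference URI="#str-1"/>' if with_assertion else "")
    return (head + "<soapenv:Header><wsse:Security>" + token
            + "<ds:Signature><ds:SignedInfo>" + refs + "</ds:SignedInfo>"
            + "<ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>"
            + "</wsse:Security></soapenv:Header>"
            + '<soapenv:Body wsu:Id="body-1"><xenc:EncryptedData/></soapenv:Body>'
            + "</soapenv:Envelope>")


if __name__ == "__main__":
    for flag in (True, False):
        rep = inspect_rst(envelope(flag))
        print("assertion present:", flag, "->", supporting_token_problems(rep) or "ok")
```

Run against a captured outgoing RST (for instance from an Axis2 SOAP monitor) instead of the constructed envelope, the report tells you immediately whether the policy engine emitted the supporting token at all, which is the question the thread leaves open.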
