Thanks, Amila, for the elaborate response.
I have taken sample 04 (SecureConversation), shipped with the Rampart 1.5 release,
as a base.
I have added another supporting token, a UserName token, to the policy (see the
bold data in the XML below).
*Note: I plan to use Rampart for endpoint authentication as well as
user (actor) authentication.*

But I think I can configure only one Rampart user, i.e.
<ramp:user>clientKeyName</ramp:user>.
Since I need to pass the UserName token (i.e. the userName) as well, I have
configured a Rampart config in the supportingTokens (username) tag, but I am observing
that only the global Rampart config is honored,
i.e. PWCBHandler1 is not getting invoked and only PWCBHandler is invoked,
i.e. the UserName token's username value is not passed in the callback. The callback
is invoked 2 times with the identifier "client".

Questions:
1. How can I set both the userName value and the keyAliasName in Rampart? Is there
any workaround?
2. Can there be only one Rampart config, and not a supporting-token-specific
config?



<wsp:Policy wsu:Id="SecConvPolicy2"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:ProtectionToken>
                        <wsp:Policy>
                            <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:RequireDerivedKeys/>
                                    <sp:BootstrapPolicy>
                                        <wsp:Policy>
                                            <sp:EncryptedParts>
                                                <sp:Body/>
                                            </sp:EncryptedParts>
                                            <sp:SymmetricBinding>
                                                <wsp:Policy>
                                                    <sp:ProtectionToken>
                                                        <wsp:Policy>
                                                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                                                <wsp:Policy>
                                                                    <sp:RequireDerivedKeys/>
                                                                    <sp:RequireThumbprintReference/>
                                                                    <sp:WssX509V3Token10/>
                                                                </wsp:Policy>
                                                            </sp:X509Token>
                                                        </wsp:Policy>
                                                    </sp:ProtectionToken>
                                                    <sp:AlgorithmSuite>
                                                        <wsp:Policy>
                                                            <sp:Basic128Rsa15/>
                                                        </wsp:Policy>
                                                    </sp:AlgorithmSuite>
                                                    <sp:Layout>
                                                        <wsp:Policy>
                                                            <sp:Strict/>
                                                        </wsp:Policy>
                                                    </sp:Layout>
                                                    <sp:IncludeTimestamp/>
                                                    <sp:EncryptSignature/>
                                                    <sp:OnlySignEntireHeadersAndBody/>
                                                </wsp:Policy>
                                            </sp:SymmetricBinding>
                                            <sp:EndorsingSupportingTokens>
                                                <wsp:Policy>
                                                    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                                        <wsp:Policy>
                                                            <sp:RequireThumbprintReference/>
                                                            <sp:WssX509V3Token10/>
                                                        </wsp:Policy>
                                                    </sp:X509Token>
                                                </wsp:Policy>
                                            </sp:EndorsingSupportingTokens>
                                            *<sp:SupportingTokens>
                                                <wsp:Policy>
                                                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
                                                    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                                                        <ramp:user>token2</ramp:user>
                                                        <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler1</ramp:passwordCallbackClass>
                                                    </ramp:RampartConfig>
                                                </wsp:Policy>
                                            </sp:SupportingTokens>*
                                            <sp:Wss11>
                                                <wsp:Policy>
                                                    <sp:MustSupportRefKeyIdentifier/>
                                                    <sp:MustSupportRefIssuerSerial/>
                                                    <sp:MustSupportRefThumbprint/>
                                                    <sp:MustSupportRefEncryptedKey/>
                                                    <sp:RequireSignatureConfirmation/>
                                                </wsp:Policy>
                                            </sp:Wss11>
                                            <sp:Trust10>
                                                <wsp:Policy>
                                                    <sp:MustSupportIssuedTokens/>
                                                    <sp:RequireClientEntropy/>
                                                    <sp:RequireServerEntropy/>
                                                </wsp:Policy>
                                            </sp:Trust10>
                                        </wsp:Policy>
                                    </sp:BootstrapPolicy>
                                </wsp:Policy>
                            </sp:SecureConversationToken>
                        </wsp:Policy>
                    </sp:ProtectionToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic128Rsa15/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                    <sp:EncryptSignature/>
                    <sp:OnlySignEntireHeadersAndBody/>
                </wsp:Policy>
            </sp:SymmetricBinding>
            <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportRefKeyIdentifier/>
                    <sp:MustSupportRefIssuerSerial/>
                    <sp:MustSupportRefThumbprint/>
                    <sp:MustSupportRefEncryptedKey/>
                </wsp:Policy>
            </sp:Wss11>
            <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportIssuedTokens/>
                    <sp:RequireClientEntropy/>
                    <sp:RequireServerEntropy/>
                </wsp:Policy>
            </sp:Trust10>
            <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body/>
            </sp:EncryptedParts>
            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                <ramp:user>client</ramp:user>
                <ramp:encryptionUser>service</ramp:encryptionUser>
                <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler</ramp:passwordCallbackClass>
                <ramp:signatureCrypto>
                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
                    </ramp:crypto>
                </ramp:signatureCrypto>
                <ramp:encryptionCypto>
                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
                    </ramp:crypto>
                </ramp:encryptionCypto>
            </ramp:RampartConfig>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

On Thu, Sep 16, 2010 at 10:30 AM, Amila Jayasekara <[email protected]> wrote:

> Hi Harshit,
>   Some answers are inline.
> Thanks
> AmilaJ
>
> Harshit Bapna wrote:
>
>> Hi All,
>>
>> I am thinking of using RAMPART module for ws security.
>>
>> Requirement:
>> To perform endpoint authentication as well as user authentication.
>>
>> Client endpoint authentication :- To allow only a configured client to
>> invoke the web service.
>> User authentication :- To allow only a specific user/actor to invoke the
>> service. The reason for this requirement is that the same endpoint can be
>> used by different type of users(Admin, CSR, normal user)
>>
>> I have gone through the various samples 1-8 supplied with the rampart 1.5 install.
>>
>> Question:
>> 1. Can I combine userName & WssX509V3Token10 token for user and endpoint
>> auth ?
>>    UserName token - for user authentication)
>>    WssX509V3Token10 - for endpoint PKI credential authentication
>>
>>
>      Yes, you can. In order to get WssX509V3Token10 support you can either
> use SymmetricBinding or AsymmetricBinding mechanisms. With one of the above
> bindings you can use UserName token as a supporting token.
>
>> 2. Also can secure conversation benefits be available when the above two
>> type of tokens are used.
>>
>>
>   As far as I know you should be able to use secure conversation with the above
> mentioned tokens. Again you can use symmetric binding or asymmetric binding
> and you should use SecureConversationToken. Thus the user name token should
> be added as a supporting token.
>
>
>> If you have any better suggestion to handle this requirement please let me
>> know.
>>
>>
> I guess the way you are heading is ok. In case you need more security
> you should use SymmetricBinding or AsymmetricBinding. When you use
> SymmetricBinding or AsymmetricBinding, the keys used to encrypt/sign each
> message differ from one another. But if you are more concerned about performance
> you can use Secure conversation. In secure conversation Rampart uses the
> same key to encrypt/sign messages for a given period of time.
>
>> Harshit Bapna
>> Team Lead
>> Arcot Systems
>>
>>
>>
>
>


-- 
-- Harshit Bapna
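One way to serve both credentials from the single global passwordCallbackClass that the thread observes is honored, added here as an example (not Rampart's own sample PWCBHandler): dispatch on the WSPasswordCallback usage code instead of the identifier, since Rampart hands the same identifier "client" to both calls. It assumes WSS4J 1.5 as bundled with Rampart 1.5 (where the accessor is spelled getIdentifer() and a plaintext UsernameToken reaches the service-side handler as USERNAME_TOKEN_UNKNOWN); the alias names and keystore password come from the policy above, the user password is constructed.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
// One handler for the global <ramp:passwordCallbackClass>. Rampart invokes it once per
// credential, and the identifier is "client" for both the keystore alias and the
// UsernameToken, so the usage code, not the identifier, selects the secret.
public class CombinedPWCBHandler implements CallbackHandler {
    // Private-key passwords per alias ("client", "service", "apache" are from the policy above).
    private static final Map<String, String> KEY_PASSWORDS = new HashMap<String, String>();
    // UsernameToken credentials; constructed sample value, not from the thread.
    private static final Map<String, String> USER_PASSWORDS = new HashMap<String, String>();
    static {
        KEY_PASSWORDS.put("client", "apache");
        KEY_PASSWORDS.put("service", "apache");
        USER_PASSWORDS.put("client", "constructed-user-secret");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb, "unsupported");
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            String id = pwcb.getIdentifer();  // WSS4J 1.5 spelling; getIdentifier() from 1.6 on
            int usage = pwcb.getUsage();
            if (usage == WSPasswordCallback.SIGNATURE || usage == WSPasswordCallback.DECRYPT) {
                // Keystore alias named by <ramp:user>/<ramp:encryptionUser>: never a user password.
                pwcb.setPassword(lookup(KEY_PASSWORDS, id, "no key password for alias "));
            } else if (usage == WSPasswordCallback.USERNAME_TOKEN) {
                // Client side, or digest password on the service side: WSS4J compares the values.
                pwcb.setPassword(lookup(USER_PASSWORDS, id, "unknown user "));
            } else if (usage == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                // Service side, plaintext password: the handler itself must verify and reject.
                if (!lookup(USER_PASSWORDS, id, "unknown user ").equals(pwcb.getPassword())) {
                    throw new IOException("authentication failed for user " + id);
                }
            }
            // Other usages (e.g. secure-conversation token lookups) are served by Rampart's token store.
        }
    }

    private static String lookup(Map<String, String> m, String id, String err) throws IOException {
        String v = m.get(id);
        if (v == null) throw new IOException(err + id);
        return v;
    }
}
```

Keeping the two maps separate is the point: with one global <ramp:user> the keystore alias and the UsernameToken username coincide, and a handler that keys on the identifier alone would hand the private-key password out as the user's password.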
