Hi Harshit,
If you have a user-name token and a key, you can use the two parameters
user and userCertAlias [1] to provide both of them to the Rampart Engine.

Best Regards,
Nandana

[1] - http://ws.apache.org/rampart/rampartconfig-guide.html
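As an added example (not from this thread or the Rampart samples), a password callback handler that fits that split: `user` carries the UsernameToken user, `userCertAlias` the keystore alias, and the handler chooses the credential store from the callback's usage rather than from the identifier string alone. It is written against the WSS4J 1.5 WSPasswordCallback API that Rampart 1.5 uses; the class name, the user "alice" and the password values are assumptions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Added example, not from the Rampart samples. Pairs with a RampartConfig such as
 *   <ramp:user>alice</ramp:user> (UsernameToken user) and
 *   <ramp:userCertAlias>client</ramp:userCertAlias> (signing key alias in client.jks).
 * Dispatching on the callback usage keeps UsernameToken and private-key passwords apart
 * even if a user name equals a keystore alias. "alice" and the passwords are constructed.
 */
public class DualTokenPWCBHandler implements CallbackHandler {
    // UsernameToken credentials (hypothetical; a real handler would consult a user store).
    private static final Map<String, String> USER_PASSWORDS = new HashMap<String, String>();
    // Private-key passwords for aliases in client.jks ("client"/"apache" are the sample values).
    private static final Map<String, String> KEY_PASSWORDS = new HashMap<String, String>();
    static { USER_PASSWORDS.put("alice", "alice-secret"); KEY_PASSWORDS.put("client", "apache"); }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            // Older WSS4J 1.5 builds expose the same value only as the misspelled getIdentifer().
            String pw = resolve(pwcb.getIdentifier(), pwcb.getUsage());
            if (pw != null) {
                pwcb.setPassword(pw); // unknown pair: leave the password unset rather than guess
            }
        }
    }

    // Maps (identifier, usage) to a password, or null when the pair is not recognised.
    static String resolve(String id, int usage) {
        switch (usage) {
            case WSPasswordCallback.USERNAME_TOKEN: // wsse:Password for <ramp:user>
                return USER_PASSWORDS.get(id);
            case WSPasswordCallback.SIGNATURE:      // private key named by <ramp:userCertAlias>
            case WSPasswordCallback.DECRYPT:        // private key used to unwrap incoming keys
                return KEY_PASSWORDS.get(id);
            default:
                return null;
        }
    }
}
```

With this handler a single `passwordCallbackClass` in the global RampartConfig serves both tokens, so no per-SupportingTokens RampartConfig is needed.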

On Thu, Sep 16, 2010 at 12:27 PM, Harshit Bapna <[email protected]> wrote:

> Thanks Amila for the elaborate response.
> I have taken sample 04 (SecureConversation) shipped with the rampart 1.5
> release as a base.
> I have added another supporting token, UserName token, to the policy. (see
> the bold data in the xml below.)
> *Note: I plan to use rampart for endpoint authentication as well as
> user(actor) authentication.*
>
> But I think I can configure only one rampart user i.e.
> *<ramp:user>clientKeyName</ramp:user>*.
> Since I need to pass the userName token i.e. userName as well, I have
> configured rampart config in the supportingTokens (username) tag. I am
> observing that only the global rampart config is honored,
> i.e. PWCBHandler1 is not getting invoked and only PWCBHandler is invoked.
> *i.e. UserName token's username value is not passed in the callback. Callback
> is invoked 2 times with the identifier "client".*
>
> Questions:
> 1. How can I set userName value & keyAliasName both in rampart. Is
> there any workaround ?
> 2. Can there be only one rampart config & not supporting token specific
> config ?
>
>
>
> <wsp:Policy wsu:Id="SecConvPolicy2"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:ProtectionToken>
>             <wsp:Policy>
>               <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:RequireDerivedKeys/>
>                   <sp:BootstrapPolicy>
>                     <wsp:Policy>
>                       <sp:EncryptedParts>
>                         <sp:Body/>
>                       </sp:EncryptedParts>
>                       <sp:SymmetricBinding>
>                         <wsp:Policy>
>                           <sp:ProtectionToken>
>                             <wsp:Policy>
>                               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                                 <wsp:Policy>
>                                   <sp:RequireDerivedKeys/>
>                                   <sp:RequireThumbprintReference/>
>                                   <sp:WssX509V3Token10/>
>                                 </wsp:Policy>
>                               </sp:X509Token>
>                             </wsp:Policy>
>                           </sp:ProtectionToken>
>                           <sp:AlgorithmSuite>
>                             <wsp:Policy>
>                               <sp:Basic128Rsa15/>
>                             </wsp:Policy>
>                           </sp:AlgorithmSuite>
>                           <sp:Layout>
>                             <wsp:Policy>
>                               <sp:Strict/>
>                             </wsp:Policy>
>                           </sp:Layout>
>                           <sp:IncludeTimestamp/>
>                           <sp:EncryptSignature/>
>                           <sp:OnlySignEntireHeadersAndBody/>
>                         </wsp:Policy>
>                       </sp:SymmetricBinding>
>                       <sp:EndorsingSupportingTokens>
>                         <wsp:Policy>
>                           <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                             <wsp:Policy>
>                               <sp:RequireThumbprintReference/>
>                               <sp:WssX509V3Token10/>
>                             </wsp:Policy>
>                           </sp:X509Token>
>                         </wsp:Policy>
>                       </sp:EndorsingSupportingTokens>
>                       *<sp:SupportingTokens>
>                         <wsp:Policy>
>                           <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
>                           <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>                             <ramp:user>token2</ramp:user>
>                             <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler1</ramp:passwordCallbackClass>
>                           </ramp:RampartConfig>
>                         </wsp:Policy>
>                       </sp:SupportingTokens>*
>                       <sp:Wss11>
>                         <wsp:Policy>
>                           <sp:MustSupportRefKeyIdentifier/>
>                           <sp:MustSupportRefIssuerSerial/>
>                           <sp:MustSupportRefThumbprint/>
>                           <sp:MustSupportRefEncryptedKey/>
>                           <sp:RequireSignatureConfirmation/>
>                         </wsp:Policy>
>                       </sp:Wss11>
>                       <sp:Trust10>
>                         <wsp:Policy>
>                           <sp:MustSupportIssuedTokens/>
>                           <sp:RequireClientEntropy/>
>                           <sp:RequireServerEntropy/>
>                         </wsp:Policy>
>                       </sp:Trust10>
>                     </wsp:Policy>
>                   </sp:BootstrapPolicy>
>                 </wsp:Policy>
>               </sp:SecureConversationToken>
>             </wsp:Policy>
>           </sp:ProtectionToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic128Rsa15/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict/>
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp/>
>           <sp:EncryptSignature/>
>           <sp:OnlySignEntireHeadersAndBody/>
>         </wsp:Policy>
>       </sp:SymmetricBinding>
>       <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier/>
>           <sp:MustSupportRefIssuerSerial/>
>           <sp:MustSupportRefThumbprint/>
>           <sp:MustSupportRefEncryptedKey/>
>         </wsp:Policy>
>       </sp:Wss11>
>       <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportIssuedTokens/>
>           <sp:RequireClientEntropy/>
>           <sp:RequireServerEntropy/>
>         </wsp:Policy>
>       </sp:Trust10>
>       <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body/>
>       </sp:EncryptedParts>
>       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>         <ramp:user>client</ramp:user>
>         <ramp:encryptionUser>service</ramp:encryptionUser>
>         <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler</ramp:passwordCallbackClass>
>         <ramp:signatureCrypto>
>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>           </ramp:crypto>
>         </ramp:signatureCrypto>
>         <ramp:encryptionCypto>
>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>           </ramp:crypto>
>         </ramp:encryptionCypto>
>       </ramp:RampartConfig>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> On Thu, Sep 16, 2010 at 10:30 AM, Amila Jayasekara <[email protected]>
> wrote:
>
> > Hi Harshit,
> >   Some answers are inline.
> > Thanks
> > AmilaJ
> >
> > Harshit Bapna wrote:
> >
> >> Hi All,
> >>
> >> I am thinking of using RAMPART module for ws security.
> >>
> >> Requirement:
> >> To perform endpoint authentication as well as user authentication.
> >>
> >> Client endpoint authentication :- To allow only a configured client to
> >> invoke the web service.
> >> User authentication :- To allow only a specific user/actor to invoke the
> >> service. The reason for this requirement is that the same endpoint can be
> >> used by different types of users (Admin, CSR, normal user).
> >>
> >> I have gone through the various samples 1-8 supplied with the rampart 1.5
> >> install.
> >>
> >> Question:
> >> 1. Can I combine userName & WssX509V3Token10 token for user and endpoint
> >> auth ?
> >>    UserName token - for user authentication
> >>    WssX509V3Token10 - for endpoint PKI credential authentication
> >>
> >      Yes, you can. In order to get WssX509V3Token10 support you can either
> > use SymmetricBinding or AsymmetricBinding mechanisms. With one of the above
> > bindings you can use UserName token as a supporting token.
> >
> >> 2. Also can secure conversation benefits be available when the above two
> >> types of tokens are used.
> >>
> >   As far as I know you should be able to use secure conversation with the
> > above mentioned tokens. Again you can use symmetric binding or asymmetric
> > binding and you should use SecureConversationToken. Thus the user name token
> > should be added as a supporting token.
> >
> >> If you have any better suggestion to handle this requirement please let me
> >> know.
> >>
> > I guess the way you are heading is ok. In case you need more security
> > you should use SymmetricBinding or AsymmetricBinding. When you use
> > SymmetricBinding or AsymmetricBinding, keys used to encrypt/sign each
> > message differ from one another. But if you are more concerned about
> > performance you can use Secure conversation. In secure conversation Rampart
> > uses the same key to encrypt/sign messages for a given period of time.
> >
> >> Harshit Bapna
> >> Team Lead
> >> Arcot Systems
> >>
> >
>
>
> --
> -- Harshit Bapna
>