Hello Amila & Nandana,

I want to authenticate the endpoint as well as the various different users invoking the service.

Example: Users, for example devUser, adminUser and csr, can use the same endpoint, say EP1, to send the request. So the username will keep changing as the service is invoked by different actors/users. But the endpoint is the same; the endpoint's key won't change. A PKI signature is used for its authentication. Hence rampart-user will have to be modified based on the user's username, so the questions in my earlier mail remain unanswered.

Please let me know if some other approach or a workaround to do both authentications is possible.

On Thu, Sep 16, 2010 at 4:20 PM, Nandana Mihindukulasooriya <[email protected]> wrote:

> Hi Harshit,
>
> If you have a user-name token and a key, you can use the two parameters
> user, userCertAlias [1] to provide both of them to Rampart Engine.
>
> Best Regards,
> Nandana
>
> [1] - http://ws.apache.org/rampart/rampartconfig-guide.html
>
> On Thu, Sep 16, 2010 at 12:27 PM, Harshit Bapna <[email protected]> wrote:
>
> > Thanks Amila for the elaborate response.
> >
> > I have taken sample 04 (SecureConversation) shipped with the rampart 1.5 release as a base.
> > I have added another supporting token, UserName token, to the policy (see the bold data in the xml below).
> > *Note: I plan to use rampart for endpoint authentication as well as user (actor) authentication.*
> >
> > But I think I can configure only one rampart user, i.e. *<ramp:user>clientKeyName</ramp:user>*.
> > Since I need to pass the UserName token, i.e. userName, as well, I have configured rampart config in the supportingTokens (username) tag. I am observing that only the global rampart config is honored,
> > i.e. PWCBHandler1 is not getting invoked and only PWCBHandler is invoked,
> > *i.e. the UserName token's username value is not passed in the callback. Callback is invoked 2 times with the identifier "client".*
> >
> > *Questions:*
> > 1. How can I set the userName value & keyAliasName both in rampart? Is there any workaround?
> > 2. Can there be only one rampart config & not supporting-token-specific config?
> >
> > <wsp:Policy wsu:Id="SecConvPolicy2"
> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >         <wsp:Policy>
> >           <sp:ProtectionToken>
> >             <wsp:Policy>
> >               <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >                 <wsp:Policy>
> >                   <sp:RequireDerivedKeys/>
> >                   <sp:BootstrapPolicy>
> >                     <wsp:Policy>
> >                       <sp:EncryptedParts>
> >                         <sp:Body/>
> >                       </sp:EncryptedParts>
> >                       <sp:SymmetricBinding>
> >                         <wsp:Policy>
> >                           <sp:ProtectionToken>
> >                             <wsp:Policy>
> >                               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> >                                 <wsp:Policy>
> >                                   <sp:RequireDerivedKeys/>
> >                                   <sp:RequireThumbprintReference/>
> >                                   <sp:WssX509V3Token10/>
> >                                 </wsp:Policy>
> >                               </sp:X509Token>
> >                             </wsp:Policy>
> >                           </sp:ProtectionToken>
> >                           <sp:AlgorithmSuite>
> >                             <wsp:Policy>
> >                               <sp:Basic128Rsa15/>
> >                             </wsp:Policy>
> >                           </sp:AlgorithmSuite>
> >                           <sp:Layout>
> >                             <wsp:Policy>
> >                               <sp:Strict/>
> >                             </wsp:Policy>
> >                           </sp:Layout>
> >                           <sp:IncludeTimestamp/>
> >                           <sp:EncryptSignature/>
> >                           <sp:OnlySignEntireHeadersAndBody/>
> >                         </wsp:Policy>
> >                       </sp:SymmetricBinding>
> >                       <sp:EndorsingSupportingTokens>
> >                         <wsp:Policy>
> >                           <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >                             <wsp:Policy>
> >                               <sp:RequireThumbprintReference/>
> >                               <sp:WssX509V3Token10/>
> >                             </wsp:Policy>
> >                           </sp:X509Token>
> >                         </wsp:Policy>
> >                       </sp:EndorsingSupportingTokens>
> >                       *<sp:SupportingTokens>
> >                         <wsp:Policy>
> >                           <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
> >                           <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> >                             <ramp:user>token2</ramp:user>
> >                             <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler1</ramp:passwordCallbackClass>
> >                           </ramp:RampartConfig>
> >                         </wsp:Policy>
> >                       </sp:SupportingTokens>*
> >                       <sp:Wss11>
> >                         <wsp:Policy>
> >                           <sp:MustSupportRefKeyIdentifier/>
> >                           <sp:MustSupportRefIssuerSerial/>
> >                           <sp:MustSupportRefThumbprint/>
> >                           <sp:MustSupportRefEncryptedKey/>
> >                           <sp:RequireSignatureConfirmation/>
> >                         </wsp:Policy>
> >                       </sp:Wss11>
> >                       <sp:Trust10>
> >                         <wsp:Policy>
> >                           <sp:MustSupportIssuedTokens/>
> >                           <sp:RequireClientEntropy/>
> >                           <sp:RequireServerEntropy/>
> >                         </wsp:Policy>
> >                       </sp:Trust10>
> >                     </wsp:Policy>
> >                   </sp:BootstrapPolicy>
> >                 </wsp:Policy>
> >               </sp:SecureConversationToken>
> >             </wsp:Policy>
> >           </sp:ProtectionToken>
> >           <sp:AlgorithmSuite>
> >             <wsp:Policy>
> >               <sp:Basic128Rsa15/>
> >             </wsp:Policy>
> >           </sp:AlgorithmSuite>
> >           <sp:Layout>
> >             <wsp:Policy>
> >               <sp:Strict/>
> >             </wsp:Policy>
> >           </sp:Layout>
> >           <sp:IncludeTimestamp/>
> >           <sp:EncryptSignature/>
> >           <sp:OnlySignEntireHeadersAndBody/>
> >         </wsp:Policy>
> >       </sp:SymmetricBinding>
> >       <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >         <wsp:Policy>
> >           <sp:MustSupportRefKeyIdentifier/>
> >           <sp:MustSupportRefIssuerSerial/>
> >           <sp:MustSupportRefThumbprint/>
> >           <sp:MustSupportRefEncryptedKey/>
> >         </wsp:Policy>
> >       </sp:Wss11>
> >       <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >         <wsp:Policy>
> >           <sp:MustSupportIssuedTokens/>
> >           <sp:RequireClientEntropy/>
> >           <sp:RequireServerEntropy/>
> >         </wsp:Policy>
> >       </sp:Trust10>
> >       <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >         <sp:Body/>
> >       </sp:EncryptedParts>
> >       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> >         <ramp:user>client</ramp:user>
> >         <ramp:encryptionUser>service</ramp:encryptionUser>
> >         <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler</ramp:passwordCallbackClass>
> >         <ramp:signatureCrypto>
> >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> >           </ramp:crypto>
> >         </ramp:signatureCrypto>
> >         <ramp:encryptionCrypto>
> >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> >           </ramp:crypto>
> >         </ramp:encryptionCrypto>
> >       </ramp:RampartConfig>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > On Thu, Sep 16, 2010 at 10:30 AM, Amila Jayasekara <[email protected]> wrote:
> >
> > > Hi Harshit,
> > > Some answers are inline.
> > > Thanks
> > > AmilaJ
> > >
> > > Harshit Bapna wrote:
> > >
> > >> Hi All,
> > >>
> > >> I am thinking of using the RAMPART module for ws security.
> > >>
> > >> Requirement:
> > >> To perform endpoint authentication as well as user authentication.
> > >>
> > >> Client endpoint authentication :- To allow only a configured client to invoke the web service.
> > >> User authentication :- To allow only a specific user/actor to invoke the service. The reason for this requirement is that the same endpoint can be used by different types of users (Admin, CSR, normal user).
> > >>
> > >> I have gone through the various samples 1-8 supplied with the rampart 1.5 install.
> > >>
> > >> Question:
> > >> 1. Can I combine userName & WssX509V3Token10 token for user and endpoint auth?
> > >>    UserName token - for user authentication
> > >>    WssX509V3Token10 - for endpoint PKI credential authentication
> > >>
> > > Yes, you can. In order to get WssX509V3Token10 support you can either use SymmetricBinding or AsymmetricBinding mechanisms. With one of the above bindings you can use UserName token as a supporting token.
> > >
> > >> 2. Also, can secure conversation benefits be available when the above two types of tokens are used?
> > >>
> > > As far as I know you should be able to use secure conversation with the above mentioned tokens. Again you can use symmetric binding or asymmetric binding and you should use SecureConversationToken. Thus the user name token should be added as a supporting token.
> > >
> > >> If you have any better suggestion to handle this requirement please let me know.
> > >>
> > > I guess the way you are heading is ok. In case you need more security you should use SymmetricBinding or AsymmetricBinding. When you use SymmetricBinding or AsymmetricBinding, keys used to encrypt/sign each message differ from another. But if you are more concerned about performance you can use Secure conversation. In secure conversation Rampart uses the same key to encrypt/sign messages for a given period of time.
> > >
> > >> Harshit Bapna
> > >> Team Lead
> > >> Arcot Systems
> > >
> >
> > --
> > -- Harshit Bapna
>

--
-- Harshit Bapna
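As an added example (not code from this thread, the Rampart samples or the Rampart project): one password callback handler that serves both credentials Rampart asks for when Nandana's `user` / `userCertAlias` pair is configured. With `<ramp:user>` naming the UsernameToken user and `<ramp:userCertAlias>` naming the signing key, the single `passwordCallbackClass` is invoked once for each credential, and the handler tells them apart by `WSPasswordCallback.getUsage()` and `getIdentifier()` instead of needing a second RampartConfig inside the supporting token. The package and class name are taken from the thread's policy, while the user names, the `client`/`service` aliases, the passwords and the in-memory maps are assumptions for illustration; a real handler would consult a credential store and never keep clear-text passwords in code.

```java
package org.apache.rampart.samples.policy.sample04ex; // package assumed from the thread's policy

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * One callback class for both credentials Rampart requests:
 *  - the UsernameToken password for the actor named in <ramp:user>
 *  - the private-key password for the alias named in <ramp:userCertAlias>
 *    (signature on the client; decryption on the server)
 */
public class PWCBHandler implements CallbackHandler {

    // Constructed sample data for illustration only.
    private static final Map<String, String> USER_PASSWORDS = new HashMap<String, String>();
    private static final Map<String, String> KEY_PASSWORDS = new HashMap<String, String>();
    static {
        USER_PASSWORDS.put("devUser", "dev-secret");
        USER_PASSWORDS.put("adminUser", "admin-secret");
        USER_PASSWORDS.put("csr", "csr-secret");
        KEY_PASSWORDS.put("client", "apache");   // assumed alias in client.jks
        KEY_PASSWORDS.put("service", "apache");  // assumed alias in service.jks
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            String id = pwcb.getIdentifier();

            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN: {
                    // Client side: password to place in the token.
                    // Server side with digest passwords: WSS4J recomputes the
                    // digest from the clear-text password we return here.
                    String userPw = USER_PASSWORDS.get(id);
                    if (userPw == null) {
                        throw new IOException("Unknown user: " + id);
                    }
                    pwcb.setPassword(userPw);
                    break;
                }
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN: {
                    // Server side with PasswordText: WSS4J passes the received
                    // password and the handler must verify it itself.
                    String expected = USER_PASSWORDS.get(id);
                    if (expected == null || !constantTimeEquals(expected, pwcb.getPassword())) {
                        throw new IOException("Authentication failed for user: " + id);
                    }
                    break;
                }
                default: {
                    // SIGNATURE, DECRYPT and other key-related usages: the
                    // identifier is the keystore alias of the endpoint's key.
                    String keyPw = KEY_PASSWORDS.get(id);
                    if (keyPw == null) {
                        throw new IOException("Unknown key alias: " + id);
                    }
                    pwcb.setPassword(keyPw);
                }
            }
        }
    }

    // Compare without short-circuiting on the first mismatching character.
    private static boolean constantTimeEquals(String a, String b) {
        if (b == null || a.length() != b.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length(); i++) {
            diff |= a.charAt(i) ^ b.charAt(i);
        }
        return diff == 0;
    }
}
```

Because the handler keys the user lookup on the identifier Rampart passes, the same class serves devUser, adminUser and csr; what still has to change per request is the value that reaches Rampart as the `user`, which is the question the message above leaves open.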
