Hello Nandan,

I would like to first state what I am trying to achieve through the Rampart
module.

Rampart is superb for endpoint authentication, i.e. only an authentic client can
invoke the service. We can use various credentials such as a WssX509V3Token10
token or a UserName token to authenticate a client.

Now there can be many users who might be invoking the service from that
trusted client (say, trusted using a PKI credential).
So I also want to authenticate the actors/users who are invoking the service.

We need to provide the clientKey alias (required for endpoint auth) in the
rampart-user tag in the rampart config.
Now, if I want to use the UserName token for the user (described above), then
how can I pass the userName value?

Let me know if it's still not clear.


On Thu, Sep 16, 2010 at 5:06 PM, Nandana Mihindukulasooriya <
[email protected]> wrote:

> Hi Harshit,
>        I don't understand the relationship between the fact that different
> users have to invoke the service and the rampart-user parameter on the
> server side. It's the identity of the service. Most of the time the
> configuration of both user and userCertAlias is necessary only on the
> client side, because the service doesn't need to create a username token
> for itself.
>        Note that verification of a user-name token is done by the password
> callback handler [1] and you don't need to have those user ids in your
> server side config to validate them. Check the section "Different usages of
> the password callback handler" for more details.
>
> Best Regards,
> Nandana
>
> [1] - http://wso2.org/library/3733
>
>
> On Thu, Sep 16, 2010 at 1:12 PM, Harshit Bapna <[email protected]> wrote:
>
> > Hello Amila & Nandana,
> >
> > I want to authenticate the endpoint as well as the various different users
> > invoking the service.
> >
> > Example: users such as devUser, adminUser and csr can use the same
> > endpoint, say EP1, to send the request.
> > So the username will keep changing as the service is invoked by different
> > actors/users.
> >
> > But the endpoint is the same, so the endpoint's key won't change. A PKI
> > signature is used for its authentication.
> >
> > Hence rampart-user will have to be modified based on the user's username,
> > so the questions in my earlier mail remain unanswered.
> > Please let me know if some other approach or a workaround to do both
> > authentications is possible.
> >
> >
> > On Thu, Sep 16, 2010 at 4:20 PM, Nandana Mihindukulasooriya <
> > [email protected]> wrote:
> >
> > > Hi Harshit,
> > >         If you have a user-name token and a key, you can use the two
> > > parameters user and userCertAlias [1] to provide both of them to the
> > > Rampart Engine.
> > >
> > > Best Regards,
> > > Nandana
> > >
> > > [1] - http://ws.apache.org/rampart/rampartconfig-guide.html
> > >
> > > On Thu, Sep 16, 2010 at 12:27 PM, Harshit Bapna <[email protected]>
> > wrote:
> > >
> > > > Thanks Amila for the elaborate response.
> > > > I have taken sample 04 (SecureConversation) shipped with the rampart 1.5
> > > > release as a base.
> > > > I have added another supporting token, a UserName token, to the policy
> > > > (see the bold data in the xml below).
> > > > *Note: I plan to use rampart for endpoint authentication as well as
> > > > user (actor) authentication.*
> > > >
> > > > But I think I can configure only one rampart user, i.e.
> > > > *<ramp:user>clientKeyName</ramp:user>*.
> > > > Since I need to pass the UserName token, i.e. the userName, as well, I have
> > > > configured a rampart config in the supportingTokens (username) tag. I am
> > > > observing that only the global rampart config is honored,
> > > > i.e. PWCBHandler1 is not getting invoked and only PWCBHandler is
> > > > invoked. *i.e. the UserName token's username value is not passed in the
> > > > callback. The callback is invoked 2 times with the identifier "client".*
> > > >
> > > > Questions:
> > > > 1. How can I set the userName value & keyAliasName both in rampart? Is
> > > > there any workaround?
> > > > 2. Can there be only one rampart config & not a supporting-token-specific
> > > > config?
> > > >
> > > >
> > > > <wsp:Policy wsu:Id="SecConvPolicy2"
> > > >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > > >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> > > >   <wsp:ExactlyOne>
> > > >     <wsp:All>
> > > >       <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >         <wsp:Policy>
> > > >           <sp:ProtectionToken>
> > > >             <wsp:Policy>
> > > >               <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > > >                 <wsp:Policy>
> > > >                   <sp:RequireDerivedKeys/>
> > > >                   <sp:BootstrapPolicy>
> > > >                     <wsp:Policy>
> > > >                       <sp:EncryptedParts>
> > > >                         <sp:Body/>
> > > >                       </sp:EncryptedParts>
> > > >                       <sp:SymmetricBinding>
> > > >                         <wsp:Policy>
> > > >                           <sp:ProtectionToken>
> > > >                             <wsp:Policy>
> > > >                               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> > > >                                 <wsp:Policy>
> > > >                                   <sp:RequireDerivedKeys/>
> > > >                                   <sp:RequireThumbprintReference/>
> > > >                                   <sp:WssX509V3Token10/>
> > > >                                 </wsp:Policy>
> > > >                               </sp:X509Token>
> > > >                             </wsp:Policy>
> > > >                           </sp:ProtectionToken>
> > > >                           <sp:AlgorithmSuite>
> > > >                             <wsp:Policy>
> > > >                               <sp:Basic128Rsa15/>
> > > >                             </wsp:Policy>
> > > >                           </sp:AlgorithmSuite>
> > > >                           <sp:Layout>
> > > >                             <wsp:Policy>
> > > >                               <sp:Strict/>
> > > >                             </wsp:Policy>
> > > >                           </sp:Layout>
> > > >                           <sp:IncludeTimestamp/>
> > > >                           <sp:EncryptSignature/>
> > > >                           <sp:OnlySignEntireHeadersAndBody/>
> > > >                         </wsp:Policy>
> > > >                       </sp:SymmetricBinding>
> > > >                       <sp:EndorsingSupportingTokens>
> > > >                         <wsp:Policy>
> > > >                           <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > > >                             <wsp:Policy>
> > > >                               <sp:RequireThumbprintReference/>
> > > >                               <sp:WssX509V3Token10/>
> > > >                             </wsp:Policy>
> > > >                           </sp:X509Token>
> > > >                         </wsp:Policy>
> > > >                       </sp:EndorsingSupportingTokens>
> > > >                       *<sp:SupportingTokens>
> > > >                         <wsp:Policy>
> > > >                           <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
> > > >                           <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> > > >                             <ramp:user>token2</ramp:user>
> > > >                             <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler1</ramp:passwordCallbackClass>
> > > >                           </ramp:RampartConfig>
> > > >                         </wsp:Policy>
> > > >                       </sp:SupportingTokens>*
> > > >                       <sp:Wss11>
> > > >                         <wsp:Policy>
> > > >                           <sp:MustSupportRefKeyIdentifier/>
> > > >                           <sp:MustSupportRefIssuerSerial/>
> > > >                           <sp:MustSupportRefThumbprint/>
> > > >                           <sp:MustSupportRefEncryptedKey/>
> > > >                           <sp:RequireSignatureConfirmation/>
> > > >                         </wsp:Policy>
> > > >                       </sp:Wss11>
> > > >                       <sp:Trust10>
> > > >                         <wsp:Policy>
> > > >                           <sp:MustSupportIssuedTokens/>
> > > >                           <sp:RequireClientEntropy/>
> > > >                           <sp:RequireServerEntropy/>
> > > >                         </wsp:Policy>
> > > >                       </sp:Trust10>
> > > >                     </wsp:Policy>
> > > >                   </sp:BootstrapPolicy>
> > > >                 </wsp:Policy>
> > > >               </sp:SecureConversationToken>
> > > >             </wsp:Policy>
> > > >           </sp:ProtectionToken>
> > > >           <sp:AlgorithmSuite>
> > > >             <wsp:Policy>
> > > >               <sp:Basic128Rsa15/>
> > > >             </wsp:Policy>
> > > >           </sp:AlgorithmSuite>
> > > >           <sp:Layout>
> > > >             <wsp:Policy>
> > > >               <sp:Strict/>
> > > >             </wsp:Policy>
> > > >           </sp:Layout>
> > > >           <sp:IncludeTimestamp/>
> > > >           <sp:EncryptSignature/>
> > > >           <sp:OnlySignEntireHeadersAndBody/>
> > > >         </wsp:Policy>
> > > >       </sp:SymmetricBinding>
> > > >       <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >         <wsp:Policy>
> > > >           <sp:MustSupportRefKeyIdentifier/>
> > > >           <sp:MustSupportRefIssuerSerial/>
> > > >           <sp:MustSupportRefThumbprint/>
> > > >           <sp:MustSupportRefEncryptedKey/>
> > > >         </wsp:Policy>
> > > >       </sp:Wss11>
> > > >       <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >         <wsp:Policy>
> > > >           <sp:MustSupportIssuedTokens/>
> > > >           <sp:RequireClientEntropy/>
> > > >           <sp:RequireServerEntropy/>
> > > >         </wsp:Policy>
> > > >       </sp:Trust10>
> > > >       <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >         <sp:Body/>
> > > >       </sp:EncryptedParts>
> > > >       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> > > >         <ramp:user>client</ramp:user>
> > > >         <ramp:encryptionUser>service</ramp:encryptionUser>
> > > >         <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler</ramp:passwordCallbackClass>
> > > >         <ramp:signatureCrypto>
> > > >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> > > >           </ramp:crypto>
> > > >         </ramp:signatureCrypto>
> > > >         <ramp:encryptionCypto>
> > > >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> > > >           </ramp:crypto>
> > > >         </ramp:encryptionCypto>
> > > >       </ramp:RampartConfig>
> > > >     </wsp:All>
> > > >   </wsp:ExactlyOne>
> > > > </wsp:Policy>
> > > >
> > > > On Thu, Sep 16, 2010 at 10:30 AM, Amila Jayasekara <[email protected]>
> > > > wrote:
> > > >
> > > > > Hi Harshit,
> > > > >   Some answers are inline.
> > > > > Thanks
> > > > > AmilaJ
> > > > >
> > > > > Harshit Bapna wrote:
> > > > >
> > > > >> Hi All,
> > > > >>
> > > > >> I am thinking of using the RAMPART module for WS-Security.
> > > > >>
> > > > >> Requirement:
> > > > >> To perform endpoint authentication as well as user authentication.
> > > > >>
> > > > >> Client endpoint authentication :- To allow only a configured client
> > > > >> to invoke the web service.
> > > > >> User authentication :- To allow only a specific user/actor to invoke
> > > > >> the service. The reason for this requirement is that the same endpoint
> > > > >> can be used by different types of users (Admin, CSR, normal user).
> > > > >>
> > > > >> I have gone through the various samples 1-8 supplied with the rampart
> > > > >> 1.5 install.
> > > > >>
> > > > >> Question:
> > > > >> 1. Can I combine the userName & WssX509V3Token10 tokens for user and
> > > > >> endpoint auth?
> > > > >>    UserName token - for user authentication
> > > > >>    WssX509V3Token10 - for endpoint PKI credential authentication
> > > > >>
> > > > >>
> > > > >      Yes, you can. In order to get WssX509V3Token10 support you can
> > > > > either use the SymmetricBinding or AsymmetricBinding mechanisms. With
> > > > > one of the above bindings you can use the UserName token as a
> > > > > supporting token.
> > > > >
> > > > >> 2. Also, can the secure conversation benefits be available when the
> > > > >> above two types of tokens are used?
> > > > >>
> > > > >>
> > > > >   As far as I know you should be able to use secure conversation with
> > > > > the above mentioned tokens. Again you can use symmetric binding or
> > > > > asymmetric binding and you should use SecureConversationToken. Thus the
> > > > > user name token should be added as a supporting token.
> > > > >
> > > > >
> > > > >> If you have any better suggestion to handle this requirement please
> > > > >> let me know.
> > > > >>
> > > > >>
> > > > > I guess the way you are heading is ok. In case you need more security
> > > > > you should use SymmetricBinding or AsymmetricBinding. When you use
> > > > > SymmetricBinding or AsymmetricBinding, the keys used to encrypt/sign
> > > > > each message differ from one another. But if you are more concerned
> > > > > about performance you can use Secure Conversation. In secure
> > > > > conversation Rampart uses the same key to encrypt/sign messages for a
> > > > > given period of time.
> > > > >
> > > > >> Harshit Bapna
> > > > >> Team Lead
> > > > >> Arcot Systems
> > > > >>
> > > > >>
> > > > >>
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > -- Harshit Bapna
> > > >
> > >
> >
> >
> >
> > --
> > -- Harshit Bapna
> >
>



-- 
-- Harshit Bapna
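Nandana's point that UsernameTokens are verified in the password callback handler rather than through rampart-user, and Harshit's observation that only the global PWCBHandler runs, both come down to one service-side handler that branches on the callback usage. The class below is an added example written for this thread, not code from the Rampart samples; the key alias "service", the user list and the passwords are constructed assumptions, and the usage constants are those of WSS4J 1.5, which Rampart 1.5 ships with.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Service-side callback for Rampart 1.5 / WSS4J 1.5: one handler serves the
// service's own key (the <ramp:user> alias) and verifies UsernameTokens for
// any caller; the callers never appear in the rampart config.
public class ServicePWCBHandler implements CallbackHandler {
    // Constructed sample credentials (alias and passwords are assumptions);
    // a deployment would consult a user store instead.
    private static final String SERVICE_KEY_ALIAS = "service";
    private static final String SERVICE_KEY_PASSWORD = "apache";
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("devUser", "dev-secret");
        USERS.put("adminUser", "admin-secret");
        USERS.put("csr", "csr-secret");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is handled");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            String id = pwcb.getIdentifer(); // WSS4J 1.5 spelling; 1.6+ adds getIdentifier()
            switch (pwcb.getUsage()) {
            case WSPasswordCallback.DECRYPT:
            case WSPasswordCallback.SIGNATURE:
                // Password of the service's own private key in the keystore.
                if (SERVICE_KEY_ALIAS.equals(id)) pwcb.setPassword(SERVICE_KEY_PASSWORD);
                break;
            case WSPasswordCallback.USERNAME_TOKEN:
                // Digest token: supply the stored password and WSS4J recomputes the
                // digest; an unknown user gets no password and the token is rejected.
                if (USERS.containsKey(id)) pwcb.setPassword(USERS.get(id));
                break;
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                // Plaintext token: the handler compares itself and rejects by throwing.
                String expected = USERS.get(id);
                if (expected == null || !expected.equals(pwcb.getPassword())) {
                    throw new UnsupportedCallbackException(cb, "bad credentials for " + id);
                }
                break;
            default:
                throw new UnsupportedCallbackException(cb, "unexpected usage " + pwcb.getUsage());
            }
        }
    }
}
```

For the digest form of the UsernameToken the handler must hand WSS4J the cleartext password, so the service has to hold recoverable passwords; with the plaintext form, carried inside the encrypting binding, the handler can compare against a stored hash instead.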
