Hi Harshit,
In that case, the best solution for you is to set the rampart
configuration dynamically at runtime [1].
Best Regards,
Nandana
[1] - http://blog.thilinamb.com/2009/12/how-to-build-rampart-config.html
On Thu, Sep 16, 2010 at 2:00 PM, Harshit Bapna <[email protected]> wrote:
> Hello Nandan,
>
> I would like to first state what I am trying to achieve through the Rampart
> module.
>
> Rampart is superb for endpoint authentication, i.e. only an authentic client can
> invoke the service. We can use various credentials such as a WssX509V3Token10
> token or a UserName token to authenticate a client.
>
> Now there can be many users who might be invoking the service from that
> trusted client (say trusted using a PKI credential).
> So I want to also authenticate the actors/users who are invoking the
> service.
>
> We need to provide the clientKey alias (required for endpoint auth) in the
> rampart-user tag in the rampart config.
> Now if I want to use the UserName token for the user (described above), then
> how can I pass the userName value?
>
> Let me know if it's still not clear.
>
>
> On Thu, Sep 16, 2010 at 5:06 PM, Nandana Mihindukulasooriya <
> [email protected]> wrote:
>
> > Hi Harshit,
> > I don't understand the relationship between the fact that different
> > users have to invoke the service and the rampart-user parameter on the
> > server side. It's the identity of the service. Most of the time the
> > configuration of both user and userCertAlias is necessary only on the
> > client side, because the service doesn't need to create a username token
> > for itself.
> > Note that verification of a user-name token is done by the password
> > callback handler [1], and you don't need to have those user ids in your
> > server side config to validate them. Check the section "Different usages of
> > the password callback handler" for more details.
> >
> > Best Regards,
> > Nandana
> >
> > [1] - http://wso2.org/library/3733
> >
> >
> > On Thu, Sep 16, 2010 at 1:12 PM, Harshit Bapna <[email protected]>
> > wrote:
> >
> > > Hello Amila & Nandana,
> > >
> > > I want to authenticate the endpoint as well as the various different users
> > > invoking the service.
> > >
> > > Example: users such as devUser, adminUser and csr can use the same
> > > endpoint, say EP1, to send the request.
> > > So the username will keep changing as the service is invoked by different
> > > actors/users.
> > >
> > > But the endpoint is the same, so the endpoint's key won't change. A PKI
> > > signature is used for its authentication.
> > >
> > > Hence rampart-user will have to be modified based on the user's username, so
> > > the questions in my earlier mail remain unanswered.
> > > Please let me know if some other approach or a workaround to do both
> > > authentications is possible.
> > >
> > >
> > > On Thu, Sep 16, 2010 at 4:20 PM, Nandana Mihindukulasooriya <
> > > [email protected]> wrote:
> > >
> > > > Hi Harshit,
> > > > If you have a user-name token and a key, you can use the two
> > > > parameters user and userCertAlias [1] to provide both of them to the
> > > > Rampart Engine.
> > > >
> > > > Best Regards,
> > > > Nandana
> > > >
> > > > [1] - http://ws.apache.org/rampart/rampartconfig-guide.html
> > > >
> > > > On Thu, Sep 16, 2010 at 12:27 PM, Harshit Bapna <[email protected]>
> > > > wrote:
> > > >
> > > > > Thanks Amila for the elaborate response.
> > > > > I have taken sample 04 (SecureConversation) shipped with the rampart 1.5
> > > > > release as a base.
> > > > > I have added another supporting token, a UserName token, to the policy
> > > > > (see the bold data in the xml below).
> > > > > *Note: I plan to use rampart for endpoint authentication as well as
> > > > > user (actor) authentication.*
> > > > >
> > > > > But I think I can configure only one rampart user, i.e.
> > > > > *<ramp:user>clientKeyName</ramp:user>*.
> > > > > Since I need to pass the UserName token, i.e. the userName, as well, I
> > > > > have configured a rampart config in the supportingTokens (username) tag.
> > > > > I am observing that only the global rampart config is honored,
> > > > > i.e. PWCBHandler1 is not getting invoked and only PWCBHandler is
> > > > > invoked, *i.e. the UserName token's username value is not passed in the
> > > > > callback. The callback is invoked 2 times with the identifier "client".*
> > > > >
> > > > > Questions:
> > > > > 1. How can I set both the userName value & keyAliasName in rampart? Is
> > > > > there any workaround?
> > > > > 2. Can there be only one rampart config & not a supporting-token-specific
> > > > > config?
> > > > >
> > > > >
> > > > >
> > > > > <wsp:Policy wsu:Id="SecConvPolicy2"
> > > > >   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > > > >   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> > > > >   <wsp:ExactlyOne>
> > > > >     <wsp:All>
> > > > >       <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > > >         <wsp:Policy>
> > > > >           <sp:ProtectionToken>
> > > > >             <wsp:Policy>
> > > > >               <sp:SecureConversationToken
> > > > >                   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > > > >                 <wsp:Policy>
> > > > >                   <sp:RequireDerivedKeys/>
> > > > >                   <sp:BootstrapPolicy>
> > > > >                     <wsp:Policy>
> > > > >                       <sp:EncryptedParts>
> > > > >                         <sp:Body/>
> > > > >                       </sp:EncryptedParts>
> > > > >                       <sp:SymmetricBinding>
> > > > >                         <wsp:Policy>
> > > > >                           <sp:ProtectionToken>
> > > > >                             <wsp:Policy>
> > > > >                               <sp:X509Token
> > > > >                                   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> > > > >                                 <wsp:Policy>
> > > > >                                   <sp:RequireDerivedKeys/>
> > > > >                                   <sp:RequireThumbprintReference/>
> > > > >                                   <sp:WssX509V3Token10/>
> > > > >                                 </wsp:Policy>
> > > > >                               </sp:X509Token>
> > > > >                             </wsp:Policy>
> > > > >                           </sp:ProtectionToken>
> > > > >                           <sp:AlgorithmSuite>
> > > > >                             <wsp:Policy>
> > > > >                               <sp:Basic128Rsa15/>
> > > > >                             </wsp:Policy>
> > > > >                           </sp:AlgorithmSuite>
> > > > >                           <sp:Layout>
> > > > >                             <wsp:Policy>
> > > > >                               <sp:Strict/>
> > > > >                             </wsp:Policy>
> > > > >                           </sp:Layout>
> > > > >                           <sp:IncludeTimestamp/>
> > > > >                           <sp:EncryptSignature/>
> > > > >                           <sp:OnlySignEntireHeadersAndBody/>
> > > > >                         </wsp:Policy>
> > > > >                       </sp:SymmetricBinding>
> > > > >                       <sp:EndorsingSupportingTokens>
> > > > >                         <wsp:Policy>
> > > > >                           <sp:X509Token
> > > > >                               sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > > > >                             <wsp:Policy>
> > > > >                               <sp:RequireThumbprintReference/>
> > > > >                               <sp:WssX509V3Token10/>
> > > > >                             </wsp:Policy>
> > > > >                           </sp:X509Token>
> > > > >                         </wsp:Policy>
> > > > >                       </sp:EndorsingSupportingTokens>
> > > > >                       *<sp:SupportingTokens>
> > > > >                         <wsp:Policy>
> > > > >                           <sp:UsernameToken
> > > > >                               sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
> > > > >                           <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> > > > >                             <ramp:user>token2</ramp:user>
> > > > >                             <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler1</ramp:passwordCallbackClass>
> > > > >                           </ramp:RampartConfig>
> > > > >                         </wsp:Policy>
> > > > >                       </sp:SupportingTokens>*
> > > > >                       <sp:Wss11>
> > > > >                         <wsp:Policy>
> > > > >                           <sp:MustSupportRefKeyIdentifier/>
> > > > >                           <sp:MustSupportRefIssuerSerial/>
> > > > >                           <sp:MustSupportRefThumbprint/>
> > > > >                           <sp:MustSupportRefEncryptedKey/>
> > > > >                           <sp:RequireSignatureConfirmation/>
> > > > >                         </wsp:Policy>
> > > > >                       </sp:Wss11>
> > > > >                       <sp:Trust10>
> > > > >                         <wsp:Policy>
> > > > >                           <sp:MustSupportIssuedTokens/>
> > > > >                           <sp:RequireClientEntropy/>
> > > > >                           <sp:RequireServerEntropy/>
> > > > >                         </wsp:Policy>
> > > > >                       </sp:Trust10>
> > > > >                     </wsp:Policy>
> > > > >                   </sp:BootstrapPolicy>
> > > > >                 </wsp:Policy>
> > > > >               </sp:SecureConversationToken>
> > > > >             </wsp:Policy>
> > > > >           </sp:ProtectionToken>
> > > > >           <sp:AlgorithmSuite>
> > > > >             <wsp:Policy>
> > > > >               <sp:Basic128Rsa15/>
> > > > >             </wsp:Policy>
> > > > >           </sp:AlgorithmSuite>
> > > > >           <sp:Layout>
> > > > >             <wsp:Policy>
> > > > >               <sp:Strict/>
> > > > >             </wsp:Policy>
> > > > >           </sp:Layout>
> > > > >           <sp:IncludeTimestamp/>
> > > > >           <sp:EncryptSignature/>
> > > > >           <sp:OnlySignEntireHeadersAndBody/>
> > > > >         </wsp:Policy>
> > > > >       </sp:SymmetricBinding>
> > > > >       <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > > >         <wsp:Policy>
> > > > >           <sp:MustSupportRefKeyIdentifier/>
> > > > >           <sp:MustSupportRefIssuerSerial/>
> > > > >           <sp:MustSupportRefThumbprint/>
> > > > >           <sp:MustSupportRefEncryptedKey/>
> > > > >         </wsp:Policy>
> > > > >       </sp:Wss11>
> > > > >       <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > > >         <wsp:Policy>
> > > > >           <sp:MustSupportIssuedTokens/>
> > > > >           <sp:RequireClientEntropy/>
> > > > >           <sp:RequireServerEntropy/>
> > > > >         </wsp:Policy>
> > > > >       </sp:Trust10>
> > > > >       <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > > >         <sp:Body/>
> > > > >       </sp:EncryptedParts>
> > > > >       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> > > > >         <ramp:user>client</ramp:user>
> > > > >         <ramp:encryptionUser>service</ramp:encryptionUser>
> > > > >         <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04ex.PWCBHandler</ramp:passwordCallbackClass>
> > > > >         <ramp:signatureCrypto>
> > > > >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> > > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> > > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> > > > >           </ramp:crypto>
> > > > >         </ramp:signatureCrypto>
> > > > >         <ramp:encryptionCypto>
> > > > >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> > > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> > > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> > > > >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> > > > >           </ramp:crypto>
> > > > >         </ramp:encryptionCypto>
> > > > >       </ramp:RampartConfig>
> > > > >     </wsp:All>
> > > > >   </wsp:ExactlyOne>
> > > > > </wsp:Policy>
> > > > >
> > > > > On Thu, Sep 16, 2010 at 10:30 AM, Amila Jayasekara <[email protected]>
> > > > > wrote:
> > > > >
> > > > > > Hi Harshit,
> > > > > > Some answers are inline.
> > > > > > Thanks
> > > > > > AmilaJ
> > > > > >
> > > > > > Harshit Bapna wrote:
> > > > > >
> > > > > >> Hi All,
> > > > > >>
> > > > > >> I am thinking of using the RAMPART module for ws security.
> > > > > >>
> > > > > >> Requirement:
> > > > > >> To perform endpoint authentication as well as user authentication.
> > > > > >>
> > > > > >> Client endpoint authentication :- To allow only a configured client to
> > > > > >> invoke the web service.
> > > > > >> User authentication :- To allow only a specific user/actor to invoke the
> > > > > >> service. The reason for this requirement is that the same endpoint can be
> > > > > >> used by different types of users (Admin, CSR, normal user).
> > > > > >>
> > > > > >> I have gone through the various samples 1-8 supplied with the rampart 1.5
> > > > > >> install.
> > > > > >>
> > > > > >> Question:
> > > > > >> 1. Can I combine the UserName & WssX509V3Token10 tokens for user and
> > > > > >> endpoint auth?
> > > > > >> UserName token - for user authentication
> > > > > >> WssX509V3Token10 - for endpoint PKI credential authentication
> > > > > >>
> > > > > >>
> > > > > > Yes, you can. In order to get WssX509V3Token10 support you can either
> > > > > > use the SymmetricBinding or AsymmetricBinding mechanisms. With one of the
> > > > > > above bindings you can use the UserName token as a supporting token.
> > > > > >
> > > > > >> 2. Also, can the secure conversation benefits be available when the above
> > > > > >> two types of tokens are used?
> > > > > >>
> > > > > >>
> > > > > > As far as I know you should be able to use secure conversation with the
> > > > > > above mentioned tokens. Again you can use symmetric binding or asymmetric
> > > > > > binding, and you should use SecureConversationToken. Thus the user name
> > > > > > token should be added as a supporting token.
> > > > > >
> > > > > >
> > > > > >> If you have any better suggestion to handle this requirement please let
> > > > > >> me know.
> > > > > >>
> > > > > >>
> > > > > > I guess the way you are heading is ok. In case you need more security
> > > > > > you should use SymmetricBinding or AsymmetricBinding. When you use
> > > > > > SymmetricBinding or AsymmetricBinding, the keys used to encrypt/sign each
> > > > > > message differ from one another. But if you are more concerned about
> > > > > > performance you can use Secure conversation. In secure conversation Rampart
> > > > > > uses the same key to encrypt/sign messages for a given period of time.
> > > > > >
> > > > > >> Harshit Bapna
> > > > > >> Team Lead
> > > > > >> Arcot Systems
> > > > > >>
> > > > > >>
> > > > > >>
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > -- Harshit Bapna
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > -- Harshit Bapna
> > >
> >
>
>
>
> --
> -- Harshit Bapna
>
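The two answers in this thread fit together: the service verifies whichever user sent the UsernameToken inside its password callback handler (no per-user entries in the service policy), and the client sets `user` to the caller's name and `userCertAlias` to the endpoint's key alias by building the RampartConfig at runtime instead of hard-coding `<ramp:user>`. The Java below is an added example written for this page; it is not code from the thread, from the Rampart samples or from the linked blog. It assumes the Rampart 1.5 / WSS4J 1.5 API as the thread describes it (`RampartConfig`, `CryptoConfig`, `RampartMessageData.KEY_RAMPART_POLICY`, `WSPasswordCallback.getIdentifer()` with its historical spelling) and that `userCertAlias` selects the signing key as the rampartconfig guide says; the package and class names, the credential map and the `dev-secret`-style passwords are constructed placeholders, while the `client`/`service` aliases, `client.jks` and `apache` are the sample04 values already in the thread.

```java
package example.rampart; // constructed package name for this added example

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.axis2.client.ServiceClient;
import org.apache.neethi.Policy;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.model.CryptoConfig;
import org.apache.rampart.policy.model.RampartConfig;
import org.apache.ws.security.WSPasswordCallback;

public class PerUserRampartExample {

    /**
     * Password callback handler. On the service it verifies whichever user sent the
     * UsernameToken; on either side it supplies the private-key password for the
     * endpoint's keystore alias. User passwords and key passwords are kept in separate
     * maps so that a username equal to a key alias can never obtain a key password.
     */
    public static class PerUserPWCBHandler implements CallbackHandler {

        // Constructed credential store for this example. A real service would consult
        // a user store; WSS4J needs the cleartext password to verify a PasswordDigest
        // token, so protect that store accordingly (e.g. encrypted at rest).
        private static final Map<String, String> USER_PASSWORDS = new HashMap<String, String>();
        private static final Map<String, String> KEY_PASSWORDS = new HashMap<String, String>();
        static {
            USER_PASSWORDS.put("devUser", "dev-secret");     // constructed
            USER_PASSWORDS.put("adminUser", "admin-secret"); // constructed
            USER_PASSWORDS.put("csr", "csr-secret");         // constructed
            KEY_PASSWORDS.put("client", "apache");           // sample04 keystore aliases
            KEY_PASSWORDS.put("service", "apache");
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (!(callbacks[i] instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(callbacks[i], "Unrecognized callback");
                }
                WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
                String id = pwcb.getIdentifer(); // WSS4J 1.5.x spelling, as in the Rampart samples
                switch (pwcb.getUsage()) {
                    case WSPasswordCallback.USERNAME_TOKEN: {
                        // Client: the password to put into the token. Service with
                        // PasswordDigest: hand WSS4J the stored password; it recomputes
                        // and compares the digest itself.
                        requirePassword(pwcb, USER_PASSWORDS.get(id));
                        break;
                    }
                    case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN: {
                        // Service with PasswordText: WSS4J passes the received password
                        // and leaves the comparison to us; reject anything that differs.
                        String expected = USER_PASSWORDS.get(id);
                        if (expected == null || !expected.equals(pwcb.getPassword())) {
                            throw new UnsupportedCallbackException(pwcb, "Authentication failed for " + id);
                        }
                        break;
                    }
                    case WSPasswordCallback.SIGNATURE:
                    case WSPasswordCallback.DECRYPT: {
                        // Here the identifier is a keystore alias ("client"/"service"), not a user.
                        requirePassword(pwcb, KEY_PASSWORDS.get(id));
                        break;
                    }
                    default:
                        throw new UnsupportedCallbackException(pwcb, "Unsupported usage " + pwcb.getUsage());
                }
            }
        }

        private static void requirePassword(WSPasswordCallback pwcb, String password)
                throws UnsupportedCallbackException {
            if (password == null) { // unknown user or alias: fail closed instead of returning silently
                throw new UnsupportedCallbackException(pwcb, "Unknown identifier " + pwcb.getIdentifer());
            }
            pwcb.setPassword(password);
        }
    }

    /** Client side: build the RampartConfig for the current caller and add it to the policy. */
    public static Policy attachRuntimeRampartConfig(Policy securityPolicy, String callerUsername,
                                                    String endpointKeyAlias) {
        RampartConfig rc = new RampartConfig();
        rc.setUser(callerUsername);            // varies per actor: devUser, adminUser, csr
        rc.setUserCertAlias(endpointKeyAlias); // fixed: the endpoint's PKI credential (assumed semantics)
        rc.setEncryptionUser("service");
        rc.setPwCbClass(PerUserPWCBHandler.class.getName());

        CryptoConfig crypto = new CryptoConfig();
        crypto.setProvider("org.apache.ws.security.components.crypto.Merlin");
        Properties props = new Properties();
        props.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
        props.setProperty("org.apache.ws.security.crypto.merlin.file", "client.jks");
        props.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", "apache");
        crypto.setProp(props);
        rc.setSigCryptoConfig(crypto);
        rc.setEncrCryptoConfig(crypto);

        securityPolicy.addAssertion(rc); // the policy file itself carries no <ramp:RampartConfig>
        return securityPolicy;
    }

    /** Wire the per-caller policy into an Axis2 client before invoking the service. */
    public static void configureClient(ServiceClient client, Policy securityPolicy,
                                       String callerUsername) throws Exception {
        client.engageModule("rampart");
        client.getOptions().setProperty(RampartMessageData.KEY_RAMPART_POLICY,
                attachRuntimeRampartConfig(securityPolicy, callerUsername, "client"));
    }
}
```

On the service side the same handler class is named in the service policy's `<ramp:passwordCallbackClass>`; because verification happens in the handler, adding or removing an actor is a change to the credential store, not to the policy. On the client, call `configureClient` with a policy loaded from a file that contains the binding and supporting-token assertions only, once per caller identity; the key alias stays fixed while only `user` changes between devUser, adminUser and csr.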