RE: Axis2 commons-httpclient 3.1 dependencies
There was recent discussion on HTTP client on the axis2 dev list. I suggest you ask there.

George

From: Jeudy, Guillaume [mailto:gje...@teksystems.com]
Sent: Wednesday, April 15, 2009 7:57 AM
To: axis-user@ws.apache.org
Subject: Axis2 commons-httpclient 3.1 dependencies

Hi,

I'm considering upgrading axis2 to use the new httpclient 4.0 in conjunction with jcifs library in order to support HTTP NTLMv2 connections. I need feedback from axis2 contributors/developers. Please confirm what steps I should take to achieve that.

1. Implement a new TransportSender using httpclient 4.0. I'm hoping I can base my code on the existing CommonsHTTPTransportSender and port it to use httpclient 4.0.
2. Modify axis2.xml to use my new TransportSender.

Can anyone tell me if there are any hidden runtime dependencies I should be aware of? Based on the axis2 source code analysis I made, it seems like httpclient 3.1 is only used in CommonsHTTPTransportSender class and that class can be completely ignored at runtime if axis2.xml is not configured to use it; please correct me if I'm wrong.

Thank you!
-Guillaume Jeudy

This electronic mail (including any attachments) may contain information that is privileged, confidential, and/or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic email or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited. If you have received this message in error, please notify us immediately by reply email so that we may correct our internal records. Please then delete the original message (including any attachments) in its entirety. Thank you.
RE: Axis2c Support for WS-* Protocols
WS-Security Policy was lacking the support for alternative policies (i.e., accept username token OR saml token) last time I checked, so unless this has been fixed, "fully" is not the right word here for at least this standard.

-----Original Message-----
From: Manjula Peiris [mailto:manj...@wso2.com]
Sent: Monday, February 02, 2009 9:28 PM
To: jayant_we...@yahoo.com
Cc: axis-c-user@ws.apache.org
Subject: Re: Axis2c Support for WS-* Protocols

WS-Security (Rampart/C), WS-Security Policy, WS-UsernameToken, WS-Addressing are fully supported. In addition, WS-Reliable Messaging (Sandesha2/C) and WS-Eventing (Savan/C) specs are fully supported by Axis2/C.

Thanks,
-Manjula.

On Mon, 2009-02-02 at 02:42 -0800, jayant wete wrote:

Hi,

I am implementing a web service application using axis2c. The main requirement is that the implementation has to be according to the WS-* protocols. The following protocols are mandatory. Please let me know if axis2c supports these protocols and, if not, whether there are any plans or any development going on to support them.

WS protocols required to be supported are:

a) WS-Security Framework
b) WS-Discovery
c) WS-Addressing
d) WS-Security Policy
e) WS-Base Notification
f) WS-Topics
g) WS-UsernameToken

Thanks in advance...
Jayant

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Rampart, Addressing mustUnderstand
Hi,

I have observed the following behavior with Axis2 1.3 and corresponding Rampart and Addressing modules engaged. When a response message [1] is received that contains some WSA headers with @mustUnderstand=1, Axis2 throws an AxisFault [2] even though they have been processed by the Addressing module. I dug in the code and discovered that this is caused by Rampart - with useDoom=false, all the processed members are reset to false when the envelope is converted back to Axiom by

WSDoAllReceiver.java, line 237, Rampart 1.3

    msgContext.setEnvelope(Axis2Util.getSOAPEnvelopeFromDOMDocument(doc, useDoom));

Setting WSSHandlerConstants.USE_DOOM property to true fixes the problem; however, it is not enabled by default. So here are my questions:

1. Is this really a problem or am I doing something incorrectly?
2. Why is DOOM not enabled by default?
3. Is there a way to make it enabled by default, besides setting it up on the MessageContext?
4. Is there another workaround?
5. If indeed it's a problem, is there already a JIRA about it and is it fixed in Axis2 1.4/Rampart 1.4?

Thanks in advance,
George

[1]

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Header>
        <ns1:Action soapenv:mustUnderstand="1" xmlns:ns1="http://www.w3.org/2005/08/addressing">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</ns1:Action>
        <ns2:RelatesTo soapenv:mustUnderstand="0" xmlns:ns2="http://www.w3.org/2005/08/addressing">urn:uuid:BC22575115F9F468281212509302599</ns2:RelatesTo>
        <ns3:MessageID soapenv:mustUnderstand="0" xmlns:ns3="http://www.w3.org/2005/08/addressing">urn:uuid:F59568DC50C64D873A1212509303095</ns3:MessageID>
        <ns4:To soapenv:mustUnderstand="1" xmlns:ns4="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</ns4:To>
        <ns5:Security soapenv:mustUnderstand="1" xmlns:ns5="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <ns6:Timestamp xmlns:ns6="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <ns6:Created>2008-06-03T16:08:23Z</ns6:Created>
            <ns6:Expires>2008-06-10T16:08:23Z</ns6:Expires>
          </ns6:Timestamp>
        </ns5:Security>
      </soapenv:Header>
      <soapenv:Body> {...} </soapenv:Body>
    </soapenv:Envelope>

[2]

    Caused by: org.apache.axis2.AxisFault: Must Understand check failed for header http://www.w3.org/2005/08/addressing : Action
        at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:86)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:135)
        at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:336)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)

Best Regards,
George

George Stanchev
Sr. Software Developer
Serena Software, Inc
(801) 299-9634
[EMAIL PROTECTED]
www.serena.com

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: SAML and XCAML
Try latest openSAML (2.x) release from Internet2, they have added XCAML support. It is not working with Axis2 though, so you'll have some work to do.

Best Regards,
George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 17, 2008 4:32 AM
To: axis-user@ws.apache.org
Subject: SAML and XCAML

Hi!

Is there any useful option to use Policy and authorization management in Axis? I was googling but I could not find anything that looks relevant!

Regards,

Pere Urbón-Bayes
[EMAIL PROTECTED]
I+D Engineer
Tel: +34932279206
Hospital Clínic i Provincial de Barcelona (htpp://www.csc.es)
Barcelona - Catalonia
Spain
RE: Example policy file needed
Hi Ruchith,

While I agree that the client needs to have a way of picking the alternative, server side enablement is more pressing. In most cases I've encountered, the authn alternatives are expressed via out-of-band means - docs, mutual agreement, etc. I'd love to see WS-MEX or some kind of policy exchange in rampart but right now the pressing issue (for us and apparently to others) is to enable the service to receive alternative authn materials.

Best Regards,
George

-----Original Message-----
From: Ruchith Fernando [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 06, 2008 10:05 PM
To: axis-user@ws.apache.org
Subject: Re: Example policy file needed

IMHO we have to improve both Axis2 and Rampart if we are to support policy alternatives.

A service can express a set of alternatives that it can handle and right now we should be able to fix Rampart to support this. However at the client side we should have some way of picking the alternative. At this point we have to decide how Axis2 client API has to behave.

Thoughts?

Thanks,
Ruchith

On Wed, Mar 5, 2008 at 8:31 PM, George Stanchev [EMAIL PROTECTED] wrote:

Hi Nandana,

Is that Neethi or Rampart shortcoming? I also am in need of alternative policy support for the same two token types as in Simon's message. Do you need a JIRA?

Best Regards,
George

-----Original Message-----
From: Nandana Mihindukulasooriya [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 05, 2008 1:31 AM
To: axis-user@ws.apache.org
Subject: Re: Example policy file needed

Hi Simon,

Currently Apache Rampart doesn't support alternative security policies for an endpoint. Current workaround is having two separate EPRs with the alternative policies. Would that suit your scenario? If not you can try to convince the Rampart community to support alternative security policies starting a thread in the Rampart dev list.

thanks,
/nandana

On Tue, Mar 4, 2008 at 10:58 PM, Glenn Dougherty [EMAIL PROTECTED] wrote:

Nandana, et al,

We are looking for a combined ws-policy example that supports both Username Token and SAML assertions. Meaning, we need to provide a service that supports the caller passing either a username token or a SAML assertion. Does anyone have an example that shows these two options within one ws-policy file? We have not been successful in configuring the Axis2 1.3 stack for this effort.

Regards,
Glenn

-----Original Message-----
From: Nandana Mihindukulasooriya [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 21, 2008 3:27 AM
To: axis-user@ws.apache.org
Subject: Re: Example policy file needed

Hi Simon,

Please take a look at the samples that come with the Apache Rampart distribution. They contain policies that define

Sample 01 - Username Token authentication
Sample 05 - SAML token

thanks,
nandana

[1] - https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-samples/policy/sample01/
[2] - https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-samples/policy/sample02/

On Thu, Feb 21, 2008 at 12:36 AM, Simon Nunn [EMAIL PROTECTED] wrote:

I am trying to use ws-policy for my webservice. I would like for the service to receive either a saml assertion or a username token for authentication. I have been unsuccessful in getting a ws-policy configured for this. Does anyone have an example of a policy file that does this?

Thanks,
Simon

--
Nandana Mihindukulasooriya
Software Engineer
WSO2 inc.
http://nandana83.blogspot.com/
http://nandanasm.wordpress.com/
RE: Example policy file needed
Hi Nandana,

Is that Neethi or Rampart shortcoming? I also am in need of alternative policy support for the same two token types as in Simon's message. Do you need a JIRA?

Best Regards,
George

-----Original Message-----
From: Nandana Mihindukulasooriya [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 05, 2008 1:31 AM
To: axis-user@ws.apache.org
Subject: Re: Example policy file needed

Hi Simon,

Currently Apache Rampart doesn't support alternative security policies for an endpoint. Current workaround is having two separate EPRs with the alternative policies. Would that suit your scenario? If not you can try to convince the Rampart community to support alternative security policies starting a thread in the Rampart dev list.

thanks,
/nandana

On Tue, Mar 4, 2008 at 10:58 PM, Glenn Dougherty [EMAIL PROTECTED] wrote:

Nandana, et al,

We are looking for a combined ws-policy example that supports both Username Token and SAML assertions. Meaning, we need to provide a service that supports the caller passing either a username token or a SAML assertion. Does anyone have an example that shows these two options within one ws-policy file? We have not been successful in configuring the Axis2 1.3 stack for this effort.

Regards,
Glenn

-----Original Message-----
From: Nandana Mihindukulasooriya [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 21, 2008 3:27 AM
To: axis-user@ws.apache.org
Subject: Re: Example policy file needed

Hi Simon,

Please take a look at the samples that come with the Apache Rampart distribution. They contain policies that define

Sample 01 - Username Token authentication
Sample 05 - SAML token

thanks,
nandana

[1] - https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-samples/policy/sample01/
[2] - https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-samples/policy/sample02/

On Thu, Feb 21, 2008 at 12:36 AM, Simon Nunn [EMAIL PROTECTED] wrote:

I am trying to use ws-policy for my webservice. I would like for the service to receive either a saml assertion or a username token for authentication. I have been unsuccessful in getting a ws-policy configured for this. Does anyone have an example of a policy file that does this?

Thanks,
Simon

--
Nandana Mihindukulasooriya
Software Engineer
WSO2 inc.
http://nandana83.blogspot.com/
http://nandanasm.wordpress.com/
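
The "username token OR SAML token" acceptance this thread asks for, sketched as an added example (not code from Rampart, Neethi or any poster): a stand-alone Python model that reads a WS-Policy with two alternatives under wsp:ExactlyOne and reports which one an incoming Security header matches. The policy, the envelopes and all function names are constructed for illustration, and only token presence is checked, not token validity.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

# Policy token assertion -> element that carries that token in wsse:Security.
TOKEN_ELEMENT = {
    f"{{{SP}}}UsernameToken": f"{{{WSSE}}}UsernameToken",
    f"{{{SP}}}SamlToken": f"{{{SAML}}}Assertion",
}

# Constructed policy: one endpoint, two alternatives (username token OR SAML).
POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens><wsp:Policy>
        <sp:UsernameToken/>
      </wsp:Policy></sp:SupportingTokens>
    </wsp:All>
    <wsp:All>
      <sp:SupportingTokens><wsp:Policy>
        <sp:SamlToken/>
      </wsp:Policy></sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""

# Constructed token fragments; prefixes are declared by envelope() below.
USERNAME = ("<wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
            "</wsse:UsernameToken>")
ASSERTION = '<saml:Assertion MajorVersion="1" MinorVersion="1"/>'


def envelope(*tokens):
    """Build a constructed SOAP envelope whose Security header holds `tokens`."""
    return (f'<s:Envelope xmlns:s="{SOAP}"><s:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:saml="{SAML}">'
            + "".join(tokens) +
            '</wsse:Security></s:Header><s:Body/></s:Envelope>')


def policy_alternatives(policy_xml):
    """Return one frozenset of required token elements per wsp:All alternative."""
    # Sample input is constructed; parse untrusted XML with a hardened parser.
    root = ET.fromstring(policy_xml)
    exactly_one = root.find(f"{{{WSP}}}ExactlyOne")
    if exactly_one is None:
        raise ValueError("policy is not in ExactlyOne/All form")
    alternatives = []
    for alt in exactly_one.findall(f"{{{WSP}}}All"):
        required = frozenset(
            TOKEN_ELEMENT[el.tag] for el in alt.iter() if el.tag in TOKEN_ELEMENT
        )
        alternatives.append(required)
    return alternatives


def presented_tokens(envelope_xml):
    """Return the known token elements found directly under wsse:Security."""
    root = ET.fromstring(envelope_xml)
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is None:
        return frozenset()
    known = set(TOKEN_ELEMENT.values())
    return frozenset(child.tag for child in security if child.tag in known)


def select_alternative(policy_xml, envelope_xml):
    """Index of the single alternative the message matches, else None.

    Design choice of this sketch: an alternative matches only when the
    presented token set equals its required set, so a message carrying both
    tokens, or neither, is rejected rather than guessed at.
    """
    presented = presented_tokens(envelope_xml)
    matches = [i for i, required in enumerate(policy_alternatives(policy_xml))
               if required and required == presented]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    for label, msg in [("username", envelope(USERNAME)),
                       ("saml", envelope(ASSERTION)),
                       ("both", envelope(USERNAME, ASSERTION)),
                       ("none", envelope())]:
        print(label, "->", select_alternative(POLICY, msg))
```

A real handler would go on to validate the selected token (password check, assertion signature and conditions) before treating the caller as authenticated.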
RE: [Axis2] Manually parse SAML token
Look at the opensaml library: 1.1 can do SAML 1.0/1.1; opensaml 2 can do all SAML specs.

-----Original Message-----
From: Lasse Tyrihjell [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 19, 2008 5:38 AM
To: axis-user@ws.apache.org
Subject: [Axis2] Manually parse SAML token

Hi!

I am using an external SOAP web service that uses a nearly WS* compliant version of the SAML token implementation - i.e. Rampart deployed as an Axis2 module is not an option.

Are there any helper classes/java-api's available that can help me parse/decrypt the SAML token?

br
-LT
RE: [axis2] [IMPORTANT] JDK 1.4 compatibility - feedback requested
Hi Glen,

As a committer on another open source project that uses axis2 as a dependency, I second the vote to keep 1.4 compatibility. A lot of older, bigger organizations keep older JVMs for the reasons already stated by others. If you switch axis2 1.4 and above to JVM 1.5, you will lose a lot of adopters, especially in the bigger enterprises which will be forced to stick to older releases for JVM compatibility issues. Give it another year and ask the same question again :-)

Best Regards,
George

-----Original Message-----
From: Glen Daniels [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 14, 2007 10:26 PM
To: Axis-Dev; axis-user@ws.apache.org
Subject: [axis2] [IMPORTANT] JDK 1.4 compatibility - feedback requested
Importance: High

Hi Axis2 developers and users!

There has been a bunch of discussion lately revolving around the question of JDK1.4 compatibility. It has been suggested that Axis2 move to JDK 1.5, in order to gain the benefits of things like generics, built-in concurrency (no backport lib), and annotations. Some folks feel that there are enough people out there still in a 1.4 environment that we should hold off, and others think we should bite the bullet and move to 1.5.

HERE'S YOUR CHANCE TO PROVIDE VALUABLE INPUT!

Are you using, or planning to use, Axis2 in an environment that is locked to JDK 1.4? If so, please let us know by responding to this thread and telling us (if you can) about the particulars of what's tying you to 1.4 - is it your app server? Company policy? Something else?

We'd really like to take good care of our users, and doing that involves figuring out whether we can jump into 1.5-land or if we need to keep things working with 1.4.

Thanks,
--Glen
RE: Rampart Without Axis
Rampart is just a wrapper around the WSS4J library that plugs into Axis2 as a module. If you need to implement some custom stuff, try using it directly.

From: W Strater [mailto:[EMAIL PROTECTED]
Sent: Thu 6/28/2007 2:09 PM
To: axis-user@ws.apache.org
Subject: Rampart Without Axis

Is it possible to use Rampart without Axis? We are using Weblogic and already have many webservices built and running but now we want to implement a SecureTokenService issuing SAML v1.1 tokens and protect some webservices with the tokens.

Wes.
username token with different signature user using deprecated configuration structures
I have asked this on the rampart and wss4j lists but they don't get a lot of traffic, so I am posting it on the user list as well.

Hi,

I am trying to create a message with Timestamp UsernameToken Signature actions using the old deprecated InflowConfiguration() and OutflowConfiguration() settings (please no switch to policy-based config suggestions) and I am having a little trouble making it work when the subject in the wsse:UsernameToken needs to be different than the one signing the message. Here is what I do:

    OutflowConfiguration ofc = new OutflowConfiguration(2);
    ofc.setActionItems("Timestamp UsernameToken");
    ofc.setUser("joeshmoe");
    ofc.setPasswordType(WSConstants.PW_TEXT);
    myCallback.setUTUsername("joeschmoe");
    myCallback.setUTPassword("joeschmoe's secret");

    ofc.nextAction();
    ofc.setUser("signature-joeshmoe");
    ofc.setSignaturePropRefId("cyrpto_props");
    ofc.setSignatureKeyIdentifier("DirectReference");
    ofc.setOptimizeParts(...blah-blah...);
    myCallback.setKeystorePassword("secret");
    myCallback.setSignatureKeyAlias("joeshmoes-key-alias");
    ofc.previousAction(); // to reset to the action list [0]

    Properties cryptoProvider = new Properties();
    cryptoProvider.setProperty("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
    cryptoProvider.setProperty("org.apache.ws.security.crypto.merlin.file", "c:/keystore.jks");
    cryptoProvider.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
    cryptoProvider.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", "secret");

    options.put("cyrpto_props", cryptoProvider);
    options.put(WSHandlerConstants.PW_CALLBACK_REF, myCallback);

    // invoke

However, when I have two action entries, the signature handler from within wss4j is complaining that it cannot find the crypto_props. That works fine if I have 1 action entry (say Timestamp UsernameToken Signature).

Any ideas what I need to do to pass the crypto provider to the signature handler? I am using Rampart 1.2 btw...

Thanks in advance!
George
RE: Axis2 and SAML
Hi Michael,

In addition to being a structure for carrying identity information, SAML defines different profiles, bindings, etc. protocol related specifications for requesting, canceling, verification, etc. manipulations of security tokens. In a sense it does the same thing as WS-Trust but for SAML-tokens while WS-Trust allows other tokens as well. The internet2 Shibboleth project uses a fully SAML-based identity solution - you might want to check it out (google it, it will come up). It's not only the token, but how you request it, cancel it in a secure manner etc.

In addition, if you are building a web based single sign on solution, you might want to check the WS-Federation Passive Requestor profile, which defines a standardized way of building web-based SSO solutions which can be federated.

Best Regards,
George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, June 25, 2007 9:10 AM
To: axis-user@ws.apache.org
Subject: RE: Axis2 and SAML

Thanks George,

For some reason it took me a whole week to come across this post.

Anyway, you say you'd recommend SAML, but you also say you prefer WS-Trust. I'm a bit confused - I thought SAML was a language for representing users and their permissions, whereas WS-Trust was for exchanging security tokens. In other words, I thought these addressed two different classes of use cases. I'm still very new to this stuff...

cheers,
md

-----Original Message-----
From: George Stanchev [mailto:[EMAIL PROTECTED]
Sent: Monday, June 18, 2007 12:15 PM
To: axis-user@ws.apache.org
Subject: RE: Axis2 and SAML

Hi Michael,

The support for SAML in Rampart is rather weak and if you go with SAML, do not expect much help from it. It uses it internally for more of a special case of WS-SecureConversation SC token. In addition, in Rampart 1.1 there was a way to create signed and unsigned SAML tokens but you get the token only in the outbound SOAP and you don't have much control over what goes inside (for example SAML attributes).

I'd definitely recommend SAML as the way to go for tokens in an SSO implementation - it is standard, it's been around for a while, it's proven, it is signed and it is extensible. In addition, SAML 2.0 by itself defines a security language rivaling WS-Trust so you can just stay with it, though I prefer WS-Trust based exchanges as the more standard and supported way to go.

Internet2's OpenSAML libraries are the only mature open source SAML libraries that I know of. Version 1.1 supports SAML 1.0 and 1.1 and version 2 supports all SAML standards. OpenSAML2 is still being developed and even though it is stable for most parts it will change somewhat around some of the more peripheral cases (Encryption is one that comes to mind). Though it does have a steeper learning curve, I'd start with OpenSAML2.

Good luck with the SSO implementation.

Best Regards,
George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, June 15, 2007 2:36 PM
To: axis-user@ws.apache.org
Subject: Axis2 and SAML

Hi,

I'm working on a single-sign-on service for our organization's intranet. The idea is that an application can send a username, password and application identifier to the service, and the service responds with a list of permissions that the user has for the particular application.

Just to get started, I created a service that returns a string from which I can parse out what I need. But I'm wondering if I could gain anything (such as greater interoperability) by using a standard such as SAML to represent a user and his/her permissions.

I see that there is a framework for working with SAML: http://www.opensaml.org/

Does this sound reasonable or am I heading in the wrong direction? Will I end up with a schema nightmare if I return a SAML xml document as a service payload?

BTW, I plan on writing the client and server by hand, because later I will probably want to add rampart and have more control over headers and stuff.

Thanks
Michael Davis
RE: Axis2 and SAML
Hi Michael,

The support for SAML in Rampart is rather weak and if you go with SAML, do not expect much help from it. It uses it internally for more of a special case of WS-SecureConversation SC token. In addition, in Rampart 1.1 there was a way to create signed and unsigned SAML tokens but you get the token only in the outbound SOAP and you don't have much control over what goes inside (for example SAML attributes).

I'd definitely recommend SAML as the way to go for tokens in an SSO implementation - it is standard, it's been around for a while, it's proven, it is signed and it is extensible. In addition, SAML 2.0 by itself defines a security language rivaling WS-Trust so you can just stay with it, though I prefer WS-Trust based exchanges as the more standard and supported way to go.

Internet2's OpenSAML libraries are the only mature open source SAML libraries that I know of. Version 1.1 supports SAML 1.0 and 1.1 and version 2 supports all SAML standards. OpenSAML2 is still being developed and even though it is stable for most parts it will change somewhat around some of the more peripheral cases (Encryption is one that comes to mind). Though it does have a steeper learning curve, I'd start with OpenSAML2.

Good luck with the SSO implementation.

Best Regards,
George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, June 15, 2007 2:36 PM
To: axis-user@ws.apache.org
Subject: Axis2 and SAML

Hi,

I'm working on a single-sign-on service for our organization's intranet. The idea is that an application can send a username, password and application identifier to the service, and the service responds with a list of permissions that the user has for the particular application.

Just to get started, I created a service that returns a string from which I can parse out what I need. But I'm wondering if I could gain anything (such as greater interoperability) by using a standard such as SAML to represent a user and his/her permissions.

I see that there is a framework for working with SAML: http://www.opensaml.org/

Does this sound reasonable or am I heading in the wrong direction? Will I end up with a schema nightmare if I return a SAML xml document as a service payload?

BTW, I plan on writing the client and server by hand, because later I will probably want to add rampart and have more control over headers and stuff.

Thanks
Michael Davis
RE: Axis2 SSL
Thanks but I need it per connection. I have multiple threads opening multiple axis2 clients simultaneously and this is really not thread-safe.

Is there any axis2-specific way to accomplish this? Thanks in advance!

Best Regards,
George

-----Original Message-----
From: Davanum Srinivas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 30, 2007 11:09 AM
To: axis-user@ws.apache.org
Subject: Re: Axis2 SSL

http://www.mail-archive.com/axis-user@ws.apache.org/msg19269.html

On 5/30/07, George Stanchev [EMAIL PROTECTED] wrote:

Hi,

I am sure this question has been asked many many times... Can you please point me to a doc or sample on how to call a service over SSL when the server is using a self-signed certificate?

Thanks in advance!
George

--
Davanum Srinivas :: http://davanum.wordpress.com
RE: Axis2 SSL
Thanks Dims! Unfortunately I am stuck with official releases due to company policy. What is the 1.3 timeframe?
Best Regards,
George

-----Original Message-----
From: Davanum Srinivas
Sent: Wednesday, June 06, 2007 12:31 PM
To: axis-user@ws.apache.org
Subject: Re: Axis2 SSL
George, If you are willing to use latest SVN, we have added support for HTTPConstants.CUSTOM_PROTOCOL_HANDLER. You can create an instance of AuthSSLProtocolSocketFactory[1] and set it in Options for each ServiceClient.
[1] http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/
thanks, dims

On 6/6/07, George Stanchev wrote:
Thanks but I need it per connection. I have multiple threads opening multiple axis2 clients simultaneously and this is really not thread-safe. Is there any axis2-specific way to accomplish this? Thanks in advance!
Best Regards,
George

-----Original Message-----
From: Davanum Srinivas
Sent: Wednesday, May 30, 2007 11:09 AM
To: axis-user@ws.apache.org
Subject: Re: Axis2 SSL
http://www.mail-archive.com/axis-user@ws.apache.org/msg19269.html

On 5/30/07, George Stanchev wrote:
Hi, I am sure this question has been asked many many times... Can you please point me to a doc or sample on how to call service over SSL when the server is using self-signed certificate? Thanks in advance!
George
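The per-client setup described in the reply above, as an added example that is not part of the original thread or of the Axis2 code base. It assumes an Axis2 build that has HTTPConstants.CUSTOM_PROTOCOL_HANDLER, the contrib class AuthSSLProtocolSocketFactory compiled into the project, and constructed endpoint URLs, truststore paths and an environment variable name.

```java
import java.io.File;
import java.net.URL;

import org.apache.axis2.AxisFault;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

public class PerClientTrust {

    /**
     * Builds a ServiceClient whose HTTPS connections trust only the
     * certificates in the given truststore. Nothing JVM-wide is touched
     * (no javax.net.ssl.trustStore property, no Protocol.registerProtocol),
     * so clients created on other threads keep their own trust settings.
     */
    static ServiceClient newClient(String endpoint, URL truststore,
                                   String truststorePassword) throws AxisFault {
        // No client certificate is presented: keystore URL and password are null.
        ProtocolSocketFactory factory = new AuthSSLProtocolSocketFactory(
                null, null, truststore, truststorePassword);

        // Declared as ProtocolSocketFactory so the non-deprecated Protocol
        // constructor is selected.
        Protocol https = new Protocol("https", factory, 443);

        ServiceClient client = new ServiceClient();
        Options options = client.getOptions();
        options.setTo(new EndpointReference(endpoint));
        // Scoped to this client's Options only.
        options.setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER, https);
        return client;
    }

    /** Creates a client, reports its handler, and releases it. */
    static void run(String endpoint, String truststorePath, String password) {
        try {
            URL truststore = new File(truststorePath).toURI().toURL();
            ServiceClient client = newClient(endpoint, truststore, password);
            try {
                Object handler = client.getOptions()
                        .getProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER);
                System.out.println(Thread.currentThread().getName()
                        + " -> " + endpoint + " uses " + handler);
                // The actual service call (for example client.sendReceive(payload))
                // goes here.
            } finally {
                client.cleanup();
            }
        } catch (Exception e) {
            System.err.println(endpoint + ": " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed values. Each truststore holds exactly one self-signed
        // server certificate, imported with keytool. commons-httpclient 3.x
        // does not compare the certificate with the host name, so a narrow
        // truststore is the only check on which server is accepted.
        final String password = System.getenv("TRUSTSTORE_PASSWORD"); // hypothetical name

        Thread a = new Thread(() -> run(
                "https://service-a.example/axis2/services/Version",
                "conf/service-a-trust.jks", password), "worker-a");
        Thread b = new Thread(() -> run(
                "https://service-b.example/axis2/services/Version",
                "conf/service-b-trust.jks", password), "worker-b");
        a.start();
        b.start();
        a.join();
        b.join();
    }
}
```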
Axis2 SSL
Hi, I am sure this question has been asked many many times... Can you please point me to a doc or sample on how to call service over SSL when the server is using self-signed certificate? Thanks in advance!
George
[Axis2] soap serialization
Hi, Another, probably basic, question: I need to serialize a SOAP call to a string buffer without sending it anywhere. How do I do this with axis2/c? Can you give me some leads? On the java side, I had to go through some hoops to get this - I had to create a dummy transport that I used to reflect back the outbound message when I was doing a call-out serialization. How can I do the same thing in axis2/c? Thanks!
George Stanchev
RE: [Axis2] soap serialization
Atanacio, thanks a bunch!
Best Regards,
George

-----Original Message-----
From: Atanacio Reyes
Sent: Thursday, March 08, 2007 6:15 PM
To: Apache AXIS C User List
Subject: Re: [Axis2] soap serialization

    axiom_xml_writer_t *xml_writer = NULL;
    axiom_output_t *om_output = NULL;
    axis2_char_t *buffer = NULL;

    /* in-memory writer: output is collected in a buffer, not sent anywhere */
    xml_writer = axiom_xml_writer_create_for_memory(env, NULL, AXIS2_FALSE, AXIS2_FALSE, AXIS2_XML_PARSER_TYPE_BUFFER);
    om_output = axiom_output_create(env, xml_writer);
    /* serialize the node tree into the writer */
    AXIOM_NODE_SERIALIZE(node, env, om_output);
    /* fetch the serialized XML as a string */
    buffer = (axis2_char_t*)AXIOM_XML_WRITER_GET_XML(xml_writer, env);

axiom_node_t* node is the document to serialize.

----- Original Message -----
From: George Stanchev
To: Apache AXIS C User List axis-c-user@ws.apache.org
Sent: Thursday, March 8, 2007 3:15:52 PM
Subject: [Axis2] soap serialization
Hi, Another, probably basic, question: I need to serialize a SOAP call to a string buffer without sending it anywhere. How do I do this with axis2/c? Can you give me some leads? On the java side, I had to go through some hoops to get this - I had to create a dummy transport that I used to reflect back the outbound message when I was doing a call-out serialization. How can I do the same thing in axis2/c? Thanks!
George Stanchev
[Axis2] rampart/security question
Hi, I am new to axis2/c and I had a use case that I wanted to see if it is supported. Clients of my services are expected to pass a SAML assertion in the wsse header. The header is or is not tagged with a specific actor. The SAML assertion needs to be checked for:
* integrity (using its signature)
* trust (using the PK/cert used to sign the assertion - checked against a local keystore)
* expiration
Finally, the assertion needs to be passed to the services (or the services need to be able to get a hold of it) so they can use it further. Can someone tell me what in the use case above is possible and what is not currently, and maybe suggest an implementation direction? Should I write a custom handler if rampart doesn't support this? Does axis2/c allow access to processed and unprocessed SOAP headers from within the services? Thanks in advance!!
George Stanchev
RE: JAX-WS 2.0 support in GlassFish
> GlassFish has one of the most highly performing Web services implementation as described at: http://weblogs.java.net/blog/vivekp/archive/2007/02/jaxws_21_fcs_fa.html
A Sun project gets praised on a Sun blog. Who would've guessed! *grin*
George
RE: Rampart 1.1 dynamic configuration
Hi Nick, Here is a clue. You might want to tweak it around since I had to clear up some stuff from the existing code, but you get the idea. Hope this helps.

    import java.util.Properties;
    import org.apache.rampart.handler.config.OutflowConfiguration;

    // Crypto settings that would otherwise be read from client.properties
    Properties prop1 = new Properties();
    prop1.setProperty("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
    prop1.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
    prop1.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", "password");
    prop1.setProperty("org.apache.ws.security.crypto.merlin.file", "c:/mykeystore.jks");

    OutflowConfiguration ofc = new OutflowConfiguration();
    ofc.setActionItems("Timestamp Signature");
    // other ofc setup goes here
    ofc.setSignaturePropRefId("cyrpto_props");
    // serviceClient is the ServiceClient instance that makes the call
    serviceClient.getOptions().setProperty("cyrpto_props", prop1);

George

From: Nick Haines
Sent: Friday, February 16, 2007 10:19 AM
To: axis-user@ws.apache.org
Subject: Rampart 1.1 dynamic configuration
Hi there, I'm trying to write a WebService client which dynamically configures the security for a WebService. My problem is that I don't really want to access the Signature/Encryption properties file from disk (client.properties), and I can't see a way to avoid this. Is there an option I've missed where I can configure this programmatically (such as passing a Properties object rather than a filename) into the Inflow/Outflow Configuration object (or as an Option)? I realize I could, and should be using policy files now, which I can build up dynamically from what I've seen, but I'm reluctant to redo everything else for this one reason if there is an alternative. Thanks in advance
-Nick
setOperationContext on service
Hi, How can I get a hold of message context within a service? There are several places on the web that show that if the service implements a void setOperationContext(OperationContext) method, it will get called prior to the operation method. However I have not been successful in getting this method called. Several of the unit tests use void init(MessageContext), but this is not called either. Is there any other way to get a hold of the message context? I have tried the RawXMLInOutMessageReceiver and the RPCMessageReceiver. Has the method signature changed? Has it been removed? Thanks in advance!
George
RE: setOperationContext on service
Hi Angel, Yeah, I did this and it works fine. I just wanted to avoid it and use the out-of-the-box mechanism for obtaining the message context since there were several examples out there on the web indicating that setOperationContext should work. After I posted my question on this list I looked around the message receivers code and found out that currently (in 1.1.1) the DependencyManager class, which is called indirectly from the invokeBusinessLogic method, does attempt to call the init method with a ServiceContext parameter. This however, does not help me much. After initialization, the service class is cached on the service context and subsequent calls would not invoke the init method. Also I don't know if there is an easy way to get the message context from the service context. I guess I am stuck with my own custom receiver. Thanks!
Best Regards,
George

-----Original Message-----
From: Angel Todorov
Sent: Thursday, February 01, 2007 11:56 AM
To: axis-user@ws.apache.org
Subject: Re: setOperationContext on service
Hi George, You can probably implement a custom message receiver that extends any of the default ones, and inject any object in your service implementation. In this way you basically gain control over the lifecycle of the business logic.
Regards, Angel

On 2/1/07, George Stanchev wrote:
Hi, How can I get a hold of message context within a service? There are several places on the web that show that if the service implements a void setOperationContext(OperationContext) method, it will get called prior to the operation method. However I have not been successful in getting this method called. Several of the unit tests use void init(MessageContext), but this is not called either. Is there any other way to get a hold of the message context? I have tried the RawXMLInOutMessageReceiver and the RPCMessageReceiver. Has the method signature changed? Has it been removed? Thanks in advance!
George
Use DOOM vs. not use DOOM
Hi, Can someone explain or point me to a write-up what is the purpose of DOOM processing flags (WSSHandlerConstants.DISABLE_DOOM) and when should DOOM be turned on or off. And what is DOOM mode anyways :-) Thanks in advance!
George
RE: refering to tokens in rampart sec header
Created[1]. I added it as an axis2 JIRA issue. Maybe I should've added it to the WSS4J jira space since it's more of a generic problem? Move it if I have placed it in the wrong box.
[1] http://issues.apache.org/jira/browse/AXIS2-1965
Thanks!
George

From: Ruchith Fernando
Sent: Sat 1/6/2007 8:09 PM
To: axis-user@ws.apache.org
Subject: Re: refering to tokens in rampart sec header
Please file a JIRA.
Thanks, Ruchith

On 1/6/07, George Stanchev wrote:
Thanks Ruchith, Do you need a JIRA opened for this enhancement to keep track or you already have it on the list?
Best Regards,
George

-----Original Message-----
From: Ruchith Fernando
Sent: Wednesday, January 03, 2007 5:01 AM
To: axis-user@ws.apache.org
Subject: Re: refering to tokens in rampart sec header
Hi,
On 12/20/06, George Stanchev wrote:
> Hi, I need to create a security token (saml, username) and refer to it from the message body via wsse:SecurityTokenReference. I am thinking that this is impossible using rampart since at the time when the payload is created the token is not present and when the token gets created, there is no control to the client. Am I correct in my assumption?
Yes! This is correct.
> Are there alternatives besides creating the token manually and stuffing it in the sec header prior to calling sending the call on its way?
We don't have an alternative right now and I believe this will be a useful feature with the WS-Trust use cases. We have to come up with a clean mechanism to do this where we can specify a token to be added to the security header and to be used for other purposes such as authentication or crypto operations.
Thanks, Ruchith
> Thanks!
> George Stanchev
--
www.ruchith.org
www.wso2.org
Generating UsernameToken with missing password
Hi, I need to be able to generate a UsernameToken without the wsse:Password element in it using either rampart or WSS4J. According to the specs, the password element is optional so the resulting UsernameToken shouldn't be a non-conformant element. Is it another JIRA candidate? Thanks!
George Stanchev
RE: refering to tokens in rampart sec header
Thanks Ruchith, Do you need a JIRA opened for this enhancement to keep track or you already have it on the list?
Best Regards,
George

-----Original Message-----
From: Ruchith Fernando
Sent: Wednesday, January 03, 2007 5:01 AM
To: axis-user@ws.apache.org
Subject: Re: refering to tokens in rampart sec header
Hi,
On 12/20/06, George Stanchev wrote:
> Hi, I need to create a security token (saml, username) and refer to it from the message body via wsse:SecurityTokenReference. I am thinking that this is impossible using rampart since at the time when the payload is created the token is not present and when the token gets created, there is no control to the client. Am I correct in my assumption?
Yes! This is correct.
> Are there alternatives besides creating the token manually and stuffing it in the sec header prior to calling sending the call on its way?
We don't have an alternative right now and I believe this will be a useful feature with the WS-Trust use cases. We have to come up with a clean mechanism to do this where we can specify a token to be added to the security header and to be used for other purposes such as authentication or crypto operations.
Thanks, Ruchith
> Thanks!
> George Stanchev
--
www.ruchith.org
www.wso2.org
RE: [Axis2] com.ctc.wstx.exc.WstxEOFException
Wow! Thanks for the tip!!! I was stuck on this same error for a while!!! Disabling Kaspersky fixed it for me too.
George Stanchev

From: Harald Herrmann
Sent: Monday, December 18, 2006 6:17 AM
To: axis-user@ws.apache.org
Subject: Re: [Axis2] com.ctc.wstx.exc.WstxEOFException
It seems like Kaspersky Internet Security 6 is cutting off the request body. After uninstallation things work well.

Martin Gainty wrote:
Moxo/Hermann, for verifying proper response for method getVersion, as a quick check can you go to your version wsdl located at http://localhost:8080/axis2/services/version?wsdl
Your prolog should look something like

    <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
        xmlns:axis2="http://ws.apache.org/axis2"
        xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
        xmlns:ns0="http://axisversion.sample/xsd"
        xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
        xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
        xmlns:ns1="http://org.apache.axis2/xsd"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
        targetNamespace="http://ws.apache.org/axis2">

Any whitespace characters (space, tab, any non-displayable characters) before wsdl:definitions would cause the parser to think that is an EOF char.
Then display the element within your wsdl labeled 'getVersionResponse'. You *should* have an element that looks somewhat similar to

    <xs:element name="getVersionResponse">
      <xs:complexType>
        <xs:sequence>
          <xs:element type="xs:string" name="return" />
        </xs:sequence>
      </xs:complexType>
    </xs:element>

Thanks, M-

----- Original Message -----
From: moxi moxi
To: axis-user@ws.apache.org
Sent: Saturday, December 16, 2006 12:06 PM
Subject: Re: [Axis2] com.ctc.wstx.exc.WstxEOFException
I have the same problem, I wrote a dotNET client, !surprise my WebService is working!, the problem is when I call the webservice with the generated stub classes (Axis2, release 1.1).

    org.apache.axis2.AxisFault: com.ctc.wstx.exc.WstxEOFException: Unexpected EOF in prolog at [row,col {unknown-source}]: [1,0]
        at org.apache.axis2.description.OutInAxisOperationClient.execute(OutInAxisOperation.java:308)
        at ...

2006/12/15, Harald Herrmann wrote:
Hi everyone, Here's some additional info to my problem: I made a simple but interesting experiment: I wrote an HTML form to post something to the webservice and debugged the AxisServlet.doPost() method as before. This time the InputStream contained the data I posted. The webservice failed of course, as the posted data was no valid soap request. But something seems to cut off the request body if it's containing XML.
Regards, H. Herrmann

Hi everyone, I get following exception as response when accessing the Version webservice from
RE: serializing/deserializing SOAP message and response
I am sending this so that if someone needs a similar thing in the future, they have ideas for reference. I ended up creating a custom transport based on the local transport. It reflects back the message as a base64 encoded string. For the response handling, I base64 encode the response and set it as an options property. In the same local transport I put together, I check if this property is present on the options and if so I inject the response in the TRANSPORT_IN stream and set it on the context. In this case the outgoing msg is discarded. If both contexts are the same (and since I control the environment I know they are), this should solve the problem. One has to be careful with the addressing since it's party #2 which actually emits the call.
George

From: George Stanchev
Sent: Wed 12/20/2006 11:15 AM
To: axis-user@ws.apache.org
Subject: serializing/deserializing SOAP message and response
Hi, I have a strange scenario which I am not sure how to implement. I have 2 parties. Party #1 needs to generate a SOAP message via axis2 - do the processing, attach security etc. However this message needs not to be wired - it needs to be serialized into a string. Then this string is transmitted via some method (not of importance) to party #2. Party #2 needs to take the string as it is and call a remote service with the string message as a call and then to take the response and using a similar mechanism to package it into a string and relay it back to party #1 which needs to receive it using axis2 again. The 2 parties are independent of each other (separate machines). It is important they exchange the message/response as a SOAP-compliant XML string. The protocol for that exchange doesn't matter - that's why I need it reduced to a string. The sending should be the easier of both operations though. Where I am out of ideas is how to tackle the receiving of a local message. I see there is a local transport in org.apache.axis2.transport.local but I was unable to find examples for it. Do you think this is what I need? Any advice/suggestions on how to tackle this problem would be appreciated.
refering to tokens in rampart sec header
Hi, I need to create a security token (saml, username) and refer to it from the message body via wsse:SecurityTokenReference. I am thinking that this is impossible using rampart since at the time when the payload is created the token is not present and when the token gets created, there is no control to the client. Am I correct in my assumption? Are there alternatives besides creating the token manually and stuffing it in the sec header prior to calling sending the call on its way? Thanks!
George Stanchev
serializing/deserializing SOAP message and response
Hi, I have a strange scenario which I am not sure how to implement. I have 2 parties. Party #1 needs to generate a SOAP message via axis2 - do the processing, attach security etc. However this message needs not to be wired - it needs to be serialized into a string. Then this string is transmitted via some method (not of importance) to party #2. Party #2 needs to take the string as it is and call a remote service with the string message as a call and then to take the response and using a similar mechanism to package it into a string and relay it back to party #1 which needs to receive it using axis2 again. The 2 parties are independent of each other (separate machines). It is important they exchange the message/response as a SOAP-compliant XML string. The protocol for that exchange doesn't matter - that's why I need it reduced to a string. The sending should be the easier of both operations though. Where I am out of ideas is how to tackle the receiving of a local message. I see there is a local transport in org.apache.axis2.transport.local but I was unable to find examples for it. Do you think this is what I need? Any advice/suggestions on how to tackle this problem would be appreciated.
RE: [axis2] Axis2 filling my /var/tmp with axissomenumbermyjarname.jar
I have observed it too. I am running XP, latest SP. My temp folder gets full with files in the format axis2#dep-jar.jar where is a number. I am building axis2 trunk and the 1.1.1 branch regularly (2-3 times a week). It's annoying to have to clean it up regularly. If the OP has created a JIRA, post the JIRA ID number here so I can add my configuration to it.
George Stanchev

-----Original Message-----
From: Thilina Gunarathne
Sent: Friday, December 15, 2006 8:55 PM
To: axis-user@ws.apache.org
Subject: Re: [axis2] Axis2 filling my /var/tmp with axissomenumbermyjarname.jar
Please log a Jira with details about your environment..
~Thilina

On 12/16/06, sean curtis wrote:
After searching the docs and mailing list, I was unable to come up with a way to get Axis2 to stop making what looks like tmp versions of all my jars (i.e. axissomenumbermyjar.jar) in /var/tmp, each time I deploy a new version of my .aar files. This problem is being multiplied exponentially by multiple developers working on the same host, so if anyone has come up with a handy way of either having axis2 write to, perhaps, /dev/null, or cleaning itself up, or not doing it at all, it would be appreciated.
--
Thilina Gunarathne
WSO2, Inc.; http://www.wso2.com/
Home page: http://webservices.apache.org/~thilina/
Blog: http://thilinag.blogspot.com/
setting actor in the outgoing wsse headers
Hi, Is there a way to set the actor of the outgoing security headers using rampart? I would like to create 2 security headers on an outgoing message - one with the default actor and another targeting a specific actor name. I am not able to find a way to do it via the (now deprecated) configuration methods using OutflowConfiguration() objects. Any suggestions? Thanks
George Stanchev
RE: setting actor in the outgoing wsse headers
Hi Ruchith, After peeking at the wss4j source code, I found a way to set it for the default wsse header:

    options.setProperty(WSHandlerConstants.ACTOR, "uri:my.actor");

But I need to be able to generate 2 wsse headers, so that doesn't cut it for me.
http://issues.apache.org/jira/browse/AXIS2-1876
Thanks!
George

From: Ruchith Fernando
Sent: Thu 12/14/2006 4:49 PM
To: axis-user@ws.apache.org
Subject: Re: setting actor in the outgoing wsse headers
This is not supported in Rampart right now... Please file a JIRA. The new configuration is based on WS-SecurityPolicy and I'm not sure how we can achieve this with policy. Maybe we should ask the WS-SX folks about it.
Thanks, Ruchith

On 12/15/06, George Stanchev wrote:
Hi, Is there a way to set the actor of the outgoing security headers using rampart? I would like to create 2 security headers on an outgoing message - one with the default actor and another targeting a specific actor name. I am not able to find a way to do it via the (now deprecated) configuration methods using OutflowConfiguration() objects. Any suggestions? Thanks
George Stanchev
--
www.ruchith.org
www.wso2.org
InflowConfiguration OutflowConfiguration deprecated
What is the best way to configure rampart programmatically now? It seems that the previous configuration classes have been deprecated. The samples are still using those 2 classes though... Thanks!
George Stanchev
RE: WS debugging in Eclipse
Another suggestion is to use Tomcat for Eclipse plugin from Sysdeo. It integrates pretty well with eclipse and allows you to start/stop/restart tomcat from the eclipse toolbar and saves you the step to attach the debugger. It gives you also some additional control as you can add projects to the tomcat classpath, jvm parameters, etc.

http://www.sysdeo.com/eclipse/tomcatplugin

George Stanchev

From: Betsy Frey [mailto:[EMAIL PROTECTED]
Sent: Thu 12/7/2006 5:57 AM
To: axis-user@ws.apache.org
Subject: RE: WS debugging in Eclipse

To use eclipse to debug a tomcat servlet:

1. Be sure that tomcat is started with the below. One way to do that is to edit tomcat/bin/catalina.bat, where JAVA_OPTS is defined.

   -Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,server=y,address=8000,suspend=n

2. Set a breakpoint in the servlet code. Note that servlet timeouts may start to occur when you debug, so you want the breakpoint close to the code being debugged.

3. Start the eclipse debugger. Open Run | Debug... Select the section for remote java application. Select the project. Connection type is socket. Set host and address (8000 in the above case).

4. Run the test that invokes the server. The breakpoint should show up in the Eclipse debugger.

Betsy

From: VF [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 12:24 AM
To: axis-user@ws.apache.org
Subject: RE: WS debugging in Eclipse

Hi Rajith, I'm using tcp monitor, but sometimes I need to step into code. Now I make it so that I construct skeleton class direct and run my web service as local application. But sometimes I need to debug it on Tomcat as it would run in business with all settings.

Regards
Vladi

From: Rajith Attapattu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 7:36 PM
To: axis-user@ws.apache.org
Subject: Re: WS debugging in Eclipse

Vladi, Another easier option would be for you to deploy your services on axis2 and then remote debug using eclipse. You can also use tcpmon http://ws.apache.org/commons/tcpmon/ to check the SOAP messages that are exchanged between the service and the client.

Regards,
Rajith

On 12/6/06, VF [EMAIL PROTECTED] wrote:

Hi all, Is it possible to debug web services in Eclipse?

Vladi
RE: WS debugging in Eclipse
No, it's all automated.

From: Danny Lin [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 8:02 AM
To: axis-user@ws.apache.org
Subject: RE: WS debugging in Eclipse

George, thank you for the info. Do I still need to set the JAVA_OPTS environment variable if I use this Eclipse plugin?
RE: rahas
Hi Ruchith,

I see. My comments below.

George

-Original Message-
From: Ruchith Fernando [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 1:22 AM
To: axis-user@ws.apache.org
Subject: Re: rahas

On 12/7/06, George Stanchev [EMAIL PROTECTED] wrote:

Is there a reason rahas is a module at all? In previous builds rahas was a service (aar), which I thought makes more sense - after all, it has a service functionality in it, and if someone wants to extend it, why do they have to define a dummy service (as in the test cases) just to serve a RST.

The main purpose of the rahas.mar is to enable STS functionality on a service to support WS-SecureConversation scenarios. In these scenarios the service is expected to issue and cancel SecurityContextTokens.

I see. But is there any reason the aar was removed from the build? And speaking of the aar, I could not make it run under tomcat. It kept bombing out when trying to load its configuration settings. I might try to play with it again later on, but meanwhile, have you been successfully able to drop the aar in tomcat and get a RSTR?

Speaking of the test cases in integration, they only run under the simple HTTP server that comes with axis2. In order to run them under tomcat for example, several changes need to be applied - the TestClient.java needs to be modified to put proper addressing namespace in the RST message - it uses AddressingConstants.Submission.WSA_NAMESPACE when it should use AddressingConstants.Final.WSA_NAMESPACE. Unless there is a way to configure axis2 servlet which namespace to recognize.

hmm ... I thought axis2 addressing module can handle any addressing version in incoming messages.

Maybe there is some option I am missing. In the RahasData constructor the addressing namespace is pulled from the message context:

    this.addressingNs = (String) this.inMessageContext
            .getProperty(AddressingConstants.WS_ADDRESSING_VERSION);

and that is later used in RahasData.processAppliesTo() to extract the address element from the epr element. If the message context doesn't have addressing headers in it, then it uses the epr to determine addressing version (as a comment in RahasData, line 174-175 suggests). In the tests, addressing is not used and therefore addressing is only present in epr element and things work. But with addressing enabled, it uses headers with different version and due to the namespace mismatch rahas cannot extract the epr element. The epr addressing namespace doesn't have to match the message namespace, does it?

Is there any plan to finish the trust2 model in wss4j sandbox? It would be nice to have some real api for wst ;-)

I'm not sure about the trust2 stuff in wss4j ... but you are welcome to suggest any improvements/patches to rahas ... I'll be glad to try to implement/apply them.

Googling around, I found an old thread, where you say that the sandbox folder in wss4j contains DOM-based trust implementation and trust2 is a rework but hasn't been finished yet. It looks like it was a good start. For example: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/sandbox/security/trust/message/token/

In the long run I like having separate (reworked) trust client API and STS provider. Speaking of which, how about splitting the issuers in 2 parts - issuer and identity provider. The issuer knows how to issue different tokens as it is now - SAML issuer, UsernameToken issuer, etc. The IdP provides the subject's identity information which the issuer then packages into a token. This way, if users want to extend the STS (to extract subject attributes from LDAP for example) all they have to do is hook their own IdP.

George
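The namespace mismatch described in this message can be reproduced with a plain DOM lookup. The following is an added example, not code from Rahas or from the thread: the class, the method names and the sample AppliesTo element are constructed for illustration, and only the two WS-Addressing namespace URIs are the real Submission and Final values.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class AppliesToNamespaceDemo {
    static final String WSA_SUBMISSION = "http://schemas.xmlsoap.org/ws/2004/08/addressing";
    static final String WSA_FINAL = "http://www.w3.org/2005/08/addressing";
    // Only these addressing versions are accepted; anything else is treated as absent.
    static final List<String> KNOWN_WSA = Arrays.asList(WSA_SUBMISSION, WSA_FINAL);

    // Constructed sample: an AppliesTo whose EPR uses the Submission namespace,
    // while the message headers (not shown) are assumed to use the Final namespace.
    static final String ENDPOINT = "http://localhost:8080/axis2/services/Echo";
    static final String APPLIES_TO =
          "<wsp:AppliesTo xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">"
        + "<wsa:EndpointReference xmlns:wsa=\"" + WSA_SUBMISSION + "\">"
        + "<wsa:Address>" + ENDPOINT + "</wsa:Address>"
        + "</wsa:EndpointReference></wsp:AppliesTo>";

    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Token requests are untrusted input: refuse DOCTYPE declarations outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
    }

    /** First child element with the given namespace and local name, or null. */
    static Element child(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && local.equals(n.getLocalName())
                    && ns.equals(n.getNamespaceURI())) {
                return (Element) n;
            }
        }
        return null;
    }

    /** Address of the EPR when both EPR and Address are in namespace ns, else null. */
    static String addressIn(Element appliesTo, String ns) {
        Element epr = child(appliesTo, ns, "EndpointReference");
        Element address = epr == null ? null : child(epr, ns, "Address");
        return address == null ? null : address.getTextContent().trim();
    }

    /** Lookup driven by the EPR's own namespace, limited to the known versions. */
    static String addressFromEpr(Element appliesTo) {
        for (String ns : KNOWN_WSA) {
            String address = addressIn(appliesTo, ns);
            if (address != null) {
                return address;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        Element appliesTo = parse(APPLIES_TO);
        String byHeaderNs = addressIn(appliesTo, WSA_FINAL); // namespace taken from the headers
        String byEprNs = addressFromEpr(appliesTo);          // namespace taken from the EPR
        if (byHeaderNs != null || !ENDPOINT.equals(byEprNs)) {
            throw new AssertionError("unexpected lookup result");
        }
        System.out.println("lookup with header namespace: " + byHeaderNs);
        System.out.println("lookup with EPR namespace:    " + byEprNs);
    }
}
```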
rampart question
Hi,

I know this has been covered in the past, but I have a service that engages rahas and rampart running under Tomcat 5.5. It has a PWCallback class to check and validate passwords and other stuff. I get NoClassDefFoundError when I hit the service with WSPasswordCallback missing (it is used inside my PWCallback class). If I add the wss4j to the service.aar/lib folder, then the PWCallback stops working - the if (callbacks[i] instanceof WSPasswordCallback) is always false even though the eclipse debugger is showing they are the same class. The only way to get this working is by copying all the wss4j related jars into the axis2/WEB-INF/lib directory.

It feels like axis2 is having some classloader issues. Is the classloader used to load the service different than the one used to load the modules? Is there any way to solve this without copying libraries that are already available in the engaged modules into the master library repository? Am I missing something? I am using self-built 1.1 tag bits.

Thanks!
George Stanchev
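The JVM rule behind a symptom like this one is that a class is identified by its name together with the class loader that defined it, so two copies of the same bytes are different types. The following is an added example, not code from Axis2, Rampart or the original post: `Callback` and `IsolatingLoader` are hypothetical stand-ins, and the demo makes no claim about how Axis2 arranges its own loaders.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

public class LoaderIdentityDemo {

    /** Hypothetical stand-in for a library type such as a password callback. */
    public static class Callback { }

    /** Defines one named class itself instead of asking its parent first, as happens
     *  when a second copy of a jar sits in a child loader's own lib folder. */
    static class IsolatingLoader extends ClassLoader {
        private final String isolatedName;

        IsolatingLoader(ClassLoader parent, String isolatedName) {
            super(parent);
            this.isolatedName = isolatedName;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(isolatedName)) {
                return super.loadClass(name, resolve); // normal parent-first delegation
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    byte[] b = classBytes(name);
                    c = defineClass(name, b, 0, b.length); // second definition of the same bytes
                }
                if (resolve) {
                    resolveClass(c);
                }
                return c;
            }
        }

        private byte[] classBytes(String name) throws ClassNotFoundException {
            String resource = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(resource)) {
                if (in == null) {
                    throw new ClassNotFoundException(name);
                }
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                byte[] buf = new byte[4096];
                for (int n; (n = in.read(buf)) != -1; ) {
                    out.write(buf, 0, n);
                }
                return out.toByteArray();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** True when an instance created from 'loaded' passes instanceof Callback here. */
    static boolean passesInstanceof(Class<?> loaded) throws ReflectiveOperationException {
        Object o = loaded.getDeclaredConstructor().newInstance();
        return o instanceof Callback;
    }

    public static void main(String[] args) throws Exception {
        String name = Callback.class.getName();
        ClassLoader shared = LoaderIdentityDemo.class.getClassLoader();

        // Same bytes defined a second time by a child loader.
        Class<?> duplicate = new IsolatingLoader(shared, name).loadClass(name);
        // Child loader that isolates nothing, so the request reaches the shared parent.
        Class<?> delegated = new IsolatingLoader(shared, "none").loadClass(name);

        System.out.println("duplicate: name=" + duplicate.getName()
                + " sameClass=" + (duplicate == Callback.class)
                + " instanceof=" + passesInstanceof(duplicate));
        System.out.println("delegated: name=" + delegated.getName()
                + " sameClass=" + (delegated == Callback.class)
                + " instanceof=" + passesInstanceof(delegated));

        if (passesInstanceof(duplicate) || !passesInstanceof(delegated)) {
            throw new AssertionError("unexpected class identity result");
        }
    }
}
```

Compile with javac before running, so that the class file is available as a resource for the second definition.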
rahas
Hi,

Is there a reason rahas is a module at all? In previous builds rahas was a service (aar), which I thought makes more sense - after all, it has a service functionality in it, and if someone wants to extend it, why do they have to define a dummy service (as in the test cases) just to serve a RST.

Speaking of the test cases in integration, they only run under the simple HTTP server that comes with axis2. In order to run them under tomcat for example, several changes need to be applied - the TestClient.java needs to be modified to put proper addressing namespace in the RST message - it uses AddressingConstants.Submission.WSA_NAMESPACE when it should use AddressingConstants.Final.WSA_NAMESPACE. Unless there is a way to configure axis2 servlet which namespace to recognize.

In addition, opensaml1.1b has a dependency on log4j which is missing from both axis2 1.1 distro and rahas. Adding it to the repo lib dir solves the problem.

Is there any plan to finish the trust2 model in wss4j sandbox? It would be nice to have some real api for wst ;-)

Thanks
Axis2 in a filter
Hi,

What would be the best way to use axis2 in a filter? Basically I need Rampart to process the message and do security processing in a filter. Is this possible and what's the best approach to tackle the problem?

George Stanchev
RE: Axis2 in a filter
Yes, sorry. Servlet filter.

-Original Message-
From: Davanum Srinivas [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 16, 2006 1:37 PM
To: axis-user@ws.apache.org
Subject: Re: Axis2 in a filter

ServletFilter?

-- dims
RE: single sign on with axis2
Hi Rishi,

How is your user authenticating against the LDAP? Simple password based authentication or some kind of certificate based authentication?

You will need to establish trust between your Server A and Server B somehow. You can use an X509 certificate or simple public/private key pair which you need to exchange. Once Server B knows and trusts Server A, then you can issue your ServerA-ServerB request with either UsernameToken or SAMLTokenSigned action. In the first case you can sign the message or portion of your message including the token with ServerA's certificate that was used to establish the trust. In the second case, you can just sign the SAML token with that certificate (or public key). The ServerB then would have to check if the certificate is trusted and trust the Principal relayed via the token.

As far as what token type to use - depends what Principal claims you have to supply. UsernameToken is good about relaying usernames but that's about it. With SAML you can add additional claims in the token.

Both those scenarios are supported by Axis2/rampart, however you still have to do the handling on your ServerB to determine if the incoming message was issued by trusted authority. Axis2/rampart allows dynamic configurations - look at the user's manual to see how you can do it.

George

From: Rishi krish [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 16, 2006 2:53 PM
To: axis-user@ws.apache.org
Subject: single sign on with axis2

Hi

I am new to axis2 and am trying to figure out what's the best approach for this scenario: The user logs in to a j2ee application running in a j2ee server [say Weblogic/Websphere]. The user is validated using a LDAP server [the j2ee server handles that part] and after the authentication we have a user Principal. Now the user needs to invoke a Web service hosted by another server [j2ee or .net] which uses the same LDAP repository for authentication. I am developing the web service client using the ServiceClient class in axis2 and the code is sitting in the first server.

I am at a loss as to what kind of security token I should use to communicate with the Web service. I have to pass the Principal information to the other side and not sure whether to use the UserNameToken. The problem here is I don't believe the Principal has any info abt the password and that makes me believe that I cannot use UserNameToken. OR should I use SAML token and if that's the case I have no idea where to get info to set up a SAML token using the ServiceClient api. OR Axis2 ServiceClient api does not support this scenario.

Also along side I had another question - All the samples for UserNameToken show the userid preconfigured in the client's axis2.xml. Can the userid be fed to the ServiceClient api programmatically? What I am trying to achieve is dynamic userid [which might change per invocation] and not a static preconfigured one. Though this will not help me in the above single sign-on scenario OR may be it will - pls suggest.

-- thanks
Rishi
RE: single sign on with axis2
to be great source of how things are done. I've learned a lot from them and by looking at the rahas source.

Is there any article [ws02??] for axis2 client/service setup for SAML where I can refer and get a hold on how to use/configure SAML+Axis2 or if anyone in this grp has successfully used SAML with Axis2 and can share some sample configurations [client and server] - it would be of great help to me.

I don't know but maybe others know? Google around for WS-Trust, WS-Federation Active Requestor Profile, STS, IdP, Identity Provider. This should get you started on theory. However be aware that what the standards call for could be a little bit on the heavy side for your particular example. If you want to cut corners, you can just issue a self-signed SAML token from Service A which you sign with ServiceA's certificate and have ServiceB trust tokens signed by ServiceA. This can definitely be done by rampart with configuration only or minimal effort.

thanks
Rishi
RE: [Axis2][Fwd: rahas question]
Thanks Ruchith,

Thanks for the response! I have a couple of follow-up questions though.

* Is some enhancement of the client interface planned? Right now things are a bit clunky and not very flexible implemented via the STSClient and TrustUtils. Some type of client interface refactor I think would be beneficial.
* Any idea whether Validate and Renew actions will be supported for the 1.1 release?
* Is there plan for other token support out of the box? Right now Rahas seems to support SAML 1.1 tokens. How about Username, X509, Kerberos, REL and other WS-S supported profiles?
* I see you are using opensaml 1.1 for the SAML token issuer. Any plans to switch to opensaml 2.0 soon and thus provide SAML 1.1 and 2.0 support? I know opensaml 2.0 is not yet released, and will not be released for another few months so this might be a moot point.

Thanks!

Best Regards,
George

-Original Message-
From: Ruchith Fernando [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 25, 2006 9:06 PM
To: axis-user@ws.apache.org
Subject: Re: [Axis2][Fwd: rahas question]

Rahas (WS-Trust impl) will be released as a component of the Apache Rampart distribution immediately (one or two weeks) after axis2-1.1 release and yes, this will be targeted towards axis2-1.1. Right now you can try the nightly builds of rampart [1] with axis2 nightly builds [2].

Thanks,
Ruchith

[1] http://ws.zones.apache.org/dist/rampart/nightly/
[2] http://ws.zones.apache.org/dist/axis2/nightly/

On 10/25/06, Eran Chinthaka [EMAIL PROTECTED] wrote:

Forwarding with correct prefix. Ruchith, over to you :)

Original Message
Subject: rahas question
Date: Tue, 24 Oct 2006 16:21:41 -0700
From: George Stanchev [EMAIL PROTECTED]
Reply-To: axis-user@ws.apache.org
To: axis-user@ws.apache.org

Hi, When is rahas officially going to be released? Is it targeted for the 1.1 release?

Thanks!
George Stanchev
rahas question
Hi, When is rahas officially going to be released? Is it targeted for the 1.1 release? Thanks! George Stanchev