Re: [axis2] Custom security context token
Hi,

> So what would be the simplest way to implement this using Axis2? I need
> WS-Addressing, and I'm not confident in Axis1's addressing support. Could I
> use an OperationClient to sign and encrypt the SOAP DOM using WSS4J? (I'm not
> clear how this might work.) Or do I need to create my own module? Or should I
> go with the code in SVN HEAD?

You can go ahead and use the "rahas-SNAPSHOT.mar" (available in the modules/security/target/ dir after the build) and try it out right now.

Even though the code in wss4j supports both sign and encrypt using SCT and derived keys, as of now you can only configure rahas to encrypt the body of the SOAP messages using the SCT/derived key.

Please have a look at the following [1] (line 87) to see how one can set the configuration in the ServiceClient's options using the RahasConfiguration class. You must look at the implementation of getClientRahasConfiguration() in the RahasScenario3Test [2] class to see how a RahasConfiguration instance is used to obtain the parameter to be set in the options in [1]. RahasScenario3Test is a test case similar to your case, where the client creates its own SCT and propagates it to the service and uses it to encrypt the SOAP body.

Having said the above, please understand that we _will_ be moving all these features (and more) to "rampart" :-) and there will be no "rahas" module in a few days. :-)

Thanks,
Ruchith

[1] http://svn.apache.org/repos/asf/webservices/axis2/trunk/java/modules/integration/test/org/apache/axis2/security/rahas/TestClient.java
[2] http://svn.apache.org/repos/asf/webservices/axis2/trunk/java/modules/integration/test/org/apache/axis2/security/rahas/RahasScenario3Test.java

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [axis2] Custom security context token
Thanks again, Ruchith. Your help is very much appreciated.

It turns out that the UsernameToken was completely superfluous, since the key was being set directly on the SecurityContextToken after the UsernameToken was. No RST request was actually being sent.

So what would be the simplest way to implement this using Axis2? I need WS-Addressing, and I'm not confident in Axis1's addressing support. Could I use an OperationClient to sign and encrypt the SOAP DOM using WSS4J? (I'm not clear how this might work.) Or do I need to create my own module? Or should I go with the code in SVN HEAD?

Thanks!

On Tue, 2006-05-30 at 13:30 +0530, Ruchith Fernando wrote:
> Let me answer your second question first:
>
> > constructor says "Initializes a new instance of the SecurityContextToken
> > class using the security token used to sign the Request Security Token
> > (RST), the security token shared by the security token service and the
> > target Web service, and the specified identifier." I'm not quite sure what
> > that means.
>
> This means that the client will make a request to a SecurityTokenService
> (STS) (defined in the WS-Trust specification) to establish the security
> context. This request is a RequestSecurityToken (RST) request, which will be
> signed by the token given as the first argument to the constructor. In the
> case where you pass a UsernameToken the RST will be signed using the UT. The
> response to the RST, the RequestSecurityTokenResponse (RSTR) message, will
> contain the SecurityContextToken that will be used to derive keys, which will
> eventually sign/encrypt the actual request messages to the service. The
> service will also use the same security context token to derive keys to
> verify/decrypt requests from the client and sign/encrypt its responses.
>
> > There's one issue though: The .NET code is creating a SecurityContextToken
> > with a UsernameToken as its base. Is there any way to do this with WSS4J?
>
> This is possible with WSS4J 1.5 and Axis2 (svn head).
>
> Right now we have an Axis2 module called "rahas" in Axis2 which supports
> WS-SecureConversation only. We can use this to carry out the handshake with
> the STS and obtain an SCT which can be used to derive keys to sign and
> encrypt messages. Use of the UsernameToken in signing is only in the case of
> the initial RST message to the STS and this is supported by "rahas" right now
> using the "rampart" handlers internally in "rahas".
>
> Here [1] you can find some test cases that test "rahas".
>
> A word of caution: In a few days the WS-SecureConversation support will be
> merged into "rampart" and "rahas" will disappear, which will allow you to set
> up your scenario simply with "rampart".
>
> Thanks,
> Ruchith
>
> [1] http://svn.apache.org/repos/asf/webservices/axis2/trunk/java/modules/integration/test/org/apache/axis2/security/rahas/
Re: [axis2] Custom security context token
Let me answer your second question first:

> constructor says "Initializes a new instance of the SecurityContextToken
> class using the security token used to sign the Request Security Token
> (RST), the security token shared by the security token service and the
> target Web service, and the specified identifier." I'm not quite sure what
> that means.

This means that the client will make a request to a SecurityTokenService (STS) (defined in the WS-Trust specification) to establish the security context. This request is a RequestSecurityToken (RST) request, which will be signed by the token given as the first argument to the constructor. In the case where you pass a UsernameToken the RST will be signed using the UT. The response to the RST, the RequestSecurityTokenResponse (RSTR) message, will contain the SecurityContextToken that will be used to derive keys, which will eventually sign/encrypt the actual request messages to the service. The service will also use the same security context token to derive keys to verify/decrypt requests from the client and sign/encrypt its responses.

> There's one issue though: The .NET code is creating a SecurityContextToken
> with a UsernameToken as its base. Is there any way to do this with WSS4J?

This is possible with WSS4J 1.5 and Axis2 (svn head).

Right now we have an Axis2 module called "rahas" in Axis2 which supports WS-SecureConversation only. We can use this to carry out the handshake with the STS and obtain an SCT which can be used to derive keys to sign and encrypt messages. Use of the UsernameToken in signing is only in the case of the initial RST message to the STS and this is supported by "rahas" right now using the "rampart" handlers internally in "rahas".

Here [1] you can find some test cases that test "rahas".

A word of caution: In a few days the WS-SecureConversation support will be merged into "rampart" and "rahas" will disappear, which will allow you to set up your scenario simply with "rampart".

Thanks,
Ruchith

[1] http://svn.apache.org/repos/asf/webservices/axis2/trunk/java/modules/integration/test/org/apache/axis2/security/rahas/
RE: [axis2] Custom security context token
Thanks, Ruchith.

There's one issue though: The .NET code is creating a SecurityContextToken with a UsernameToken as its base. Is there any way to do this with WSS4J? (Or is it maybe unnecessary?) The MSDN documentation for this constructor says "Initializes a new instance of the SecurityContextToken class using the security token used to sign the Request Security Token (RST), the security token shared by the security token service and the target Web service, and the specified identifier." I'm not quite sure what that means.

Also, how hard would it be to use this code with Axis2?

Thanks again

-----Original Message-----
From: Ruchith Fernando [mailto:[EMAIL PROTECTED]]
Sent: Mon 5/29/2006 2:19 AM
To: axis-user@ws.apache.org
Subject: Re: [axis2] Custom security context token

Hi,

Encryption and signature based on a SecurityContextToken is being implemented as a part of the WS-Secconv impl. WSS4J already has support for creating sig and encr using a SecurityContextToken (SCT). Have a look at the following test cases [1]. If you follow the above test cases you can see how to build a message with an SCT and to sign/encr with keys derived from it.

Right now the rampart Axis2 module only supports features of WS-Security, but the next rampart release will come with WS-SecureConversation support.

Thanks,
Ruchith

[1] https://svn.apache.org/repos/asf/webservices/wss4j/trunk/test/wssec/TestWSSecurityNewDK.java
[2] https://svn.apache.org/repos/asf/webservices/wss4j/trunk/test/wssec/TestWSSecurityNewSCT.java

On 5/29/06, Shepherd McIlroy <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I'm trying to talk to a .NET service that requires messages to be signed
> and encrypted (using a symmetric key created by a custom algorithm). I have
> .NET client code for this that I would like to duplicate under Java using
> Axis2 and WSS4J.
>
> The .NET client does the following to create a SecurityContextToken:
>
>     UsernameToken unt = new UsernameToken(user, user);
>     unt.Id = UTID;
>     sct = new SecurityContextToken(unt, SCTIdentifier);
>     sct.KeyBytes = sKey;
>     sct.LifeTime = new Microsoft.Web.Services2.Security.LifeTime(SCTExpires.ToLocalTime());
>
> and then signs and encrypts the message using:
>
>     service.RequestSoapContext.Security.Tokens.Clear();
>     service.RequestSoapContext.Security.Elements.Clear();
>     service.RequestSoapContext.Security.Tokens.Add(sct);
>     service.RequestSoapContext.Security.Elements.Add(new EncryptedData(sct));
>     service.RequestSoapContext.Security.Elements.Add(new MessageSignature(sct));
>
> Creating the key is not a problem. A method of signing and encrypting SOAP
> messages in a similar manner using Axis2 and WSS4J is not obvious. How can
> I create a custom security context token using WSS4J? How can I apply that
> token to a message sent using Axis2?
>
> Thanks
Re: [axis2] Custom security context token
Hi,

Encryption and signature based on a SecurityContextToken is being implemented as a part of the WS-Secconv impl. WSS4J already has support for creating sig and encr using a SecurityContextToken (SCT). Have a look at the following test cases [1]. If you follow the above test cases you can see how to build a message with an SCT and to sign/encr with keys derived from it.

Right now the rampart Axis2 module only supports features of WS-Security, but the next rampart release will come with WS-SecureConversation support.

Thanks,
Ruchith

[1] https://svn.apache.org/repos/asf/webservices/wss4j/trunk/test/wssec/TestWSSecurityNewDK.java
[2] https://svn.apache.org/repos/asf/webservices/wss4j/trunk/test/wssec/TestWSSecurityNewSCT.java

On 5/29/06, Shepherd McIlroy <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I'm trying to talk to a .NET service that requires messages to be signed
> and encrypted (using a symmetric key created by a custom algorithm). I have
> .NET client code for this that I would like to duplicate under Java using
> Axis2 and WSS4J.
>
> The .NET client does the following to create a SecurityContextToken:
>
>     UsernameToken unt = new UsernameToken(user, user);
>     unt.Id = UTID;
>     sct = new SecurityContextToken(unt, SCTIdentifier);
>     sct.KeyBytes = sKey;
>     sct.LifeTime = new Microsoft.Web.Services2.Security.LifeTime(SCTExpires.ToLocalTime());
>
> and then signs and encrypts the message using:
>
>     service.RequestSoapContext.Security.Tokens.Clear();
>     service.RequestSoapContext.Security.Elements.Clear();
>     service.RequestSoapContext.Security.Tokens.Add(sct);
>     service.RequestSoapContext.Security.Elements.Add(new EncryptedData(sct));
>     service.RequestSoapContext.Security.Elements.Add(new MessageSignature(sct));
>
> Creating the key is not a problem. A method of signing and encrypting SOAP
> messages in a similar manner using Axis2 and WSS4J is not obvious. How can
> I create a custom security context token using WSS4J? How can I apply that
> token to a message sent using Axis2?
>
> Thanks
[axis2] Custom security context token
Hello,

I'm trying to talk to a .NET service that requires messages to be signed and encrypted (using a symmetric key created by a custom algorithm). I have .NET client code for this that I would like to duplicate under Java using Axis2 and WSS4J.

The .NET client does the following to create a SecurityContextToken:

    // WSE 2.0 namespaces the snippet relies on (added for completeness; not in the original post)
    using Microsoft.Web.Services2.Security;          // LifeTime, EncryptedData, MessageSignature
    using Microsoft.Web.Services2.Security.Tokens;   // UsernameToken, SecurityContextToken

    // user, UTID, SCTIdentifier, sKey (the custom symmetric key bytes) and
    // SCTExpires are defined elsewhere in the client.
    UsernameToken unt = new UsernameToken(user, user);
    unt.Id = UTID;
    SecurityContextToken sct = new SecurityContextToken(unt, SCTIdentifier);
    sct.KeyBytes = sKey;   // the shared key is set directly rather than obtained from an STS
    sct.LifeTime = new Microsoft.Web.Services2.Security.LifeTime(SCTExpires.ToLocalTime());

and then signs and encrypts the message using:

    service.RequestSoapContext.Security.Tokens.Clear();
    service.RequestSoapContext.Security.Elements.Clear();
    service.RequestSoapContext.Security.Tokens.Add(sct);
    // encrypt the body under the SCT, then sign the message with it
    service.RequestSoapContext.Security.Elements.Add(new EncryptedData(sct));
    service.RequestSoapContext.Security.Elements.Add(new MessageSignature(sct));

Creating the key is not a problem. A method of signing and encrypting SOAP messages in a similar manner using Axis2 and WSS4J is not obvious. How can I create a custom security context token using WSS4J? How can I apply that token to a message sent using Axis2?

Thanks
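Ruchith's explanation of the RST/RSTR handshake ("the SecurityContextToken ... will be used to derive keys, which will eventually sign/encrypt the actual request messages") and the .NET snippet above (which sets the SCT secret directly via sct.KeyBytes) rely on the same mechanism: both ends hold the SCT secret and derive per-message keys from it, so only a nonce, offset and length travel in the DerivedKeyToken, never the key. The Python below is an added illustration of that derivation and of the service-side check; it is not code from the thread, from WSS4J or from WSE. It implements the WS-SecureConversation P_SHA1 derivation (label = client label + service label, each defaulting to "WS-SecureConversation"). The SCT identifier, secret, nonce and body are constructed sample values, the dict stands in for the wsc:DerivedKeyToken element, and an HMAC-SHA1 over raw body bytes stands in for the XML-DSig that WSS4J would produce over the canonicalised Body.

```python
import base64
import hashlib
import hmac

# WS-SecureConversation default label: client label + service label,
# each defaulting to "WS-SecureConversation".
DEFAULT_LABEL = b"WS-SecureConversation" + b"WS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 expansion (TLS 1.0 style) as used by WS-SecureConversation.

    A(0) = seed, A(i) = HMAC-SHA1(secret, A(i-1));
    output = HMAC-SHA1(secret, A(1) + seed) || HMAC-SHA1(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(sct_secret: bytes, nonce: bytes, offset: int = 0,
               length: int = 16, label: bytes = DEFAULT_LABEL) -> bytes:
    """Derived key = P_SHA1(secret, label + nonce)[offset : offset + length].

    nonce, offset and length are exactly what the DerivedKeyToken carries,
    so the service recomputes the key from the shared SCT secret.
    """
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    stream = p_sha1(sct_secret, label + nonce, offset + length)
    return stream[offset:offset + length]


def make_dkt(sct_id: str, nonce: bytes, offset: int, length: int) -> dict:
    """DerivedKeyToken metadata sent in the Security header (dict stands in for the XML)."""
    return {"sct": sct_id, "nonce": base64.b64encode(nonce).decode(),
            "offset": offset, "length": length}


def sign_body(sct_secret: bytes, dkt: dict, body: bytes) -> bytes:
    """Client side: MAC the body with the key derived from the SCT secret."""
    key = derive_key(sct_secret, base64.b64decode(dkt["nonce"]),
                     dkt["offset"], dkt["length"])
    return hmac.new(key, body, hashlib.sha1).digest()


def verify_body(sct_store: dict, dkt: dict, body: bytes, mac: bytes) -> bool:
    """Service side: look up the SCT secret by identifier, re-derive, compare in constant time."""
    secret = sct_store.get(dkt["sct"])
    if secret is None:          # unknown (or expired/removed) security context
        return False
    return hmac.compare_digest(sign_body(secret, dkt, body), mac)


# Constructed sample values, not from the thread: the out-of-band shared
# secret (the .NET code's sct.KeyBytes), its identifier, a client nonce, a body.
SCT_ID = "uuid:constructed-sct-identifier"
SCT_SECRET = bytes(range(16))
NONCE = b"constructed-nonce"
BODY = b"<soapenv:Body><ns:echo>hello</ns:echo></soapenv:Body>"


def demo() -> dict:
    """Round trip: client derives + signs, service re-derives + verifies."""
    dkt = sign_dkt = make_dkt(SCT_ID, NONCE, offset=0, length=16)
    mac = sign_body(SCT_SECRET, dkt, BODY)
    store = {SCT_ID: SCT_SECRET}                    # contexts the service knows
    return {
        "ok": verify_body(store, sign_dkt, BODY, mac),
        "tampered": verify_body(store, dkt, BODY.replace(b"hello", b"hullo"), mac),
        "unknown_sct": verify_body({}, dkt, BODY, mac),
        # distinct offsets give independent keys, e.g. one for signing, one for encryption
        "sig_key_ne_enc_key": derive_key(SCT_SECRET, NONCE, 0, 16)
                              != derive_key(SCT_SECRET, NONCE, 16, 16),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the round trip is the lookup in verify_body: the service only ever accepts a message whose DerivedKeyToken references a context it actually holds, and it re-derives the key itself. LifeTime handling (the sct.LifeTime the .NET code sets) is where expired contexts would be dropped from the store; that bookkeeping is left out here.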