Rampart/Rahas problems
So I've essentially taken Rampart sample6 and split it across three machines with my own web service instead of SimpleService. Here's what happens:

1) Client makes Mex request to Service: Service responds.
2) Client makes token request to STS - STS responds.
3) Client attempts to make the actual call to the Service.

Service then responds with axisFault: Missing wsse:Security header in request

The server logs show something different:

ERROR org.apache.ws.security.components.crypto.CryptoFactory - Unable to instantiate (1): org.apache.ws.security.components.crypto.Merlin
java.lang.reflect.InvocationTargetException

So, I checked and made sure I had the BouncyCastle jar in the lib directory. I checked that the security provider is updated (though I haven't a clue why I'm doing this). And, now, I've run out of things to check. I'd appreciate any help.

Thanks,
--tim

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Rampart interaction with client/provider/STS
So far the samples seem to explicitly (through API) retrieve a token from the STS. I'm wondering whether this can be done declaratively, only by way of the policy. It seems that if I have a policy file exposed within a service's WSDL that states what STS is acceptable, then the client shouldn't need to get a token through the API? In other words, in code I would expect something like:

- set up a ServiceClient for the service provider endpoint
- engage Rampart
- load the service's policy document
- call service

and I would expect that, based on Rampart's understanding of the policy, it would know to retrieve a token from the STS prior to actually making the call to the service provider. If my expectation is wrong, then once I get a token from the STS programmatically, how do I attach it to the actual service call?

Thanks,
--tim
Re: Rampart interaction with client/provider/STS
On Thu, Jun 26, 2008 at 8:35 AM, Tim Williams [EMAIL PROTECTED] wrote:
> So far the samples seem to explicitly (through API) retrieve a token from the STS. I'm wondering whether this can be done declaratively, only by way of the policy. It seems that if I have a policy file exposed within a service's WSDL that states what STS is acceptable, then the client shouldn't need to get a token through the API? In other words, in code I would expect something like:
>
> - set up a ServiceClient for the service provider endpoint
> - engage Rampart
> - load the service's policy document
> - call service
>
> and I would expect that, based on Rampart's understanding of the policy, it would know to retrieve a token from the STS prior to actually making the call to the service provider. If my expectation is wrong, then once I get a token from the STS programmatically, how do I attach it to the actual service call?

It seems my expectation was reasonable; I just tried Rampart 1.4 sample 06 and it essentially does what I wanted.

On a side note, sample05 only seems to work *after* I successfully run sample06. If I type ant clean in the sample/policy directory and then try sample05, it's broken with something about a missing WSSE:Security header.

Sorry for the noise...
--tim
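Added example, not part of the thread and not code from the Rampart samples: the piece of a WS-SecurityPolicy document that names the STS is the `sp:IssuedToken` assertion, and this sketch extracts it from a policy so the issuer address can be checked against the STS endpoints a client is prepared to trust. The sample policy, the STS address and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust"}

# Constructed sample policy; the STS address is a placeholder, not from the thread.
SAMPLE_POLICY = """
<wsp:Policy xmlns:wsp="%(wsp)s" xmlns:sp="%(sp)s" xmlns:wsa="%(wsa)s" xmlns:wst="%(wst)s">
 <wsp:ExactlyOne><wsp:All>
  <sp:SymmetricBinding><wsp:Policy><sp:ProtectionToken><wsp:Policy>
   <sp:IssuedToken>
    <sp:Issuer><wsa:Address>http://sts.example.test:8080/axis2/services/STS</wsa:Address></sp:Issuer>
    <sp:RequestSecurityTokenTemplate>
     <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
     <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</wst:KeyType>
    </sp:RequestSecurityTokenTemplate>
   </sp:IssuedToken>
  </wsp:Policy></sp:ProtectionToken></wsp:Policy></sp:SymmetricBinding>
 </wsp:All></wsp:ExactlyOne>
</wsp:Policy>
""" % NS

def _text(node, path):
    """Stripped text of the first match, or None if absent or empty."""
    return node.findtext(path, default="", namespaces=NS).strip() or None

def issued_token_requirements(policy_xml):
    """Return one dict per sp:IssuedToken assertion found anywhere in the policy."""
    if "<!DOCTYPE" in policy_xml:
        raise ValueError("DTDs are not expected in a policy document")
    root = ET.fromstring(policy_xml)
    template = "sp:RequestSecurityTokenTemplate/"
    return [{"issuer": _text(tok, "sp:Issuer/wsa:Address"),
             "token_type": _text(tok, template + "wst:TokenType"),
             "key_type": _text(tok, template + "wst:KeyType")}
            for tok in root.iter("{%s}IssuedToken" % NS["sp"])]

def unapproved_issuers(policy_xml, allowed):
    """Issuer addresses not on the allowlist; None marks an assertion naming no issuer."""
    return [r["issuer"] for r in issued_token_requirements(policy_xml)
            if r["issuer"] not in allowed]

if __name__ == "__main__":
    for req in issued_token_requirements(SAMPLE_POLICY):
        print(req)
```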
Re: locating rampart-trust.mar
On Fri, Jun 20, 2008 at 5:33 AM, Nandana Mihindukulasooriya [EMAIL PROTECTED] wrote:
> Hi Tim,
>
>> I'm unable to find rampart-trust.mar and obviously don't have the necessary maven-fu to build it myself.
>
> Name of the trust module in Apache Rampart is Rahas. So what you need is rahas-x.x.mar. If you download the Rampart distribution [1] you can find it under modules.

Thanks Nandana, I do have rahas. The guide only describes how to deploy it while overriding the Issuer. To deploy it without overriding the issuer, do I just create a service archive that only contains a services.xml file referencing rahas and rampart?

--tim
Exposing STS (Rahas) [was: locating rampart-trust.mar]
On Fri, Jun 20, 2008 at 6:51 AM, Tim Williams [EMAIL PROTECTED] wrote:
> On Fri, Jun 20, 2008 at 5:33 AM, Nandana Mihindukulasooriya [EMAIL PROTECTED] wrote:
>> Hi Tim,
>>
>>> I'm unable to find rampart-trust.mar and obviously don't have the necessary maven-fu to build it myself.
>>
>> Name of the trust module in Apache Rampart is Rahas. So what you need is rahas-x.x.mar. If you download the Rampart distribution [1] you can find it under modules.
>
> Thanks Nandana, I do have rahas. The guide only describes how to deploy it while overriding the Issuer. To deploy it without overriding the issuer, do I just create a service archive that only contains a services.xml file referencing rahas and rampart?

So I think I've figured out that one needs to globally engage the module to have the RequestSecurityToken operation globally exposed, but I'm clearly missing something. I simply want a standalone STS. So, when I globally engage the rahas module, where might I find the WSDL for the RequestSecurityToken operation? I've tried the following with no luck:

/axis2/services/RequestSecurityToken?wsdl

Thanks,
--tim
locating rampart-trust.mar
I gather that rampart-trust.mar contains the STS functionality. I'm looking to deploy, for now, a simple STS for which I will eventually implement a custom Issuer. From the bottom of the quickstart doc [1]:

> Security Token Service can be set up as per WS-Trust specification using Rampart. The default security token service shipped with the rampart distribution is contained in the rampart-trust.mar module. It can issue SCT tokens and SAML tokens. Sample05 contains a client that connects to the default STS and obtain a SAML token. The services.xml in the sample contains saml-issuer-config parameter that is used to configure the default SAML issuer.

I'm unable to find rampart-trust.mar and obviously don't have the necessary maven-fu to build it myself. So, what's the best/easiest way to stand up a standalone STS server?

Thanks,
--tim

[1] - http://ws.apache.org/rampart/quick-start.html