---------- Forwarded message ----------
From: Håkon Sagehaug <[email protected]>
Date: 2009/3/12
Subject: Re: Adding security header to STSClient in rahas
To: [email protected]
Hi
What I read out of the code is that if a username and password are set in the
Options they should be picked up, but I set them in the Options and still get no
UsernameToken header.
Here is my policy; if anyone sees something wrong with it, pointing it out would be highly appreciated.
<wsp:Policy wsu:Id="SigOnly"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:All>
<sp:SymmetricBinding>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireDerivedKeys />
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:SymmetricBinding>
<sp:SupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
</wsp:Policy>
</sp:SupportingTokens>
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
<sp:MustSupportRefThumbprint />
<sp:MustSupportRefEncryptedKey />
</wsp:Policy>
</sp:Wss11>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>client</ramp:user>
<ramp:encryptionUser>service</ramp:encryptionUser>
<ramp:passwordCallbackClass>PWCBHandler</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto
provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.file">clientTrustStore.jks</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">pass</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:Policy>
2009/3/11 Martin Gainty <[email protected]>
> /**
> * Sets the crypto information required to process the RSTR.
> *
> * @param crypto Crypto information
> * @param cbHandler Callback handler to provide the private key password
> to
> * decrypt
> */
> public void setCryptoInfo(Crypto crypto, CallbackHandler cbHandler) {
> this.crypto = crypto;
> this.cbHandler = cbHandler;
> }
>
> Test Harness from RampartUtil:
> public static String getToken(RampartMessageData rmd, OMElement
> rstTemplate,
> String issuerEpr, String action, Policy issuerPolicy) throws
> RampartException {
>
> try {
> //First check whether the user has provided the token
> MessageContext msgContext = rmd.getMsgContext();
> String customTokeId = (String) msgContext
>
> .getProperty(RampartMessageData.KEY_CUSTOM_ISSUED_TOKEN);
> if(customTokeId != null) {
> return customTokeId;
> } else {
>
> Axis2Util.useDOOM(false);
>
> STSClient client = new STSClient(rmd.getMsgContext()
> .getConfigurationContext());
> // Set request action
> client.setAction(action);
>
> client.setRstTemplate(rstTemplate);
>
> // Set crypto information
> Crypto crypto =
> RampartUtil.getSignatureCrypto(rmd.getPolicyData().getRampartConfig(),
>
> rmd.getMsgContext().getAxisService().getClassLoader());
> CallbackHandler cbh = RampartUtil.getPasswordCB(rmd);
> client.setCryptoInfo(crypto, cbh);
>
> which is called from BindingBuilder:
> protected WSSecUsernameToken addUsernameToken(RampartMessageData rmd)
> throws RampartException {
>
> log.debug("Adding a UsernameToken");
>
> RampartPolicyData rpd = rmd.getPolicyData();
>
> //Get the user
> //First try options
> Options options = rmd.getMsgContext().getOptions();
> String user = options.getUserName();
> if(user == null || user.length() == 0) {
> //Then try RampartConfig
> if(rpd.getRampartConfig() != null) {
> user = rpd.getRampartConfig().getUser();
> }
> }
>
> if(user != null && !"".equals(user)) {
> log.debug("User : " + user);
>
> //Get the password
>
> //First check options object for a password
> String password = options.getPassword();
>
> if((password == null || password.length() == 0) &&
> rpd.getRampartConfig() != null) {
>
> //Then try to get the password from the given callback
> handler
> CallbackHandler handler = RampartUtil.getPasswordCB(rmd);
>
> where RampartPolicyData has mutator method for recipientToken
> /*** @param recipientToken The recipientToken to set. */
> public void setRecipientToken(Token recipientToken) {
> this.recipientToken = recipientToken;
> }
>
> and in the RecipientBuilder.java
> /**
> * Evaluate policy data that is specific to asymmetric binding.
> *
> * @param binding
> * The asymmetric binding data
> * @param rpd
> * The WSS4J data to initialize
> */
> private static void asymmetricBinding(AsymmetricBinding binding,
> RampartPolicyData rpd) throws WSSPolicyException {
> TokenWrapper tokWrapper = binding.getRecipientToken();
> TokenWrapper tokWrapper1 = binding.getInitiatorToken();
> if (tokWrapper == null && tokWrapper1 == null) {
> // this is an error - throw something
> }
> rpd.setRecipientToken(((RecipientToken)
> tokWrapper).getReceipientToken());
> rpd.setInitiatorToken(((InitiatorToken)
> tokWrapper1).getInitiatorToken());
> }
>
> the key is to make sure Rec<e>ipientToken is included in the binding
> /** in the case of AssymetricBinding ******/
> public PolicyComponent normalize() {
>
> if (isNormalized()) {
> return this;
> }
>
> AlgorithmSuite algorithmSuite = getAlgorithmSuite();
> List configs = algorithmSuite.getConfigurations();
>
> Policy policy = new Policy();
> ExactlyOne exactlyOne = new ExactlyOne();
>
> policy.addPolicyComponent(exactlyOne);
>
> All wrapper;
> AsymmetricBinding asymmetricBinding;
>
> for (Iterator iterator = configs.iterator(); iterator.hasNext();) {
> wrapper = new All();
> asymmetricBinding = new AsymmetricBinding();
>
> asymmetricBinding.setAlgorithmSuite((AlgorithmSuite) iterator
> .next());
> asymmetricBinding
>
> .setEntireHeadersAndBodySignatures(isEntireHeadersAndBodySignatures());
> asymmetricBinding.setIncludeTimestamp(isIncludeTimestamp());
> asymmetricBinding.setInitiatorToken(getInitiatorToken());
> asymmetricBinding.setLayout(getLayout());
> asymmetricBinding.setProtectionOrder(getProtectionOrder());
> asymmetricBinding.setRecipientToken(getRecipientToken());
> /********here is where the recipientToken is inserted to the Binding
> *******/
> Martin
>
>
>
>
> > Date: Wed, 11 Mar 2009 08:55:09 +0100
> > Subject: Re: Adding security header to STSClient in rahas
> > From: [email protected]
> > To: [email protected]
> >
> > Hi
> >
> > Yes, I've got this in the policy
> >
> > <sp:SupportingTokens
> > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > <wsp:Policy>
> > <sp:UsernameToken
> > sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
> > </wsp:Policy>
> > </sp:SupportingTokens>
> >
> > after I define the SymmetricBinding element. Do you know the answer to what I
> > asked about how the callback handler can tell whether it should provide the
> > keystore password or actually check that the username and password are correct?
> >
> > cheers, Håkon
> >
> >
> > 2009/3/10 Massimiliano Masi <[email protected]>
> >
> > > Hi,
> > >
> > > Did you add in your STS policy something like:
> > >
> > > <wsp:Policy>
> > > <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > > <wsp:Policy>
> > > <sp:HashPassword />
> > > </wsp:Policy>
> > > </sp:UsernameToken>
> > > </wsp:Policy>
> > >
> > >
> > >
> > >
> > > Quoting Håkon Sagehaug <[email protected]>:
> > >
> > > Hi all,
> > >>
> > >> I wanted to add a username/password token to my request to my STS
> > >> service. I'm using the STSClient from rahas and tried with this:
> > >>
> > >> Options options = new Options();
> > >> options.setUserName("user");
> > >> options.setPassword("pass");
> > >> options.setProperty(RampartMessageData.KEY_RAMPART_POLICY,
> > >> loadPolicy("policy/sts_policy.xml"));
> > >> stsClient.setOptions(options);
> > >>
> > >> But the messages don't have a security header.
> > >>
> > >> Also, how should I configure the callback handler, since it needs to
> > >> both validate the username/password and fetch the certificate for
> > >> validating the signed message? Should it be something like this:
> > >>
> > >> if(pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN){
> > >> /* Do password validation*/
> > >> }
> > >>
> > >> if(pwcb.getUsage() == WSPasswordCallback.SIGNATURE){
> > >> /* Do set password for keystore*/
> > >> }
> > >>
> > >> cheers, Håkon
> > >> --
> > >> Håkon Sagehaug, Scientific Programmer
> > >> Parallab, Bergen Center for Computational Science (BCCS)
> > >> UNIFOB AS (University of Bergen Research Company)
> > >>
> > >>
> > >
> > >
> > >
> > >
> > >
> >
> >
> > --
> > Håkon Sagehaug, Scientific Programmer
> > Parallab, Bergen Center for Computational Science (BCCS)
> > UNIFOB AS (University of Bergen Research Company)
>
--
Håkon Sagehaug, Scientific Programmer
Parallab, Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)