Can you post the SOAP message? In the case of symmetric binding, the username token header is encrypted.

thanks,
nandana

On Thu, Mar 12, 2009 at 5:06 PM, Håkon Sagehaug <[email protected]> wrote:

> ---------- Forwarded message ----------
> From: Håkon Sagehaug <[email protected]>
> Date: 2009/3/12
> Subject: Re: Adding security header to STSClient in rahas
> To: [email protected]
>
> Hi
>
> what I read out of the code is that if username and password is set in
> options it should be picked up, but I set it in options and still no
> username token header.
>
> Here is my policy, if anyone sees something wrong it's highly appreciated
>
> <wsp:Policy wsu:Id="SigOnly"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>   <wsp:All>
>     <sp:SymmetricBinding>
>       <wsp:Policy>
>         <sp:ProtectionToken>
>           <wsp:Policy>
>             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>               <wsp:Policy>
>                 <sp:RequireDerivedKeys />
>                 <sp:RequireThumbprintReference />
>                 <sp:WssX509V3Token10 />
>               </wsp:Policy>
>             </sp:X509Token>
>           </wsp:Policy>
>         </sp:ProtectionToken>
>         <sp:AlgorithmSuite>
>           <wsp:Policy>
>             <sp:Basic256 />
>           </wsp:Policy>
>         </sp:AlgorithmSuite>
>         <sp:Layout>
>           <wsp:Policy>
>             <sp:Lax />
>           </wsp:Policy>
>         </sp:Layout>
>         <sp:IncludeTimestamp />
>         <sp:OnlySignEntireHeadersAndBody />
>       </wsp:Policy>
>     </sp:SymmetricBinding>
>     <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>       <wsp:Policy>
>         <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
>       </wsp:Policy>
>     </sp:SupportingTokens>
>     <sp:SignedParts>
>       <sp:Body />
>     </sp:SignedParts>
>     <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>       <wsp:Policy>
>         <sp:MustSupportRefKeyIdentifier />
>         <sp:MustSupportRefIssuerSerial />
>         <sp:MustSupportRefThumbprint />
>         <sp:MustSupportRefEncryptedKey />
>       </wsp:Policy>
>     </sp:Wss11>
>     <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>       <ramp:user>client</ramp:user>
>       <ramp:encryptionUser>service</ramp:encryptionUser>
>       <ramp:passwordCallbackClass>PWCBHandler</ramp:passwordCallbackClass>
>       <ramp:signatureCrypto>
>         <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>           <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>           <ramp:property name="org.apache.ws.security.crypto.merlin.file">clientTrustStore.jks</ramp:property>
>           <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">pass</ramp:property>
>         </ramp:crypto>
>       </ramp:signatureCrypto>
>     </ramp:RampartConfig>
>   </wsp:All>
> </wsp:Policy>
>
> 2009/3/11 Martin Gainty <[email protected]>
>
>> /**
>>  * Sets the crypto information required to process the RSTR.
>>  *
>>  * @param crypto Crypto information
>>  * @param cbHandler Callback handler to provide the private key password to
>>  * decrypt
>>  */
>> public void setCryptoInfo(Crypto crypto, CallbackHandler cbHandler) {
>>     this.crypto = crypto;
>>     this.cbHandler = cbHandler;
>> }
>>
>> Test Harness from RampartUtil:
>>
>> public static String getToken(RampartMessageData rmd, OMElement rstTemplate,
>>         String issuerEpr, String action, Policy issuerPolicy) throws RampartException {
>>
>>     try {
>>         //First check whether the user has provided the token
>>         MessageContext msgContext = rmd.getMsgContext();
>>         String customTokeId = (String) msgContext
>>                 .getProperty(RampartMessageData.KEY_CUSTOM_ISSUED_TOKEN);
>>         if(customTokeId != null) {
>>             return customTokeId;
>>         } else {
>>
>>             Axis2Util.useDOOM(false);
>>
>>             STSClient client = new STSClient(rmd.getMsgContext()
>>                     .getConfigurationContext());
>>             // Set request action
>>             client.setAction(action);
>>
>>             client.setRstTemplate(rstTemplate);
>>
>>             // Set crypto information
>>             Crypto crypto = RampartUtil.getSignatureCrypto(rmd.getPolicyData().getRampartConfig(),
>>                     rmd.getMsgContext().getAxisService().getClassLoader());
>>             CallbackHandler cbh = RampartUtil.getPasswordCB(rmd);
>>             client.setCryptoInfo(crypto, cbh);
>>
>> which is called from BindingBuilder:
>>
>> protected WSSecUsernameToken addUsernameToken(RampartMessageData rmd) throws RampartException {
>>
>>     log.debug("Adding a UsernameToken");
>>
>>     RampartPolicyData rpd = rmd.getPolicyData();
>>
>>     //Get the user
>>     //First try options
>>     Options options = rmd.getMsgContext().getOptions();
>>     String user = options.getUserName();
>>     if(user == null || user.length() == 0) {
>>         //Then try RampartConfig
>>         if(rpd.getRampartConfig() != null) {
>>             user = rpd.getRampartConfig().getUser();
>>         }
>>     }
>>
>>     if(user != null && !"".equals(user)) {
>>         log.debug("User : " + user);
>>
>>         //Get the password
>>
>>         //First check options object for a password
>>         String password = options.getPassword();
>>
>>         if((password == null || password.length() == 0) &&
>>                 rpd.getRampartConfig() != null) {
>>
>>             //Then try to get the password from the given callback handler
>>             CallbackHandler handler = RampartUtil.getPasswordCB(rmd);
>>
>> where RampartPolicyData has mutator method for recipientToken
>>
>> /*** @param recipientToken The recipientToken to set. */
>> public void setRecipientToken(Token recipientToken) {
>>     this.recipientToken = recipientToken;
>> }
>>
>> and in the RecipientBuilder.java
>>
>> /**
>>  * Evaluate policy data that is specific to asymmetric binding.
>>  *
>>  * @param binding
>>  *            The asymmetric binding data
>>  * @param rpd
>>  *            The WSS4J data to initialize
>>  */
>> private static void asymmetricBinding(AsymmetricBinding binding,
>>         RampartPolicyData rpd) throws WSSPolicyException {
>>     TokenWrapper tokWrapper = binding.getRecipientToken();
>>     TokenWrapper tokWrapper1 = binding.getInitiatorToken();
>>     if (tokWrapper == null && tokWrapper1 == null) {
>>         // this is an error - throw something
>>     }
>>     rpd.setRecipientToken(((RecipientToken) tokWrapper).getReceipientToken());
>>     rpd.setInitiatorToken(((InitiatorToken) tokWrapper1).getInitiatorToken());
>> }
>>
>> the key is to make sure Rec<e>ipientToken is included in the binding
>>
>> /** in the case of AssymetricBinding ******/
>> public PolicyComponent normalize() {
>>
>>     if (isNormalized()) {
>>         return this;
>>     }
>>
>>     AlgorithmSuite algorithmSuite = getAlgorithmSuite();
>>     List configs = algorithmSuite.getConfigurations();
>>
>>     Policy policy = new Policy();
>>     ExactlyOne exactlyOne = new ExactlyOne();
>>
>>     policy.addPolicyComponent(exactlyOne);
>>
>>     All wrapper;
>>     AsymmetricBinding asymmetricBinding;
>>
>>     for (Iterator iterator = configs.iterator(); iterator.hasNext();) {
>>         wrapper = new All();
>>         asymmetricBinding = new AsymmetricBinding();
>>
>>         asymmetricBinding.setAlgorithmSuite((AlgorithmSuite) iterator.next());
>>         asymmetricBinding.setEntireHeadersAndBodySignatures(isEntireHeadersAndBodySignatures());
>>         asymmetricBinding.setIncludeTimestamp(isIncludeTimestamp());
>>         asymmetricBinding.setInitiatorToken(getInitiatorToken());
>>         asymmetricBinding.setLayout(getLayout());
>>         asymmetricBinding.setProtectionOrder(getProtectionOrder());
>>         asymmetricBinding.setRecipientToken(getRecipientToken());
>>         /********here is where the recipientToken is inserted to the Binding *******/
>>
>> Martin
>>
>> > Date: Wed, 11 Mar 2009 08:55:09 +0100
>> > Subject: Re: Adding security header to STSClient in rahas
>> > From: [email protected]
>> > To: [email protected]
>> >
>> > Hi
>> >
>> > Yes, I've got this in the policy
>> >
>> > <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> >   <wsp:Policy>
>> >     <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
>> >   </wsp:Policy>
>> > </sp:SupportingTokens>
>> >
>> > after I define the SymmetricBinding element. Do you know the answer to what I
>> > asked about, how to test if the callback handler should provide a password to
>> > the keystore or actually check that the username and password are correct?
>> >
>> > cheers, Håkon
>> >
>> > 2009/3/10 Massimiliano Masi <[email protected]>
>> >
>> > > Hi,
>> > >
>> > > Did you add in your STS policy something like:
>> > >
>> > > <wsp:Policy>
>> > >   <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>> > >     <wsp:Policy>
>> > >       <sp:HashPassword />
>> > >     </wsp:Policy>
>> > >   </sp:UsernameToken>
>> > > </wsp:Policy>
>> > >
>> > > Quoting Håkon Sagehaug <[email protected]>:
>> > >
>> > >> Hi all,
>> > >>
>> > >> I wanted to add a username/password token in my request to my STS service. I'm
>> > >> using the STSClient from rahas and tried with this
>> > >>
>> > >> Options options = new Options();
>> > >> options.setUserName("user");
>> > >> options.setPassword("pass");
>> > >> options.setProperty(RampartMessageData.KEY_RAMPART_POLICY,
>> > >>         loadPolicy("policy/sts_policy.xml"));
>> > >> stsClient.setOptions(options);
>> > >>
>> > >> But the messages don't have a security header.
>> > >>
>> > >> Also, how should I configure the callback handler, since it needs to both
>> > >> validate the username/password and fetch the certificate for validating the
>> > >> signed message? Should it be something like this
>> > >>
>> > >> if(pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN){
>> > >>     /* Do password validation*/
>> > >> }
>> > >>
>> > >> if(pwcb.getUsage() == WSPasswordCallback.SIGNATURE){
>> > >>     /* Do set password for keystore*/
>> > >> }
>> > >>
>> > >> cheers, Håkon
>> > >> --
>> > >> Håkon Sagehaug, Scientific Programmer
>> > >> Parallab, Bergen Center for Computational Science (BCCS)
>> > >> UNIFOB AS (University of Bergen Research Company)
>> >
>> > --
>> > Håkon Sagehaug, Scientific Programmer
>> > Parallab, Bergen Center for Computational Science (BCCS)
>> > UNIFOB AS (University of Bergen Research Company)
>
> --
> Håkon Sagehaug, Scientific Programmer
> Parallab, Bergen Center for Computational Science (BCCS)
> UNIFOB AS (University of Bergen Research Company)
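The thread's open question is how one password callback class (the `PWCBHandler` named in the policy's `<ramp:passwordCallbackClass>`) can serve both purposes: release the private-key password for signing/decryption and check a UsernameToken. The following is an added illustration, not code from the thread or from Rampart/WSS4J. It assumes the WSS4J 1.x `org.apache.ws.security.WSPasswordCallback` class with its `USERNAME_TOKEN`, `SIGNATURE` and `DECRYPT` usage constants, and it assumes the `<sp:HashPassword />` policy Massimiliano suggested, so that the handler only hands WSS4J the expected password and WSS4J performs the digest comparison itself. The credential and key-password maps are constructed samples taken from the values in the thread.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Hypothetical password callback handler for a Rahas/Rampart STS.
 * It dispatches on WSPasswordCallback.getUsage():
 *   - USERNAME_TOKEN: supply the password stored for the named user; with
 *     <sp:HashPassword/> WSS4J compares its digest against the token itself.
 *   - SIGNATURE / DECRYPT: supply the private-key password for the keystore
 *     alias being used (ramp:user / ramp:encryptionUser in the policy).
 * Anything else is rejected so that the handler fails closed.
 */
public class PWCBHandler implements CallbackHandler {

    // Constructed sample user store; a real STS would consult a hashed credential store.
    private static final Map<String, String> USER_PASSWORDS = new HashMap<String, String>();
    // Constructed sample key passwords keyed by keystore alias.
    private static final Map<String, String> KEY_PASSWORDS = new HashMap<String, String>();

    static {
        USER_PASSWORDS.put("user", "pass");    // matches options.setUserName("user") / setPassword("pass")
        KEY_PASSWORDS.put("client", "pass");   // <ramp:user>client</ramp:user>
        KEY_PASSWORDS.put("service", "pass");  // <ramp:encryptionUser>service</ramp:encryptionUser>
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            String id = pwcb.getIdentifier();   // username or keystore alias, depending on usage

            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN: {
                    String expected = USER_PASSWORDS.get(id);
                    if (expected == null) {
                        // Unknown user: never set a password, so token verification fails.
                        throw new UnsupportedCallbackException(cb, "Unknown user: " + id);
                    }
                    pwcb.setPassword(expected);  // WSS4J digests and compares this value
                    break;
                }
                case WSPasswordCallback.SIGNATURE:
                case WSPasswordCallback.DECRYPT: {
                    String keyPass = KEY_PASSWORDS.get(id);
                    if (keyPass == null) {
                        throw new UnsupportedCallbackException(cb, "No key password for alias: " + id);
                    }
                    pwcb.setPassword(keyPass);   // unlocks the private key for the alias
                    break;
                }
                default:
                    throw new UnsupportedCallbackException(cb, "Unhandled usage: " + pwcb.getUsage());
            }
        }
    }
}
```

Two points a practitioner would check against this shape: with a digest (`HashPassword`) token the handler must return the stored password and leave the comparison to WSS4J, whereas WSS4J 1.5.x delivers a plaintext UsernameToken with the separate `USERNAME_TOKEN_UNKNOWN` usage and then expects the handler to do the comparison itself; and the `SIGNATURE`/`DECRYPT` branches are what RampartUtil.getPasswordCB(rmd) feeds the STSClient's `setCryptoInfo` crypto, so the identifiers arriving there are keystore aliases, not user names, which is why the two maps are kept separate.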
