WS-Security in ODE has been edited by Alexis Midon (Mar 24, 2009).


How to use WS-Security in ODE?

ODE 1.3.1 (not yet released at the time of writing) introduces support for WS-Security: a process can now invoke secured services, and the service exposed by the process can itself be secured. The first part of this page explains how to invoke a secured service, the second how to secure the process service.

ODE's Integration Layer is based on Axis2, so Rampart, the Axis2 security module, is the natural fit, and this page covers only the Rampart integration. Rampart itself and the WS-Security specifications are not described here; refer to their own documentation for details.

Quick Rampart introduction

Like any other Axis2 module, Rampart is configured through the Axis2 service configuration file (services.xml). Using the parameter-based configuration model, such a document might look like this:

<service>

    <module ref="rampart" />

    <parameter name="OutflowSecurity">
      <action>
        <items>Timestamp Signature</items>
        <user>client</user>
        <signaturePropFile>TestRampartBasic/secured-services/client.properties</signaturePropFile>
        <passwordCallbackClass>org.apache.rampart.samples.sample04.PWCBHandler</passwordCallbackClass>
        <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
      </action>
    </parameter>

    <parameter name="InflowSecurity">
      <action>
        <items>Timestamp Signature</items>
        <signaturePropFile>TestRampartBasic/secured-services/client.properties</signaturePropFile>
      </action>
    </parameter>

</service>

Another example, this time using the WS-SecurityPolicy based configuration model, is listed below. See the full document here.

<service>

    <module ref="rampart"/>

    <wsp:Policy wsu:Id="SecConvPolicy2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                             <!-- truncated -->
                    </wsp:Policy>
                </sp:SymmetricBinding>
                <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:MustSupportRefKeyIdentifier/>
                        <sp:MustSupportRefIssuerSerial/>
                        <sp:MustSupportRefThumbprint/>
                        <sp:MustSupportRefEncryptedKey/>
                    </wsp:Policy>
                </sp:Wss11>
                <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:MustSupportIssuedTokens/>
                        <sp:RequireClientEntropy/>
                        <sp:RequireServerEntropy/>
                    </wsp:Policy>
                </sp:Trust10>
                <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <sp:Body/>
                </sp:EncryptedParts>
                <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy"> 
                    <ramp:user>client</ramp:user>
                    <ramp:encryptionUser>service</ramp:encryptionUser>
                    <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample04.PWCBHandler</ramp:passwordCallbackClass>
                
                    <ramp:signatureCrypto>
                        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.file">TestRampartPolicy/secured-services/client.jks</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
                        </ramp:crypto>
                    </ramp:signatureCrypto>
                    <ramp:encryptionCypto>
                        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.file">TestRampartPolicy/secured-services/client.jks</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
                        </ramp:crypto>
                    </ramp:encryptionCypto>
                
                </ramp:RampartConfig>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

</service>

The important thing to notice is that both documents are plain Axis2 service configuration files, and, as explained in the ODE User Guide, ODE already has a mechanism to pick up such files from a process bundle. All we have to do is reuse that mechanism; the rest is pure Rampart configuration. Two practical notes on the samples above: the keystore paths and the keystore password ("apache") are sample values to be replaced with your own, and the misspelt <ramp:encryptionCypto> element is Rampart's actual element name, not a typo to correct.

Let's take an example and see the actual required steps.

How to invoke a secure web service?

Prepare your service document

Assuming your process needs to invoke the secured service {http://sample03.policy.samples.rampart.apache.org}Sample03, the first step is to prepare a service document named ${process_bundle_dir}/Sample03.axis2 containing your desired Rampart configuration.
The second step is to make sure the resources Rampart needs to invoke the service are available on the ODE webapp classpath. Typical resources are:

  • password callback handler classes
  • Java keystores
  • property files containing keystore information

Add resources to ODE webapp classpath

How you add these resources to the ODE classpath depends on your application server, your overall architecture and other criteria, so it is up to you to work this out for your deployment. Typical locations are:

  • ode/WEB-INF/classes
  • ode/WEB-INF/lib
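The first of the resources listed above, the password callback handler, is a class you write yourself; the Rampart samples referenced in the configurations hardcode the password. The following is an added example, not code from ODE or Rampart, of such a handler against the WSS4J 1.x API used by Rampart at the time: it serves the private key password for signing and decryption, reads it from a classpath resource instead of embedding it, and refuses any other callback usage. The class name, the resource name ode-key-passwords.properties and its format are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback handler for Rampart (WSS4J 1.x API, the line used by ODE 1.3.x).
 * Rampart instantiates the class named by passwordCallbackClass with its no-arg
 * constructor and calls handle() whenever it needs the password of a private key:
 * the signing key named in <user>/<ramp:user>, or the decryption key when an
 * encrypted message arrives. Hypothetical class; the resource name and format
 * below are assumptions, not an ODE or Rampart convention.
 *
 * Key passwords are read from the classpath resource ode-key-passwords.properties
 * (one "<alias>=<password>" line per key), so no secret is compiled into the class
 * or written into the .axis2 document.
 */
public class PWCBHandler implements CallbackHandler {

    private static final String RESOURCE = "ode-key-passwords.properties";
    private Properties passwords;

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.SIGNATURE: // password of the private key used to sign
                case WSPasswordCallback.DECRYPT:   // password of the private key used to decrypt
                    pwcb.setPassword(lookup(pwcb.getIdentifier()));
                    break;
                default:
                    // Fail closed: this handler does not validate UsernameTokens or serve
                    // other usages, so refuse rather than hand back a key password.
                    throw new UnsupportedCallbackException(cb,
                        "unsupported usage " + pwcb.getUsage() + " for alias " + pwcb.getIdentifier());
            }
        }
    }

    /** Looks up the password of a key alias; an unknown alias is an error, not an empty password. */
    private synchronized String lookup(String alias) throws IOException {
        if (passwords == null) {
            // Loaded lazily so a missing file surfaces as an IOException from handle(),
            // which Rampart reports as a security failure on the message.
            InputStream in = PWCBHandler.class.getClassLoader().getResourceAsStream(RESOURCE);
            if (in == null) {
                throw new IOException(RESOURCE + " not found on the ODE webapp classpath");
            }
            Properties loaded = new Properties();
            try {
                loaded.load(in);
            } finally {
                in.close();
            }
            passwords = loaded;
        }
        String password = passwords.getProperty(alias);
        if (password == null) {
            throw new IOException("no key password configured for alias " + alias);
        }
        return password;
    }
}
```

The compiled class and the properties file both go on the ODE webapp classpath (ode/WEB-INF/classes, for instance), and the properties file should be readable only by the account running the application server. Note that this handler supplies the private key password only: the keystore password (org.apache.ws.security.crypto.merlin.keystore.password) is still taken from the crypto properties file or the RampartConfig element, as in the samples above.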

An alternative

If you're using the policy-based configuration model, an alternative is available: use the endpoint property mechanism to attach the policy to the service.
Here is how:

  1. save the Policy document (not the service document) in a file of your choice, for instance mypolicy.xml
  2. create an endpoint file linking the service and the policy file, with the two properties listed below. Note that if the path assigned to the "ode.security.policy" property is relative it is resolved against the process bundle directory; an absolute path is used as is.
alias.sample03-ns=http://sample03.policy.samples.rampart.apache.org
sample03-ns.sample03-policy.ode.security.policy=mypolicy.xml

How to secure the web service exposed by a process?

Securing a process service is no different from invoking a secured service. If the process service you're exposing is {http://mycompany.com}AbsenceRequest, all you have to do is prepare a service document named ${process_bundle_dir}/AbsenceRequest.axis2 containing your Rampart configuration. Once again, it's up to you to add the needed resources to the ODE webapp classpath.
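Both this section and the "Add resources to ODE webapp classpath" section above leave it to you to get the callback class, property files and keystores onto the classpath, and a mistake there only shows up as a Rampart failure at runtime. The following added example, a hypothetical helper that is not part of ODE or Rampart, reads a service document (either configuration model) and reports every referenced resource that does not resolve from the class loader it is run with; run it with the ODE webapp classpath before deploying the bundle. The class name is an assumption, and it relies on Merlin looking resources up on the class loader first and then on the file system.

```java
import java.io.File;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

import javax.security.auth.callback.CallbackHandler;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Pre-deployment check for an ODE service document (<Service>.axis2) carrying a
 * Rampart configuration: verifies that the password callback class, the crypto
 * property files and the keystores it references resolve from the given class
 * loader. Hypothetical helper, not part of ODE or Rampart.
 *
 * Run with the ODE webapp classpath, e.g.
 *   java -cp "ode/WEB-INF/classes:ode/WEB-INF/lib/*:." RampartResourceCheck bundle/Sample03.axis2
 */
public class RampartResourceCheck {

    private static final String MERLIN_FILE = "org.apache.ws.security.crypto.merlin.file";

    /** Returns the unresolved references; an empty list means every resource was found. */
    public static List<String> check(File serviceDoc, ClassLoader cl) throws Exception {
        List<String> problems = new ArrayList<String>();

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // A configuration file has no business pulling in external entities: refuse any DOCTYPE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(serviceDoc);

        // 1. Callback handler class: <passwordCallbackClass> in the parameter model,
        //    <ramp:passwordCallbackClass> in the policy model ("*" matches any namespace).
        for (String className : texts(doc, "passwordCallbackClass")) {
            try {
                Class<?> c = Class.forName(className, false, cl);
                if (!CallbackHandler.class.isAssignableFrom(c)) {
                    problems.add(className + " does not implement javax.security.auth.callback.CallbackHandler");
                }
            } catch (ClassNotFoundException e) {
                problems.add("callback class not on classpath: " + className);
            }
        }

        // 2. Parameter model: crypto property files, and the keystore each of them names.
        for (String tag : new String[] {"signaturePropFile", "encryptionPropFile"}) {
            for (String path : texts(doc, tag)) {
                InputStream in = cl.getResourceAsStream(path);
                if (in == null) {
                    problems.add("property file not on classpath: " + path);
                    continue;
                }
                Properties p = new Properties();
                try {
                    p.load(in);
                } finally {
                    in.close();
                }
                String keystore = p.getProperty(MERLIN_FILE);
                if (keystore == null) {
                    problems.add(path + " does not set " + MERLIN_FILE);
                } else if (!resolvable(keystore, cl)) {
                    problems.add("keystore not found: " + keystore + " (referenced by " + path + ")");
                }
            }
        }

        // 3. Policy model: <ramp:property name="...merlin.file"> inside RampartConfig.
        NodeList props = doc.getElementsByTagNameNS("*", "property");
        for (int i = 0; i < props.getLength(); i++) {
            Element e = (Element) props.item(i);
            String location = e.getTextContent().trim();
            if (MERLIN_FILE.equals(e.getAttribute("name")) && !resolvable(location, cl)) {
                problems.add("keystore not found: " + location);
            }
        }
        return problems;
    }

    /** Merlin tries the class loader first and then the file system; mirror that order. */
    private static boolean resolvable(String location, ClassLoader cl) {
        return cl.getResource(location) != null || new File(location).isFile();
    }

    private static List<String> texts(Document doc, String localName) {
        List<String> out = new ArrayList<String>();
        NodeList nodes = doc.getElementsByTagNameNS("*", localName);
        for (int i = 0; i < nodes.getLength(); i++) {
            out.add(nodes.item(i).getTextContent().trim());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        List<String> problems = check(new File(args[0]), RampartResourceCheck.class.getClassLoader());
        for (String problem : problems) {
            System.err.println("PROBLEM: " + problem);
        }
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

A non-zero exit means the bundle would deploy but fail at the first secured exchange; the messages name the exact class, property file or keystore to add to ode/WEB-INF/classes or ode/WEB-INF/lib. The check applies equally to a Sample03.axis2 used to invoke a secured partner and to an AbsenceRequest.axis2 securing the process service itself.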
