Re: [esb-java-user] Authentification for serivces and wso2 esb

[Jens Goldhammer]

Paul,

I am sorry, I have misunderstand the aspect of trust. I thought, the 
trust relationship will only be valid if a service provider in domain2 
ask STS in domain 1 if a valid token is delivered with a message. But I 
see this is not the case if  domain2 will trust STS of domain1.

What about the claims? I see that it is possible to specify claims with 
ws-policy. So I understand that I can made a request to the STS and 
wants to get a token for using a certain operation of a certain service 
in an other domain and the sts validates if I am allowed to do this and 
respond with a token. Is this right?

Do you think Synapse will in future support this kind?
I know that it works to configure Rampart/Rahas to have an STS. Does the 
sts implementation offers extension points?

Thanks,
Jens


Paul Fremantle schrieb:
So generally speaking there is no actual comms between the domains to 
validate the token. What happens is that the token is signed by ESB1 
as being valid for time T. ESB2 simply needs to have the right 
keystore so that it can validate ESB1's signature. That is enough for 
the token to work.

Paul

Jens Goldhammer wrote:
Paul,

it is getting complicated now :-)
thanks for your suggestion, but I see the problem in having always a 
communication back to the other domain.

client-+esb1 = domain 1
esb2+server = domain 2

I want to have authorisation that does not need to have a validation 
request back to the other domain. So I have to duplicate information 
for auth in all domains. Domain 1 has to know if user can access a 
certain service in domain 2 and domain 2 also has to know this. The 
problem is really that the connection can get lost in the next moment 
where domain2 wants to validate the access by requesting the sts on 
esb1. The question now is if the bigger admin effort compensates the 
requirements that the messages passes the domain boundary and will be 
delivered without having a link back.

Any comments?

Thanks,
Jens


Paul Fremantle schrieb:
Jens

Suppose that the ESB acted as the STS. Would that provide the 
separation of concerns you needed? In other words

Client->ESB1->ESB2->Server

ESB1 acts as the STS and is trusted as far as authentication is 
concerned.

Client calls ESB1 with U/P and gets back token. Token is passed to 
ESB1 who passes it on to ESB2. ESB2 trusts it for authentication, 
and then does authz to see if client is permitted access to Server. 
ESB2 may then remove the token or let it pass on to Server.

Paul

Jens Goldhammer wrote:
Hello,

thanks for your answers, Paul and Dimuthu. The problem on my 
questions is sometimes that I don´t know what is possible and what 
is my intention. It is more a search on possible solutions in 
general. As Paul already knows, I am writing my diploma thesis at 
the moment, but he does not know the requirements :-). The topic 
deals with communication between a federation of esb, where 
federation is more a organisational topic than a technical. Besides 
this I should investigate the communications between the domains.

I have certain requirements:
- there are several domains which are connected only via esbs. 
There are service users (bpel and other services) and consumers 
(bpel and application clients) in each domain and they can 
communicate only via esb.
- the communication between the domains can get lost because some 
domains are mobile and have not always an network connection to 
other domains. So there should be only as much conversations as 
really needed.
- messages which could not be sended should be delivered after 
there is a network connection established.
- not every user should be able to request services in an other 
domain. there should be possibilities to make an authentification 
and authorisation.

I want to investigate which possibilities are available in this 
case, to compare them and decide which make sense:
- reliable and secure conversations (WS-Security is a good 
framework, WS-Trust is one possibility, but requires to communicate 
to a STS which has to sit in one domain. This increases the network 
dependcy between the domains; WS-RM is related to that not very 
good because it needs much messages to work; SOAP over JMS is my 
friend in this case, or?
- authorisations and routing users have permissions and should only 
be able to call services for which they are authorized; this is the 
reason why I have developed the role-based routing component which 
sits in synapse, looks at the message and decide on the credentials 
if the message should be delivered to the endpoint or not.

Maybe I have to make more assumptions that I want to. Services and 
BPEL should have the possibility to create secured messages to have 
authorisations on user or role permissions.
If you have any ideas or comments which could help, it would be 
very great!

Thanks.
Jens


Paul Fremantle schrieb:
Jens, Ruchith

It seems to me that what you need is WS-Trust. Basically WS-Trust 
allows the client to get hold of a token and then attach that 
token to all requests. Those tokens can then be accepted by any 
ESB or endpoint that trusts the token server.

Does that sound like it meets your needs Jens?

Paul

On Fri, Mar 7, 2008 at 2:46 AM, Dimuthu Leelarathne 
<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:

    Hi Jens,


    On Thu, 2008-03-06 at 19:33 +0100, Jens Goldhammer wrote:
    > Hello together,
    >
    > I have thought about this scenario and I am having some 
problems
    in my mind.
    >
    > client <-> esb 1<-> esb 2<-> service
    >
    > In terms of security aims I want to have autorisations 
mechanism
    which I
    > will get with this scenario. The esb 1 calls esb 2 and 
passes its
    > credentials. So esb2 knows which esb will call the service and
    can made
    > an authorisation. The esbs encapsulate the real users which is
    usefull
    > in some cases. In my concrete scenario I want to have a tracing
    > mechanism who (not only on esb level) was calling which 
service.
    > How can I achieve this? If the client does not have the
    possibility to
    > include ws-security information in the message, I have no 
chance for
    > doing this, right? How should esb 1 know which user calls it?
    Maybe I
    > can make a ssl connection and pass the credentials in it, take
    them at
    > the esb1 and inject security credentials?

    You can do this.

    > If the client is a bpel-process, I cannot determine a real 
user.
    In this
    > case it is the bpel-engine?
    > If the client is an web-application, I can use the
    login-crediantials of
    > the user to pass them to the esb 1. If I have the chance to do
    that, I
    > also can implement ws-security in the service itself.

    Yes you can use web service client to pass login-credentials 
of the
    user. Maybe you an use UsernameToken Authentication. As you
    requested in
    the previous mail, we can add methods to usermanager API to 
retrieve
    password from the underlying user store. But taking the overall
    picture,
    I deducted that your clients can be bpel or a web service client.
    But I
    do not know much about bpen-engine to comment on that.

    > Can you tell me the scenarios for switching security on and 
off?

    Security cannot be switched on and off at the same service. If 
it is
    absolutely required, what I would do is duplicate the service 
in two
    places, one of them will be secured with WS-Security and the 
other
    will
    be without security.

    Thank you,
    Dimuthu

    > Thanks,
    > Jens
    >
    > Ruchith Fernando schrieb:
    > > Let me try to answer your question with my understanding your
    scenario.
    > >
    > > You have a set of ESBs and you can authenticate users at 
those
    EBSs
    > > using any of the mechanisms Dimuthu explained. Now in
    situations where
    > > one ESB has to talk to another *on behalf of* one of its 
users
    that
    > > ESB can authenticate itself to the other ESB and carry out 
the
    work.
    > > In this case each ESB will have their own credentials in the
    form of
    > > username/password pairs or certificates. And the 
communicating
    ESBs
    > > will have to trust each other by recognizing those 
credentials.
    > >
    > > HTH
    > >
    > > Thanks,
    > > Ruchith
    > >
    > > Jens Goldhammer wrote:
    > >> Hello Dimuthu,
    > >>
    > >> thanks for your good explanations!
    > >> Which of these possibilities are valuable to have a
    > >> cross-domain-authentification? With rampart I always have to
    > >> distribute new certificates to all participating domains, 
or I am
    > >> completly wrong?
    > >> Do you think the third possiblity works with wso2 esb? 
Should
    I give
    > >> it a try?
    > >> Is there a running bigger example for using rahas except
    sample05 in
    > >> rampart-distribution or any documentation for it?
    > >>
    > >> Thanks,
    > >> Jens
    > >>
    > >>
    > >> Dimuthu Leelarathne schrieb:
    > >>> Hi Jens,
    > >>>
    > >>> On Mon, 2008-02-04 at 18:42 +0530, Asankha C. Perera wrote:
    > >>>
    > >>>> Hi Jens
    > >>>>
    > >>>>> My ideas are to inject some user values in the 
soap-message
    > >>>>> (username and password) and encrypt the soap-message. The
    esb will
    > >>>>> take these values and proofs it by using the wso2 
usermanager.
    > >>>>>
    > >>>
    > >>>
    > >>> As I understand you need to authenticate users using
    username/password.
    > >>>
    > >>> This can be done in several ways as follows.
    > >>>
    > >>> 1) Using http basic authentication over SSL
    > >>> 2) Using Username Token over SSL
    > >>> 3) Using an encrypted Username Token.
    > >>> Implementation details of the above techniques can be
    described as
    > >>> follows.
    > >>>
    > >>> First method
    > >>> ============
    > >>> First approach is the easiest to implement and sufficient
    for most
    > >>> situations. You can write a simple Java POJO class at the
    service to
    > >>> authenticate users by calling usermanager. If you want a
    more efficient
    > >>> approach you can implement a custom mediator with a caching
    technique
    > >>> which uses usermanager to perform authentication.
    > >>>
    > >>> This is how you write a custom mediator [1]
    > >>>
    > >>> This is how you read the http authentication headers [2]
    > >>>
    > >>>
    > >>> Second method
    > >>> =============
    > >>> This is a WS-Security policy based approach. Rampart is 
used for
    > >>> injecting and authenticating the Username Token. The
    security policy
    > >>> needed for this is available in the Rampart 
distribution[3].
    The sample
    > >>> is samples/policy/sample01 in the Rampart distribution.
    > >>>
    > >>>
    > >>>
    > >>> Third method
    > >>> ============
    > >>> This is a WS-Security policy based approach. Here you have
    to use
    > >>> Asymmetric Binding and use UsernameToken as a supporting
    token. We
    > >>> don't
    > >>> have a sample for this yet. But you can look at the Rampart
    samples and
    > >>> read the WS policy specification for this.
    > >>>
    > >>>
    > >>> Links
    > >>> [1]http://wso2.org/library/2898
    > >>>
    
[2]http://www.mail-archive.com/[EMAIL PROTECTED]/msg00065.html 

    <http://archive.com/[EMAIL PROTECTED]/msg00065.html>
    > >>>
    
[3]http://www.apache.org/dyn/mirrors/mirrors.cgi/ws/rampart/1_3/rampart-1.3.zip 

    > >>>
    > >>>
    > >>> Thank you,
    > >>> Dimuthu
    > >>>
    > >>>
    > >>>
    > >>>
    > >>>
    > >>>> Sure, this is possible with a custom mediator or a simple
    Java POJO
    > >>>> class that calls into the usermanager library. You could
    also use
    > >>>> WS-Security without coding using a WS-Security policy. 
I am
    copying
    > >>>> Dimuthu from the usermanager/Rampart team so she could
    point you in
    > >>>> the correct direction. We have some samples that shows how
    WS-Sec can
    > >>>> be used with policies
    > >>>> 
(http://wso2.org/project/esb/java/1.6/docs/ESB_Samples.html)
    > >>>>
    > >>>>> After a successfull authentification I have to indicate
    that they
    > >>>>> other esbs and services itself don´t need to proof it
    again. I don´t
    > >>>>> want to make a new authentification at all intermediate
    stations, so
    > >>>>> in my eyes a flag in the soap message to say "Already
    authenticated"
    > >>>>> is enough, or?
    > >>>> If this is totally within your intranet, I guess this 
should be
    > >>>> enough. You could also use https to secure the messages
    over the wire
    > >>>>
    > >>>>> I have to write an own mediation than, right? Or is there
    a solution
    > >>>>> out of the box?
    > >>>>>
    > >>>> Well you could use the Header mediator to add a custom 
SOAP
    header to
    > >>>> a message
    > >>>>
    
(http://wso2.org/project/esb/java/1.6/docs/ESB_Configuration_Language.html) 

    > >>>> You could also use a custom extension mediator if you 
like, but
    > >>>> this doesn't seem necessary
    > >>>>
    > >>>>> What´s about the identity solution? Does  it fit to my
    > >>>>> requirements? Any other ideas in general for doing that?
    > >>>> If you want to call into the user manager library and add
    the custom
    > >>>> header both at once etc. writing a custom mediator may 
be ok
    > >>>>
    > >>>> asankha
    > >>>>
    > >>>
    > >>>
    > >>> _______________________________________________
    > >>> Esb-java-user mailing list
    > >>> Esb-java-user@wso2.org <mailto:Esb-java-user@wso2.org>
    > >>> http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user
    > >>>
    > >>
    > >> _______________________________________________
    > >> Esb-java-user mailing list
    > >> Esb-java-user@wso2.org <mailto:Esb-java-user@wso2.org>
    > >> http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user
    > >>
    > >
    > >
    > >
    > >


    _______________________________________________
    Esb-java-user mailing list
    Esb-java-user@wso2.org <mailto:Esb-java-user@wso2.org>
    http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user







_______________________________________________
Esb-java-user mailing list
Esb-java-user@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user