Hi,

I am using Axis2 1.1.1 and Rampart 1.1 and I have implemented
symmetric key encryption using a shared key known to both the client
and the server. I also use the Username Token and a timestamp.
Everything works fine if there is only one shared key between the
client and the server.

Nevertheless, there is the requirement to set a symmetric key for
every user known to the server. This means that the server has a
database with all the valid users, and for every user there is a
password (used in the Username Token) and a symmetric key (that should
be used to encrypt the server's response). The client also has access
to a registry that stores the same information.

I have managed to use the correct key in the client (for encrypting
the request) thanks to the dynamic configuration of Axis2 parameters in the Stub:

// Start of code
// Both callbacks resolve to the same handler, constructed with the
// password (UsernameToken) and session key (encryption) of this user
options.setProperty(WSHandlerConstants.PW_CALLBACK_REF,
        new PWCBHandler(userPassword, userSessionKey));

options.setProperty(WSHandlerConstants.ENC_CALLBACK_REF,
        new PWCBHandler(userPassword, userSessionKey));

// Rampart-1.0 style outflow configuration for the request
OutflowConfiguration ofc = new OutflowConfiguration();
ofc.setActionItems("Timestamp Encrypt UsernameToken");
ofc.setUser(username);
ofc.setEncryptionPropFile("crypto.properties");
ofc.setEncryptionKeyIdentifier("EmbeddedKeyName");

options.setProperty(WSSHandlerConstants.OUTFLOW_SECURITY, ofc.getProperty());
// End of code

In the above code excerpt I set the PasswordCallbackHandler and
EncryptionCallbackHandler to the same reference and pass the user's
password and the user's session key that should be used as
parameters to the constructor. Another way would be to pass the
username and let the CallbackHandlers retrieve the password and
session key from the registry.

On the server, though, I cannot configure the security parameters
dynamically. I cannot get the username of the user who made the
request in the CallbackHandlers (the MessageContext is also null) in
the response. So I can only use a single session key that is either
hard-coded in the CallbackHandler or retrieved from the database, but
it is the same for all requesting users.

If I had used certificates and a keystore the same effect would be
possible by using the <encryptionUser>useReqSigCert</encryptionUser>
parameter that identifies the requesting user and passes this
information to the outflow handlers for retrieving the correct
certificate (and public key) to encrypt the response.
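As an added example (not code from this thread), this is what the registry-backed handler mentioned above could look like on the client side: it is given the username through the callback identifier and resolves both the UsernameToken password and the symmetric key referenced by EmbeddedKeyName from a registry. `UserRegistry` is an assumed interface standing in for the users database; the WSS4J callback API (`WSPasswordCallback`, its `USERNAME_TOKEN` and `KEY_NAME` usages) is real.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/** Registry-backed callback handler: resolves the password and symmetric key per user. */
public class RegistryPWCBHandler implements CallbackHandler {

    /** Assumed lookup interface; in the thread this is the users database / registry. */
    public interface UserRegistry {
        String getPassword(String username);
        byte[] getSessionKey(String username);
    }

    private final UserRegistry registry;

    public RegistryPWCBHandler(UserRegistry registry) {
        this.registry = registry;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "unrecognized callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            // WSS4J hands us the configured user (ofc.setUser) or the key name
            String user = pc.getIdentifier();
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    String pw = registry.getPassword(user);
                    if (pw == null) throw new IOException("unknown user: " + user);
                    pc.setPassword(pw);          // value placed in the UsernameToken
                    break;
                case WSPasswordCallback.KEY_NAME:
                    byte[] key = registry.getSessionKey(user);
                    if (key == null) throw new IOException("no session key for: " + user);
                    pc.setKey(key);              // symmetric key referenced by EmbeddedKeyName
                    break;
                default:
                    // Fail closed: never answer a usage we did not expect
                    throw new UnsupportedCallbackException(pc, "unsupported usage " + pc.getUsage());
            }
        }
    }
}
```

On the server the identifier handed to this callback for the response is the statically configured encryption user, not the requester, which is exactly the limitation the thread is about.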

On 5/28/07, Ruchith Fernando <[EMAIL PROTECTED]> wrote:
Hi,

Have you looked at the samples/basic/sample09 of rampart? (This uses
the Rampart-1.0 style configuration)

This is not supported in the policy based configuration model yet but
this will let you use a shared symmetric key. Try it out and let us
know your thoughts please.

Thanks,
Ruchith

p.s. Rampart 1.2 artifacts will be available by the end of the day
today .. until then please try Rampart-1.1 with Axis2-1.1

On 5/26/07, Konstantinos Pateras <[EMAIL PROTECTED]> wrote:
> Hi, thanks for the reply
>
> First of all I cannot use
> <encryptionUser>useReqSigCert</encryptionUser> because I do not have
> signed messages. In the server there is a database with the users and
> their symmetric keys (predefined). I only use the UsernameToken in the
> call from client to server and encryption with the symmetric key (that
> is known at the client also).
>
> Now, the server must know which user the response is for, so that
> the CallbackHandler can retrieve the key from the database (with the
> username) and use it for encrypting the response. I tried to get the
> message context but the call MessageContext.getCurrentMessageContext()
> returns null in the response.
>
> Thanks in advance,
> Konstantinos
>
> On 5/24/07, Dimuthu Leelaratne <[EMAIL PROTECTED]> wrote:
> > Hi
> >
> > <encryptionUser>useReqSigCert</encryptionUser> is the provided method,
> > but if you do not want to use this then there is no straightforward
> > way to get this done. You can try the following, but I do not
> > recommend it, because it is more of a hack.
> >
> >        MessageContext msgCtx = MessageContext.getCurrentMessageContext();
> >        Vector results = (Vector) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
> >
> >        // Get the user name from the above vector.
> >
> >        // Create the OMElement the way you want to by inserting the user into
> >        // the policy, then create a policy object using it as follows
> >        // (policyElement is the OMElement built this way).
> >        Policy policyObj = PolicyEngine.getPolicy(policyElement);
> >        String policyKey = RampartMessageData.getServicePolicyKey(msgCtx);
> >        msgCtx.setProperty(policyKey, policyObj);
> >
> > If you can explain the UseCase more, then you can file a JIRA for a new
> > feature.
> >
> > Thank you,
> > Dimuthu.
> >
> > http://wso2.org
> >
> > On 5/23/07, Konstantinos Pateras <[EMAIL PROTECTED]> wrote:
> > > Hi all,
> > >
> > > I have set up Axis2 1.1.1 and Rampart 1.1 and configured it (I
> > > followed the configuration instructions for Rampart 1.0 that are still
> > > supported). I use UsernameToken and encryption with a key known to
> > > both parties, but I want to set the encryption user programmatically in
> > > the server when it sends a response (OutflowSecurity). This is because
> > > each user has its own key stored in a database and it is being retrieved
> > > in the PasswordCallbackHandler.
> > >
> > > Is there a way to do it like with
> > > <encryptionUser>useReqSigCert</encryptionUser> that is used when the
> > > incoming message is signed, or can I get the calling user in
> > > PasswordCallbackHandler when I send the response? (i.e. using some
> > > Context)
> > >
> >
>


--
www.ruchith.org
www.wso2.org