Thanks a lot Ruchith for the workaround.

I got the Message Context and from the Operation Context the "Out"
Message Context and I set the
org.apache.ws.security.handler.WSHandlerConstants.ENC_CALLBACK_REF
passing the username in the constructor (I got it from security
results). This worked fine in my case.

The only comment that I have on this is that the service
implementation "knows" (has some code) about the security of the
message, while ideally you would like service implementation to know
nothing about message security.
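The server-side workaround described above, as an added example that is not code from this thread: the service implementation reads the authenticated username from the inflow security results, looks up that user's key, and hands a per-user callback handler to the outgoing message context under ENC_CALLBACK_REF. KeyRegistry is a hypothetical lookup into the server's user database, and the security-result accessors assume the WSS4J 1.5-style API that Rampart 1.1 shipped with.

```java
import java.util.Vector;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.wsdl.WSDLConstants;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

public class PerUserResponseEncryption {
    /** Hypothetical lookup into the server's user database (not an Axis2/Rampart type). */
    public interface KeyRegistry { byte[] sessionKeyFor(String username); }

    /** Outflow callback handler bound to one user's key; Rampart calls it with usage KEY_NAME. */
    static final class PerUserKeyHandler implements CallbackHandler {
        private final byte[] sessionKey;
        PerUserKeyHandler(byte[] sessionKey) { this.sessionKey = sessionKey.clone(); }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if (pc.getUsage() != WSPasswordCallback.KEY_NAME) throw new UnsupportedCallbackException(cb);
                pc.setKey(sessionKey); // the embedded key Rampart encrypts the response with
            }
        }
    }

    /** Username from the UsernameToken Rampart verified on the inflow (WSS4J 1.5-style result API assumed). */
    static String authenticatedUser(MessageContext inMsgCtx) {
        Vector results = (Vector) inMsgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (results == null) return null;
        for (Object r : results) {
            for (Object e : ((WSHandlerResult) r).getResults()) {
                WSSecurityEngineResult res = (WSSecurityEngineResult) e;
                if (res.getAction() == WSConstants.UT && res.getPrincipal() != null) return res.getPrincipal().getName();
            }
        }
        return null;
    }

    /** Call this from the service implementation before returning the response payload. */
    static void configureResponseEncryption(MessageContext inMsgCtx, KeyRegistry registry) throws AxisFault {
        String user = authenticatedUser(inMsgCtx);
        byte[] key = (user == null) ? null : registry.sessionKeyFor(user);
        if (key == null) throw new AxisFault("no verified UsernameToken or no session key registered");
        MessageContext outMsgCtx = inMsgCtx.getOperationContext().getMessageContext(WSDLConstants.MESSAGE_LABEL_OUT_VALUE);
        outMsgCtx.getOptions().setProperty(WSHandlerConstants.ENC_CALLBACK_REF, new PerUserKeyHandler(key));
    }
}
```

Failing closed when no verified token or key is found matters: otherwise the response would fall back to whatever static key the services.xml outflow configuration names.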

On 6/4/07, Ruchith Fernando <[EMAIL PROTECTED]> wrote:
Hi,

Apologies about the delay in the response.
Please see my comments below:

On 5/28/07, Konstantinos Pateras <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am using Axis2 1.1.1 and Rampart 1.1 and I have implemented the
> symmetric key encryption using a known shared key between the client
> and the server. I use also the Username Token and a timestamp.
> Everything works fine if there is only one shared key between the
> client and the server.
>
> Nevertheless, there is the requirement to set a symmetric key for
> every user known in the server. This means that the server has a
> database with all the valid users and for every user there is a
> password (used in the Username Token) and a symmetric key (that should
> be used in encrypting server's response). The client also has access
> to a registry that stores the same information.
>
> I have managed to use the correct key in the client (for encrypting
> the request) due to dynamic configuration of Axis2 parameters in Stub:
>
> // Start of code
> options.setProperty( WSHandlerConstants.PW_CALLBACK_REF,
>                               new PWCBHandler(userPassword, userSessionKey) );
>
> options.setProperty( WSHandlerConstants.ENC_CALLBACK_REF,
>                               new PWCBHandler(userPassword, userSessionKey) );
>
> OutflowConfiguration ofc = new OutflowConfiguration();
> ofc.setActionItems("Timestamp Encrypt UsernameToken");
> ofc.setUser(username);
> ofc.setEncryptionPropFile("crypto.properties");
> ofc.setEncryptionKeyIdentifier("EmbeddedKeyName");
>
> options.setProperty(WSSHandlerConstants.OUTFLOW_SECURITY, ofc.getProperty());
> // End of code
>
> In the above code excerpt I set the PasswordCallbackHandler and
> EncryptionCallbackHandler to the same reference and pass as a
> parameter in the constructor, the user's password and the user's
> session key that should be used. Another way would be to pass the
> username and let the CallbackHandlers to retrieve the password and
> session key from the registry.
>
> In the server though, I cannot configure the security parameters
> dynamically. I cannot get the username of the user who made the
> request in the CallbackHandlers (the MessageContext is also null) in
> the response. So I can only use a single session key that would be
> incorporated in the CallbackHandler or be retrieved by the database
> but will be the same for all requesting users.

There is a workaround for this issue:
At the service impl (or message receiver) you will be able to get hold
of the message contexts. Now you can configure the outflow security by
setting an instance of the embedded key callback handler dynamically
at the service as a property in the options of the outgoing message
context.
You will have to use the key:
org.apache.ws.security.handler.WSHandlerConstants.ENC_CALLBACK_REF
This callback handler instance can provide the key for the user that
you identify from the incoming request.

Thanks,
Ruchith

>
> If I had used certificates and a keystore the same effect would be
> possible by using the <encryptionUser>useReqSigCert</encryptionUser>
> parameter that identifies the requesting user and passes this
> information to the outflow handlers for retrieving the correct
> certificate (and public key) to encrypt the response.
>
> On 5/28/07, Ruchith Fernando <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > Have you looked at the samples/basic/sample09 of rampart? (This uses
> > the Rampart-1.0 style configuration)
> >
> > This is not supported in the policy based configuration model yet but
> > this will let you use a shared symmetric key. Try it out and let us
> > know your thoughts please.
> >
> > Thanks,
> > Ruchith
> >
> > p.s. Rampart 1.2 artifacts will be available by the end of the day
> > today .. until then please try Rampart-1.1 with Axis2-1.1
> >
> > On 5/26/07, Konstantinos Pateras <[EMAIL PROTECTED]> wrote:
> > > Hi, thanks for the reply
> > >
> > > First of all I cannot use
> > > <encryptionUser>useReqSigCert</encryptionUser> because I do not have
> > > signed messages. In the server there is a database with the users and
> > > their symmetric keys (predefined). I only use the UsernameToken in the
> > > call from client to server and encryption with the symmetric key (that
> > > is known at the client also).
> > >
> > > Now, the server must understand for which user the response is, so that
> > > the CallBack handler can retrieve the key from the database (with the
> > > username) and use it for encrypting the response. I tried to get the
> > > message context but the call MessageContext.getCurrentMessageContext()
> > > returns null in the response.
> > >
> > > Thanks in advance,
> > > Konstantinos
> > >
> > > On 5/24/07, Dimuthu Leelaratne <[EMAIL PROTECTED]> wrote:
> > > > Hi
> > > >
> > > > <encryptionUser>useReqSigCert</encryptionUser> is the provided method,
> > > > but if you do not want to use this then there is no straight forward
> > > > way to get this done. You can try the following, but I do not
> > > > recommend it, because it is more of a hack.
> > > >
> > > >        MessageContext msgCtx = MessageContext.getCurrentMessageContext();
> > > >        Vector results = (Vector) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
> > > >
> > > >        // Get the user name from the above vector.
> > > >
> > > >        // Create the OMElement the way you want to by inserting the user into
> > > >        // the policy, then create a policy object from it as follows
> > > >        // (policyElement is that OMElement).
> > > >        Policy policyObj = PolicyEngine.getPolicy(policyElement);
> > > >        String policyKey = RampartMessageData.getServicePolicyKey(msgCtx);
> > > >        msgCtx.setProperty(policyKey, policyObj);
> > > >
> > > > If you can explain the UseCase more, then you can file a JIRA for a new feature.
> > > >
> > > > Thank you,
> > > > Dimuthu.
> > > >
> > > > http://wso2.org
> > > >
> > > > On 5/23/07, Konstantinos Pateras <[EMAIL PROTECTED]> wrote:
> > > > > Hi all,
> > > > >
> > > > > I have set up Axis2 1.1.1 and Rampart 1.1 and configured it (I
> > > > > followed the configuration instructions for Rampart 1.0 that are still
> > > > > supported). I use UsernameToken and encryption with a known key to
> > > > > both parts but I want to set the encryption user programmatically in
> > > > > server when it sends a response (OutflowSecurity). This is because
> > > > > each user has its own key stored in a database and is being retrieved
> > > > > in the PasswordCallbackHandler.
> > > > >
> > > > > Is there a way to do it like with
> > > > > <encryptionUser>useReqSigCert</encryptionUser> that is used when the
> > > > > incoming message is signed or can I get the calling user in
> > > > > PasswordCallbackHandler when I send the response? (i.e. using some Context)
> > > > >
> > > >
> > >
> >
> >
> > --
> > www.ruchith.org
> > www.wso2.org
> >
>


--
www.ruchith.org
www.wso2.org