Dimuthu wrote:
Hi Andrew,
Say the message sender is Alice. Server is Bob.
When Alice sends a SOAP message, Alice will expect the response. Alice
cannot change into "Kate" within the message receiving time. Therefore
Alice is the same for message inflow/outflow at the client side.
At the server side Bob is Bob for inflow/outflow.
But if Bob wants to send Alice a UsernameToken then at the services.xml,
inside <RampartConfig> he should say <ramp:user> is Bob and specify the
correct policy.
When message with the UT is received by Alice, on the message inflow of
the client side Rampart will be invoked. UsernameToken will be validated
using the password callback handler. If the password callback handler
puts the correct password it should work.
Hmm... is it? In my understanding, there is no such case where the
server (Bob, the recipient) can send a username token back. Unless the
service loads a different policy as an initiator. Correct me if I'm
wrong. The assertion <sp:UsernameToken> under
<sp:SignedSupportingTokens> in the service policy means it expects a UT.
Not that it has to send a UT.
Rampart can load only one policy for message inflow/outflow at client
side. Same goes for server side. You cannot load different policies for
message inflow and outflow in a straightforward manner.
Cheers,
Dimuthu
On Wed, 2007-07-25 at 01:28 -0700, Andrew Fielden wrote:
Thanks Dimuthu. My question was about UsernameToken, not Basic
Authentication, but specifically its use with a WS Policy.
I've looked at the samples/policy/sample01/policy.xml file (below), and
have a question about this: The 'RampartConfig' section of the policy
specifies only one user. What happens if the inflow/outflow users are
different? Does the ramp:user refer to the inflow user or the outflow
user?
<wsp:Policy wsu:Id="UTOverTransport"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding
          xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="false"/>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SignedSupportingTokens
          xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken
              sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <ramp:RampartConfig
          xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>alice</ramp:user>
        <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample01.PWCBHandler</ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
-----Original Message-----
From: Dimuthu [mailto:[EMAIL PROTECTED]
Sent: 25 July 2007 04:13
To: [email protected]
Subject: Re: Using a different user for inflow/outflow basic authentication in ws-policy
Hi Andrew,
HTTP Basic Auth is different from UsernameToken.
This is how you handle HTTP Basic Auth [1]
UsernameToken can be added in two ways, i.e. by using policy or
inflow/outflow configs.
If you want to use policy please refer to
samples/policy/sample01/policy.xml.
If you want to use inflow/outflow config please refer to
samples/basic/sample02. Here is a good article about it [2]
Regards,
Dimuthu
[1]
// authSchemes is a List of authentication scheme names, built elsewhere
HttpTransportProperties.Authenticator auth =
    new HttpTransportProperties.Authenticator();
auth.setPreemptiveAuthentication(true);
auth.setAuthSchemes(authSchemes);
auth.setUsername("username");
auth.setPassword("password");
Options options = serviceClient.getOptions();
options.setProperty(HTTPConstants.AUTHENTICATE, auth);
serviceClient.setOptions(options);
[2]http://wso2.org/library/240
On Tue, 2007-07-24 at 06:01 -0700, Andrew Fielden wrote:
Hi,
I'm trying to use a WS Policy file with Rampart. If I wish to enable
basic authentication for outflow, the RampartConfig section of the
ws-policy will look like this:
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <ramp:RampartConfig
          xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>alice</ramp:user>
        <ramp:passwordCallbackClass>InboundPWCallbackHandler</ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
My question is, suppose I wish to specify a user for basic
authentication Inflow. How do I differentiate between usernames for
basic authentication in both directions (inflow and outflow)?
There is only one ramp:user element.
Thanks.
Andrew.
--
http://kaushalye.blogspot.com/
http://wso2.org/
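
The thread above turns on how one <ramp:passwordCallbackClass> serves both directions when only one <ramp:user> exists. The following handler is an added example, not code from the thread or from the Rampart samples. It assumes the WSS4J 1.5.x API of that period (where the accessor is spelled getIdentifer()); the class name and the credentials are constructed for illustration.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Hypothetical handler: the name and the credential store are constructed.
public class TwoWayPWCBHandler implements CallbackHandler {

    // Constructed sample credentials; a real service would query its user store.
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    static {
        PASSWORDS.put("alice", "alice-sample-pw");
        PASSWORDS.put("bob", "bob-sample-pw");
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Unexpected callback type");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            // Outflow: the identifier is the configured <ramp:user>.
            // Inflow: it is the username carried in the received token,
            // so the handler never needs a second <ramp:user> entry.
            String known = PASSWORDS.get(pwcb.getIdentifer());
            if (known == null) {
                throw new UnsupportedCallbackException(cb, "Unknown user");
            }
            if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                // Plaintext token on inflow: WSS4J passes the received password
                // and relies on the handler to reject it by throwing.
                String received = pwcb.getPassword();
                if (received == null || !MessageDigest.isEqual(
                        known.getBytes("UTF-8"), received.getBytes("UTF-8"))) {
                    throw new UnsupportedCallbackException(cb, "Authentication failed");
                }
            } else {
                // Outflow, or digest token on inflow: supply the stored
                // password and let WSS4J build or compare the digest.
                pwcb.setPassword(known);
            }
        }
    }
}
```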