Hi,

I had a look at the code. Yes you are correct.
Bob never sends a UT to Alice, because before including the
SignedSupportingTokens it always checks whether itself is the initiator.

Thank you,
Dimuthu.

On Thu, 2007-07-26 at 14:16 +0530, Kaushalye Kapuruge wrote:
> Dimuthu wrote:
> > Hi Andrew,
> >
> > Say the message sender is Alice. Server is Bob. 
> >
> > When Alice sends a SOAP message, Alice will expect the response. Alice
> > cannot change into "Kate" within the message receiving time. Therefore
> > Alice is the same for message inflow/outflow at the client side.
> >
> > At the server side Bob is Bob for inflow/outflow.
> >
> > But if Bob wants to send Alice a UsernameToken then at the services.xml,
> > inside <RampartConfig> he should say <ramp:user> is Bob and specify the
> > correct policy.
> >
> > When message with the UT is received by Alice, on the message inflow of
> > the client side Rampart will be invoked. UsernameToken will be validated
> > using the password callback handler. If the password callback handler
> > puts the correct password it should work.
> >   
> Hmm... is it? In my understanding, there is no such case where the 
> server (Bob, the recipient) can send a username token back. Unless the 
> service loads a different policy as an initiator. Correct me if I'm 
> wrong. The assertion <sp:UsernameToken> under 
> <sp:SignedSupportingTokens> in the service policy means it expects a UT. 
> Not that it has to send a UT.
> > Rampart can load only one policy for message inflow/outflow at client
> > side. Same goes for server side. You cannot load different policies for
> > message inflow and outflow in a straightforward manner.
> >
> > Cheers,
> > Dimuthu  
> >
> >
> >
> > On Wed, 2007-07-25 at 01:28 -0700, Andrew Fielden wrote: 
> >   
> >> Thanks Dimuthu. My question was about UsernameToken, not Basic
> >> Authentication, but specifically its use with a WS Policy.
> >> I've looked at the samples/policy/sample01/policy.xml file (below), and
> >> have a question about this: The 'RampartConfig' section of the policy
> >> specifies only one user. What happens if the inflow/outflow users are
> >> different? Does the ramp:user refer to the inflow user or the outflow
> >> user?
> >>
> >>
> >> <wsp:Policy wsu:Id="UTOverTransport"
> >>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >>    <wsp:ExactlyOne>
> >>      <wsp:All>
> >>            <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >>              <wsp:Policy>
> >>                    <sp:TransportToken>
> >>                      <wsp:Policy>
> >>                            <sp:HttpsToken RequireClientCertificate="false"/>
> >>                      </wsp:Policy>
> >>                    </sp:TransportToken>
> >>                    <sp:AlgorithmSuite>
> >>                      <wsp:Policy>
> >>                            <sp:Basic256/>
> >>                      </wsp:Policy>
> >>                    </sp:AlgorithmSuite>
> >>                    <sp:Layout>
> >>                      <wsp:Policy>
> >>                            <sp:Lax/>
> >>                      </wsp:Policy>
> >>                    </sp:Layout>
> >>                    <sp:IncludeTimestamp/>
> >>              </wsp:Policy>
> >>            </sp:TransportBinding>
> >>            <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >>                    <wsp:Policy>
> >>                            <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
> >>                    </wsp:Policy>
> >>            </sp:SignedSupportingTokens>
> >>
> >>            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> >>                    <ramp:user>alice</ramp:user>
> >>                    <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample01.PWCBHandler</ramp:passwordCallbackClass>
> >>            </ramp:RampartConfig>
> >>
> >>      </wsp:All>
> >>    </wsp:ExactlyOne>
> >> </wsp:Policy>
> >>
> >>
> >>
> >>     
> >>> -----Original Message-----
> >>> From: Dimuthu [mailto:[EMAIL PROTECTED]
> >>> Sent: 25 July 2007 04:13
> >>> To: [email protected]
> >>> Subject: Re: Using a different user for inflow/outflow basic authentication in ws-policy
> >>>
> >>>
> >>> Hi Andrew,
> >>>
> >>> HTTP Basic Auth is different from UsernameToken.
> >>>
> >>> This is how you handle HTTP Basic Auth [1]
> >>>
> >>> UsernameToken can be added in two ways, i.e. by using policy or
> >>> inflow/outflow configs.
> >>>
> >>> If you want to use policy please refer to
> >>> samples/policy/sample01/policy.xml.
> >>>
> >>> If you want to use inflow/outflow config please refer to
> >>> samples/basic/sample02. Here is a good article about it [2]
> >>>
> >>>
> >>> Regards,
> >>> Dimuthu
> >>>
> >>>
> >>> [1]
> >>> HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
> >>> auth.setPreemptiveAuthentication(true);
> >>> auth.setAuthSchemes(authSchemes);
> >>> auth.setUsername("username");
> >>> auth.setPassword("password");
> >>> Options options = serviceClient.getOptions();
> >>> options.setProperty(HTTPConstants.AUTHENTICATE, auth);
> >>> serviceClient.setOptions(options);
> >>>
> >>> [2]http://wso2.org/library/240
> >>>
> >>>
> >>> On Tue, 2007-07-24 at 06:01 -0700, Andrew Fielden wrote:
> >>>       
> >>>> Hi,
> >>>>
> >>>> I'm trying to use a WS Policy file with Rampart. If I wish to enable
> >>>> basic authentication for outflow, the RampartConfig section of the
> >>>> ws-policy will look like this:
> >>>>
> >>>> <?xml version="1.0" encoding="UTF-8"?>
> >>>> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >>>>     <wsp:ExactlyOne>
> >>>>         <wsp:All>
> >>>>             <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> >>>>                 <ramp:user>alice</ramp:user>
> >>>>                 <ramp:passwordCallbackClass>InboundPWCallbackHandler</ramp:passwordCallbackClass>
> >>>>             </ramp:RampartConfig>
> >>>>         </wsp:All>
> >>>>     </wsp:ExactlyOne>
> >>>> </wsp:Policy>
> >>>>
> >>>>
> >>>> My question is, suppose I wish to specify a user for basic
> >>>> authentication Inflow. How do I differentiate between usernames for
> >>>> basic authentication in both directions (inflow and outflow)?
> >>>> There is only one ramp:user element.
> >>>>
> >>>> Thanks.
> >>>> Andrew.
> >>>>
> >>>>
> >>>>         
> >
> >
> >   
> 
> 
-- 
http://wso2.org
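
An added example, not part of the thread and not Rampart code: a small Python check that reads a policy like the one quoted above and reports, from the `sp:IncludeToken` value defined by WS-SecurityPolicy 2005/07, which direction the UsernameToken travels and whether an `HttpsToken` transport binding is asserted. The `audit_policy` name and the embedded policy (a trimmed copy of the quoted sample) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SP = "{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}"
RAMP = "{http://ws.apache.org/rampart/policy}"

# Constructed sample: a trimmed copy of the policy quoted in the thread.
POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:ramp="http://ws.apache.org/rampart/policy">
 <wsp:ExactlyOne><wsp:All>
  <sp:TransportBinding><wsp:Policy>
   <sp:TransportToken><wsp:Policy>
    <sp:HttpsToken RequireClientCertificate="false"/>
   </wsp:Policy></sp:TransportToken>
  </wsp:Policy></sp:TransportBinding>
  <sp:SignedSupportingTokens><wsp:Policy>
   <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
  </wsp:Policy></sp:SignedSupportingTokens>
  <ramp:RampartConfig><ramp:user>alice</ramp:user></ramp:RampartConfig>
 </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# Direction implied by each WS-SecurityPolicy 2005/07 IncludeToken value.
DIRECTION = {
    "AlwaysToRecipient": "initiator -> recipient only",
    "Once": "one initiator -> recipient message only",
    "Always": "both directions",
    "Never": "not sent in messages",
}

def audit_policy(xml_text):
    """Report who sends the UsernameToken and whether HTTPS is asserted."""
    root = ET.fromstring(xml_text)
    tokens = root.findall(f".//{SP}SignedSupportingTokens//{SP}UsernameToken")
    # The attribute value is a URI; its last path segment names the mode.
    modes = [t.get(f"{SP}IncludeToken", "").rsplit("/", 1)[-1] for t in tokens]
    https = root.find(f".//{SP}TransportBinding//{SP}HttpsToken") is not None
    findings = [f"UsernameToken: {DIRECTION.get(m, 'IncludeToken not set or unknown')}"
                for m in modes]
    if modes and not https:
        findings.append("UsernameToken asserted without an HttpsToken transport binding")
    return {"ramp_user": root.findtext(f".//{RAMP}RampartConfig/{RAMP}user"),
            "include_modes": modes, "https": https, "findings": findings}

if __name__ == "__main__":
    print(audit_policy(POLICY))
```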
