To provide some more info... I'm using the attached policy.xml file. The SOAP
request and the response are also attached. Other questions I have are:

1. Am I correct in using the keytype as 'bearer' when using UT?
2. The server PWCBHandler is not getting called to authenticate the user and
then generate the assertion response (I'm not seeing a sysout that I had put in);
is this correct?

Thanks,
Murali

----- Original Message ----
From: Murali Krishnan <[EMAIL PROTECTED]>
To: [email protected]
Sent: Tuesday, October 2, 2007 1:54:26 PM
Subject: How to send Ws-trust request with UT (policy/sample05 related)?

I have a question regarding sample 05 under 'policy' - WST request and Saml 
assertion response.
I notice that in this case both the client and server are configured to use
X509 certs, i.e. the client sends an RST request signed with its private key and
the server sends the response with a SAML assertion signed with its private key,
and both the client and server are configured to use signatureCrypto.

I'm trying to implement the same scenario where the user (client) does not have
an X509 cert, but instead only wants to send a UsernameToken and receive an RST
response with a SAML assertion after the server has verified the password in the
UT (this communication will be done over HTTPS; if TLS is not used, then the
message should be encrypted using the public key of the server).

How do I do this? What type of binding should I use in the policy file? (I'm
guessing not the asymmetric binding?)
Is this doable? If so, can you provide some guidance?
Thanks,
Murali









       
HTTP/1.1 200 OK
Date: Tue, 02 Oct 2007 18:18:27 GMT
Server: Simple-Server/1.1
Transfer-Encoding: chunked
Content-Type: text/xml; charset=UTF-8

f9c
<?xml version='1.0' encoding='UTF-8'?>
   <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; 
xmlns:wsa="http://www.w3.org/2005/08/addressing";>
      <soapenv:Header>
         <wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
 soapenv:mustUnderstand="1">
            <wsu:Timestamp 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="Timestamp-29212573">
               <wsu:Created>2007-10-02T18:18:27.942Z</wsu:Created>
               <wsu:Expires>2007-10-02T18:23:27.942Z</wsu:Expires>
            </wsu:Timestamp>
         </wsse:Security>
         
<wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</wsa:Action>
         <wsa:RelatesTo>urn:uuid:1A6694C2348759F1B81191349106041</wsa:RelatesTo>
      </soapenv:Header>
      <soapenv:Body>
         <wst:RequestSecurityTokenResponse 
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust";>
            
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
            <wst:RequestedAttachedReference>
               <wsse:SecurityTokenReference 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
                  <wsse:Reference URI="#_5f3349284f3c4a2752d61d78feb6e92a" 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
 />
               </wsse:SecurityTokenReference>
            </wst:RequestedAttachedReference>
            <wst:RequestedUnattachedReference>
               <wsse:SecurityTokenReference 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
                  <wsse:Reference URI="_5f3349284f3c4a2752d61d78feb6e92a" 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
 />
               </wsse:SecurityTokenReference>
            </wst:RequestedUnattachedReference>
            <wst:Lifetime>
               <wsu:Created 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>2007-10-02T18:18:27.145Z</wsu:Created>
               <wsu:Expires 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>2007-10-02T18:23:27.145Z</wsu:Expires>
            </wst:Lifetime>
            <wst:RequestedSecurityToken>
               <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" 
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xmlns:axis2ns8="urn:oasis:names:tc:SAML:1.0:assertion" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema"; 
xmlns:axis2ns1="urn:oasis:names:tc:SAML:1.0:assertion" 
AssertionID="_5f3349284f3c4a2752d61d78feb6e92a" 
IssueInstant="2007-10-02T18:18:27.645Z" Issuer="SAMPLE_STS" MajorVersion="1" 
MinorVersion="1">
                  <Conditions 
xmlns:axis2ns2="urn:oasis:names:tc:SAML:1.0:assertion" 
xmlns:axis2ns9="urn:oasis:names:tc:SAML:1.0:assertion" 
NotBefore="2007-10-02T18:18:27.145Z" NotOnOrAfter="2007-10-02T18:23:27.145Z" />
                  <AuthenticationStatement 
xmlns:axis2ns10="urn:oasis:names:tc:SAML:1.0:assertion" 
xmlns:axis2ns3="urn:oasis:names:tc:SAML:1.0:assertion" 
AuthenticationInstant="2007-10-02T18:18:27.145Z" 
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
                     <Subject 
xmlns:axis2ns4="urn:oasis:names:tc:SAML:1.0:assertion" 
xmlns:axis2ns11="urn:oasis:names:tc:SAML:1.0:assertion">
                        <NameIdentifier 
xmlns:axis2ns12="urn:oasis:names:tc:SAML:1.0:assertion" 
xmlns:axis2ns5="urn:oasis:names:tc:SAML:1.0:assertion" 
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">client</NameIdentifier>
                        <SubjectConfirmation 
xmlns:axis2ns13="urn:oasis:names:tc:SAML:1.0:assertion" 
xmlns:axis2ns6="urn:oasis:names:tc:SAML:1.0:assertion">
                           <ConfirmationMethod 
xmlns:axis2ns7="urn:oasis:names:tc:SAML:1.0:assertion" 
xmlns:axis2ns14="urn:oasis:names:tc:SAML:1.0:assertion">urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
                        </SubjectConfirmation>
                     </Subject>
                  </AuthenticationStatement>
                  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
                     <ds:SignedInfo>
                        <ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
                        <ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; />
                        <ds:Reference URI="#_5f3349284f3c4a2752d61d78f
6dd
eb6e92a">

                           <ds:Transforms>
                              <ds:Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"; />
                              <ds:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>
                                 <ec:InclusiveNamespaces 
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; PrefixList="code ds kind rw 
saml samlp typens #default xsd xsi" />
                              </ds:Transform>
                           </ds:Transforms>
                           <ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; />
                           
<ds:DigestValue>nZR0zMYELrMrQqSmBhjkBzsTuZU=</ds:DigestValue>
                        </ds:Reference>
                     </ds:SignedInfo>
                     
<ds:SignatureValue>cTF5Bq5UNKUtETf+0Cvw7aIbu9wc1tNvbsWTmXz2B7p2ViZ4qP99acYYHn2BNLau1fNGimLL/HXVCyRur7hdWjXKQsgL8GeBiPkJYp6xkTCaQnVvzmU/5ELPF5AHih3YO/ryCgdC4/1pBZaHo7GLtZ0vYu4DjML/tcFWnS5aoiY=</ds:SignatureValue>
                     <ds:KeyInfo>
                        <ds:X509Data>
                           
<ds:X509Certificate>MIICTjCCAbcCBEbJZQEwDQYJKoZIhvcNAQEEBQAwbTELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xDzANBgNVBAoTBkFwYWNoZTEQMA4GA1UECxMHUmFtcGFydDEXMBUGA1UEAxMOU2FtcGxlIFNlcnZpY2UwIBcNMDcwODIwMDk1NTEzWhgPMjA2MjA1MjMwOTU1MTNaMG0xCzAJBgNVBAYTAkxLMRAwDgYDVQQIEwdXZXN0ZXJuMRAwDgYDVQQHEwdDb2xvbWJvMQ8wDQYDVQQKEwZBcGFjaGUxEDAOBgNVBAsTB1JhbXBhcnQxFzAVBgNVBAMTDlNhbXBsZSBTZXJ2aWNlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDtgg6ess2lU1yOD48/iiAlWObB0WwAQtFG4bb2KyvOE9dRF7+d/aZrHti3QWs6dtHpGkVMLgpomoq7APEq1kQnRvduk2T6ln83Jw1EpPDXH/emqeC9OdNqHZj3eoyf34JMmgShuviYDqYaK4HkRmZMiJ13aPeZzPl60yBWydAuwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBACVcoAqNbjO7+Jbm6+3pyYagQoBpdHZLnR8EU9/CRKmUGTj5qjXqYtE+Eka6OYKBzv/dHdYlB2X3yH3YlSx1OtA3+5xl4VIjYODlgh9Bs9Tbqj1tw0G37dLrlG97kJAVjrkfm743N9EHKFtFaX4iF1tWbGxa4+vIbbV4CaUG5s5x</ds:X509Certificate>
                        </ds:X509Data>
                     </ds:KeyInfo>
                  </ds:Signature>
               </Assertion>
            </wst:RequestedSecurityToken>
         </wst:RequestSecurityTokenResponse>
      </soapenv:Body>
   </soapenv:Envelope>0
POST /axis2/services/sample06 HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: "http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue";
User-Agent: Axis2
Host: 127.0.0.1:9090
Transfer-Encoding: chunked

62f
<?xml version='1.0' encoding='UTF-8'?>
   <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; 
xmlns:wsa="http://www.w3.org/2005/08/addressing";>
      <soapenv:Header>
         <wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
 soapenv:mustUnderstand="1">
            <wsu:Timestamp 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="Timestamp-6166426">
               <wsu:Created>2007-10-02T18:18:26.223Z</wsu:Created>
               <wsu:Expires>2007-10-02T18:23:26.223Z</wsu:Expires>
            </wsu:Timestamp>
            <wsse:UsernameToken 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="UsernameToken-12430225">
               <wsse:Username>client</wsse:Username>
               <wsse:Password 
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";>apache</wsse:Password>
            </wsse:UsernameToken>
         </wsse:Security>
         <wsa:To>http://localhost:9090/axis2/services/sample06</wsa:To>
         <wsa:MessageID>urn:uuid:1A6694C2348759F1B81191349106041</wsa:MessageID>
         
<wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
      </soapenv:Header>
      <soapenv:Body>
         <wst:RequestSecurityToken 
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust";>
            
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
            
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
            
<wst:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/Bearer</wst:KeyType>
         </wst:RequestSecurityToken>
      </soapenv:Body>
   </soapenv:Envelope>0
<?xml version="1.0" encoding="UTF-8"?>
<!--
 !
 ! Copyright 2006 The Apache Software Foundation.
 !
 ! Licensed under the Apache License, Version 2.0 (the "License");
 ! you may not use this file except in compliance with the License.
 ! You may obtain a copy of the License at
 !
 !      http://www.apache.org/licenses/LICENSE-2.0
 !
 ! Unless required by applicable law or agreed to in writing, software
 ! distributed under the License is distributed on an "AS IS" BASIS,
 ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 ! See the License for the specific language governing permissions and
 ! limitations under the License.
 !-->
	<!--
	 ! Policy "UTOverTransport": a WS-SecurityPolicy TransportBinding (HTTPS) that
	 ! carries a UsernameToken as a signed supporting token. Message integrity and
	 ! confidentiality are delegated to the transport; nothing in this policy signs
	 ! or encrypts the UsernameToken at the message level, so the PasswordText
	 ! password seen in the captured request is protected only where TLS is in use.
	 ! NOTE(review): the captured request in this thread is addressed to
	 ! http://localhost:9090/axis2/services/sample06 (plain HTTP); confirm the
	 ! service is actually exposed over HTTPS before relying on this policy.
	 ! The trailing `";` after each namespace URI below appears to be a mail-archive
	 ! rendering artifact rather than part of the file.
	 !-->
	<wsp:Policy wsu:Id="UTOverTransport" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
		<wsp:ExactlyOne>
		  <wsp:All>
			<!-- Transport binding: TLS provides the security context for the whole exchange. -->
			<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
			  <wsp:Policy>
				<sp:TransportToken>
				  <wsp:Policy>
					<!-- No client certificate is required; the caller is identified only by the UsernameToken below. -->
					<sp:HttpsToken RequireClientCertificate="false"/>
				  </wsp:Policy>
				</sp:TransportToken>
				<!-- Algorithm suite for any message-level crypto the binding applies (presumably little, given the transport binding). -->
				<sp:AlgorithmSuite>
				  <wsp:Policy>
					<sp:Basic256/>
				  </wsp:Policy>
				</sp:AlgorithmSuite>
				<!-- Lax layout: no ordering constraint on the security header contents. -->
				<sp:Layout>
				  <wsp:Policy>
					<sp:Lax/>
				  </wsp:Policy>
				</sp:Layout>
				<!-- A wsu:Timestamp is added to each message (visible in both captured messages). -->
				<sp:IncludeTimestamp/>
			  </wsp:Policy>
			</sp:TransportBinding>
			<!--
			 ! UsernameToken is sent on every request to the recipient, with the Body
			 ! listed as a signed part. Under a transport binding this protection is
			 ! presumably satisfied by TLS rather than by an XML signature; the captured
			 ! request indeed carries no ds:Signature, only the token with a PasswordText
			 ! password.
			 !-->
			<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
				<wsp:Policy>
					<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"; />
					<sp:SignedParts>
						<sp:Body/>
					</sp:SignedParts>
			  </wsp:Policy>
			</sp:SignedSupportingTokens>
			
			<!--
			 ! Rampart-specific settings. "user" is the UsernameToken username and
			 ! matches <wsse:Username>client</wsse:Username> in the captured request.
			 ! NOTE(review): passwordCallbackClass names the client-side handler
			 ! (ClientPWCBHandler). If this same policy.xml is also deployed on the
			 ! service side, the service would invoke this class instead of a
			 ! server-side handler, which may be why the server callback described in
			 ! question 2 of the thread is never reached; confirm which policy the
			 ! service loads.
			 !-->
			<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy";> 
				<ramp:user>client</ramp:user>
				<ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample06.ClientPWCBHandler</ramp:passwordCallbackClass>
			</ramp:RampartConfig>
			
		  </wsp:All>
		</wsp:ExactlyOne>
	</wsp:Policy>
