Thanks for your reply Nandana.

> Whether the message need to be signed or encrypted and what parts should be signed or encrypted has to be defined separately in the policy.

I gather we can specify which parts are signed and encrypted, but I don't fully understand how to specify an outflow configuration that is different from the inflow configuration, and vice versa, when using a policy based configuration.

Ideally I want the service to only have the certificate of the issuer that has issued the client certificates/keys, very similar to the scenario in this article: http://wso2.org/library/255 I'm just not sure how to implement a policy based configuration of this scenario.

I've pasted my current policy after this message; I'm still experimenting, though it's basically very similar to the example policy. To include the key with the request do I need to specify this policy: <sp:MustSupportRefEmbeddedToken /> ? And in the rampartconfig: <ramp:encryptionUser>useReqSigCert</ramp:encryptionUser> ?

Another quick question if I may: is it possible to specify multiple services with different policies, within a serviceGroup in the same services.xml file?

Thanks for your time,
Alan.

services.xml:

<service name="SignEncryptService" scope="request" targetNamespace="http://webservice.example.com/xsd">
    <operation name="echo">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>
    <parameter name="ServiceClass" locked="false">com.example.service.SimpleService</parameter>
    <module ref="rampart"/>
    <module ref="addressing"/>

    <wsp:Policy wsu:Id="SigEncr"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <!-- initiator (client) X.509 token: always sent to the service -->
                        <sp:InitiatorToken>
                            <wsp:Policy>
                                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10/>
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:InitiatorToken>
                        <!-- recipient (service) X.509 token: never included in messages -->
                        <sp:RecipientToken>
                            <wsp:Policy>
                                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10/>
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:RecipientToken>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:TripleDesRsa15/>
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict/>
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp/>
                        <sp:OnlySignEntireHeadersAndBody/>
                    </wsp:Policy>
                </sp:AsymmetricBinding>
                <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:MustSupportRefKeyIdentifier/>
                        <sp:MustSupportRefIssuerSerial/>
                    </wsp:Policy>
                </sp:Wss10>
                <!-- which parts are signed and encrypted is declared here, not by the tokens -->
                <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <sp:Body/>
                </sp:SignedParts>
                <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <sp:Body/>
                </sp:EncryptedParts>

                <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                    <ramp:user>example-ca</ramp:user>
                    <ramp:encryptionUser>useReqSigCert</ramp:encryptionUser>
                    <ramp:passwordCallbackClass>com.learnpipe.webservice.PWCBHandler</ramp:passwordCallbackClass>
                    <ramp:signatureCrypto>
                        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:/Development/Security/Test/vendor/vendor2.jks</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">testpass</ramp:property>
                        </ramp:crypto>
                    </ramp:signatureCrypto>
                    <ramp:encryptionCrypto>
                        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:/Development/Security/Test/vendor/vendor2.jks</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">testpass</ramp:property>
                        </ramp:crypto>
                    </ramp:encryptionCrypto>
                </ramp:RampartConfig>

            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

</service>



Nandana Mihindukulasooriya wrote:
Hi,

> Using a policy configuration is it possible to construct a policy that
> signs and encrypts a message from requestor to service, and the
> response to be encrypted using the same key - by sending the
> certificate along with the request message?


In encryption, first an encrypted key is created by encrypting a symmetric
key with the recipient's public key. Then that symmetric key is used to
encrypt the message. The encrypted key is sent along with the message
so that the recipient can decrypt the encrypted key and extract the
symmetric key. Then that symmetric key can be used to decrypt the
actual SOAP parts that were encrypted.
In the current implementation, even if you use an asymmetric binding,
the same encrypted key is used to encrypt the request and the response.
So anyway, the same encrypted key is used to encrypt the request and
the response.

> I'm looking at AsymmetricBinding and finding the Initiator / Recipient
> Token concept somewhat confusing. By defining a RecipientToken the
> message will be encrypted from initiator to recipient (what I require)
> and the response signed from recipient to initiator (I don't require).


AFAIK, defining the Initiator token and Recipient token has nothing
to do with what parts are signed and encrypted. That only defines what
tokens are to be used for signing and encryption. Whether the message
needs to be signed or encrypted and what parts should be signed or
encrypted has to be defined separately in the policy. Can you post the
policy you are using?

> Is it not possible to specify only one of these actions?


Yes, it is possible.

> Just as a quick aside - when including a UsernameToken using a policy
> configuration, is it possible to specify a username dynamically, like
> it is using basic configuration?


Yes, you can provide the username using a RampartConfig Assertion
in the policy or by programmatically setting the username of the
RampartConfig.

> As another aside - are there any editors available for constructing
> policy documents?


I am working on one for Rampart. Hopefully I will be able to finish it
soon. :)

Regards,
Nandana
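As an added example (not code from this thread, from Rampart or from WSO2), the script below parses a trimmed copy of Alan's policy with the Python standard library and reports separately what the InitiatorToken/RecipientToken choose and what SignedParts, EncryptedParts and the AlgorithmSuite control, which is the distinction Nandana draws above. The embedded policy text is constructed from the posted one; the function and key names are the example's own.

```python
import xml.etree.ElementTree as ET

NS = {"wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
      "ramp": "http://ws.apache.org/rampart/policy"}

# Constructed, trimmed copy of the policy posted above (same security choices).
POLICY_XML = """<wsp:Policy xmlns:wsp="%(wsp)s" xmlns:sp="%(sp)s" xmlns:ramp="%(ramp)s">
 <wsp:ExactlyOne><wsp:All>
  <sp:AsymmetricBinding><wsp:Policy>
   <sp:InitiatorToken><wsp:Policy>
    <sp:X509Token sp:IncludeToken="%(sp)s/IncludeToken/AlwaysToRecipient"/>
   </wsp:Policy></sp:InitiatorToken>
   <sp:RecipientToken><wsp:Policy>
    <sp:X509Token sp:IncludeToken="%(sp)s/IncludeToken/Never"/>
   </wsp:Policy></sp:RecipientToken>
   <sp:AlgorithmSuite><wsp:Policy><sp:TripleDesRsa15/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  <ramp:RampartConfig><ramp:encryptionUser>useReqSigCert</ramp:encryptionUser></ramp:RampartConfig>
 </wsp:All></wsp:ExactlyOne></wsp:Policy>""" % NS

def _include(root, role):
    # IncludeToken of the X509Token under sp:InitiatorToken or sp:RecipientToken
    tok = root.find(f".//sp:{role}/wsp:Policy/sp:X509Token", NS)
    inc = tok.get("{%s}IncludeToken" % NS["sp"], "") if tok is not None else ""
    return inc.rsplit("/", 1)[-1] or None  # e.g. "AlwaysToRecipient", "Never"

def inspect_policy(xml_text):
    """Separate what the tokens control from what SignedParts/EncryptedParts control."""
    root = ET.fromstring(xml_text)
    local = lambda tag: tag.split("}")[-1]  # drop the {namespace} part of a tag
    suite = root.find(".//sp:AlgorithmSuite/wsp:Policy/*", NS)
    s = {"initiator_include": _include(root, "InitiatorToken"),
         "recipient_include": _include(root, "RecipientToken"),
         "algorithm_suite": local(suite.tag) if suite is not None else None,
         "signed_parts": [local(p.tag) for p in root.findall(".//sp:SignedParts/*", NS)],
         "encrypted_parts": [local(p.tag) for p in root.findall(".//sp:EncryptedParts/*", NS)],
         "encryption_user": root.findtext(".//ramp:encryptionUser", namespaces=NS)}
    s["findings"] = findings(s)
    return s

def findings(s):
    out = []  # defender-side observations that follow from the policy text alone
    if (s["algorithm_suite"] or "").endswith("Rsa15"):
        out.append("Rsa15 suite wraps the symmetric key with RSA PKCS#1 v1.5, not RSA-OAEP")
    if not s["signed_parts"] or not s["encrypted_parts"]:
        out.append("tokens alone sign/encrypt nothing: list SignedParts/EncryptedParts")
    return out
```

Removing the SignedParts or EncryptedParts assertion from the policy makes the second finding appear while the token settings stay unchanged, which is exactly the point that the tokens do not decide what gets signed or encrypted.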

