Hi!
I did get the inbound and outbound security working to an extent. It puts the
security in the header anyway :). I am wondering how to get
usernames/passwords into/out of the BPEL though. I did see this article which
I intend to try to get the username out of the rampart security handler and
from there place it in the header so it is accessible to the BPEL process via the
header variable extension:
http://www.keith-chapman.org/2008/09/axis2-rampart-access-username-used-for.html
However, on the outbound message I am not sure how to get access to the
outbound message from the password handler to get the credentials from the BPEL
process into the rampart security header. I guess I could pass 2 sets of
credentials (1 in WS-Security header and 1 outside) but that does not seem like
the best solution.
-Doug.
-----Original Message-----
From: Alexis Midon [mailto:[email protected]]
Sent: Friday, February 13, 2009 12:28 PM
To: [email protected]
Subject: Re: securing outbound messages
Hi Douglas,
yes, you can engage additional modules and set a policy for outgoing
messages.
This area of ODE has been under development lately so I'll split my answer
into 2 parts: one for the current release 1.2, one for the coming release,
1.3.
### In ODE 1.2 ####
This is done on a service basis, using the mechanism described in the user
guide [1]
Here is an example:
Let's assume you want to add a policy for outgoing messages to service
{http://douglas.com}ServiceA.
To do that, create a file named ServiceA.axis2 in the bundle directory of
your process. This file must be a service.xml document [2] containing the
policy. See [3] for example of such a file.
The ServiceA.axis2 file will get loaded when the service is invoked and
monitored for changes.
Due to Axis2 limitations, the modules eventually listed in ServiceA.axis2
won't be engaged. So you need to engage them in the global config file [4]
(and restart ODE).
Keep in mind that the modules must be available in WEB-INF/modules;
keystores and additional classes (like callback handlers) must be in the
classpath.
### In ODE 1.3 (yet to be released) ####
In the coming release, these axis2 limitations are worked around and modules
listed in ServiceA.axis2 are engaged (for the targeted service only).
We also optimized the policy case by adding an endpoint property
"security.policy" to specify a policy file, and engaging rampart
automatically.
See ODE user guide for details [5] and test cases [6] for live examples.
This information will be added to the User guide soon.
I hope it's clear enough. Let us know if you need help.
Alexis
[1]
http://ode.apache.org/user-guide.html#UserGuide-AdditionalConfigurationforSOAPEndpoints
[2] http://ws.apache.org/axis2/1_0/axis2config.html#Service_Configuration
[3]
http://svn.apache.org/viewvc/ode/branches/APACHE_ODE_1.X/axis2-war/src/test/resources/TestRampartPolicy/secured-services/process-sample04_policy_in_service.xml/sample04-policy.axis2?view=log
[4]
http://svn.apache.org/viewvc/ode/branches/APACHE_ODE_1.X/axis2-war/src/main/webapp/WEB-INF/conf/axis2.xml?view=markup
[5]
http://ode.apache.org/user-guide.html#UserGuide-EndpointConfiguration<https://issues.apache.org/jira/browse/ODE-388>
[6] The unit test class:
http://svn.apache.org/viewvc/ode/branches/APACHE_ODE_1.X/axis2-war/src/test/java/org/apache/ode/axis2/rampart/policy/
The unit test resources:
http://svn.apache.org/viewvc/ode/branches/APACHE_ODE_1.X/axis2-war/src/test/resources/TestRampartPolicy/secured-services/
On Thu, Feb 12, 2009 at 4:07 PM, Jackson, Douglas <
[email protected]> wrote:
> Hi!
> I am investigating security on outgoing messages from ode. Is there a way
> to enable Rampart or some other processing on outgoing messages?
>
> As an alternative I was thinking of creating a Java XPATH extension that
> would use wss4j to create a WS-Security compatible element based on the
> credentials stored in the BPEL process that I could pass out via a header
> element in the WSDL to the targeted service.
>
> However, this would not allow for things like encryption.
>
> -Doug.
>
>
--
Alexis