Hi! I did not get any responses on this last month. I thought I would see if I had any better luck this month. :) -Doug.

-----Original Message-----
From: Jackson, Douglas [mailto:[email protected]]
Sent: Monday, February 16, 2009 5:26 PM
To: [email protected]
Subject: RE: securing outbound messages

Hi!

I did get the inbound and outbound security working to an extent. It puts the security in the header anyway :). I am wondering how to get usernames/passwords into/out of the BPEL though. I did see this article which I intend to try to get the username out of the rampart security handler and from there place it in the header so it is accessible to the BPEL process via the header variable extension:

http://www.keith-chapman.org/2008/09/axis2-rampart-access-username-used-for.html

However, on the outbound message I am not sure how to get access to the outbound message from the password handler to get the credentials from the BPEL process into the rampart security header. I guess I could pass 2 sets of credentials (1 in WS-Security header and 1 outside) but that does not seem like the best solution.

-Doug.

-----Original Message-----
From: Alexis Midon [mailto:[email protected]]
Sent: Friday, February 13, 2009 12:28 PM
To: [email protected]
Subject: Re: securing outbound messages

Hi Douglas,

yes, you can engage additional modules and set a policy for outgoing messages. This area of ODE has been under development lately so I'll split my answer into 2 parts: one for the current release 1.2, one for the coming release, 1.3.

### In ODE 1.2 ####

this is done on a service basis, using the mechanism described in the user guide [1]

Here is an example: let's assume you want to add a policy for outgoing messages to service {http://douglas.com}ServiceA. To do that, create a file named ServiceA.axis2 in the bundle directory of your process. This file must be a service.xml document [2] containing the policy. See [3] for an example of such a file. The ServiceA.axis2 file will get loaded when the service is invoked and monitored for changes.

Due to Axis2 limitations, the modules eventually listed in ServiceA.axis2 won't be engaged. So you need to engage them in the global config file [4] (and restart ODE). Keep in mind that the modules must be available in WEB-INF/modules; keystores and additional classes (like callback handlers) must be in the classpath.

### In ODE 1.3 (yet to be released) ####

In the coming release, these axis2 limitations are worked around and modules listed in ServiceA.axis2 are engaged (for the targeted service only). We also optimized the policy case by adding an endpoint property "security.policy" to specify a policy file, and engaging rampart automatically. See ODE user guide for details [5] and test cases [6] for live examples.

This information will be added to the User guide soon. I hope it's clear enough. Let us know if you need help.

Alexis

[1] http://ode.apache.org/user-guide.html#UserGuide-AdditionalConfigurationforSOAPEndpoints
[2] http://ws.apache.org/axis2/1_0/axis2config.html#Service_Configuration
[3] http://svn.apache.org/viewvc/ode/branches/APACHE_ODE_1.X/axis2-war/src/test/resources/TestRampartPolicy/secured-services/process-sample04_policy_in_service.xml/sample04-policy.axis2?view=log
[4] http://svn.apache.org/viewvc/ode/branches/APACHE_ODE_1.X/axis2-war/src/main/webapp/WEB-INF/conf/axis2.xml?view=markup
[5] http://ode.apache.org/user-guide.html#UserGuide-EndpointConfiguration <https://issues.apache.org/jira/browse/ODE-388>
[6] The unit test class: http://svn.apache.org/viewvc/ode/branches/APACHE_ODE_1.X/axis2-war/src/test/java/org/apache/ode/axis2/rampart/policy/
    The unit test resources: http://svn.apache.org/viewvc/ode/branches/APACHE_ODE_1.X/axis2-war/src/test/resources/TestRampartPolicy/secured-services/

On Thu, Feb 12, 2009 at 4:07 PM, Jackson, Douglas <[email protected]> wrote:

> Hi!
> I am investigating security on outgoing messages from ode. Is there a way
> to enable Rampart or some other processing on outgoing messages?
>
> As an alternative I was thinking of creating a Java XPATH extension that
> would use wss4j to create a WS-Security compatible element based on the
> credentials stored in the BPEL process that I could pass out via a header
> element in the WSDL to the targeted service.
>
> However, this would not allow for things like encryption.
>
> -Doug.
>

--
Alexis
