Google Git
Sign in
apache / axis-axis2-java-core / 3f9c94592f8f0562166effc47204187f28e62540 / . / v1.5beta1 / modules / documentation / xdocs / modules / rampart / 1_3 / security-module.xml
blob: b6657b483152b98eb080efba52751885ff58731d [file] [log] [blame]
<!--
~ Licensed to the Apache Software Foundation (ASF) under one
~ or more contributor license agreements. See the NOTICE file
~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file
~ to you under the Apache License, Version 2.0 (the
~ "License"); you may not use this file except in compliance
~ with the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content=""/>
<link href="../../../css/axis-docs.css" rel="stylesheet" type="text/css" media="all" />
<title>Rampart : WS-Security module for Axis2</title>
</head>
<body>
<h1>Securing SOAP Messages with Rampart</h1>
<p>Axis2 comes with a module based on Apache WSS4J [1] to provide WS-Security
features, called "Rampart". This document explains how to engage and
configure Rampart module.</p>
<h2>Content</h2>
<ul>
<li><a href="#intro">Introduction</a></li>
<li><a href="#1_1_config">Rampart-1.1 Configuration</a>
<ul>
<li><a href="#1_1_assetions">Rampart Specific Assertions</a></li>
<li><a href="#1_1_service_config">Service Configration</a></li>
<li><a href="#1_1_client_config">Client Confiuration</a></li>
</ul></li>
<li><a href="#1_0_config">Rampart-1.0 Configuration</a>
<ul>
<li><a href="#outflowsecurity">OutflowSecurity Parameter</a></li>
<li><a href="#inflowsecurity">InflowSecurity Parameter</a></li>
</ul></li>
<li><a href="#references">References</a></li>
<li><a href="#examples">Examples</a></li>
</ul>
<a name="intro"></a>
<h2>Introduction</h2>
<p>Since rampart module inserts handlers in the system specific security
phase, it must be engaged globally. These handlers can be configured
using WS-SecurityPolicy[2] and Rampart specific policy assertions.
Rampart-1.0 used two axis2 parameters for configuration and these are
still supported in the 1.1 release as well.</p>
<p>The rampart-1.1 release is available
<a href="http://www.apache.org/dyn/closer.cgi/ws/rampart/1_1">here</a>.</p>
<p>First it should be engaged by inserting the following in the axis2.xml
file.</p>
<source><pre> &lt;module ref="rampart"/&gt;</pre>
</source>
<p>The web admin interface can be used when Axis2 is deployed in a servlet
container such as Apache Tomcat.</p>
<p>At the server it is possible to provide security on a per service basis.
The configuration parameters should be set in the service.xml file of the
service. The client side config parameters should be set in the axis2.xml of
the client's Axis2 repository.</p>
<a id="1_1_config"></a>
<h2>Rampart-1.1 Configuration</h2>
<a id="1_1_assetions"></a>
<h3>Rampart Specific Assertions</h3>
<p>Rampart uses the standard WS-SecurityPolicy[2] assertions and also defines its own
assertions to be able capture the configuration information that is not provided
in WS-SecurityPolicy.</p>
<p>The Rampart specific assertion's xsd can be found <a href="sec-conf/rampart-config.xsd">here
</a>.</p>
<p>The <strong>ramp:RampartConfig</strong> assertion must be available as a one of the top
level assertions of the policy as shown <a href="sec-conf/sample-policy.xml">here</a>.</p>
<a id="1_1_service_config"></a>
<h3>Service Configration</h3>
To configure the service one will simply have to add the policy element into the
sevices.xml file. A sample service.xml file is available
<a href="sec-conf/sample-services.xml">here</a>.
<a id="1_1_client_config"></a>
<h3>Client Confiuration</h3>
<p>On the client side, a policy object should be created and loaded into options. Creating the policy object can be done using a "policy.xml" file as follows.</p>
<pre>
//Creating the object
StAXOMBuilder builder = new StAXOMBuilder(pathToPolicyfile);
Policy clientPolicy = PolicyEngine.getPolicy(builder.getDocumentElement());
//setting the object
Options options = new Options();
options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, clientPolicy);
</pre>
<a id="1_0_config"></a>
<h2>Rampart-1.0 Configuration</h2>
<p>Rampart module uses two parameters:</p>
<ul>
<li><a href="outflowsecurity">OutflowSecurity</a></li>
<li><a href="inflowsecurity">InflowSecurity</a></li>
</ul>
The configuration that can go in each of these parameters are described
below: <a name="outflowsecurity"></a>
<h3>OutflowSecurity Parameter</h3>
This parameter is used to configure the outflow security handler. The outflow
handler can be invoked more than once in the outflow one can provide
configuration for each of these invocations. The 'action' element describes
one of these configurations. Therefore the 'OutflowSecurity' parameter can
contain more than one 'action' elements. The schema of this 'action' element
is available <a href="sec-conf/out-action.xsd">here</a>.
<p>An outflow configuration to add a timestamp, sign and encrypt the message
once, is shown in<a href="#ex1"> Example 1</a> and <a href="#ex1"> Example
2</a> shows how to sign the message twice by chaining the outflow handler
(using two 'action' elements)</p>
<p>Following is a description of the elements that can go in an 'action'
element of the OutflowSecurity parameter</p>
<br/>
<table border="1">
<tbody>
<tr>
<td><b>Parameter</b></td>
<td><b>Description</b></td>
<td><b>Example</b></td>
</tr>
<tr>
<td>items</td>
<td>Security actions for the inflow</td>
<td>Add a Timestamp, Sign the SOAP body and Encrypt the SOAP body <br/>
&lt;items&gt; Timestamp Signature Encrypt&lt;/items&gt;</td>
</tr>
<tr>
<td>user</td>
<td>The user's name</td>
<td>Set alias of the key to be used to sign<br/>
&lt;user&gt; bob&lt;/user&gt;</td>
</tr>
<tr>
<td>passwordCallbackClass</td>
<td>Callback class used to provide the password required to create the
UsernameToken or to sign the message</td>
<td>&lt;passwordCallbackClass&gt;
org.apache.axis2.security.PWCallback&lt;/passwordCallbackClass&gt;</td>
</tr>
<tr>
<td>signaturePropFile</td>
<td>property file used to get the signature parameters such as crypto
provider, keystore and its password</td>
<td>Set example.properties file as the signature property file<br/>
&lt;signaturePropFile&gt;
example.properties&lt;/signaturePropFile&gt;</td>
</tr>
<tr>
<td>signatureKeyIdentifier</td>
<td>Key identifier to be used in referring the key in the signature</td>
<td>Use the serial number of the certificate<br/>
&lt;signatureKeyIdentifier&gt;
IssuerSerial&lt;/signatureKeyIdentifier&gt;</td>
</tr>
<tr>
<td>encryptionKeyIdentifier</td>
<td>Key identifier to be used in referring the key in encryption</td>
<td>Use the serial number of the certificate <br/>
&lt;encryptionKeyIdentifier&gt;IssuerSerial&lt;/encryptionKeyIdentifier&gt;</td>
</tr>
<tr>
<td>encryptionUser</td>
<td>The user's name for encryption.</td>
<td><br/>
&lt;encryptionUser&gt;alice&lt;/encryptionUser&gt;</td>
</tr>
<tr>
<td>encryptionSymAlgorithm</td>
<td>Symmetric algorithm to be used for encryption</td>
<td>Use AES-128<br/>
&lt;encryptionSymAlgorithm&gt;
http://www.w3.org/2001/04/xmlenc#aes128-cbc&lt;/encryptionSymAlgorithm&gt;</td>
</tr>
<tr>
<td>encryptionKeyTransportAlgorithm</td>
<td>Key encryption algorithm</td>
<td>Use RSA-OAEP<br/>
&lt;parameter name="encryptionSymAlgorithm"&gt;
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p&lt;/parameter&gt;</td>
</tr>
<tr>
<td>signatureParts</td>
<td>Sign multiple parts in the SOAP message</td>
<td>Sign Foo and Bar elements qualified by "http://app.ns/ns"<br/>
&lt;signatureParts&gt;
{Element}{http://app.ns/ns}Foo;{Element}{http://app.ns/ns}Bar
&lt;/signatureParts&gt;</td>
</tr>
<tr>
<td>optimizeParts</td>
<td>MTOM Optimize the elements specified by the XPath query</td>
<td>Optimize the CipherValue<br/>
&lt;optimizeParts&gt;
//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue
&lt;/optimizeParts&gt;</td>
</tr>
</tbody>
</table>
<a name="inflowsecurity"></a>
<h3>InflowSecurity Parameter</h3>
<p>This parameter is used to configure the inflow security handler. The
'action' element is used to encapsulate the configuration elements here as
well. The schema of the 'action' element is available here. <a
href="#ex3">Example 3</a> shows the configuration to decrypt, verify
signature and validate timestamp.</p>
<table border="1">
<tbody>
<tr>
<td><b>Parameter</b></td>
<td><b>Description</b></td>
<td><b>Example</b></td>
</tr>
<tr>
<td>items</td>
<td>Security actions for the inflow</td>
<td>first the incoming message should be decrypted and then the
signatures should be verified and should be checked for the
availability of the Timestamp <br/>
&lt;items&gt; Timestamp Signature Encrypt&lt;/items&gt;</td>
</tr>
<tr>
<td>passwordCallbackClass</td>
<td>Callback class used to obtain password for decryption and
UsernameToken verification</td>
<td><br/>
&lt;passwordCallbackClass&gt;
org.apache.axis2.security.PWCallback&lt;/passwordCallbackClass&gt;</td>
</tr>
<tr>
<td>signaturePropFile</td>
<td>Property file used for signature verification</td>
<td><br/>
&lt;signaturePropFile&gt;
sig.properties&lt;/signaturePropFile&gt;</td>
</tr>
<tr>
<td>decryptionPropFile</td>
<td>Property file used for decryption</td>
<td><br/>
&lt;decryptionPropFile&gt;
dec.properties&lt;/decryptionPropFile&gt;</td>
</tr>
</tbody>
</table>
<br/>
<p>Please note that the '.properties' files used in properties such as
OutSignaturePropFile are the same property files that are using in the WSS4J
project. Following shows the properties defined in a sample property file</p>
<source><pre> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=security
org.apache.ws.security.crypto.merlin.keystore.alias=16c73ab6-b892-458f-abf5-2f875f74882e
org.apache.ws.security.crypto.merlin.alias.password=security
org.apache.ws.security.crypto.merlin.file=keys/x509.PFX.MSFT
</pre>
</source>org.apache.ws.security.crypto.provider defines the implementation of
the org.apache.ws.security.components.crypto.Crypto interface to provide the
crypto information required by WSS4J. The other properties defined are the
configuration properties used by the implementation class
(org.apache.ws.security.components.crypto.Merlin). <a name="ref"></a> <a
name="references"></a>
<h2>References</h2>
<p>1. <a href="http://ws.apache.org/wss4j">Apache WSS4J -Home</a></p>
<a name="examples"></a>
<p>2. <a href="http://specs.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.pdf">ws-securitypolicy.pdf</a></p>
<a name="examples"></a>
<h2>Examples</h2>
<p id="ex1">Example 1: An outflow configuration to add a timestamp, sign and
encrypt the message once</p>
<p><img alt="" src="sec-conf/out-sample.png"/></p>
<p id="ex2">Example 2: An outflow configuration to sign the message twice and
add a timestamp</p>
<p><img alt="" src="sec-conf/out-sample2.png"/></p>
<p id="ex3">Example 3: An inflow configuration to decrypt, verify signature
and validate timestamp</p>
<p><img alt="" src="sec-conf/in-sample.png"/></p>
</body>
</html>