<deployment xmlns="http://xml.apache.org/axis/wsdd/" | |
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"> | |
<!-- | |
Usage of cert/key identifiers (parameter: user / encryptionUser): | |
For the interop tests we have two different certificate/key pairs: | |
Server certificate: | |
contained in bob.pfx | |
identified with: bob | |
Client certificate: | |
contained in alice.pfx | |
identified with: alice | |
The Server uses it's certificate/private key to sign its request, the client | |
uses the server's certificate/pub key to encrypt requests | |
The client uses it's certificate/private key to sign its request, the server | |
uses the client's certificate/pub key to encrypt responses- | |
--> | |
<!-- define the service, using the WSDoAllSender security handler in request flow --> | |
<service name="Ping1"> | |
<requestFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" > | |
<parameter name="user" value="Chris"/> | |
<parameter name="passwordCallbackClass" | |
value="org.apache.ws.axis.oasis.PWCallback1"/> | |
<parameter name="action" value="UsernameToken"/> | |
<parameter name="passwordType" value="PasswordText" /> | |
</handler> | |
</requestFlow> | |
</service> | |
<service name="Ping2"> | |
<requestFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" > | |
<parameter name="action" value="UsernameToken Encrypt"/> | |
<parameter name="user" value="Chris"/> | |
<parameter name="passwordCallbackClass" | |
value="org.apache.ws.axis.oasis.PWCallback1"/> | |
<parameter name="passwordType" value="PasswordText" /> | |
<parameter name="addUTElements" value="Nonce Created" /> | |
<parameter name="encryptionPropFile" value="wsstest.properties" /> | |
<parameter name="encryptionKeyIdentifier" value="SKIKeyIdentifier" /> | |
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /> | |
<!-- Use the Server's cert/key to encrypt the request --> | |
<parameter name="encryptionUser" value="bob" /> | |
<parameter name="encryptionParts" | |
value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken" /> | |
</handler> | |
</requestFlow> | |
</service> | |
<service name="Ping2a"> | |
<requestFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" > | |
<parameter name="action" value="UsernameTokenSignature Encrypt Timestamp"/> | |
<parameter name="user" value="Chris"/> | |
<parameter name="passwordCallbackClass" | |
value="org.apache.ws.axis.oasis.PWCallback1"/> | |
<parameter name="encryptionPropFile" value="wsstest.properties" /> | |
<parameter name="encryptionKeyIdentifier" value="SKIKeyIdentifier" /> | |
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /> | |
<!-- Use the Server's cert/key to encrypt the request --> | |
<parameter name="encryptionUser" value="bob" /> | |
<parameter name="encryptionParts" | |
value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken" /> | |
</handler> | |
</requestFlow> | |
</service> | |
<service name="Ping2b"> | |
<requestFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" > | |
<parameter name="action" value="UsernameTokenSignature Timestamp"/> | |
<parameter name="user" value="Chris"/> | |
<parameter name="passwordCallbackClass" | |
value="org.apache.ws.axis.oasis.PWCallback1"/> | |
<parameter name="passwordType" value="PasswordDigest" /> | |
<parameter name="signatureParts" | |
value="Body;{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken" /> | |
</handler> | |
</requestFlow> | |
</service> | |
<service name="Ping3"> | |
<requestFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" > | |
<parameter name="action" value="Signature Encrypt Timestamp"/> | |
<!-- Use the Client's cert/key to sign the request --> | |
<parameter name="user" value="alice"/> | |
<parameter name="passwordCallbackClass" | |
value="org.apache.ws.axis.oasis.PWCallback1"/> | |
<parameter name="signatureKeyIdentifier" value="DirectReference" /> | |
<parameter name="signaturePropFile" value="wsstest.properties" /> | |
<parameter name="encryptionKeyIdentifier" value="SKIKeyIdentifier" /> | |
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /> | |
<parameter name="encryptionUser" value="bob" /> | |
</handler> | |
</requestFlow> | |
<responseFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver"> | |
<parameter name="passwordCallbackClass" | |
value="org.apache.ws.axis.oasis.PWCallback1"/> | |
<parameter name="action" value="Signature Encrypt Timestamp"/> | |
<parameter name="signaturePropFile" value="wsstest.properties" /> | |
</handler> | |
</responseFlow> | |
</service> | |
<service name="Ping4"> | |
<requestFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" > | |
<parameter name="action" value="Signature Encrypt Timestamp"/> | |
<!-- Use the Client's cert/key to sign the request --> | |
<parameter name="user" value="alice"/> | |
<parameter name="passwordCallbackClass" | |
value="org.apache.ws.axis.oasis.PWCallback1"/> | |
<parameter name="signatureKeyIdentifier" value="DirectReference" /> | |
<parameter name="signaturePropFile" value="wsstest.properties" /> | |
<parameter name="encryptionKeyIdentifier" value="EmbeddedKeyName" /> | |
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /> | |
<parameter name="EmbeddedKeyCallbackClass" | |
value="org.apache.ws.axis.oasis.PWCallback1" /> | |
<parameter name="EmbeddedKeyName" value="SessionKey" /> | |
</handler> | |
</requestFlow> | |
<responseFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver"> | |
<parameter name="passwordCallbackClass" | |
value="org.apache.ws.axis.oasis.PWCallback"/> | |
<parameter name="action" value="Signature Encrypt Timestamp"/> | |
<parameter name="signaturePropFile" value="wsstest.properties" /> | |
</handler> | |
</responseFlow> | |
</service> | |
<service name="Ping5"> | |
<requestFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" > | |
<parameter name="action" value="Signature NoSerialization"/> | |
<!-- Use the Client's cert/key to sign the request --> | |
<parameter name="user" value="alice"/> | |
<parameter name="passwordCallbackClass" | |
value="org.apache.ws.axis.oasis.PWCallback1"/> | |
<parameter name="signatureKeyIdentifier" value="DirectReference" /> | |
<parameter name="signaturePropFile" value="wsstest.properties" /> | |
<parameter name="signatureParts" value="{}{http://xmlsoap.org/Ping}ticket" /> | |
</handler> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" > | |
<parameter name="action" value="Signature Timestamp"/> | |
<!-- Use the Client's cert/key to sign the request --> | |
<parameter name="user" value="alice"/> | |
<parameter name="passwordCallbackClass" | |
value="org.apache.ws.axis.oasis.PWCallback1"/> | |
<parameter name="signatureKeyIdentifier" value="SKIKeyIdentifier" /> | |
<parameter name="signaturePropFile" value="wsstest.properties" /> | |
</handler> | |
</requestFlow> | |
</service> | |
<service name="Ping6"> | |
<requestFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" > | |
<parameter name="action" value="Encrypt Signature Timestamp"/> | |
<!-- Use the Client's cert/key to sign the request --> | |
<parameter name="user" value="alice"/> | |
<parameter name="passwordCallbackClass" | |
value="org.apache.ws.axis.oasis.PWCallback1"/> | |
<parameter name="signatureKeyIdentifier" value="DirectReference" /> | |
<parameter name="signaturePropFile" value="wsstest.properties" /> | |
<parameter name="encryptionKeyIdentifier" value="SKIKeyIdentifier" /> | |
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /> | |
<!-- Use the Server's cert/key to encrypt the request --> | |
<parameter name="encryptionUser" value="bob" /> | |
</handler> | |
</requestFlow> | |
<responseFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver"> | |
<parameter name="passwordCallbackClass" value="org.apache.ws.axis.oasis.PWCallback1"/> | |
<parameter name="action" value="Encrypt Signature Timestamp"/> | |
<parameter name="signaturePropFile" value="wsstest.properties" /> | |
</handler> | |
</responseFlow> | |
</service> | |
<service name="Ping7"> | |
<requestFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" > | |
<parameter name="action" value="Signature Encrypt Timestamp"/> | |
<parameter name="user" value="alice"/> | |
<parameter name="passwordCallbackClass" value="org.apache.ws.axis.oasis.PWCallback1"/> | |
<parameter name="signatureKeyIdentifier" value="DirectReference" /> | |
<parameter name="signatureParts" | |
value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;STRTransform" /> | |
<parameter name="signaturePropFile" value="wsstest.properties" /> | |
<parameter name="encryptionKeyIdentifier" value="SKIKeyIdentifier" /> | |
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /> | |
<parameter name="encryptionUser" value="bob" /> | |
<parameter name="encryptionPropFile" value="wsstest.properties" /> | |
</handler> | |
</requestFlow> | |
<responseFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver"> | |
<parameter name="passwordCallbackClass" | |
value="org.apache.ws.axis.oasis.PWCallback1"/> | |
<parameter name="action" value="Signature Encrypt Timestamp"/> | |
<parameter name="signaturePropFile" value="wsstest.properties" /> | |
<parameter name="decryptionPropFile" value="wsstest.properties" /> | |
</handler> | |
</responseFlow> | |
</service> | |
<service name="STPing1"> | |
<requestFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" > | |
<parameter name="action" value="Timestamp SAMLTokenUnsigned"/> | |
<parameter name="samlPropFile" value="saml.properties"/> | |
</handler> | |
</requestFlow> | |
</service> | |
<!-- | |
The saml3.properties file defines a SAML token with "sender vouches" | |
option. Thus no further user specific data is required here. The | |
SAML issuer takes all the data from its data store (for the bare bone | |
SAML issuer included here: these data is in the saml properties file). | |
The SAML issuer uses its own certificate to sign, own certificate store, | |
etc. | |
The DoAllSender then gets the issuer's data (key name, key password) | |
and forwards it to the SignEnvelope. The SignEnvelope now signs the | |
SAML token _and_ at least one part of the message (SOAP Body if nothing | |
was specified, or the specified part). | |
--> | |
<service name="STPing3"> | |
<requestFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" > | |
<parameter name="action" value="Timestamp SAMLTokenSigned"/> | |
<parameter name="samlPropFile" value="saml3.properties"/> | |
<parameter name="signatureKeyIdentifier" value="DirectReference" /> | |
</handler> | |
</requestFlow> | |
</service> | |
<!-- | |
The saml4.properties file defines a SAML token with "holder-of-key" | |
option. Because the DoAllSender handler acts as both, user and requestor, | |
we need the user specific data here. The handler gets this information, | |
forwards it to our (bare bone) SAML issuer. The SAML issuer creates | |
the SAML token and includes the user's certificate, and signs the | |
whole token with its certificate / Private Key. | |
DoAllSender forwards the user's information to SignEnvelope that uses | |
this to sign the message (SOAP Body if nothing was specified, or the | |
specified part). Because the issuer signed the SAML token the user's | |
certificate (contained in the token) can be trusted. | |
--> | |
<service name="STPing4"> | |
<requestFlow> | |
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" > | |
<parameter name="action" value="Timestamp SAMLTokenSigned"/> | |
<parameter name="samlPropFile" value="saml4.properties"/> | |
<parameter name="signatureKeyIdentifier" value="DirectReference" /> | |
<parameter name="user" value="16c73ab6-b892-458f-abf5-2f875f74882e"/> | |
<parameter name="passwordCallbackClass" value="org.apache.ws.axis.oasis.PWCallback"/> | |
<parameter name="signaturePropFile" value="crypto.properties" /> | |
<parameter name="signatureKeyIdentifier" value="DirectReference" /> | |
</handler> | |
</requestFlow> | |
</service> | |
<transport name="java" pivot="java:org.apache.axis.transport.java.JavaSender"/> | |
<transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/> | |
<transport name="local" pivot="java:org.apache.axis.transport.local.LocalSender"/> | |
</deployment> |