Support of Endpoint References with Addressing Identity Information in Metro

A Web service endpoint is a (referenceable) entity, processor, or resource where Web service messages can be targeted. WS-Addressing’s Endpoint references convey the information needed to reference a Web service endpoint, and may be used in several different ways: endpoint references are suitable for conveying the information needed to access a Web service endpoint, but are also used to provide addresses for individual messages sent to and from Web services.

Web Services Addressing Identity extends WS-Addressing’s endpoint reference by providing identity information about the endpoint that can be verified through a variety of security means. These means include transport security technologies like https or the wealth of WS-Security specifications.

<wsa:EndpointReference>
    ...
    <wsid:Identity>
        ...
    </wsid:Identity>
</wsa:EndpointReference>

The identity value can be a KeyInfo element, an X.509 certificate, or any security token such as a BinarySecurityToken; it represents the certificate (public key) of the web service.

For example:

<wsa:EndpointReference>
    <wsid:Identity>
        <wsse:BinarySecurityToken ValueType="...#X509v3">
            <!-- base64 encoded value of the X509 certificate -->
        </wsse:BinarySecurityToken>
    </wsid:Identity>
</wsa:EndpointReference>

Metro recently added this feature: it publishes a binary security token (BST) as the value of the Identity element. There are many ways to configure the web service certificate, and the current implementation handles most of them. The following cases are handled:

1) Parse the KeyStore assertion present in the service WSDL and obtain the BST using the keystore's location, password and alias. Generally the KeyStore assertion looks like:

<sc:KeyStore wspp:visibility="private" location="/home/suresh/glassfish/domains/domain1/config/keystore.jks" type="JKS" storepass="changeit" alias="xws-security-server"/>

2) Configure a KeyStore callback handler without giving the keystore location, or use an aliasSelector in place of the alias. The current implementation handles all these cases to produce the BST in the Identity element.

3) Put the X.509 certificate directly in the file WEB-INF/classes/META-INF/ServerCertificate.cert for servlet-based web services (or META-INF/ServerCertificate.cert for EJB web services), and the BST is created from it. The file name must be ServerCertificate.cert, since Metro searches for a file with exactly this name. The certificate must be in DER or PEM format.

Currently these are the methods used to obtain the BST; in future the full range of server certificate configuration will be supported.

By default this feature is not enabled. To enable it, add the assertion

<sc:EnableEPRIdentity wspp:visibility="private" xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"/>

to the service WSDL; Metro then adds the BST as the identity value of the EPR, obtaining it by one of the methods above.

Clients can then use this BST to encrypt their messages and so need not specify the peer alias, but the truststore configuration assertion is still needed to validate the certificate.

Please note that if no truststore assertion is configured on the client side, Metro does not accept the certificate and logs a warning that the certificate is not valid.

Currently clients are forced to use this feature by default; in future they will be able to disable it on their side with an assertion like the one above and use their own configuration.

A sample server-side policy that uses this feature is shown below:

<wsp:Policy wsu:Id="NewWebServicePortBindingPolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                <wsam:Addressing wsp:Optional="false"/>
                <sp:AsymmetricBinding>
                    <wsp:Policy>
                        <sp:InitiatorToken>
                            <wsp:Policy>
                                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10/>
                                        <sp:RequireIssuerSerialReference/>
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:InitiatorToken>
                        <sp:RecipientToken>
                            <wsp:Policy>
                                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10/>
                                        <sp:RequireIssuerSerialReference/>
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:RecipientToken>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict/>
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp/>
                        <sp:OnlySignEntireHeadersAndBody/>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:Basic128/>
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                    </wsp:Policy>
                </sp:AsymmetricBinding>
                <sc:EnableEPRIdentity wspp:visibility="private" xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"/>
                <sp:Wss10>
                    <wsp:Policy>
                        <sp:MustSupportRefIssuerSerial/>
                    </wsp:Policy>
                </sp:Wss10>
                <sc:KeyStore wspp:visibility="private" location="/home/suresh/glassfish/domains/domain1/config/keystore.jks" type="JKS" storepass="changeit" alias="xws-security-server"/>
                <sp:EndorsingSupportingTokens>
                    <wsp:Policy>
                        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                            <wsp:Policy>
                                <sp:WssX509V3Token10/>
                                <sp:RequireIssuerSerialReference/>
                            </wsp:Policy>
                        </sp:X509Token>
                    </wsp:Policy>
                </sp:EndorsingSupportingTokens>
            </wsp:All>
        </wsp:ExactlyOne>
</wsp:Policy>

After publishing, the endpoint reference with the BST as the value of Identity looks like this:

<service name="NewWebServiceService">
     <port name="NewWebServicePort" binding="tns:NewWebServicePortBinding">
     <soap:address location="http://localhost:8080/issue1217/NewWebServiceService"/>
     <wsa:EndpointReference>
          <wsa:Address>
                  http://localhost:8080/issue1217/NewWebServiceService
          </wsa:Address>
          <ns10:Identity>
                 <ns5:BinarySecurityToken ns4:Id="uuid_326775ca-8125-4869-8ff2-b9918f9f22c4" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
MIIDDzCCAnigAwIBAgIBAjANBgkqhkiG9w0BAQQFADBOMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEMMAoGA1UECh

MDU1VOMQwwCgYDVQQLEwNKV1MxDjAMBgNVBAMTBVNVTkNBMB4XDTA3MDMxMjEwMTgwNVoXDTE3MDMwOTEwMTgwNVowbzELMA

kGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UECxMDU1

VOMRowGAYDVQQDExF4d3NzZWN1cml0eXNlcnZlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv11fD4vbn2E+RpKgPkDFYzorrGsGq

pdsmsZ3wGewLhSdrDI18Lugs6QcUUTq8dQ17xAWPITQWi0EzXpUhdFTQAi4eiLJnV2SVirz4iyCqbZCzn0gCJxFcJ//+BYwIuWdTLrfya14+47g

KBhFnNSZxmpjZlahf6105AZMTgt05BMCAwEAAaOB2zCB2DAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZC

BDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUdVE29ysyFW/iD1la3ddePzM6IWowfgYDVR0jBHcwdYAUZ7plxs6VyOOOTSFyojDV0YYjJWhUqRQME

4xCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMQwwCgYDVQQKEwNTVU4xDDAKBgNVBAsTA0pXUzEOMAwGA1UEAxMFU1VOQ

0GCCQDbHkJaq6KijjANBgkqhkiG9w0BAQQFAAOBgQBWpPzVlkGUGarWc0ghob52gvWWjYoQ/2b1zHqUcLGt1fGKcwS0m23PMCWjwcTv4AKz4Z

AtymK9xe9UOoMkJt+N9SuOajGzKvpf7eXaC5d+CcGmIhRDL+8Exz9DVqLDi8MVHd8oMg/WeP2c0q0TCDxXmATn6n9hC0abODh8cLUh7Q==
</ns5:BinarySecurityToken>
           </ns10:Identity>
     </wsa:EndpointReference>
   </port>
</service>
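The publish-and-validate round trip described above, as an added Go example that is not Metro code: the service wraps its DER certificate in a BinarySecurityToken inside wsid:Identity, and the client decodes the BST and accepts the certificate only after PKIX validation against its own truststore, rejecting it when no truststore is configured (the behaviour Metro warns about). The function names, the self-signed sample certificate and the omitted namespace declarations are assumptions for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"math/big"
	"strings"
	"time"
)

// ValueType Metro publishes for an X.509 v3 BinarySecurityToken (as in the EPR sample above).
const X509v3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
// PublishEPR is the service side: the DER certificate becomes a BST inside wsid:Identity (namespace declarations omitted).
func PublishEPR(address string, certDER []byte) string {
	return "<wsa:EndpointReference><wsa:Address>" + address + "</wsa:Address><wsid:Identity><wsse:BinarySecurityToken ValueType=\"" +
		X509v3 + "\">" + base64.StdEncoding.EncodeToString(certDER) + "</wsse:BinarySecurityToken></wsid:Identity></wsa:EndpointReference>"
}

// CertFromEPR is the client side: the EPR is unauthenticated WSDL metadata, so the BST certificate is accepted only after PKIX validation against the client's truststore.
func CertFromEPR(eprXML []byte, truststore *x509.CertPool) (*x509.Certificate, error) {
	var e struct {
		BST string `xml:"Identity>BinarySecurityToken"` // xml.Unmarshal matches on local names, so prefixes do not matter
	}
	if err := xml.Unmarshal(eprXML, &e); err != nil {
		return nil, err
	}
	if truststore == nil { // never fall back to system roots: without a truststore the certificate is not valid
		return nil, errors.New("no truststore configured: certificate is not valid")
	}
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(e.BST), "")) // BST text may be line-wrapped
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		return nil, errors.New("BinarySecurityToken is not a base64-encoded DER X.509 certificate")
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: truststore, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return cert, err
}
// NewSelfSignedCert returns a constructed sample service certificate (DER); a real deployment reads it from the keystore.
func NewSelfSignedCert(cn string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}
```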

Comments:

This addressing identity information can also be used by the STS to encrypt the issued tokens for the service.
The whole Endpoint Reference should be passed to the STS in the request message RST.

Posted by suresh on August 26, 2009 at 08:30 AM MVT #

Hi Suresh,

When using this feature I am observing quite strange behavior - namely, though the certificate is transferred in the WSDL, it won't be picked up by the client.
I've tracked the issue to the SecurityClientTube class, which should store the WSDL fragment with the server certificate in the wsitContext attribute. Though initially the wsitContext contains the correct certificate, after the Tube is cloned the wsitContext is not copied and is set to null.
I've tried to explicitly copy wsitContext in the SecurityClientTube(SecurityClientTube that, TubeCloner cloner) constructor, but while that solves the problem, it causes anomalies in other situations (e.g., cached tokens that are expired are sent to the server).

Posted by Sergei on February 15, 2011 at 07:29 AM MVT #

About the author: Suresh Mandalapu