Support for OASIS WS-SX standards in Metro

We provide support for the OASIS WS-SX standards WS-SecurityPolicy 1.2, WS-SecureConversation 1.3 and WS-Trust 1.3 in the current build of Metro. This will be included in the upcoming Metro 1.2 release as EA features. No NetBeans tooling support is available yet. However, one can manually modify the WSDL and configuration produced by NetBeans to produce a WS-SX based service and STS. This applies to all the existing security scenarios using previous versions of WS-Trust and WS-SecureConversation.

1. Create a service secured with WS-SX:

First create a service with NetBeans using an IssuedToken from an STS and/or secure conversation for the security.
Then make the following changes to the service WSDL:

1) Change all occurrences of the WS-SecurityPolicy namespace from
"http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
to
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702".
The change must also be applied to the IncludeToken attribute.

2) Change all occurrences of the WS-Trust namespace from
"http://schemas.xmlsoap.org/ws/2005/02/trust"
to
"http://docs.oasis-open.org/ws-sx/ws-trust/200512".
This mainly applies to the elements in the RequestSecurityTokenTemplate in the
IssuedToken policy assertion and to what is used for Action.

3) Change the policy assertion Trust10 to Trust13.

2. Create STS of WS-SX version:

First create an STS using NetBeans. (See also my blog entry on creating a customer STS.) Then follow steps 1), 2) and 3) above
to make the namespace and policy assertion changes.
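Steps 1) to 3), which apply to both the service WSDL and the STS WSDL, can be scripted. The following is an added example, not code from the original post or from Metro; the function names and the sample policy fragment are assumptions made for illustration. It applies the three changes and then reports any legacy marker still present, so a half-migrated file is caught before deployment.

```python
import re

# Namespace pairs taken from steps 1) and 2) of the post: old -> WS-SX.
NS_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy":
        "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "http://schemas.xmlsoap.org/ws/2005/02/trust":
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
}
# Matches <sp:Trust10>, </sp:Trust10> and <sp:Trust10/> with any prefix.
TRUST10_TAG = re.compile(r"(</?(?:[\w.-]+:)?)Trust10(?=[\s/>])")


def migrate_to_wssx(wsdl_text):
    """Apply steps 1)-3) to WSDL text and return the migrated text."""
    for old, new in NS_MAP.items():
        # A plain substring replace also rewrites values that merely start
        # with the namespace: IncludeToken attributes and Action URIs.
        wsdl_text = wsdl_text.replace(old, new)
    return TRUST10_TAG.sub(r"\1Trust13", wsdl_text)


def leftovers(wsdl_text):
    """Return the legacy markers still present in the text."""
    found = [old for old in NS_MAP if old in wsdl_text]
    if TRUST10_TAG.search(wsdl_text):
        found.append("Trust10")
    return found


# Constructed sample policy fragment, not taken from a real service.
SAMPLE = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
    <sp:RequestSecurityTokenTemplate>
      <t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
    </sp:RequestSecurityTokenTemplate>
  </sp:IssuedToken>
  <sp:Trust10><wsp:Policy/></sp:Trust10>
</wsp:Policy>"""

if __name__ == "__main__":
    migrated = migrate_to_wssx(SAMPLE)
    print(migrated)
    print("leftovers:", leftovers(migrated))
```

The WS-Policy namespace is deliberately left alone here; moving to WS-Policy 1.5 is a separate, optional change.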

3. Using WS-Policy 1.5 with WS-SX:

With the service and STS produced from 1 and 2, WS-Policy 1.2 is used.
One may also use the standard WS-Policy 1.5 from W3C with WS-SX support.

For this,

1) Change all occurrences of the WS-Policy namespace from
"http://schemas.xmlsoap.org/ws/2004/09/policy"
to
"http://www.w3.org/ns/ws-policy"

2) Using addressing metadata:
Remove the policy assertion UsingAddressing.
Then add the following assertion instead to enable Addressing:

    <wsam:Addressing>
        <wsp:Policy>
            <wsam:AnonymousResponses />
        </wsp:Policy>
    </wsam:Addressing>

where
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
Also change the prefix for Action to wsam (e.g. wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue").

This mainly addresses the use of WS-SX for existing features. There are also some new features introduced in Metro 1.2, which will be described in subsequent blogs.
We will also provide samples with WS-SX in the current WSIT workspace.

Comments:

My team and I are enjoying this new standard support added in Metro. We are writing security assertions in our service contract, conforming to the OASIS specification WS-SecurityPolicy 1.2.

We have followed the above recommendations, replacing all namespace references with the new OASIS space.

All works fine. The old assertions work with the new namespace.

So, reading the OASIS specification, we have added a new element <sp:HashPassword /> under the UserNameToken assertion.

But this doesn't work. We see the following exception at startup time:

AVVERTENZA: SP0100: Policy assertion Assertion[com.sun.xml.ws.policy.sourcemodel.DefaultPolicyAssertionCreator$DefaultPolicyAssertion] {
assertion data {
namespace = 'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
prefix = 'sp'
local name = 'HashPassword'
value = 'null'
optional = 'false'
ignorable = 'false'
no attributes
}
no parameters
no nested policy
} is not supported under UsernameToken assertion.

The question is: is the HashPassword element supported?
If not, what is the way to receive a DigestPasswordRequest in our Handler?

This object is mandatory for our task, because we must use that for other business control.

Thanks in advance

Posted by Michele Di Noia on February 13, 2008 at 11:17 PM PST #

HashPassword is not supported in Metro currently. It has been in our plan. Actually this is possible now that GlassFish (SailFin release) has support for PasswordDigestAuthentication.

If you need this feature earlier, please file an RFE here:

https://wsit.dev.java.net/servlets/ProjectIssues

Posted by Jiandong Guo on February 14, 2008 at 01:27 AM PST #
