Dec 3, 2009

How to build rampart-config programmatically

The 'rampart-config' assertion is used to specify the configuration details required to secure a message exchange. The most common approach is to append it as a policy assertion to the corresponding policy on both the client side and the server side. But policy-based rampart configuration is not always feasible. For example, where the username is loaded dynamically from user input, a policy-based rampart-config would not be the best solution.

Rampart provides another approach for specifying these configuration details: building the rampart-config programmatically and attaching it to the policy. By calling a few setters, you can build the required rampart-config without much effort.

In this post, I will walk you through the common rampart-config parameters and how to construct them programmatically. All the applicable rampart-config parameters are listed here.

First of all, instantiate a RampartConfig object.

RampartConfig rampartConfig = new RampartConfig();

You should also know how to build a CryptoConfig object. A CryptoConfig object holds the information required for cryptographic operations such as encryption and digital signatures.

First, set the necessary properties in a java.util.Properties collection.

Properties merlinProp = new Properties();
merlinProp.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
merlinProp.put("org.apache.ws.security.crypto.merlin.file","path/to/jks");
merlinProp.put("org.apache.ws.security.crypto.merlin.keystore.password", "wso2carbon");

Then build the CryptoConfig object and set the properties.

CryptoConfig cryptoConfig = new CryptoConfig();
cryptoConfig.setProvider("org.apache.ws.security.components.crypto.Merlin");
cryptoConfig.setProp(merlinProp);

Now let's go ahead and set the rampart-config parameters.

Parameter - user
rampartConfig.setUser("admin");

Parameter - userCertAlias
rampartConfig.setUserCertAlias("wso2carbon");

Parameter - encryptionUser
rampartConfig.setEncryptionUser("wso2carbon");

Parameter - passwordCallbackClass
rampartConfig.setPwCbClass("org.apache.rampart.test.PasswordCallbackHandler");

Parameter - signatureCrypto (This is a CryptoConfig object)
rampartConfig.setSigCryptoConfig(cryptoConfig);

Parameter - encryptionCrypto (This is a CryptoConfig object)
rampartConfig.setEncrCryptoConfig(cryptoConfig);

Parameter - timestampTTL (in seconds)
rampartConfig.setTimestampTTL("300");

Now attach this rampart-config to the policy object.
StAXOMBuilder builder = new StAXOMBuilder("path/to/policy");
Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());
policy.addAssertion(rampartConfig);

Now set the policy object in the client Options.
options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
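The steps above, put together as one runnable client. This is an added example and not code from the post or from the Rampart project; the keystore path, policy path, client repository path, endpoint, action and namespace are placeholders, the environment-variable convention for passwords is an assumption, and the API calls are those of the Axis2 1.5 / Rampart 1.4 era the post describes. It also shows the part the post only names, the password callback class, written so that the keystore and key passwords are supplied at runtime rather than sitting in policy.xml or in source, and so that an unknown alias fails closed instead of signing with a missing password.

```java
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.model.CryptoConfig;
import org.apache.rampart.policy.model.RampartConfig;
import org.apache.ws.security.WSPasswordCallback;

// Added example (not the post's code): rampart-config built at runtime, username from
// program input, every password read from the environment instead of policy.xml.
public class ProgrammaticRampartClient {

    // Rampart instantiates this class by the name given to setPwCbClass() and asks it
    // for the private-key password of the alias it is about to sign or decrypt with.
    public static class EnvPasswordCallbackHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
                }
                WSPasswordCallback pwcb = (WSPasswordCallback) cb;
                // Assumed convention: KEY_PASSWORD_<ALIAS> holds the key password.
                // Note: older WSS4J releases spell this accessor getIdentifer().
                String alias = pwcb.getIdentifier();
                String password = System.getenv("KEY_PASSWORD_" + alias.toUpperCase());
                if (password == null) {
                    // Fail closed: never let an unknown alias proceed with no password.
                    throw new UnsupportedCallbackException(cb, "no password configured for alias " + alias);
                }
                pwcb.setPassword(password);
            }
        }
    }

    // Merlin crypto config for a JKS keystore; one object can serve both signing and encryption.
    static CryptoConfig buildCryptoConfig(String keystorePath, String keystorePassword) {
        Properties merlinProp = new Properties();
        merlinProp.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
        merlinProp.put("org.apache.ws.security.crypto.merlin.file", keystorePath);
        merlinProp.put("org.apache.ws.security.crypto.merlin.keystore.password", keystorePassword);

        CryptoConfig cryptoConfig = new CryptoConfig();
        cryptoConfig.setProvider("org.apache.ws.security.components.crypto.Merlin");
        cryptoConfig.setProp(merlinProp);
        return cryptoConfig;
    }

    // The rampart-config assertion, equivalent to its XML form but filled from runtime values.
    static RampartConfig buildRampartConfig(String user, String userCertAlias,
                                            String encryptionUser, CryptoConfig crypto) {
        RampartConfig rampartConfig = new RampartConfig();
        rampartConfig.setUser(user);                      // username / signing alias
        rampartConfig.setUserCertAlias(userCertAlias);    // alias of the certificate used to sign
        rampartConfig.setEncryptionUser(encryptionUser);  // alias of the recipient's certificate
        rampartConfig.setPwCbClass(EnvPasswordCallbackHandler.class.getName());
        rampartConfig.setSigCryptoConfig(crypto);
        rampartConfig.setEncrCryptoConfig(crypto);
        rampartConfig.setTimestampTTL("300");             // seconds; keeps the replay window short
        return rampartConfig;
    }

    public static void main(String[] args) throws Exception {
        // The username comes from the command line: the dynamic case the post describes.
        String user = args.length > 0 ? args[0] : "admin";
        String keystorePassword = System.getenv("KEYSTORE_PASSWORD");
        if (keystorePassword == null) {
            throw new IllegalStateException("KEYSTORE_PASSWORD is not set");
        }

        CryptoConfig crypto = buildCryptoConfig("path/to/client.jks", keystorePassword);  // assumed path
        RampartConfig rampartConfig = buildRampartConfig(user, "wso2carbon", "wso2carbon", crypto);

        // Load the policy (which carries no rampart-config of its own) and attach ours.
        StAXOMBuilder builder = new StAXOMBuilder("path/to/policy.xml");  // assumed path
        Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());
        policy.addAssertion(rampartConfig);

        // The client repository must contain the rampart module (assumed path).
        ConfigurationContext ctx = ConfigurationContextFactory
                .createConfigurationContextFromFileSystem("path/to/client_repo", null);
        ServiceClient client = new ServiceClient(ctx, null);
        client.engageModule("rampart");

        Options options = new Options();
        options.setTo(new EndpointReference("http://localhost:8080/axis2/services/SecureService")); // assumed
        options.setAction("urn:echo");                                                             // assumed
        options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
        client.setOptions(options);

        OMFactory factory = OMAbstractFactory.getOMFactory();
        OMElement payload = factory.createOMElement("echo", "http://example.org/echo", "ns"); // assumed
        payload.setText("hello");
        System.out.println(client.sendReceive(payload));
    }
}
```

Run it with KEYSTORE_PASSWORD and KEY_PASSWORD_WSO2CARBON exported and the username as the first argument. Because the callback handler is referenced by class name, it must be on the client's classpath; Rampart loads it reflectively when the first secured message is built.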

These method names are self-explanatory, so if you are familiar with the names of the rampart-config parameters it is easy to identify the corresponding setter method on RampartConfig.

14 comments:

  1. Great! Very useful information! Thanks, exactly what I needed
  2. What if I don't have any policy.xml file? i.e. I have programmatically created the service client and I'm using the sendReceive method to send data to the service. I know the service endpoint and action settings (among others) but I don't have a WSDL file or policy.xml. Is there any way to create the policy.xml file in code?
  3. Hi Thilina, this is an informative, great tutorial. Thanks! By the way, can you post a tutorial on how to configure rampart and MTOM? I tried using rampart and MTOM and I got "Error in signature with X%09Token".

    Regards,
    wins
  4. Hi,

    This tutorial is I think dynamic configuration of rampart in the client side. How about the service side? Can you post a tutorial on how to configure rampart dynamically on the service side?

    I have a service implementing signature. I learned that in a signature implementation (not sure if it's correct) both the service and the client should have matching keys. Let's say I have 100 clients; it means I have to create 100 client.jks and 100 service.jks. The problem now is how to load the service.jks dynamically.

    please correct me if my understanding is wrong.

    Thanks
  5. Hi ,

    We have delivered a webservice secured by rampart. Now the client is not using rampart and we see "Invalid Security" at the server side.
    Please suggest how a non-rampart client can access a webservice using rampart.

    Thanks
    Hari Prakash
  6. @ Hari,

    That means there is a mismatch between the server-side security requirements and the security measures taken by the client side. In your case, it appears the service is not properly secured. Check whether the policy is appearing in the WSDL properly.
  7. Yes, the policy is present in the WSDL... any idea?
  8. Hi,

    I have a requirement to implement WS-Security using rampart on the client side. On the server side they have WS-Security. How to achieve this? Where to start?
  9. Can you explain the way how to program a client that can invoke a secured WS?

    If ok, please help. I often write it on Eclipse

    Thanks, Vietanh
  10. @ madhavi, vietanh,

    There are plenty of resources available on the internet covering this space. If you go to the Rampart site - http://ws.apache.org/rampart (Rampart is the WS-Security implementation for Axis2), you can download the latest release and try out the samples.

    Also, the following articles provide a good starting point.

    Web Services Security with Apache Rampart – Part 1(http://wso2.org/library/3190)

    Web Services Security with Apache Rampart – Part 2 (http://wso2.org/library/3415)
  11. Hi Thilina,

    Thanks for the above article.
    I do have a question.

    I am working on webservice client using Axis2 and Rampart. I need to add a binary security token to soap header message.

    I only have the WSDL file. I don't have any policy file. Also, the WSDL file doesn't talk about any security elements, but I am told by the service provider to insert a binary security token in the message.
    My question is:
    - Can I achieve this by using rampartconfig() without a policy.xml file?
  12. How can I configure rampart programmatically at the server end? Here you are adding assertions to the policy.xml; I believe at the server end I have to add it to the services.xml or to the axis2.xml. Please provide steps.
  13. @Yogendran : You can do it using RampartConfigCallbackHandler. Please check the following link. http://blog.rampartfaq.com/2009/08/can-we-avoid-duplicating-crypto-info.html