Dec 3, 2009

Identity patterns and anti-patterns in real world web services

Prabath Siriwardena, the security lead at WSO2 and product manager for WSO2 Identity Server, gave a talk on "Identity patterns and anti-patterns in real world web services" at the Apache Asia Roadshow 2009 conference. I was lucky enough to be in the audience for this wonderful presentation.

How to build rampart-config programmatically

The 'rampart-config' assertion is used to specify the configuration details required to secure a message exchange. The most common approach is to append it as a policy assertion to the corresponding policy on both the client side and the server side. But a policy-based rampart configuration is not always feasible. For example, in a scenario where the username is loaded dynamically from user input, a rampart-config fixed in a policy file would not be the best solution.

Rampart provides another approach for specifying these configuration details: building the rampart-config programmatically and attaching it to the policy. By calling a few setters, you can build the required rampart-config without much effort.

In this post, I will walk you through the common rampart-config parameters and how to construct them programmatically. All the applicable rampart-config parameters are listed here.

First of all, instantiate a RampartConfig object.

RampartConfig rampartConfig = new RampartConfig();

You also need to know how to build a CryptoConfig object. A CryptoConfig object holds the information required for cryptographic operations such as encryption and digital signature (in this case, how to reach the keystore).

First, set the necessary properties in a java.util.Properties object.

Properties merlinProp = new Properties();
merlinProp.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
merlinProp.put("org.apache.ws.security.crypto.merlin.file", "path/to/jks");
merlinProp.put("org.apache.ws.security.crypto.merlin.keystore.password", "wso2carbon");

Then build the CryptoConfig object, set the crypto provider (Merlin, the WSS4J keystore-backed implementation) and attach the properties.

CryptoConfig cryptoConfig = new CryptoConfig();
cryptoConfig.setProvider("org.apache.ws.security.components.crypto.Merlin");
cryptoConfig.setProp(merlinProp);

Now let's go ahead and set the rampart-config parameters.

Parameter - user
rampartConfig.setUser("admin");

Parameter - userCertAlias
rampartConfig.setUserCertAlias("wso2carbon");

Parameter - encryptionUser
rampartConfig.setEncryptionUser("wso2carbon");

Parameter - passwordCallbackClass
rampartConfig.setPwCbClass("org.apache.rampart.test.PasswordCallbackHandler");

Parameter - signatureCrypto (This is a CryptoConfig object)
rampartConfig.setSigCryptoConfig(cryptoConfig);

Parameter - encryptionCrypto (This is a CryptoConfig object)
rampartConfig.setEncrCryptoConfig(cryptoConfig);

Parameter - timestampTTL (in seconds; the lifetime of the security timestamp, which bounds how long a captured message stays acceptable)
rampartConfig.setTimestampTTL("300");

Now attach this rampart-config to the policy object loaded from the policy file (the rampart-config itself is an assertion, so it is added with addAssertion).
StAXOMBuilder builder = new StAXOMBuilder("path/to/policy");
Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());
policy.addAssertion(rampartConfig);

Now set the policy object in the client Options (options is the org.apache.axis2.client.Options instance used by your ServiceClient).
options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
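The whole procedure above assembled into one runnable client, as an added example that is not code from the original post, from WSO2 or from the Rampart project. It also shows the password callback handler that setPwCbClass names, since the dynamic-username case only works if the handler can hand back the password entered at runtime. The class name DynamicRampartClient, the keystore aliases "client" and "service", the file names, the environment variable names, the endpoint URL and the credential registry are all assumptions for the example; the Rampart, Axis2, Neethi and WSS4J calls are the ones the post uses plus the standard Axis2 ServiceClient API.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.model.CryptoConfig;
import org.apache.rampart.policy.model.RampartConfig;
import org.apache.ws.security.WSPasswordCallback;

public class DynamicRampartClient {

    // Passwords registered at runtime (user input, environment) and looked up by
    // identifier when Rampart calls back. Hypothetical registry for this example;
    // it exists because Rampart instantiates the handler by class name, so the
    // handler cannot be handed the password through a constructor.
    private static final Map<String, char[]> CREDENTIALS = new ConcurrentHashMap<String, char[]>();

    public static void registerPassword(String identifier, char[] password) {
        CREDENTIALS.put(identifier, password);
    }

    // The class named in setPwCbClass(): public, with a public no-arg constructor.
    // Rampart asks it for the UsernameToken password (identifier = user) and for the
    // private-key password of userCertAlias when it signs.
    public static class PasswordCallbackHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is handled");
                }
                WSPasswordCallback pwcb = (WSPasswordCallback) cb;
                char[] pw = CREDENTIALS.get(pwcb.getIdentifier());
                if (pw == null) {
                    // Fail closed: an identifier nobody registered must not sign or authenticate.
                    throw new UnsupportedCallbackException(cb, "no password for " + pwcb.getIdentifier());
                }
                pwcb.setPassword(new String(pw));
            }
        }
    }

    // Same steps as the post, with the username and keystore secrets passed in
    // instead of being written into the source.
    static RampartConfig buildRampartConfig(String username, String keystorePath, String keystorePassword) {
        Properties merlinProp = new Properties();
        merlinProp.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
        merlinProp.put("org.apache.ws.security.crypto.merlin.file", keystorePath);
        merlinProp.put("org.apache.ws.security.crypto.merlin.keystore.password", keystorePassword);

        CryptoConfig cryptoConfig = new CryptoConfig();
        cryptoConfig.setProvider("org.apache.ws.security.components.crypto.Merlin");
        cryptoConfig.setProp(merlinProp);

        RampartConfig rampartConfig = new RampartConfig();
        rampartConfig.setUser(username);                 // UsernameToken / signing user
        rampartConfig.setUserCertAlias("client");        // assumed alias of our signing key
        rampartConfig.setEncryptionUser("service");      // assumed alias of the service's certificate
        rampartConfig.setPwCbClass(PasswordCallbackHandler.class.getName());
        rampartConfig.setSigCryptoConfig(cryptoConfig);
        rampartConfig.setEncrCryptoConfig(cryptoConfig);
        rampartConfig.setTimestampTTL("300");            // 5 minutes; keep the replay window short
        return rampartConfig;
    }

    static Policy loadPolicyWith(RampartConfig rampartConfig, String policyPath) throws Exception {
        StAXOMBuilder builder = new StAXOMBuilder(policyPath);
        Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());
        policy.addAssertion(rampartConfig);
        return policy;
    }

    public static void main(String[] args) throws Exception {
        String username = args.length > 0 ? args[0] : "admin";
        registerPassword(username, System.console().readPassword("Password for %s: ", username));
        registerPassword("client", System.getenv("CLIENT_KEY_PASSWORD").toCharArray());

        RampartConfig rc = buildRampartConfig(username, "client.jks", System.getenv("CLIENT_KEYSTORE_PASSWORD"));
        Policy policy = loadPolicyWith(rc, "policy.xml");

        // "client_repo" is an assumed Axis2 repository containing the rampart module.
        ConfigurationContext ctx = ConfigurationContextFactory
                .createConfigurationContextFromFileSystem("client_repo", null);
        ServiceClient client = new ServiceClient(ctx, null);
        Options options = new Options();
        options.setTo(new EndpointReference("https://localhost:9443/services/echo"));  // assumed endpoint
        options.setAction("urn:echo");
        options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
        client.setOptions(options);
        client.engageModule("rampart");

        OMFactory fac = OMAbstractFactory.getOMFactory();
        OMElement payload = fac.createOMElement("echoString", fac.createOMNamespace("http://example.org/echo", "ns"));
        payload.setText("hello");
        System.out.println(client.sendReceive(payload));
    }
}
```

Two points worth noting for anyone adapting this: the keystore password and key password never appear as literals (the post's "wso2carbon" is the well-known default shipped with WSO2 products, so a deployment that keeps it is effectively unprotected), and the callback handler refuses unknown identifiers instead of returning a default, so a misconfigured user or alias fails at the client rather than producing a message signed with the wrong key.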

These method names are self-explanatory, so if you are familiar with the names of the rampart-config parameters it is easy to identify the corresponding setter method on RampartConfig.