Dec 3, 2009

Identity patterns and anti-patterns in real world web services

Prabath Siriwardena, the security lead at WSO2 and product manager for WSO2 Identity Server, gave a talk on "Identity patterns and anti-patterns in real world web services" at the Apache Asia Roadshow 2009 conference. I was lucky enough to be in the audience for this wonderful presentation.

How to build rampart-config programmatically

The 'rampart-config' assertion carries the configuration Rampart needs to secure a message exchange: key aliases, keystore (crypto) settings, the password callback class and so on. The most common approach is to append it as a policy assertion to the corresponding WS-SecurityPolicy on both the client side and the server side. But policy-based rampart configuration is not always feasible. For example, when the user name is only known at run time because it is taken from user input, a static rampart-config inside the policy file is not the best solution.

Rampart provides another approach for specifying these configuration details: building the rampart-config programmatically and attaching it to the policy. With a few setter calls you can build the required rampart-config without much effort.

In this post, I will walk you through the common rampart-config parameters and how to construct them programmatically. The full list of rampart-config parameters is given in the Rampart configuration documentation.

First of all, instantiate a RampartConfig object (org.apache.rampart.policy.model.RampartConfig).

RampartConfig rampartConfig = new RampartConfig();

You should also know how to build a CryptoConfig object. A CryptoConfig holds the settings of the WSS4J crypto provider (normally Merlin, which reads a Java keystore) that Rampart uses for cryptographic operations such as encryption and digital signatures.

First put the required Merlin properties into a java.util.Properties collection. The keys are the standard WSS4J Merlin property names; the two values below are the keystore type and the keystore password, and you will also need org.apache.ws.security.crypto.merlin.file pointing at the keystore file.

Properties merlinProp = new Properties();
merlinProp.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
merlinProp.put("org.apache.ws.security.crypto.merlin.keystore.password", "wso2carbon");

Note that the keystore password now lives in your source or configuration in the clear. Read it from a protected location rather than hard-coding it, and do not reuse "wso2carbon", the password of the default keystore shipped with WSO2 products, on a production keystore.

Then build the CryptoConfig object, name the provider class and set the properties.

CryptoConfig cryptoConfig = new CryptoConfig();
cryptoConfig.setProvider("org.apache.ws.security.components.crypto.Merlin");
cryptoConfig.setProp(merlinProp);

Now let's go ahead setting the rampart-config parameters.

Parameter - user (setUser): the user name. It is used as the user name of a UsernameToken and, when userCertAlias is not set, as the alias of the private key used for signing.

Parameter - userCertAlias (setUserCertAlias): the keystore alias of the user's certificate and private key used to sign the message.

Parameter - encryptionUser (setEncryptionUser): the keystore alias of the recipient's certificate whose public key is used to encrypt the message.

Parameter - passwordCallbackClass (setPwCbClass): the fully qualified name of a javax.security.auth.callback.CallbackHandler that supplies the UsernameToken password and the passwords for unlocking private keys. Rampart instantiates it by name, so it needs a public no-argument constructor.

Parameter - signatureCrypto (setSigCryptoConfig): a CryptoConfig object describing the keystore used for signing.

Parameter - encryptionCrypto (setEncrCryptoConfig): a CryptoConfig object describing the keystore used for encryption.

Parameter - timestampTTL (setTimestampTTL): the lifetime of the Timestamp in seconds. Keep it short, because it bounds the window in which a captured message can be replayed.

Now load the policy from its file and attach this rampart-config to the Policy object as an assertion.
StAXOMBuilder builder = new StAXOMBuilder("path/to/policy");
Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());
policy.addAssertion(rampartConfig);

Now set the Policy object in the client's Options so that Rampart picks it up (the rampart module must also be engaged on the ServiceClient).
options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);

The setter names mirror the parameter names, so if you are familiar with the rampart-config parameters it is easy to identify the corresponding setter method on RampartConfig.
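The steps above put together as one runnable client, as an added example that is not code from the original post or from the Rampart project. It takes the user name from the command line (the dynamic case that motivates building rampart-config in code), builds the Merlin CryptoConfig, fills the RampartConfig through its setters, attaches it to a policy loaded from disk and engages Rampart on an Axis2 ServiceClient. The class name, the paths client.jks, policy.xml and client_repo, the endpoint URL, the aliases alice and service and the passwords are all placeholders of this example; substitute your own.

```java
import java.io.IOException;
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.model.CryptoConfig;
import org.apache.rampart.policy.model.RampartConfig;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Builds a rampart-config assertion in code and attaches it to a policy loaded from disk.
 * Example code; every path, alias, URL and password below is a placeholder.
 */
public class ProgrammaticRampartClient {

    /** Merlin keystore settings; the same keystore is used here for signing and encryption. */
    static CryptoConfig buildCryptoConfig(String keystorePath, String keystorePassword) {
        Properties merlinProp = new Properties();
        merlinProp.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
        merlinProp.put("org.apache.ws.security.crypto.merlin.file", keystorePath);
        // In real code obtain this from a protected source, not from a string literal.
        merlinProp.put("org.apache.ws.security.crypto.merlin.keystore.password", keystorePassword);

        CryptoConfig cryptoConfig = new CryptoConfig();
        cryptoConfig.setProvider("org.apache.ws.security.components.crypto.Merlin");
        cryptoConfig.setProp(merlinProp);
        return cryptoConfig;
    }

    /** The programmatic equivalent of a ramp:RampartConfig block, from values known only at run time. */
    static RampartConfig buildRampartConfig(String user, String serverCertAlias, CryptoConfig crypto) {
        RampartConfig rampartConfig = new RampartConfig();
        rampartConfig.setUser(user);                       // UsernameToken user / default signing alias
        rampartConfig.setUserCertAlias(user);              // alias of our private key used to sign
        rampartConfig.setEncryptionUser(serverCertAlias);  // alias of the server cert used to encrypt
        rampartConfig.setPwCbClass(PasswordCallbackHandler.class.getName());
        rampartConfig.setSigCryptoConfig(crypto);
        rampartConfig.setEncrCryptoConfig(crypto);
        rampartConfig.setTimestampTTL("300");              // seconds; short TTL limits the replay window
        return rampartConfig;
    }

    /** Supplies passwords to WSS4J. Rampart instantiates it by name, hence the no-arg constructor. */
    public static class PasswordCallbackHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pwcb = (WSPasswordCallback) cb;
                // The identifier is the UsernameToken user or the key alias being unlocked.
                if ("alice".equals(pwcb.getIdentifier())) {
                    pwcb.setPassword(System.getProperty("client.key.password", "alice-password"));
                } else {
                    // Unknown identifier: refuse, so that security processing fails closed.
                    throw new UnsupportedCallbackException(cb, "no password for " + pwcb.getIdentifier());
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String user = args.length > 0 ? args[0] : "alice";   // e.g. taken from user input

        CryptoConfig crypto = buildCryptoConfig("client.jks", "wso2carbon");
        RampartConfig rampartConfig = buildRampartConfig(user, "service", crypto);

        // Load the WS-SecurityPolicy and append the rampart-config assertion to it.
        StAXOMBuilder builder = new StAXOMBuilder("policy.xml");
        Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());
        policy.addAssertion(rampartConfig);

        // Hand the policy to Rampart through the client options and engage the module.
        ConfigurationContext ctx = ConfigurationContextFactory
                .createConfigurationContextFromFileSystem("client_repo", null);
        ServiceClient client = new ServiceClient(ctx, null);
        Options options = new Options();
        options.setTo(new EndpointReference("https://localhost:9443/services/echo"));
        options.setAction("urn:echoString");
        options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
        client.setOptions(options);
        client.engageModule("rampart");
        // client.sendReceive(payload) now goes out signed and encrypted as the policy demands.
    }
}
```

The callback handler is the piece most often done wrong: it should hand out a password only for identifiers it recognises and reject everything else, since WSS4J calls the same handler to unlock signing keys, to decrypt and to build the UsernameToken. Because the user name is passed into buildRampartConfig, the same policy file serves every user without editing XML.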